Attributes (AD DS)

Each object in Active Directory Domain Services has a set of attributes that define the characteristics of the object. Each attribute is described by an attributeSchema object in the schema container. That definition includes, for example, which object classes may contain the attribute and the syntax of the attribute's values. For more information about attribute schema definitions, see Characteristics of Attributes.

The following list describes the types of attributes that an object in Active Directory Domain Services can have.

Domain-replicated, stored attributes

Most attributes (such as cn, nTSecurityDescriptor, and objectGUID) are stored in the directory and replicated to every domain controller in the domain. A subset of these attributes (the partial attribute set) is also replicated to the global catalog. If you enumerate the attributes of an object through the global catalog, only the attributes replicated to the global catalog are returned. Some attributes are also indexed; including an indexed attribute in a query filter improves query performance.

Non-replicated, locally stored attributes

Non-replicated attributes, such as badPwdCount, Last-Logon (LDAP display name lastLogon), and Last-Logoff (lastLogoff), are stored on each domain controller but are not replicated. These attributes pertain to a particular domain controller. For example, lastLogon holds the date and time at which the user's network logon was last validated by the domain controller that returned the value. Non-replicated attributes are retrieved in the same way as the domain-replicated attributes described previously, but each domain controller returns only the value it recorded itself. For example, to obtain the last time that a user logged on to the domain, retrieve lastLogon for the user from every domain controller in the domain and take the latest date and time. Do not confuse lastLogon with lastLogonTimestamp: the latter is replicated, but by default it is updated only when the stored value is more than about 14 days old, so it is suitable for finding stale accounts, not for establishing a precise last logon.
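The procedure above (query every domain controller and keep the latest lastLogon), as an added PowerShell example that is not part of the original page. It assumes the ActiveDirectory module (RSAT) is installed and the session runs as a domain user who can read the account; the account name is supplied as a parameter.

```powershell
<#
  Added example, not code from the original page.
  Retrieves the non-replicated lastLogon and badPwdCount attributes of one user
  from every domain controller and reports the latest validated logon.
  Assumes: ActiveDirectory module (RSAT), domain-joined session, read access to the user.
#>
param(
    [Parameter(Mandatory)]
    [string] $SamAccountName
)

Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# FILETIME (Int64, 100 ns intervals since 1601) -> DateTime; 0 or $null means "never".
function ConvertFrom-FileTime {
    param([Nullable[Int64]] $FileTime)
    if ($FileTime) { [DateTime]::FromFileTimeUtc($FileTime) } else { $null }
}

$perDc = foreach ($dc in $dcs) {
    try {
        # -Server binds to that specific DC, so the non-replicated values are its own.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lastLogon, badPwdCount, badPasswordTime, lastLogonTimestamp
        [pscustomobject]@{
            DomainController   = $dc.HostName
            IsPdcEmulator      = ($dc.HostName -eq $domain.PDCEmulator)
            LastLogon          = ConvertFrom-FileTime $u.lastLogon
            BadPwdCount        = $u.badPwdCount
            BadPasswordTime    = ConvertFrom-FileTime $u.badPasswordTime
            # Replicated, but coarse (default ~14-day update interval); shown for contrast.
            LastLogonTimestamp = ConvertFrom-FileTime $u.lastLogonTimestamp
        }
    }
    catch {
        # An unreachable DC must not abort the sweep; its value is simply unknown.
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

$perDc | Sort-Object LastLogon -Descending | Format-Table -AutoSize

$latest = $perDc | Where-Object LastLogon | Sort-Object LastLogon -Descending | Select-Object -First 1
if ($latest) {
    "Latest validated logon for $SamAccountName : $($latest.LastLogon.ToString('u')) (on $($latest.DomainController))"
} else {
    "No domain controller has recorded a logon for $SamAccountName."
}
```

The badPwdCount column is included because it has the same per-DC semantics; note that domain controllers forward failed password attempts to the PDC emulator, so the PDC emulator's count is the one to consult when investigating a lockout or a password-spraying attempt. If some domain controllers are unreachable, the reported "latest" logon is only a lower bound.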

Non-stored, constructed attributes

An object also has constructed attributes, such as canonicalName and allowedAttributes, that are not stored in the directory but are computed by the domain controller when they are requested. Because they are computed on demand, constructed attributes are returned only when a query names them explicitly, and, with few exceptions, they cannot be used in a search filter.
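To show the difference between stored and constructed attributes on the wire, here is an added PowerShell example (not code from the original page) that issues two LDAP searches through System.DirectoryServices: one that asks for all attributes, and one that names canonicalName and allowedAttributes explicitly. It assumes a domain-joined session; the account name jdoe is a placeholder.

```powershell
<#
  Added example, not code from the original page.
  Demonstrates that constructed attributes (canonicalName, allowedAttributes)
  are not returned by an "all attributes" LDAP request and must be named explicitly.
  Assumes: domain-joined session; 'jdoe' is a placeholder account name.
#>
$SamAccountName = 'jdoe'

# Escape the value before placing it in an LDAP filter (RFC 4515), so that a
# crafted account name cannot change the meaning of the search.
function ConvertTo-LdapFilterValue {
    param([string] $Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'      { [void]$sb.Append('\5c') }
            '*'      { [void]$sb.Append('\2a') }
            '('      { [void]$sb.Append('\28') }
            ')'      { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default  { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

$rootDse    = [ADSI]'LDAP://RootDSE'
$searchBase = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$filter     = "(&(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"

# Search 1: no PropertiesToLoad, i.e. the LDAP '*' request. Only stored attributes come back.
$allStored = New-Object System.DirectoryServices.DirectorySearcher($searchBase, $filter)
$r1 = $allStored.FindOne()
if (-not $r1) { throw "No user with sAMAccountName '$SamAccountName' found." }
"Attributes returned by '*':            $($r1.Properties.PropertyNames.Count)"
"canonicalName returned by '*':         $($r1.Properties.Contains('canonicalname'))"   # expected: False
"allowedAttributes returned by '*':     $($r1.Properties.Contains('allowedattributes'))" # expected: False

# Search 2: name the constructed attributes explicitly; the DC computes them for this response.
$explicit = New-Object System.DirectoryServices.DirectorySearcher($searchBase, $filter)
[void]$explicit.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'canonicalName', 'allowedAttributes'))
$r2 = $explicit.FindOne()
"canonicalName (explicit request):      $($r2.Properties['canonicalname'][0])"
"allowedAttributes count (explicit):    $($r2.Properties['allowedattributes'].Count)"
```

allowedAttributes is computed from the object's class hierarchy (the attributes its classes may contain), so its count changes if the schema is extended; canonicalName is derived from the distinguished name. Neither value is replicated or indexed, which is why the second search has to ask for them by name.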