6.1.1.4 Well-Known Objects

Within each NC (excluding the schema NC), there are certain well-known system objects that can be referred to using a well-known GUID (see section 3.1.1.3 for more information). Domain and Config NC root objects contain an attribute called wellKnownObjects that lists the well-known objects (WKO) within that NC. Each value in this list is an Object(DN-Binary) value where the Binary portion is the well-known GUID in binary form and the DN portion is the DN of the object. The well-known GUID can be used in conjunction with the NC DN to refer to the object (for more information, see section 3.1.1.3). In addition to the wellKnownObjects attribute, each NC root object can also contain an attribute called otherWellKnownObjects that lists other WKOs. Objects listed in the attribute otherWellKnownObjects can be referred to in the same way as those in the attribute wellKnownObjects.

The following requirements apply to the wellKnownObjects attribute on the NC root object and the referred-to objects, but do not apply to the otherWellKnownObjects attribute:

  • For each of the well-known GUIDs listed below for a given NC, the wellKnownObjects attribute on the NC root object MUST contain a value such that the binary portion matches the well-known GUID. There MUST be exactly one such value.

  • If rename of the referred-to object is permitted (based on the value of the systemFlags attribute on each object), the DN portion of the value is updated.

  • The well-known Users container and the well-known Computers container in the domain NC can be redirected, under the following constraints:

    • The modification is made on a DC that owns the PDC FSMO.

    • The modification removes the reference to the existing object and adds a new reference in the same operation.

    • The new object being referred to is not in the System container of the domain NC.

    • The new object being referred to does exist, and if different from the currently referred-to Users or Computers containers, it does not have the following bits in the systemFlags attribute: FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE

    • As part of the redirection, the following flags are added to the new object being referred to and removed from the old object: FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE

In AD DS, the following well-known objects exist within each domain NC.

RDN                         Symbolic name for well-known GUID
Computers                   GUID_COMPUTERS_CONTAINER_W
Deleted Objects             GUID_DELETED_OBJECTS_CONTAINER_W
Domain Controllers          GUID_DOMAIN_CONTROLLERS_CONTAINER_W
ForeignSecurityPrincipals   GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W
Infrastructure              GUID_INFRASTRUCTURE_CONTAINER_W
LostAndFound                GUID_LOSTANDFOUND_CONTAINER_W
Microsoft (Note 1)          GUID_MICROSOFT_PROGRAM_DATA_CONTAINER_W
NTDS Quotas                 GUID_NTDS_QUOTAS_CONTAINER_W
Program Data                GUID_PROGRAM_DATA_CONTAINER_W
System                      GUID_SYSTEMS_CONTAINER_W
Users                       GUID_USERS_CONTAINER_W

Note 1 The Microsoft container is a child of the Program Data container.

In AD DS, the following well-known objects exist within each application NC.

RDN                 Symbolic name for well-known GUID
Deleted Objects     GUID_DELETED_OBJECTS_CONTAINER_W
Infrastructure      GUID_INFRASTRUCTURE_CONTAINER_W
LostAndFound        GUID_LOSTANDFOUND_CONTAINER_W
NTDS Quotas         GUID_NTDS_QUOTAS_CONTAINER_W

In AD DS, the following well-known objects exist within the config NC.

RDN                 Symbolic name for well-known GUID
Deleted Objects     GUID_DELETED_OBJECTS_CONTAINER_W
LostAndFoundConfig  GUID_LOSTANDFOUND_CONTAINER_W
NTDS Quotas         GUID_NTDS_QUOTAS_CONTAINER_W

In AD LDS, the following well-known objects exist within each application NC.

RDN                                 Symbolic name for well-known GUID
Deleted Objects                     GUID_DELETED_OBJECTS_CONTAINER_W
ForeignSecurityPrincipals (Note 2)  GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W
LostAndFound                        GUID_LOSTANDFOUND_CONTAINER_W
NTDS Quotas                         GUID_NTDS_QUOTAS_CONTAINER_W
Roles                               GUID_USERS_CONTAINER_W

Note 2 The ForeignSecurityPrincipals container is created (and the corresponding value created in the wellKnownObjects attribute) when the first foreignSecurityPrincipal object is created in the NC.

In AD LDS, the following well-known objects exist within the config NC.

RDN                         Symbolic name for well-known GUID
Deleted Objects             GUID_DELETED_OBJECTS_CONTAINER_W
ForeignSecurityPrincipals   GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W
LostAndFoundConfig          GUID_LOSTANDFOUND_CONTAINER_W
NTDS Quotas                 GUID_NTDS_QUOTAS_CONTAINER_W
Roles                       GUID_USERS_CONTAINER_W

The following other well-known object exists within each domain NC.

RDN                         Symbolic name for well-known GUID
Managed Service Accounts    GUID_MANAGED_SERVICE_ACCOUNTS_CONTAINER_W

The following table gives the GUID values for each of the symbolic names of the well-known GUIDs.

Symbolic name for well-known GUID            GUID
GUID_COMPUTERS_CONTAINER_W                   AA312825768811D1ADED00C04FD8D5CD
GUID_DELETED_OBJECTS_CONTAINER_W             18E2EA80684F11D2B9AA00C04F79F805
GUID_DOMAIN_CONTROLLERS_CONTAINER_W          A361B2FFFFD211D1AA4B00C04FD7D83A
GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W   22B70C67D56E4EFB91E9300FCA3DC1AA
GUID_INFRASTRUCTURE_CONTAINER_W              2FBAC1870ADE11D297C400C04FD8D5CD
GUID_LOSTANDFOUND_CONTAINER_W                AB8153B7768811D1ADED00C04FD8D5CD
GUID_MICROSOFT_PROGRAM_DATA_CONTAINER_W      F4BE92A4C777485E878E9421D53087DB
GUID_NTDS_QUOTAS_CONTAINER_W                 6227F0AF1FC2410D8E3BB10615BB5B0F
GUID_PROGRAM_DATA_CONTAINER_W                09460C08AE1E4A4EA0F64AEE7DAA1E5A
GUID_SYSTEMS_CONTAINER_W                     AB1D30F3768811D1ADED00C04FD8D5CD
GUID_USERS_CONTAINER_W                       A9D1CA15768811D1ADED00C04FD8D5CD
GUID_MANAGED_SERVICE_ACCOUNTS_CONTAINER_W    1EB93889E40C45DF9F0C64D23BBB6237
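The following added example (not part of the specification) parses Object(DN-Binary) values of a domain NC's wellKnownObjects attribute in their string form (B:&lt;hex digit count&gt;:&lt;hex&gt;:&lt;DN&gt;) and audits the "exactly one value per well-known GUID" requirement stated above, using the domain NC table and GUID values from this section. The `<WKGUID=...,NC DN>` reference string is the form described in section 3.1.1.3 and is assumed here; the sample attribute values and the NC DN `DC=example,DC=com` are constructed, with simplified DNs.

```python
import re
from collections import Counter

# Domain NC well-known objects: (RDN, symbolic name, GUID) from the tables above.
DOMAIN_NC_WKO = [
    ("Computers", "GUID_COMPUTERS_CONTAINER_W", "AA312825768811D1ADED00C04FD8D5CD"),
    ("Deleted Objects", "GUID_DELETED_OBJECTS_CONTAINER_W", "18E2EA80684F11D2B9AA00C04F79F805"),
    ("Domain Controllers", "GUID_DOMAIN_CONTROLLERS_CONTAINER_W", "A361B2FFFFD211D1AA4B00C04FD7D83A"),
    ("ForeignSecurityPrincipals", "GUID_FOREIGNSECURITYPRINCIPALS_CONTAINER_W", "22B70C67D56E4EFB91E9300FCA3DC1AA"),
    ("Infrastructure", "GUID_INFRASTRUCTURE_CONTAINER_W", "2FBAC1870ADE11D297C400C04FD8D5CD"),
    ("LostAndFound", "GUID_LOSTANDFOUND_CONTAINER_W", "AB8153B7768811D1ADED00C04FD8D5CD"),
    ("Microsoft", "GUID_MICROSOFT_PROGRAM_DATA_CONTAINER_W", "F4BE92A4C777485E878E9421D53087DB"),
    ("NTDS Quotas", "GUID_NTDS_QUOTAS_CONTAINER_W", "6227F0AF1FC2410D8E3BB10615BB5B0F"),
    ("Program Data", "GUID_PROGRAM_DATA_CONTAINER_W", "09460C08AE1E4A4EA0F64AEE7DAA1E5A"),
    ("System", "GUID_SYSTEMS_CONTAINER_W", "AB1D30F3768811D1ADED00C04FD8D5CD"),
    ("Users", "GUID_USERS_CONTAINER_W", "A9D1CA15768811D1ADED00C04FD8D5CD"),
]

# Object(DN-Binary) string form: B:<hex digit count>:<hex bytes>:<DN>
_DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]+):(.+)$")

def parse_dn_binary(value):
    """Split one wellKnownObjects value into (GUID hex, DN); reject malformed values."""
    m = _DN_BINARY.match(value)
    if not m or int(m.group(1)) != len(m.group(2)):
        raise ValueError(f"malformed Object(DN-Binary) value: {value!r}")
    return m.group(2).upper(), m.group(3)

def audit_well_known_objects(values, required=DOMAIN_NC_WKO):
    """Count how many values carry each required GUID; the rule above demands exactly one."""
    counts = Counter(parse_dn_binary(v)[0] for v in values)
    return {name: counts.get(guid, 0) for _, name, guid in required}

def violations(values, required=DOMAIN_NC_WKO):
    """Symbolic names whose value count is not exactly 1 (missing or duplicated)."""
    return sorted(n for n, c in audit_well_known_objects(values, required).items() if c != 1)

def wkguid_reference(guid_hex, nc_dn):
    """Build the <WKGUID=...,NC DN> reference form (section 3.1.1.3, assumed) for a WKO."""
    return f"<WKGUID={guid_hex},{nc_dn}>"

# Constructed sample attribute: simplified DNs, Users missing and Computers listed twice.
NC_DN = "DC=example,DC=com"
SAMPLE_VALUES = [f"B:32:{guid}:CN={rdn},{NC_DN}" for rdn, _, guid in DOMAIN_NC_WKO if rdn != "Users"]
SAMPLE_VALUES.append(f"B:32:{DOMAIN_NC_WKO[0][2]}:CN=Computers,{NC_DN}")

if __name__ == "__main__":
    print(violations(SAMPLE_VALUES))  # ['GUID_COMPUTERS_CONTAINER_W', 'GUID_USERS_CONTAINER_W']
    print(wkguid_reference(DOMAIN_NC_WKO[-1][2], NC_DN))
```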