Basics, objectGUID, and Special Attribute Behavior

The LDAP data model is defined by [RFC3377]. Because the LDAP RFCs and their underlying ITU specifications have been interpreted in a variety of ways, this section defines a more specific model that correctly represents the behavior of Active Directory objects and attributes and describes the correspondence between this model and the LDAP model.

The model is based on the general definitions of Replica, Object, and Attribute given in section 1, and repeated here for convenience:

A replica is a variable containing a set of objects.

An attribute is an identifier for a set of values.

An object is a set of attributes, each with its associated values. Two attributes of an object have special significance:

  • Identifying attribute. A designated single-valued attribute appears on every object; the value of this attribute identifies the object. For the set of objects in a replica, the values of the identifying attribute are distinct.

  • Parent-identifying attribute. A designated single-valued attribute appears on every object; the value of this attribute identifies the object's parent. That is, this attribute either contains the value of the parent's identifying attribute, or contains a reserved value (NULL GUID, as described later in this section) identifying no object. For the set of objects in a replica, the values of this parent-identifying attribute define an oriented tree with objects as vertices and child-parent references as directed edges, with the child as an edge's tail and the parent as an edge's head.

Note that an object is a value, not a variable; a replica is a variable. The process of adding, modifying, or deleting an object in a replica replaces the entire value of the replica with a new value.

As the word replica suggests, it is often the case that two replicas contain "the same objects". In this usage, objects in two replicas are considered "the same" if they have the same value of the identifying attribute and if there is a process in place (replication) to converge both the set of objects in existence and the values of the non-identifying attributes as originating updates take place in replicas. When the members of a set of replicas are considered to be the same, it is common to say "an object" as a shorthand referring to the set of corresponding objects in the replicas.

A child object is an object that is not the root of its oriented tree. The children of an object o are the set of all objects whose parent is o.

The directory model used in this specification instantiates the preceding definitions as follows. The identifying attribute is objectGUID and the parent-identifying attribute is parent, an abstract attribute. Both attributes have GUID values. No actual object has objectGUID equal to the NULL GUID. The root object has parent equal to the NULL GUID.

This specification uses the following s-expression representation ([LISP15]) of directory values, attributes, objects, and replicas to provide a notation for examples:

  • Represent an attribute and its values as a list (Attr Val1 Val2 ... Valn) where Attr is an atom whose name is the attribute's name (its lDAPDisplayName, defined in section ) and each Valk is a value. The attribute comes first, but the ordering of values in the list is not significant, with the exception of the values of the objectClass attribute explained later in this section. If a value is a GUID, represent it as a 128-bit unsigned integer instead of using a representation that reflects the internal structure of a GUID. To aid the readability of examples, the GUIDs used in examples are unrealistically small integers.

  • Represent an object as a list (Attrval1 Attrval2 ... Attrvaln) where each Attrvalk is the representation of an attribute and its values; the ordering of this list is not significant.

  • Represent a replica as a list (Obj1 Obj2 ... Objn) where each Objk is the representation of an object; the ordering of this list is not significant.

The following list

   ( (objectGUID 5) (parent 0) (dc "microsoft") )
   ( (objectGUID 2) (parent 5) (ou "NTDEV") )
   ( (objectGUID 9) (parent 2) (cn "Peter Houston") )

is one representation of the value of some replica containing three objects. The object with objectGUID = 5 is the root, the object with objectGUID = 2 is the only child of the root, and the object with objectGUID = 9 is the only grandchild of the root. Each object in this example has one additional attribute whose meaning has not yet been described.
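The following is an added example, not part of the specification: a small Python parser for the s-expression replica notation above, together with a check of the invariants this section states (objectGUID values are distinct and never the NULL GUID, objectGUID and parent are single-valued, every non-NULL parent value names an object in the replica, there is exactly one root, and the child-parent references contain no cycles). The sample input is the three-object replica shown above; the helper names and the choice of 0 for the NULL GUID are assumptions made for this example.

```python
"""Added example (not MS-ADTS code): parse the s-expression replica notation
and check the oriented-tree invariants stated in the text."""
import re
from typing import Any

NULL_GUID = 0  # the reserved parent value that identifies no object (assumed encoding)

# Constructed sample input: the three-object replica shown in the text.
SAMPLE_REPLICA = """
( (objectGUID 5) (parent 0) (dc "microsoft") )
( (objectGUID 2) (parent 5) (ou "NTDEV") )
( (objectGUID 9) (parent 2) (cn "Peter Houston") )
"""

# Tokens: parentheses, double-quoted strings, or bare atoms.
_TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def _atom(tok: str) -> Any:
    """Convert one token into a value: string, integer (GUID), or attribute name."""
    if tok.startswith('"'):
        return tok[1:-1]          # quoted string value
    if tok.isdigit():
        return int(tok)           # GUIDs are written as unsigned integers
    return tok                    # attribute name (lDAPDisplayName)


def parse_sexprs(text: str) -> list:
    """Parse every top-level s-expression in text into nested Python lists."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack[-1 - 1].append(stack.pop())
        else:
            stack[-1].append(_atom(tok))
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def parse_replica(text: str) -> dict:
    """Return {objectGUID: {attr: [values]}} for each object in the replica."""
    replica = {}
    for obj in parse_sexprs(text):
        attrs = {}
        for name, *values in obj:
            attrs[name] = values
        guid = attrs["objectGUID"][0]
        if guid in replica:
            # Identifying-attribute values must be distinct within a replica.
            raise ValueError(f"duplicate objectGUID {guid}")
        replica[guid] = attrs
    return replica


def validate_tree(replica: dict) -> int:
    """Check the invariants from the text; return the root's objectGUID."""
    roots = []
    for guid, attrs in replica.items():
        if guid == NULL_GUID:
            raise ValueError("no actual object may have objectGUID = NULL GUID")
        if len(attrs["objectGUID"]) != 1 or len(attrs["parent"]) != 1:
            raise ValueError(f"{guid}: objectGUID and parent must be single-valued")
        parent = attrs["parent"][0]
        if parent == NULL_GUID:
            roots.append(guid)
        elif parent not in replica:
            raise ValueError(f"{guid}: parent {parent} is not in the replica")
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {roots}")
    # Follow parent links from every object; a cycle would never reach the root.
    for start in replica:
        seen, guid = set(), start
        while guid != NULL_GUID:
            if guid in seen:
                raise ValueError(f"cycle in parent references through {guid}")
            seen.add(guid)
            guid = replica[guid]["parent"][0]
    return roots[0]


def children(replica: dict, o: int) -> set:
    """The children of o: the set of all objects whose parent is o."""
    return {g for g, a in replica.items() if a["parent"][0] == o}


if __name__ == "__main__":
    r = parse_replica(SAMPLE_REPLICA)
    root = validate_tree(r)
    print("root:", root, "children:", children(r, root), "grandchildren:", children(r, 2))
```

Running the block on the sample replica reports objectGUID 5 as the root, {2} as its children and {9} as the children of 2, matching the description above; the same checks reject a replica with a duplicate objectGUID or a parent reference that loops.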

Representing an attribute as its lDAPDisplayName makes examples readable. In the actual state model, an attribute is identified by an ATTRTYP. An ATTRTYP is a 32-bit unsigned integer that can be mapped to and from an object representing an attribute. This mapping is specified in section

Active Directory's objectGUID attribute has special behavior. A GUID that is generated by the DC is assigned to the objectGUID attribute of an object during its creation (LDAP Add), and this attribute is read-only thereafter. This is the first of many examples of an attribute with special behavior. Section specifies the behavior of every attribute that has special behavior.

Active Directory includes the objectSid attribute on certain objects, called security principal objects. The objectSid attribute has special behavior. A fresh SID is assigned to the objectSid attribute of an object during its creation (LDAP Add), and this attribute is read-only thereafter, unless the object moves to another NC (LDAP Modify DN; see section for the specification of such moves). More on objectSid generation can be found in section
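As an added illustration (not code from the specification), the following toy replica enforces the special behavior just described for both attributes: on LDAP Add the DC generates objectGUID, and objectSid for security principal objects, and refuses client-supplied values; LDAP Modify rejects writes to either attribute; a cross-NC move (Modify DN) keeps objectGUID and assigns a fresh objectSid. The class and method names, the per-NC domain SID and RID counter used to build SIDs, and the handling of the old SID on a move (simply replaced here) are assumptions of this example, not details the text gives.

```python
"""Added example (not MS-ADTS code): a toy replica that models the read-only
behavior of objectGUID and objectSid after LDAP Add."""
import uuid

NULL_GUID = 0                                   # assumed encoding of the NULL GUID
DC_ASSIGNED = {"objectGUID", "objectSid"}       # attributes only the DC may set


class Replica:
    """Objects keyed by objectGUID; each object is {attr: [values]}."""

    def __init__(self, nc_name: str, domain_sid: str):
        self.nc_name = nc_name
        self.domain_sid = domain_sid   # assumed: one domain SID per NC (illustration only)
        self.next_rid = 1000           # assumed RID counter (illustration only)
        self.objects = {}

    def _new_guid(self) -> int:
        # The DC, not the client, generates the GUID; a real 128-bit value here.
        return uuid.uuid4().int

    def _new_sid(self) -> str:
        # Constructed SID: domain SID plus the next relative identifier.
        sid = f"{self.domain_sid}-{self.next_rid}"
        self.next_rid += 1
        return sid

    def add(self, parent: int, attrs: dict, security_principal: bool = False) -> int:
        """LDAP Add: objectGUID (and objectSid) are assigned by the DC, never supplied."""
        if DC_ASSIGNED & attrs.keys():
            raise PermissionError("objectGUID/objectSid are assigned by the DC on Add")
        if parent != NULL_GUID and parent not in self.objects:
            raise LookupError(f"parent {parent} is not in this replica")
        guid = self._new_guid()
        obj = {k: list(v) for k, v in attrs.items()}
        obj["objectGUID"] = [guid]
        obj["parent"] = [parent]
        if security_principal:
            obj["objectSid"] = [self._new_sid()]
        self.objects[guid] = obj
        return guid

    def modify(self, guid: int, attr: str, values: list) -> None:
        """LDAP Modify: the DC-assigned attributes are read-only after creation."""
        if attr in DC_ASSIGNED:
            raise PermissionError(f"{attr} is read-only after creation")
        self.objects[guid][attr] = list(values)

    def move_to(self, guid: int, other: "Replica", new_parent: int) -> int:
        """LDAP Modify DN into another NC: objectGUID is kept, objectSid is reassigned."""
        if new_parent not in other.objects:
            raise LookupError(f"new parent {new_parent} is not in {other.nc_name}")
        obj = self.objects.pop(guid)
        obj["parent"] = [new_parent]
        if "objectSid" in obj:
            obj["objectSid"] = [other._new_sid()]   # fresh SID from the destination NC
        other.objects[guid] = obj
        return guid


if __name__ == "__main__":
    a = Replica("DC=a", "S-1-5-21-1-2-3")          # constructed domain SIDs
    root = a.add(NULL_GUID, {"dc": ["a"]})
    user = a.add(root, {"cn": ["Peter Houston"]}, security_principal=True)
    print(a.objects[user]["objectSid"], hex(a.objects[user]["objectGUID"][0]))
```

The point to take from the model is which writes are refused: a client-supplied objectGUID on Add, any Modify of objectGUID or objectSid, while an ordinary attribute such as cn remains writable, and only the cross-NC move changes objectSid.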