Schema classes and attributes

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Every directory object you create is an instance of an object class contained in the schema. Each object class contains a list of associated attributes that determine the information the object can contain. Classes and attributes are defined independently, so that a single attribute can be associated with multiple classes. All schema classes and attributes are defined by the classSchema and attributeSchema objects, respectively.


ClassSchema objects are used to define classes in the schema. A classSchema object provides the template for building directory objects of that class. Examples of classSchema include User and Server. A classSchema object contains, among other things, the following information:

  • Class type (structural, abstract, or auxiliary)

  • Common name and Lightweight Directory Access Protocol (LDAP) display name

  • Lists of the "must contain" and "may contain" attributes for instances of the object

  • Relative distinguished name attribute

  • A list of possible parent classes

Class types

Three different types of classes exist in the schema:

Class type   Purpose

Structural   Used to instantiate objects (users, servers and so on) in the directory.

Abstract     Provides templates for deriving structural classes.

Auxiliary    Contains predefined lists of attributes that can be included in structural and abstract classes.


  • With the Windows Server 2003 family, the inetOrgPerson class is now part of the base schema. This class can be used as a security principal in the same manner as the user class.


AttributeSchema objects are used to define attributes in the schema. An attributeSchema object determines the allowable contents and syntax for instances of that attribute in the directory. Examples of attributeSchema include User-Principal-Name and Telex-Number. An attributeSchema object contains, among other things, the following information:

  • Common name and LDAP display name

  • Syntax rules

  • Data constraints (single-valued versus multivalued; minimum and maximum values)

  • Whether and how the attribute is indexed

Single and multivalued attributes

Attributes can be single-valued or multivalued. An instance of a single-valued attribute can contain only a single value. An instance of a multivalued attribute can contain multiple values of uniform syntax. A multivalued attribute stores no information about the ordering of the values it contains. Each value of a multivalued attribute must be unique.

Indexed attributes

Both multivalued and single-valued attributes can be indexed to help improve the performance of queries on that attribute. (Indexing does not apply to classes.) Attributes are marked for indexing based on their schema definition. Indexing an attribute also allows users to use wildcards (*) as prefixes and suffixes when specifying a search string. When you mark an attribute as indexed, all instances of the attribute are added to the index, not just the instances that are members of a particular class. Indexing attributes, particularly multivalued attributes, can negatively affect replication and object creation time, as well as directory database size. So, it is recommended that you only index commonly used attributes. For more information, see Index an attribute in Active Directory.

For more information about the schema, see "Active Directory Schema" at the Microsoft Windows Resource Kits Web site and the Microsoft MSDN Web site.