Characteristics of Attributes

Each attribute in an Active Directory Domain Services object is defined by an attributeSchema object in the schema container. The properties of an attributeSchema object specify the characteristics of the attribute, such as:

  • Attribute identifiers. Attributes have several identifiers, of which the most interesting from a programming perspective are the lDAPDisplayName, which is used by LDAP clients to read and write the attribute, and the schemaIDGUID, which is used in security descriptors to control access to the attribute.
  • The type of data contained by instances of the attribute. An attribute's syntax properties determine the type of data, such as integer, string, or binary. Additional properties can specify the range of values that are allowed for the attribute and whether an instance of the attribute can have multiple values.
  • Including the attribute in groups. Other properties tag an attribute to be included in a property set, which is a set of related properties, or to be included in the set of attributes that are replicated in the global catalog or indexed to optimize search performance.

The following table lists the lDAPDisplayName and description of the key properties of an attributeSchema object. For more information and a complete list of the mandatory and optional properties of an attributeSchema object, see Attribute-Schema Class.

lDAPDisplayName    Description

cn
Every object in Active Directory Domain Services has a naming attribute from which its RDN is formed. The naming attribute for attributeSchema objects is cn (common name). The value assigned to cn is the value that the attributeSchema object will have as its RDN. For example, the cn of the isSingleValued object in the schema container is set as Is-Single-Valued, which would appear in a distinguished name as CN=Is-Single-Valued. The cn must be unique in the schema container.

lDAPDisplayName
The name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute using the LDAP protocol. An attribute's lDAPDisplayName must be unique in the schema container, which means it must be unique across all classSchema and attributeSchema objects. For more information about composing a cn and an lDAPDisplayName for a new attribute, see Naming Attributes and Classes.

schemaIDGUID
A GUID stored as an octet string. This GUID uniquely identifies the attribute. This GUID can be used in access control entries to control access to instances of this attribute. For more information, see Setting Permissions to a Specific Property.
On creation of the attributeSchema object, the Active Directory server generates this value if it is not specified. If you are creating a new attribute, it is recommended that you generate your own GUID for each attribute so that all installations of your extension will use the same schemaIDGUID to refer to the attribute.

adminDisplayName
A display name of the attribute for use in administrative tools. If adminDisplayName is not specified when the attribute is created, the system uses the Common-Name value as the display name.
This display name is used only if a mapping does not exist in the attributeDisplayNames property of the display specifier for the class. For more information, see Display Specifiers and Class and Attribute Display Names.

attributeID
The OID of this attribute. This value must be unique among the attributeID values of all attributeSchema objects and the governsID values of all classSchema objects. For more information, see Object Identifiers.

attributeSecurityGUID
A GUID stored as an octet string. This is an optional GUID that identifies the attribute as a member of an attribute grouping, also called a property set. You can use this GUID in access control entries to control access to all attributes in the property set, that is, to all attributes that have the specified GUID set in their attributeSecurityGUID property. For more information, see Setting Permissions on a Group of Properties.

attributeSyntax
The object identifier of the syntax for this attribute. The combination of the attributeSyntax and oMSyntax properties determines the syntax of the attribute, that is, the type of data stored by instances of the attribute.
For more information about the attributeSyntax, oMSyntax, and oMObjectClass syntax attributes, see Syntaxes for Attributes in Active Directory Domain Services.

oMSyntax
An integer that is the XDS representation of the syntax.

oMObjectClass
An octet string that must be specified for attributes of oMSyntax 127. For attributes with any other oMSyntax value, this property is not used. If no oMObjectClass is specified for an attribute with an oMSyntax of 127, the default oMObjectClass is set. Usually, there is a one-to-one mapping between the attributeSyntax and the oMObjectClass.

rangeLower, rangeUpper
A pair of integers that specify the lower and upper bounds of the range of values for this attribute. All values set for the attribute must be within or equal to the specified bounds. For attributes with numeric syntax, the range specifies the minimum and maximum value. For attributes with string syntax, the range specifies the minimum and maximum size, in characters. For attributes with binary syntax, the range specifies the minimum and maximum size, in bytes.
If both rangeLower and rangeUpper are set, rangeLower must be less than rangeUpper. If one constraint is present without the other, the missing constraint is unbounded. For example, if the rangeLower for an integer is 3 and rangeUpper is absent, there is no upper constraint on the attribute. Likewise, if rangeUpper for a string is 2000 and rangeLower is absent, there is no lower constraint on the length.

isSingleValued
A Boolean value that is TRUE if the attribute can have only one value or FALSE if the attribute can have multiple values. If this property is not set, the attribute has a single value.
Multi-valued attributes are unordered; there is no guarantee they will be stored or returned in any specific order. In the event of a replication collision, conflict resolution is per attribute, not per value within an attribute: the entire multi-value succeeds or fails. For more information about replication collisions, see Consistency GUIDs.

searchFlags
Contains a set of flags that specify search and indexing information for an attribute. For more information, see Indexed Attributes.

isMemberOfPartialAttributeSet
A Boolean value that is TRUE if the attribute is replicated to the global catalog or FALSE if the attribute is not included in the global catalog. For more information, see Attributes Included in the Global Catalog.

linkID
An integer that indicates that the attribute is a linked attribute. An even integer is a forward link and an odd integer is a back link.

systemFlags
An integer value that contains flags that define additional properties of the attribute. For more information, see System-Flags.

systemOnly
A Boolean value that specifies whether only the Active Directory server can modify the attribute.

mAPIID
An integer by which MAPI clients identify this attribute.

isDefunct
A Boolean value that indicates whether the attribute is defunct. For more information, see Disabling Existing Classes and Attributes.

description
A text description of the attribute.

objectClass
Identifies the object class of which this object is an instance, which is the classSchema object class for all class definitions and the attributeSchema object class for all attribute definitions.
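The schemaIDGUID and attributeSecurityGUID octet strings, the rangeLower/rangeUpper bounds and the isSingleValued flag described in the table above are the pieces a reviewer needs when resolving an ACE's object-type GUID or validating a value against the schema. The following added example (not code from the original page or from Microsoft) shows how those properties are decoded and applied, using constructed attributeSchema entries with placeholder GUIDs; the class and function names are hypothetical.

```python
import uuid
from dataclasses import dataclass
from typing import Optional

@dataclass
class AttributeSchema:
    ldap_display_name: str
    schema_id_guid: bytes                            # 16-byte octet string
    attribute_security_guid: Optional[bytes] = None  # property-set GUID, if any
    is_single_valued: bool = True                    # absent property = single-valued
    range_lower: Optional[int] = None                # absent bound = unbounded
    range_upper: Optional[int] = None

def octet_string_to_guid(octets: bytes) -> str:
    # Octet string is the GUID in Windows byte order (first three fields little-endian);
    # bytes_le decodes that, whereas bytes= would scramble the first 8 bytes.
    return str(uuid.UUID(bytes_le=octets))

def guid_to_octet_string(guid: str) -> bytes:
    # Inverse, for storing a GUID you generated yourself in a new attributeSchema.
    return uuid.UUID(guid).bytes_le

def resolve_object_type(attrs, guid: str):
    """Map an ACE ObjectType GUID to the attribute, or property-set members, it covers."""
    guid = guid.lower()
    direct = [a.ldap_display_name for a in attrs if octet_string_to_guid(a.schema_id_guid) == guid]
    if direct:
        return ("attribute", direct)
    members = [a.ldap_display_name for a in attrs if a.attribute_security_guid is not None
               and octet_string_to_guid(a.attribute_security_guid) == guid]
    return ("property set", members) if members else ("unknown", [])

def check_value(attr: AttributeSchema, values) -> bool:
    if attr.is_single_valued and len(values) > 1:
        return False
    for v in values:
        measure = v if isinstance(v, int) else len(v)  # ints by value, str/bytes by length
        if (attr.range_lower is not None and measure < attr.range_lower) or \
           (attr.range_upper is not None and measure > attr.range_upper):
            return False
    return True

PROPERTY_SET = guid_to_octet_string("aaaaaaaa-0000-4000-8000-000000000001")  # constructed placeholder GUIDs, not real AD values
SAMPLE_SCHEMA = [
    AttributeSchema("exampleAccountName", b"\x78\x56\x34\x12\xbc\x9a\xf0\xde\x12\x34\x56\x78\x9a\xbc\xde\xf0",
                    attribute_security_guid=PROPERTY_SET, range_lower=1, range_upper=256),
    AttributeSchema("exampleFlags", guid_to_octet_string("bbbbbbbb-0000-4000-8000-000000000002"),
                    attribute_security_guid=PROPERTY_SET, range_lower=0),
    AttributeSchema("exampleMember", guid_to_octet_string("cccccccc-0000-4000-8000-000000000003"), is_single_valued=False),
]
```

The first sample entry's raw octet string decodes to 12345678-9abc-def0-1234-56789abcdef0, which makes the byte swapping of the first three GUID fields visible; a GUID pulled from an ACE can then be looked up either as one attribute's schemaIDGUID or as a property set shared through attributeSecurityGUID.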

For more information about attributes, see: