Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.

The full distinguished name.

The relative distinguished name.

The base distinguished name.

A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.

The Windows NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.

An object class name used to group objects of this or derived classes.

The list of classes from which this class is derived.

The description displayed on admin screens.

The name to be displayed on admin screens.

Attributes that will be permitted to be assigned to a class.

A list of attributes that can be modified on the object.

Classes that can be contained by a class.

A list of classes that can be modified.

The list of servers that are bridgeheads for replication.

The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).

The name that represents an object. Used to perform searches.

The date when this object was created. This value is replicated.

Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.

The display name for an object. This is usually the combination of the users first name, middle initial, and last name.

The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.

The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.

The DS-Core-Propagation-Data attribute is for internal use only.

The name of a property page used to extend the UI of a directory object.

To be used by the object to store bit information.

This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.

Reference to replica sets to which this computer belongs.

Reference to subscriber objects for this member.

Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.

Specifies a host computer.

If TRUE, the object hosting this attribute must be replicated during installation of a new replica.

If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.

The distinguished name of the groups to which this object belongs.

Backward link to privileges held by a given principal.

The Distinguished Name (DN) of the last known parent of an orphaned object.

Represents the name of a locality, such as a town or city.

Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.

Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.

A computed attribute that represents the date when this object was last changed. This value is not replicated.

A link used to associate a COM+ Partition with a COM+ PartitionSet object.

A link used to associate a COM+ PartitionSet with a User object.

The value returned by this attribute is based on index sizes. This may be off by +/-10% on large containers, and the error is theoretically unbounded, but using this attribute helps the UI display the contents of a container.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.

Backward link for msDS-hasMasterNCs.

Backward link from member application group or user to Az-Role objects linking to it.

A list of past and present replication partners, and how current we are with each of them.

Replication partners for this partition. This server obtains replication data from these other servers, which act as sources.

Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available.

Backward link from non-member group or user to Az groups that link to it (same functionality as Non-Security-Member-BL).

Backward link for ms-DS-Object-Reference.

Backward link from Az-Operation to Az-Role objects that link to it.

Backward link from Az-Operation to Az-Task objects that link to it.

A list of metadata for each replicated attribute. The metadata indicates who changed the attribute last.

A list of metadata for each value of an attribute. The metadata indicates who changed the value last.

Backward link from Az-Task to Az-Role objects that link to it.

Backward link from Az-Task to the Az-Task objects that link to it.

The backward link to the owner attribute. Contains a list of owners for an object.

A list of service connection points that reference this NetBoot server.

List of nonsecurity-members for an Exchange distribution list.

Same as the Distinguished Name for an object. Used by Exchange.

The unique identifier for an object.

This can be used to store a version number for the object.

The name of the organizational unit.

The name of the company or organization.

Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.

The list of objects that this object can contain.

This attribute is used internally by Active Directory to help track interdomain moves.

A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.

List of all objects holding references to a given Query-Policy.

The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.

Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.

Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.

Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.

Lists the servers from which the directory will accept changes for the defined naming context.

Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.

The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.

This constructed attribute returns a single DWORD value that can have up to three bits set:

List of distinguished names that are related to an object.

Found in the domain naming context. The distinguished name of a computer under the sites folder.

TRUE if this attribute is to be visible in the Advanced mode of the UI.

The list of distinguished names for subnets that belong to this site.

This constructed attribute stores a list of classes contained in a class hierarchy, including abstract classes. This list does contain dynamically linked auxiliary classes.

List of subordinate references of a Naming Context.

The distinguished name for the location of the subschema object where a class or attribute is defined.

An integer value that contains flags that define additional properties of the class. See Remarks.

A user ID.

The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.

The update sequence number (USN) assigned at object creation. See also, USN-Changed.

Contains the update sequence number (USN) for the last system object that was removed from a server.

The update sequence number (USN) for inter-site replication.

Contains the update sequence number (USN) for the last non-system object that was removed from a server.

Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.

References to objects in other ADSI namespaces.

This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):

The date when this object was last changed. This value is not replicated and exists in the global catalog.

The date when this object was created. This value is replicated and is in the global catalog.

A web page that is the primary landing page of a website.

A list of alternate webpages.

Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.

The full distinguished name.

The relative distinguished name.

The base distinguished name.

A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.

The Windows NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.

An object class name used to group objects of this or derived classes.

The list of classes from which this class is derived.

Specifies a presentation address associated with an object that represents an OSI application entity.

The description displayed on admin screens.

The name to be displayed on admin screens.

Attributes that will be permitted to be assigned to a class.

A list of attributes that can be modified on the object.

Classes that can be contained by a class.

A list of classes that can be modified.

The list of servers that are bridgeheads for replication.

The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).

The name that represents an object. Used to perform searches.

The date when this object was created. This value is replicated.

Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.

The display name for an object. This is usually the combination of the users first name, middle initial, and last name.

The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.

The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.

The DS-Core-Propagation-Data attribute is for internal use only.

The name of a property page used to extend the UI of a directory object.

To be used by the object to store bit information.

This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.

Reference to replica sets to which this computer belongs.

Reference to subscriber objects for this member.

Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.

If TRUE, the object hosting this attribute must be replicated during installation of a new replica.

If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.

The distinguished name of the groups to which this object belongs.

Backward link to privileges held by a given principal.

The Distinguished Name (DN) of the last known parent of an orphaned object.

Represents the name of a locality, such as a town or city.

Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.

Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.

A computed attribute that represents the date when this object was last changed. This value is not replicated.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.

A list of service connection points that reference this NetBoot server.

List of nonsecurity-members for an Exchange distribution list.

Same as the Distinguished Name for an object. Used by Exchange.

The unique identifier for an object.

This can be used to store a version number for the object.

The name of the organizational unit.

The name of the company or organization.

Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.

The list of objects that this object can contain.

This attribute is used internally by Active Directory to help track interdomain moves.

A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.

List of all objects holding references to a given Query-Policy.

The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.

Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.

Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.

Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.

Lists the servers from which the directory will accept changes for the defined naming context.

Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.

The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.

This constructed attribute returns a single DWORD value that can have up to three bits set:

List of distinguished names that are related to an object.

Found in the domain naming context. The distinguished name of a computer under the sites folder.

TRUE if this attribute is to be visible in the Advanced mode of the UI.

The list of distinguished names for subnets that belong to this site.

List of subordinate references of a Naming Context.

The distinguished name for the location of the subschema object where a class or attribute is defined.

Specifies the object identifiers of application contexts that an OSI application supports.

An integer value that contains flags that define additional properties of the class. See Remarks.

The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.

The update sequence number (USN) assigned at object creation. See also, USN-Changed.

Contains the update sequence number (USN) for the last system object that was removed from a server.

The update sequence number (USN) for inter-site replication.

Contains the update sequence number (USN) for the last non-system object that was removed from a server.

Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.

References to objects in other ADSI namespaces.

This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):

The date when this object was last changed. This value is not replicated and exists in the global catalog.

The date when this object was created. This value is replicated and is in the global catalog.

A web page that is the primary landing page of a website.

A list of alternate webpages.

Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.

The full distinguished name.

The relative distinguished name.

The base distinguished name.

A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.

The Windows NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.

An object class name used to group objects of this or derived classes.

The list of classes from which this class is derived.

The description displayed on admin screens.

The name to be displayed on admin screens.

Attributes that will be permitted to be assigned to a class.

A list of attributes that can be modified on the object.

Classes that can be contained by a class.

A list of classes that can be modified.

The list of servers that are bridgeheads for replication.

The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).

The name that represents an object. Used to perform searches.

The date when this object was created. This value is replicated.

Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.

The display name for an object. This is usually the combination of the users first name, middle initial, and last name.

The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.

The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.

The DS-Core-Propagation-Data attribute is for internal use only.

The name of a property page used to extend the UI of a directory object.

To be used by the object to store bit information.

This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.

Reference to replica sets to which this computer belongs.

Reference to subscriber objects for this member.

Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.

If TRUE, the object hosting this attribute must be replicated during installation of a new replica.

If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.

The distinguished name of the groups to which this object belongs.

Backward link to privileges held by a given principal.

The Distinguished Name (DN) of the last known parent of an orphaned object.

Represents the name of a locality, such as a town or city.

Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.

Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.

A computed attribute that represents the date when this object was last changed. This value is not replicated.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.

A list of service connection points that reference this NetBoot server.

List of nonsecurity-members for an Exchange distribution list.

Same as the Distinguished Name for an object. Used by Exchange.

The unique identifier for an object.

This can be used to store a version number for the object.

The name of the organizational unit.

Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.

The list of objects that this object can contain.

This attribute is used internally by Active Directory to help track interdomain moves.

A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.

List of all objects holding references to a given Query-Policy.

The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.

Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.

Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.

Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.

Lists the servers from which the directory will accept changes for the defined naming context.

Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.

The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.

This constructed attribute returns a single DWORD value that can have up to three bits set:

List of distinguished names that are related to an object.

Found in the domain naming context. The distinguished name of a computer under the sites folder.

TRUE if this attribute is to be visible in the Advanced mode of the UI.

The list of distinguished names for subnets that belong to this site.

List of subordinate references of a Naming Context.

The distinguished name for the location of the subschema object where a class or attribute is defined.

An integer value that contains flags that define additional properties of the class. See Remarks.

The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.

The update sequence number (USN) assigned at object creation. See also, USN-Changed.

Contains the update sequence number (USN) for the last system object that was removed from a server.

The update sequence number (USN) for inter-site replication.

Contains the update sequence number (USN) for the last non-system object that was removed from a server.

Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.

References to objects in other ADSI namespaces.

This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):

The date when this object was last changed. This value is not replicated and exists in the global catalog.

The date when this object was created. This value is replicated and is in the global catalog.

A web page that is the primary landing page of a website.

A list of alternate webpages.

Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.

The full distinguished name.

The relative distinguished name.

The base distinguished name.

A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.

The Windows NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.

An object class name used to group objects of this or derived classes.

The list of classes from which this class is derived.

The description displayed on admin screens.

The name to be displayed on admin screens.

Attributes that will be permitted to be assigned to a class.

A list of attributes that can be modified on the object.

Classes that can be contained by a class.

A list of classes that can be modified.

The name of the application.

The list of servers that are bridgeheads for replication.

The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).

The name that represents an object. Used to perform searches.

The date when this object was created. This value is replicated.

Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.

The display name for an object. This is usually the combination of the users first name, middle initial, and last name.

The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.

The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.

The DS-Core-Propagation-Data attribute is for internal use only.

The name of a property page used to extend the UI of a directory object.

To be used by the object to store bit information.

This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.

Reference to replica sets to which this computer belongs.

Reference to subscriber objects for this member.

Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.

If TRUE, the object hosting this attribute must be replicated during installation of a new replica.

If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.

The distinguished name of the groups to which this object belongs.

Backward link to privileges held by a given principal.

The Distinguished Name (DN) of the last known parent of an orphaned object.

Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.

Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.

A computed attribute that represents the date when this object was last changed. This value is not replicated.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.

A list of service connection points that reference this NetBoot server.

List of nonsecurity-members for an Exchange distribution list.

The Notification-List attribute is not currently used.

Same as the Distinguished Name for an object. Used by Exchange.

The unique identifier for an object.

This can be used to store a version number for the object.

Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.

The list of objects that this object can contain.

This attribute is used internally by Active Directory to help track interdomain moves.

A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.

List of all objects holding references to a given Query-Policy.

The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.

Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.

Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.

Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.

Lists the servers from which the directory will accept changes for the defined naming context.

Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.

The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.

This constructed attribute returns a single DWORD value that can have up to three bits set:

Found in the domain naming context. The distinguished name of a computer under the sites folder.

TRUE if this attribute is to be visible in the Advanced mode of the UI.

The list of distinguished names for subnets that belong to this site.

List of subordinate references of a Naming Context.

The distinguished name for the location of the subschema object where a class or attribute is defined.

An integer value that contains flags that define additional properties of the class. See Remarks.

The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.

The update sequence number (USN) assigned at object creation. See also, USN-Changed.

Contains the update sequence number (USN) for the last system object that was removed from a server.

The update sequence number (USN) for inter-site replication.

Contains the update sequence number (USN) for the last non-system object that was removed from a server.

Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.

References to objects in other ADSI namespaces.

This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):

The date when this object was last changed. This value is not replicated and exists in the global catalog.

The date when this object was created. This value is replicated and is in the global catalog.

A web page that is the primary landing page of a website.

A list of alternate webpages.

Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.

The full distinguished name.

The relative distinguished name.

The base distinguished name.

A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.

The Windows NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.

An object class name used to group objects of this or derived classes.

The list of classes from which this class is derived.

The description displayed on admin screens.

The name to be displayed on admin screens.

Attributes that will be permitted to be assigned to a class.

A list of attributes that can be modified on the object.

Classes that can be contained by a class.

A list of classes that can be modified.

The name of the application.

The list of servers that are bridgeheads for replication.

The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).

The name that represents an object. Used to perform searches.

The date when this object was created. This value is replicated.

Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.

The display name for an object. This is usually the combination of the users first name, middle initial, and last name.

The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.

The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.

The DS-Core-Propagation-Data attribute is for internal use only.

The name of a property page used to extend the UI of a directory object.

To be used by the object to store bit information.

This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.

Reference to replica sets to which this computer belongs.

Reference to subscriber objects for this member.

Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.

If TRUE, the object hosting this attribute must be replicated during installation of a new replica.

If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.

The distinguished name of the groups to which this object belongs.

Backward link to privileges held by a given principal.

The Distinguished Name (DN) of the last known parent of an orphaned object.

Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.

Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.

A computed attribute that represents the date when this object was last changed. This value is not replicated.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.

A list of service connection points that reference this NetBoot server.

List of nonsecurity-members for an Exchange distribution list.

The Notification-List attribute is not currently used.

Same as the Distinguished Name for an object. Used by Exchange.

The unique identifier for an object.

This can be used to store a version number for the object.

Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.

The list of objects that this object can contain.

This attribute is used internally by Active Directory to help track interdomain moves.

A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.

List of all objects holding references to a given Query-Policy.

The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.

Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.

Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.

Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.

Lists the servers from which the directory will accept changes for the defined naming context.

Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.

The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.

This constructed attribute returns a single DWORD value that can have up to three bits set:

Found in the domain naming context. The distinguished name of a computer under the sites folder.

TRUE if this attribute is to be visible in the Advanced mode of the UI.

The list of distinguished names for subnets that belong to this site.

List of subordinate references of a Naming Context.

The distinguished name for the location of the subschema object where a class or attribute is defined.

An integer value that contains flags that define additional properties of the class. See Remarks.

The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.

The update sequence number (USN) assigned at object creation. See also, USN-Changed.

Contains the update sequence number (USN) for the last system object that was removed from a server.

The update sequence number (USN) for inter-site replication.

Contains the update sequence number (USN) for the last non-system object that was removed from a server.

Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.

References to objects in other ADSI namespaces.

This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):

The date when this object was last changed. This value is not replicated and exists in the global catalog.

The date when this object was created. This value is replicated and is in the global catalog.

A web page that is the primary landing page of a website.

A list of alternate webpages.

Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.

The full distinguished name.

The relative distinguished name.

The base distinguished name.

A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.

The Windows NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.

An object class name used to group objects of this or derived classes.

The list of classes from which this class is derived.

The description displayed on admin screens.

The name to be displayed on admin screens.

Attributes that will be permitted to be assigned to a class.

A list of attributes that can be modified on the object.

Classes that can be contained by a class.

A list of classes that can be modified.

The name of the application.

This attribute stores the schema version of the class store. It is used to provide correct behavior across schema changes.

The list of servers that are bridgeheads for replication.

The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).

The name that represents an object. Used to perform searches.

The date when this object was created. This value is replicated.

Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.

The display name for an object. This is usually the combination of the users first name, middle initial, and last name.

The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.

The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.

The DS-Core-Propagation-Data attribute is for internal use only.

The name of a property page used to extend the UI of a directory object.

To be used by the object to store bit information.

This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.

Reference to replica sets to which this computer belongs.

Reference to subscriber objects for this member.

Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.

If TRUE, the object hosting this attribute must be replicated during installation of a new replica.

If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.

The distinguished name of the groups to which this object belongs.

Backward link to privileges held by a given principal.

A list of keywords that can be used to locate a given connection point.

The Distinguished Name (DN) of the last known parent of an orphaned object.

The distinguished name of the user that is assigned to manage this object.

Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.

Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.

A computed attribute that represents the date when this object was last changed. This value is not replicated.

A link used to associate a COM+ Partition with a COM+ PartitionSet object.

A link used to associate a COM+ PartitionSet with a User object.

The value returned by this attribute is based on index sizes. This may be off by +/-10% on large containers, and the error is theoretically unbounded, but using this attribute helps the UI display the contents of a container.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.

Backward link for msDS-hasMasterNCs.

Backward link from member application group or user to Az-Role objects linking to it.

A list of past and present replication partners, and how current we are with each of them.

Replication partners for this partition. This server obtains replication data from these other servers, which act as sources.

Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available.

Backward link from non-member group or user to Az groups that link to it (same functionality as Non-Security-Member-BL).

Backward link for ms-DS-Object-Reference.

Backward link from Az-Operation to Az-Role objects that link to it.

Backward link from Az-Operation to Az-Task objects that link to it.

A list of metadata for each replicated attribute. The metadata indicates who changed the attribute last.

A list of metadata for each value of an attribute. The metadata indicates who changed the value last.

Used to store settings for an object. Its use is solely determined by the object's owner. We recommend using it to store name/value pairs. For example, color=blue.

Backward link from Az-Task to Az-Role objects that link to it.

Backward link from Az-Task to the Az-Task objects that link to it.

The backward link to the owner attribute. Contains a list of owners for an object.

A list of service connection points that reference this NetBoot server.

List of nonsecurity-members for an Exchange distribution list.

The Notification-List attribute is not currently used.

Same as the Distinguished Name for an object. Used by Exchange.

The unique identifier for an object.

This can be used to store a version number for the object.

Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.

The distinguished name of an object that has ownership of an object.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.

The list of objects that this object can contain.

This attribute is used internally by Active Directory to help track interdomain moves.

A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.

List of all objects holding references to a given Query-Policy.

The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.

Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.

Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.

Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.

Lists the servers from which the directory will accept changes for the defined naming context.

Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.

The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.

This constructed attribute returns a single DWORD value that can have up to three bits set:

Found in the domain naming context. The distinguished name of a computer under the sites folder.

TRUE if this attribute is to be visible in the Advanced mode of the UI.

The list of distinguished names for subnets that belong to this site.

This constructed attribute stores a list of classes contained in a class hierarchy, including abstract classes. This list does contain dynamically linked auxiliary classes.

List of subordinate references of a Naming Context.

The distinguished name for the location of the subschema object where a class or attribute is defined.

An integer value that contains flags that define additional properties of the class. See Remarks.

The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.

The update sequence number (USN) assigned at object creation. See also, USN-Changed.

Contains the update sequence number (USN) for the last system object that was removed from a server.

The update sequence number (USN) for inter-site replication.

Contains the update sequence number (USN) for the last non-system object that was removed from a server.

Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.

This attribute identifies the vendor for an application.

A general purpose version number.

A general purpose major version number.

A general purpose minor version number.

References to objects in other ADSI namespaces.

This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):

The date when this object was last changed. This value is not replicated and exists in the global catalog.

The date when this object was created. This value is replicated and is in the global catalog.

A web page that is the primary landing page of a website.

A list of alternate webpages.

Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.

The full distinguished name.

The relative distinguished name.

The base distinguished name.

A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.

The Windows NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.

An object class name used to group objects of this or derived classes.

The list of classes from which this class is derived.

The description displayed on admin screens.

The name to be displayed on admin screens.

Attributes that will be permitted to be assigned to a class.

A list of attributes that can be modified on the object.

Classes that can be contained by a class.

A list of classes that can be modified.

The list of servers that are bridgeheads for replication.

The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).

The name that represents an object. Used to perform searches.

The date when this object was created. This value is replicated.

The date and time that the object was created.

Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.

The display name for an object. This is usually the combination of the users first name, middle initial, and last name.

The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.

Unicode String Attribute, gives the list of Windows NT 4.0 Replication Domain Controllers.

The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.

The DS-Core-Propagation-Data attribute is for internal use only.

The name of a property page used to extend the UI of a directory object.

To be used by the object to store bit information.

Used in computing the kick off time in SamIGetAccountRestrictions. Logoff time minus Force Log off equals kick off time.

This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.

Reference to replica sets to which this computer belongs.

Reference to subscriber objects for this member.

Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.

If TRUE, the object hosting this attribute must be replicated during installation of a new replica.

If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.

The distinguished name of the groups to which this object belongs.

Backward link to privileges held by a given principal.

The Distinguished Name (DN) of the last known parent of an orphaned object.

The amount of time that an account is locked due to the Lockout-Threshold being exceeded. This value is stored as a large integer that represents the negative of the number of 100-nanosecond intervals from the time the Lockout-Threshold is exceeded that must elapse before the account is unlocked.

The range of time, in 100-nanosecond intervals, in which the system increments the incorrect logon count.

The number of invalid logon attempts that are permitted before the account is locked out.

Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.

Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.

The maximum amount of time, in 100-nanosecond intervals, a password is valid. This value is stored as a large integer that represents the number of 100-nanosecond intervals from the time the password was set before the password expires.

The minimum amount of time, in 100-nanosecond intervals, that a password is valid.

The minimum number of characters that a password must contain.

Net Logon Change Log serial number.

The Net Logon Change Log serial number at last promotion.

A computed attribute that represents the date when this object was last changed. This value is not replicated.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.

A list of service connection points that reference this NetBoot server.

The Next Rid field used by the mixed mode allocator.

List of nonsecurity-members for an Exchange distribution list.

Same as the Distinguished Name for an object. Used by Exchange.

The unique identifier for an object.

A binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal.

This can be used to store a version number for the object.

For holding OEM information. No longer used. Here for backward compatibility.

Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.

The list of objects that this object can contain.

This attribute is used internally by Active Directory to help track interdomain moves.

A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.

The number of old passwords to save.

Password Properties. Part of Domain Policy. A bitfield to indicate complexity and storage restrictions.

List of all objects holding references to a given Query-Policy.

The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.

Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.

Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.

Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.

Lists the servers from which the directory will accept changes for the defined naming context.

Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.

The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.

This constructed attribute returns a single DWORD value that can have up to three bits set:

Found in the domain naming context. The distinguished name of a computer under the sites folder.

For compatibility with pre-Windows 2000 Server servers. A computer running Windows NT Server can be a standalone server, a primary domain controller (PDC), or a backup domain controller (BDC).

Indicates whether the server is enabled or disabled. A value of 1 indicates that the server is enabled. A value of 2 indicates that the server is disabled. All other values are invalid.

TRUE if this attribute is to be visible in the Advanced mode of the UI.

The list of distinguished names for subnets that belong to this site.

List of subordinate references of a Naming Context.

The distinguished name for the location of the subschema object where a class or attribute is defined.

An integer value that contains flags that define additional properties of the class. See Remarks.

Indicates if the security account manager will enforce data sizes to make Active Directory compatible with the LanManager User Account System (UAS). If this value is 0, no limits are enforced. If this value is 1, the following limits are enforced.

The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.

The update sequence number (USN) assigned at object creation. See also, USN-Changed.

Contains the update sequence number (USN) for the last system object that was removed from a server.

The update sequence number (USN) for inter-site replication.

Contains the update sequence number (USN) for the last non-system object that was removed from a server.

Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.

References to objects in other ADSI namespaces.

This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):

The date when this object was last changed. This value is not replicated and exists in the global catalog.

The date when this object was created. This value is replicated and is in the global catalog.

A web page that is the primary landing page of a website.

A list of alternate webpages.

Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.

The full distinguished name.

The relative distinguished name.

The base distinguished name.

Cross certificate, Certificate Revocation List.

Certificates of trusted Certification Authorities.

Represents a list of certificates that have been revoked.

A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.

The Windows NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.

An object class name used to group objects of this or derived classes.

The list of classes from which this class is derived.

The description displayed on admin screens.

The name to be displayed on admin screens.

Attributes that will be permitted to be assigned to a class.

A list of attributes that can be modified on the object.

Classes that can be contained by a class.

A list of classes that can be modified.

The list of servers that are bridgeheads for replication.

Full distinguished name from the CA certificate.

The connection string for binding to a certification authority.

The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).

List of OID/CSP name concatenations.

URL for http connection to a certification authority.

Contains information for a certificate issued by a Certificate Server.

The name that represents an object. Used to perform searches.

The date when this object was created. This value is replicated.

Reference to certificate revocation list object associated with a certification authority.

V3 Cross Certificate.

Reference to the certification authorities that issued the current certificates for a certification authority.

List of certificates that have been revoked since the last delta update.

Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.

The display name for an object. This is usually the combination of the users first name, middle initial, and last name.

The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.

Name of computer as registered in DNS.

Reference to a domain that is associated with a certification authority.

Reference to the policy object that defines the Local Security Authority policy for the host domain.

The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.

The DS-Core-Propagation-Data attribute is for internal use only.

PKI - Certificate Templates.

The name of a property page used to extend the UI of a directory object.

To be used by the object to store bit information.

This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.

Reference to replica sets to which this computer belongs.

Reference to subscriber objects for this member.

Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.

If TRUE, the object hosting this attribute must be replicated during installation of a new replica.

If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.

The distinguished name of the groups to which this object belongs.

Backward link to privileges held by a given principal.

The Distinguished Name (DN) of the last known parent of an orphaned object.

Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.

Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.

A computed attribute that represents the date when this object was last changed. This value is not replicated.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.

This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.

A list of service connection points that reference this NetBoot server.

List of nonsecurity-members for an Exchange distribution list.

Same as the Distinguished Name for an object. Used by Exchange.

The unique identifier for an object.

This can be used to store a version number for the object.

Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.

The distinguished name of a certification authority (CA) object for a parent CA.

DER-encoded X.509v3 certificate for the parent certification authority.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.

Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.

The certificates that are about to become effective for this certification authority.

Reference to the certification authorities that issued the pending certificates for this certification authority.

The list of objects that this object can contain.

Last expired certificate for this certification authority.

Reference to the certification authorities that issued the last expired certificate for a certification authority.

This attribute is used internally by Active Directory to help track interdomain moves.

A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.

List of all objects holding references to a given Query-Policy.

The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.

Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.

Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.

Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.

Lists the servers from which the directory will accept changes for the defined naming context.

Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.

The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.

This constructed attribute returns a single DWORD value that can have up to three bits set:

Specifies information of suggested search criteria, which may be included in some entries that are expected to be a convenient base-object for the search operation, for example, country/region or organization.

Found in the domain naming context. The distinguished name of a computer under the sites folder.

TRUE if this attribute is to be visible in the Advanced mode of the UI.

This attribute indicates the type of algorithm that must be used to decode a digital signature during the authentication process.

The list of distinguished names for subnets that belong to this site.

List of subordinate references of a Naming Context.

The distinguished name for the location of the subschema object where a class or attribute is defined.

Specifies the object identifiers of application contexts that an OSI application supports.

An integer value that contains flags that define additional properties of the class. See Remarks.

Specifies the Teletex terminal identifier and, optionally, parameters, for a teletex terminal associated with an object.

The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.

The update sequence number (USN) assigned at object creation. See also, USN-Changed.

Contains the update sequence number (USN) for the last system object that was removed from a server.

The update sequence number (USN) for inter-site replication.

Contains the update sequence number (USN) for the last non-system object that was removed from a server.

Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.

References to objects in other ADSI namespaces.

This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):

The date when this object was last changed. This value is not replicated and exists in the global catalog.

The date when this object was created. This value is replicated and is in the global catalog.

A web page that is the primary landing page of a website.

A list of alternate webpages.

Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.

The full distinguished name.

The relative distinguished name.

The base distinguished name.

A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.

The Windows NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.

An object class name used to group objects of this or derived classes.

The list of classes from which this class is derived.

The date when the account expires. This value represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires.

String name of an ACS policy that applies to this user.

The user's address.

A user's home address.

Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively).

The description displayed on admin screens.

The name to be displayed on admin screens.

Attributes that will be permitted to be assigned to a class.

A list of attributes that can be modified on the object.

Classes that can be contained by a class.

A list of classes that can be modified.

The distinguished name of a user's administrative assistant.

The last time and date that an attempt to log on to this account was made with a password that is not valid. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last time a incorrect password was used is unknown.

The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown.

The list of servers that are bridgeheads for replication.

The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).

The list of catalogs that index storage on a given computer.

Specifies the code page for the user's language of choice. This value is not used by Windows 2000.

The name that represents an object. Used to perform searches.

The user's company name.

Used by DS Security to determine which users can perform specific operations on the host object.

Specifies the country/region code for the user's language of choice. This value is not used by Windows 2000.

The country/region in the address of the user. The country/region is represented as a 2-character code based on ISO-3166.