Wednesday, 26 June 2019

Windows Active Directory step by step (5) ------ objectClass: User

The most important object classes in AD are User and Computer. As is well known, AD's main function is to manage user accounts and computer accounts.

This thread focuses on object class "User".

1. How to find the definition of an objectClass?

The object class definitions are also stored in a container in AD's database:

CN=Schema,CN=Configuration,DC=smallstrong,DC=org

Then we can search for any class definition with the filter "cn=<class name>". E.g. to find "User", we just need the filter "cn=User".

2. Attributes of objectClass "User"

The definition describes the "must have" attributes and the "may have" attributes.

Here we can find some familiar attributes, like "uid" and "employeeNumber".

3. The inheritance hierarchy

As in any OO language, an AD objectClass may be a subclass of other classes.

"User" inherits from object class "organizationalPerson", so it has all the attributes defined in "organizationalPerson" too.

Please note that the name "organizationalPerson" is not the cn attribute; instead, it is the lDAPDisplayName attribute. Shit! Microsoft always likes to break open standards.

So we can search it by filter:

lDAPDisplayName=organizationalPerson

We can see that its CN is "Organizational-Person", and that it is in turn a subclass of object class "person".

Now, let's find the definition of "person".

objectClass "person" is also a subclass of object class "top", which is the root class in LDAP.

As we can see, "top" is a subclass of itself. This is common for the root class of any OO hierarchy.

Now we can draw the whole picture of object class "user": user is a subclass of organizationalPerson, which is a subclass of person, which is a subclass of top.

4. An instance of object class "User"

Now that we know the definition of "User", let's look at an object of it. The most common user object is "Administrator".

Every user account is an object of the "User" class. Besides objectClass "User", an object can belong to multiple classes, with the restriction that it can belong to only one structural class.

Here we can see that "Administrator" also belongs to class "posixAccount", which is an auxiliary class. Later on we will discuss "posixAccount" in more detail, as it is the main class that allows Unix accounts to be stored in Windows AD.

Some important attributes of a User:

  • unicodePwd (this is where the hashed user password is saved)
  • userPrincipalName (this is one of the user names used by AD)
  • uid (this may be used by Unix)
  • homeDirectory (this may be used by Unix)

Another thing worth noticing is that both the "posixAccount" class and the "User" class share some attributes, like "uid". So for a user account that has "uid" set, we cannot tell which class the uid belongs to. But it doesn't matter, as long as it's "uid".
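To make the two points above concrete (the subClassOf walk from section 3 and the "one structural class plus auxiliaries" rule from section 4), here is an added example in Python. It is not code from the original post; it works on a constructed, abbreviated copy of the classSchema entries one would read from the CN=Schema container, keyed by lDAPDisplayName the way subClassOf and auxiliaryClass values are. The attribute lists are illustrative subsets, not the full AD definitions, and the Administrator objectClass values are likewise constructed to match the post. It walks the chain up to the self-referencing "top", merges the attributes from every class involved, reports which attributes (such as uid) are declared by more than one class, and picks the single structural class using objectClassCategory (1 = structural, 2 = abstract, 3 = auxiliary).

```python
# Added example (not from the original post): resolve an AD objectClass's
# inheritance chain, the attributes an object may carry, and its structural class.
# SCHEMA is a constructed, abbreviated stand-in for classSchema entries read from
# CN=Schema,CN=Configuration,DC=smallstrong,DC=org (the base named in the post).

SCHEMA_BASE = "CN=Schema,CN=Configuration,DC=smallstrong,DC=org"

# Constructed sample entries keyed by lDAPDisplayName. In AD, subClassOf and
# auxiliaryClass refer to other classes by lDAPDisplayName, not by cn.
# objectClassCategory: 1 = structural, 2 = abstract, 3 = auxiliary.
# Attribute lists are illustrative subsets only.
SCHEMA = {
    "top": {
        "cn": "Top",
        "subClassOf": "top",  # the root class names itself as its superclass
        "objectClassCategory": 2,
        "mustContain": ["objectClass", "instanceType", "nTSecurityDescriptor", "objectCategory"],
        "mayContain": ["cn", "description"],
    },
    "person": {
        "cn": "Person",
        "subClassOf": "top",
        "objectClassCategory": 2,
        "mustContain": ["cn"],
        "mayContain": ["sn", "telephoneNumber"],
    },
    "organizationalPerson": {
        "cn": "Organizational-Person",
        "subClassOf": "person",
        "objectClassCategory": 2,
        "mustContain": [],
        "mayContain": ["title", "employeeNumber"],
    },
    "user": {
        "cn": "User",
        "subClassOf": "organizationalPerson",
        "objectClassCategory": 1,
        "mustContain": [],
        "mayContain": ["unicodePwd", "userPrincipalName", "sAMAccountName", "homeDirectory", "uid"],
    },
    "posixAccount": {
        "cn": "posixAccount",
        "subClassOf": "top",
        "objectClassCategory": 3,
        "mustContain": [],
        "mayContain": ["uid", "uidNumber", "gidNumber", "loginShell"],
    },
}

# Constructed objectClass values of the Administrator object, as described in the post.
ADMINISTRATOR_OBJECT_CLASS = ["top", "person", "organizationalPerson", "user", "posixAccount"]


def schema_filter(ldap_display_name):
    """LDAP filter that finds a class definition under SCHEMA_BASE by lDAPDisplayName."""
    return f"(lDAPDisplayName={ldap_display_name})"


def inheritance_chain(name, schema=SCHEMA):
    """Walk subClassOf from `name` to the root, most specific class first.

    Stops when a class names itself (top) or the parent is not in the schema,
    so a self-referencing or broken chain can never loop forever.
    """
    chain, seen = [], set()
    while name in schema and name not in seen:
        chain.append(name)
        seen.add(name)
        name = schema[name]["subClassOf"]
    return chain


def resolve_attributes(object_classes, schema=SCHEMA):
    """Map every attribute the object may carry to the sorted classes declaring it."""
    classes = set()
    for oc in object_classes:
        classes.update(inheritance_chain(oc, schema))
    sources = {}
    for cls in classes:
        for attr in schema[cls]["mustContain"] + schema[cls]["mayContain"]:
            sources.setdefault(attr, set()).add(cls)
    return {attr: sorted(srcs) for attr, srcs in sorted(sources.items())}


def shared_attributes(object_classes, schema=SCHEMA):
    """Attributes declared by more than one class of the object (the 'uid' situation)."""
    return {a: s for a, s in resolve_attributes(object_classes, schema).items() if len(s) > 1}


def structural_class(object_classes, schema=SCHEMA):
    """Return the one structural class; an object may have exactly one."""
    structural = [oc for oc in object_classes if schema[oc]["objectClassCategory"] == 1]
    if len(structural) != 1:
        raise ValueError(f"expected exactly one structural class, found {structural}")
    return structural[0]


if __name__ == "__main__":
    print("search filter:", schema_filter("organizationalPerson"))
    print("chain:", " -> ".join(inheritance_chain("user")))
    print("structural class:", structural_class(ADMINISTRATOR_OBJECT_CLASS))
    print("shared attributes:", shared_attributes(ADMINISTRATOR_OBJECT_CLASS))
```

Against a real directory, the SCHEMA dictionary would be filled by issuing `schema_filter(...)` searches under SCHEMA_BASE and reading subClassOf, objectClassCategory, mustContain/mayContain (plus the systemMustContain/systemMayContain counterparts) from each result; the walking and merging logic stays the same.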
