3.1.1.2.3 Attributes


The attributes of class attributeSchema are specified in the following table.

The term "Unique" (in quotation marks) in the following table, and in the similar table for classSchema in section 3.1.1.2.4.8, means that the value satisfies the following constraint:

  • If the forest functional level is less than DS_BEHAVIOR_WIN2003, the value is unique among all values of this attribute in the set containing every attributeSchema and classSchema object in the schema NC.

  • If the forest functional level is DS_BEHAVIOR_WIN2003 or greater, the value is unique among all values of this attribute in the set containing every attributeSchema and classSchema object S in the schema NC that satisfies at least one of the following three conditions:

    • S!isDefunct ≠ TRUE, that is, S is active.

    • FLAG_ATTR_IS_RDN is present in S!systemFlags (defined in the following table).

    • S = C!rDNAttID (section 3.1.1.2.4.8) for some classSchema object C.
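The two-level "Unique" rule above is easy to misread, so here is an added example (not part of MS-ADTS) that evaluates it over a constructed schema fragment: at DS_BEHAVIOR_WIN2003 or greater a defunct attribute's value drops out of the uniqueness set unless the attribute is an RDN attribute or some classSchema object still names it in rDNAttID. The DS_BEHAVIOR_* values and FLAG_ATTR_IS_RDN bit follow MS-ADTS sections 6.1.4.2 and 2.2.10; the schema objects and OIDs are constructed.

```python
# Added example (not from MS-ADTS): evaluate the "Unique" constraint of
# section 3.1.1.2.3 over a toy schema NC. Constants: DS_BEHAVIOR_* values
# from MS-ADTS section 6.1.4.2 and FLAG_ATTR_IS_RDN from section 2.2.10.
from dataclasses import dataclass

DS_BEHAVIOR_WIN2000 = 0
DS_BEHAVIOR_WIN2003 = 2
FLAG_ATTR_IS_RDN = 0x00000020


@dataclass
class SchemaObject:
    """Minimal model of an attributeSchema or classSchema object in the schema NC."""
    object_class: str             # "attributeSchema" or "classSchema"
    ldap_display_name: str
    attribute_id: str = ""        # attributeSchema only (OID)
    is_defunct: bool = False
    system_flags: int = 0
    rdn_att_id: str = ""          # classSchema only: attributeID of its RDN attribute


def participates(s, schema, forest_level):
    """True if object S contributes its values to the 'Unique' set."""
    if forest_level < DS_BEHAVIOR_WIN2003:
        return True                               # every schema object counts
    if not s.is_defunct:
        return True                               # S!isDefunct != TRUE
    if s.system_flags & FLAG_ATTR_IS_RDN:
        return True                               # FLAG_ATTR_IS_RDN in S!systemFlags
    # S = C!rDNAttID for some classSchema object C
    return any(c.object_class == "classSchema" and c.rdn_att_id == s.attribute_id
               for c in schema)


def is_unique(attr_name, value, schema, forest_level):
    """Would `value` for the model field `attr_name` (for example
    'ldap_display_name' or 'attribute_id') satisfy the "Unique" constraint?"""
    for s in schema:
        existing = getattr(s, attr_name)
        if existing and existing == value and participates(s, schema, forest_level):
            return False
    return True


def sample_schema():
    """Constructed schema fragment: one defunct attribute plus two classes."""
    defunct = SchemaObject("attributeSchema", "exampleOldAttr",
                           attribute_id="1.2.3.4.5.6.7.8.9.1", is_defunct=True)
    cls_a = SchemaObject("classSchema", "exampleClassA")
    cls_b = SchemaObject("classSchema", "exampleClassB",
                         rdn_att_id="1.2.3.4.5.6.7.8.9.2")   # refers to some other attribute
    return [defunct, cls_a, cls_b]


def reuse_verdicts():
    """Can the lDAPDisplayName of the defunct attribute be reused by a new
    attribute? Returns a dict keyed by scenario; True means reuse is allowed."""
    schema = sample_schema()
    verdicts = {
        "win2000_level": is_unique("ldap_display_name", "exampleOldAttr",
                                   schema, DS_BEHAVIOR_WIN2000),
        "win2003_level": is_unique("ldap_display_name", "exampleOldAttr",
                                   schema, DS_BEHAVIOR_WIN2003),
    }
    # Same defunct attribute, but now a class still names it as its RDN attribute
    schema[2].rdn_att_id = schema[0].attribute_id
    verdicts["win2003_level_rdn_referenced"] = is_unique(
        "ldap_display_name", "exampleOldAttr", schema, DS_BEHAVIOR_WIN2003)
    return verdicts


if __name__ == "__main__":
    for scenario, ok in reuse_verdicts().items():
        print(f"{scenario}: {'reusable' if ok else 'taken'}")
```

The same helper applies to attributeID, schemaIDGUID and mAPIID: only the model field name changes. Note that msDS-IntId and linkID are deliberately not covered, since the table states they are unique regardless of forest functional level.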

The term system-only in the following table means that the attribute is defined with systemOnly TRUE. The value of the system-only attributes in the table can be specified on Add (except where noted) but cannot be modified on existing objects by LDAP Modify requests (except as specified in section 3.1.1.5.3.2), only by the system. The table is ordered with the system-only attributes before the other attributes.

Attribute

Description

objectClass

Equals the sequence [ top, classSchema ]. System-only.

attributeID

"Unique" OID that identifies this attribute. System-only.

schemaIDGUID

"Unique" GUID that identifies this attribute, used in security descriptors (SDs). If not specified on Add, the DC generates a GUID. This GUID MUST NOT be the NULL GUID. System-only.

msDS-IntId

Not specified on Add (if specified in the Add request, the DC returns error unwillingToPerform / <unrestricted>); the value (a 32-bit unsigned integer in the subrange [0x80000000..0xBFFFFFFF]) is generated by the DC. Present on attributeSchema objects added when forest functional level is DS_BEHAVIOR_WIN2003 or greater with FLAG_SCHEMA_BASE_OBJECT not present in systemFlags (below). The value of msDS-IntId is the ATTRTYP of this attributeSchema object. Unique among all values of this attribute on objects in the schema NC, regardless of forest functional level. System-only.

linkID

Optional. If present and not zero, this is a link attribute, and the linkID value is unique among all values of this attribute on objects in the schema NC, regardless of forest functional level. If linkID is even, the attribute is a forward link attribute; otherwise it is a back link attribute. The linkID of a back link attribute equals the linkID of the corresponding forward link attribute plus one. Special auto-generation behavior for the linkID attribute is specified in section 3.1.1.2.3.1. System-only.

mAPIID

Optional. "Unique" integer that identifies this attribute, used by Messaging Application Programming Interface (MAPI) clients. Not present on attributeSchema objects in AD LDS. Special auto-generation behavior for the mAPIID attribute is specified in section 3.1.1.2.3.2. System-only. If the DC functional level is DS_BEHAVIOR_WIN2008 or greater, the mAPIID attribute can be modified on attributeSchema objects that do not include FLAG_SCHEMA_BASE_OBJECT in the systemFlags attribute. Otherwise, the mAPIID attribute cannot be modified.

attributeSyntax

One of the three attributes that identify the syntax of the attribute. See section 3.1.1.2.2. System-only.

oMSyntax

One of the three attributes that identify the syntax of the attribute. See section 3.1.1.2.2. System-only.

oMObjectClass

Optional. One of the three attributes that identify the syntax of the attribute. See section 3.1.1.2.2. System-only.

isSingleValued

TRUE if this attribute is single-valued; FALSE if it is multivalued. If an attribute is multivalued, all values have the syntax specified for the attribute. System-only.

systemFlags

Optional. Flags that determine specific system operations; see section 2.2.10 for values. The systemFlags values specific to an attributeSchema object are:

FLAG_ATTR_NOT_REPLICATED: This attribute is nonreplicated.

Note If the FLAG_ATTR_NOT_REPLICATED bit is not specified on Add and the linkID value is odd (denoting a back link attribute), the DC adds the FLAG_ATTR_NOT_REPLICATED bit to the systemFlags value using a bitwise OR.

FLAG_ATTR_REQ_PARTIAL_SET_MEMBER: This attribute is a member of the PAS regardless of the value of the isMemberOfPartialAttributeSet attribute.

FLAG_ATTR_IS_CONSTRUCTED: This attribute is a constructed attribute.

FLAG_ATTR_IS_OPERATIONAL: This attribute is an operational attribute, as defined in [RFC2251] section 3.2.1.

FLAG_SCHEMA_BASE_OBJECT: This attribute is part of the base schema. Modifications to a base schema object are restricted as described in section 3.1.1.2.5.

FLAG_ATTR_IS_RDN: This attribute can be used as an RDN attribute of a class.

System-only.
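An added example (not from MS-ADTS) that ties the linkID rules to the systemFlags Note above: it decodes systemFlags, classifies a linkID as forward or back link, computes the partner linkID, reproduces the DC's behavior of OR-ing FLAG_ATTR_NOT_REPLICATED into systemFlags when an odd linkID is added, and checks a set of attributes for duplicate linkIDs and orphaned back links. Bit values follow MS-ADTS section 2.2.10; member/memberOf carry their well-known linkIDs 2 and 3, while the other attribute names and linkIDs are constructed.

```python
# Added example (not from MS-ADTS): decode systemFlags, classify linkID values
# and apply the back-link normalization rule from the systemFlags Note.
# Bit values follow MS-ADTS section 2.2.10.
FLAG_ATTR_NOT_REPLICATED = 0x00000001
FLAG_ATTR_REQ_PARTIAL_SET_MEMBER = 0x00000002
FLAG_ATTR_IS_CONSTRUCTED = 0x00000004
FLAG_ATTR_IS_OPERATIONAL = 0x00000008
FLAG_SCHEMA_BASE_OBJECT = 0x00000010
FLAG_ATTR_IS_RDN = 0x00000020

SYSTEM_FLAG_NAMES = {
    FLAG_ATTR_NOT_REPLICATED: "FLAG_ATTR_NOT_REPLICATED",
    FLAG_ATTR_REQ_PARTIAL_SET_MEMBER: "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER",
    FLAG_ATTR_IS_CONSTRUCTED: "FLAG_ATTR_IS_CONSTRUCTED",
    FLAG_ATTR_IS_OPERATIONAL: "FLAG_ATTR_IS_OPERATIONAL",
    FLAG_SCHEMA_BASE_OBJECT: "FLAG_SCHEMA_BASE_OBJECT",
    FLAG_ATTR_IS_RDN: "FLAG_ATTR_IS_RDN",
}


def decode_system_flags(value):
    """Names of the attributeSchema-specific bits set in value, lowest bit first."""
    return [name for bit, name in sorted(SYSTEM_FLAG_NAMES.items()) if value & bit]


def link_kind(link_id):
    """'none' (absent or zero), 'forward' (even) or 'back' (odd)."""
    if not link_id:
        return "none"
    return "forward" if link_id % 2 == 0 else "back"


def partner_link_id(link_id):
    """linkID of the paired attribute: back = forward + 1."""
    kind = link_kind(link_id)
    if kind == "none":
        return None
    return link_id + 1 if kind == "forward" else link_id - 1


def system_flags_on_add(requested_flags, link_id):
    """What the DC stores on Add: a back link attribute always gets
    FLAG_ATTR_NOT_REPLICATED, even if the Add request omitted it."""
    if link_kind(link_id) == "back":
        return requested_flags | FLAG_ATTR_NOT_REPLICATED
    return requested_flags


def check_links(attrs):
    """attrs: mapping lDAPDisplayName -> linkID (None/0 for non-link attributes).
    Returns problems: duplicate linkIDs (forbidden regardless of forest
    functional level) and back links whose forward partner does not exist."""
    problems = []
    by_id = {}
    for name, lid in attrs.items():
        if not lid:
            continue
        if lid in by_id:
            problems.append(f"linkID {lid} used by both {by_id[lid]} and {name}")
        by_id.setdefault(lid, name)
    for name, lid in attrs.items():
        if link_kind(lid) == "back" and partner_link_id(lid) not in by_id:
            problems.append(f"{name} (linkID {lid}) has no forward link with linkID {lid - 1}")
    return problems


# Constructed sample: member/memberOf use their real linkIDs; the rest are made up.
SAMPLE_LINKS = {
    "member": 2,
    "memberOf": 3,
    "exampleForward": 1000,
    "exampleBack": 1001,
    "exampleDuplicate": 1000,      # reuses a linkID: not allowed
    "exampleOrphanBack": 2001,     # no attribute with linkID 2000 exists
    "cn": None,
}

if __name__ == "__main__":
    print(decode_system_flags(system_flags_on_add(FLAG_SCHEMA_BASE_OBJECT, 3)))
    for problem in check_links(SAMPLE_LINKS):
        print("problem:", problem)
```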

systemOnly

Optional. The value of a system-only attribute cannot be modified on existing objects by LDAP Modify requests (except as specified in section 3.1.1.5.3.2), only by the system. System-only.

cn

RDN for the schema object.

lDAPDisplayName

"Unique" name that identifies this attribute, used by LDAP clients. If not specified on Add, the DC generates a value as specified in section 3.1.1.2.3.4. The syntax of lDAPDisplayName is described in [RFC2251] section 4.1.4.

attributeSecurityGUID

Optional. GUID by which the security system identifies the property set of this attribute. If present, this value MUST NOT be the NULL GUID. See the specification of property sets in section 3.1.1.2.3.3.

extendedCharsAllowed

Optional. If TRUE, character set constraint is not enforced on values of this attribute. Applies to attributes of syntax String(IA5), String(Numeric), String(Teletex), String(Printable).

rangeLower

Optional. Lower range of values that are allowed for this attribute. For syntax Integer, LargeInteger, Enumeration, String(UTC-Time), and String(Generalized-Time), rangeLower equals the minimum allowed value. For syntax Object(DN-binary), Object(DN-String), rangeLower equals the minimum length of the binary_value or string_value portion of the given value. For String(Unicode), rangeLower is the minimum length in characters. rangeLower does not affect the allowed values for syntax Boolean and Object(DS-DN). For all other syntaxes, rangeLower equals the minimum length in bytes. Note that rangeLower is a 32-bit integer and cannot express the full range of LargeInteger, String(UTC-Time), and String(Generalized-Time).

rangeUpper

Optional. Upper range of values that are allowed for this attribute. For syntax Integer, LargeInteger, Enumeration, String(UTC-Time), and String(Generalized-Time), rangeUpper equals the maximum allowed value. For syntax Object(DN-binary), Object(DN-String), rangeUpper equals the maximum length of the binary_value or string_value portion of the given value. For String(Unicode), rangeUpper is the maximum length in characters. rangeUpper does not affect the allowed values for syntax Boolean and Object(DS-DN). For all other syntaxes, rangeUpper equals the maximum length in bytes. Note that rangeUpper is a 32-bit integer and cannot express the full range of LargeInteger, String(UTC-Time), and String(Generalized-Time).
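Because the quantity that rangeLower and rangeUpper constrain depends on the syntax (a numeric value, a character count, a byte count, the payload of a DN-binary/DN-String value, or nothing at all), a validator has to branch on syntax. The following is an added example (not from MS-ADTS) that does so and also flags range bounds that do not fit in the 32-bit rangeLower/rangeUpper attributes. Two assumptions are made: the binary_value portion of an Object(DN-binary) value is measured in decoded bytes, and String(UTC-Time)/String(Generalized-Time) values are passed in already converted to integers. The sample values are constructed.

```python
# Added example (not from MS-ADTS): apply rangeLower/rangeUpper to a value
# according to the syntax-dependent rules of section 3.1.1.2.3.
# Assumptions: Object(DN-binary) binary_value is measured in decoded bytes;
# time syntaxes are passed as already-decoded integers.

NUMERIC_SYNTAXES = {"Integer", "LargeInteger", "Enumeration",
                    "String(UTC-Time)", "String(Generalized-Time)"}
UNCONSTRAINED_SYNTAXES = {"Boolean", "Object(DS-DN)"}   # range has no effect
INT32_MIN, INT32_MAX = -2 ** 31, 2 ** 31 - 1


def _dn_payload(value):
    """Split 'B:<count>:<payload>:<DN>' / 'S:<count>:<payload>:<DN>' and
    return (kind, payload). maxsplit=3 keeps colons inside the DN intact."""
    parts = value.split(":", 3)
    if len(parts) != 4 or parts[0] not in ("B", "S"):
        raise ValueError(f"malformed DN-binary/DN-String value: {value!r}")
    return parts[0], parts[2]


def constrained_quantity(syntax, value):
    """The number that rangeLower/rangeUpper are compared against, or None
    when the syntax is not subject to range checking."""
    if syntax in UNCONSTRAINED_SYNTAXES:
        return None
    if syntax in NUMERIC_SYNTAXES:
        return int(value)                       # the value itself
    if syntax in ("Object(DN-binary)", "Object(DN-String)"):
        kind, payload = _dn_payload(value)      # only the payload portion counts
        return len(bytes.fromhex(payload)) if kind == "B" else len(payload)
    if syntax == "String(Unicode)":
        return len(value)                       # characters, not bytes
    data = value if isinstance(value, (bytes, bytearray)) else str(value).encode("utf-8")
    return len(data)                            # all other syntaxes: bytes


def check_range(syntax, value, range_lower=None, range_upper=None):
    """True if value satisfies the rangeLower/rangeUpper bounds (None = absent)."""
    quantity = constrained_quantity(syntax, value)
    if quantity is None:
        return True
    if range_lower is not None and quantity < range_lower:
        return False
    if range_upper is not None and quantity > range_upper:
        return False
    return True


def representable_range_bound(bound):
    """rangeLower/rangeUpper are 32-bit integers: a LargeInteger or time bound
    outside this interval cannot be expressed at all."""
    return INT32_MIN <= bound <= INT32_MAX


if __name__ == "__main__":
    # Constructed sample values; the DN is made up.
    cases = [
        ("String(Unicode)", "héllo", 1, 5),
        ("String(Octet)", b"\x00" * 6, 1, 5),
        ("Object(DN-binary)", "B:8:deadbeef:CN=Example,DC=example,DC=test", 4, 4),
        ("Object(DN-String)", "S:5:hello:CN=Example,DC=example,DC=test", 1, 4),
        ("Boolean", "TRUE", 10, 10),
        ("Integer", 300, 0, 255),
    ]
    for syntax, value, lo, hi in cases:
        print(syntax, check_range(syntax, value, lo, hi))
    print("2**40 fits in rangeUpper:", representable_range_bound(2 ** 40))
```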

searchFlags

Optional. The searchFlags attribute specifies whether an attribute is indexed, among other things; see section 2.2.9 for values. It contains bitwise flags as follows:

fATTINDEX: *

fPDNTATTINDEX: *

fANR: Add this attribute to the ambiguous name resolution (ANR) set. If this flag is set, then fATTINDEX MUST also be set. See section 3.1.1.3.1.3.4 for ANR searches.

fPRESERVEONDELETE: Specifies that the attribute values MUST be preserved on objects after deletion of the object (that is, when the object is transformed to a tombstone or recycled-object). This flag is ignored for the attributes objectCategory and sAMAccountType, plus all linked attributes.

fCOPY: Specifies a hint to LDAP clients that the attribute is intended to be copied when copying the object. This flag is not interpreted by the server.

fTUPLEINDEX: *

fSUBTREEATTINDEX: *

fCONFIDENTIAL: This attribute is confidential, so a special access check is required; for details, see the Extended Access Checks in section 3.1.1.4.4.

fNEVERVALUEAUDIT: Auditing of changes to values contained in this attribute MUST NOT be performed. Auditing is outside the state model.

fRODCFilteredAttribute: This attribute is part of the filtered attribute set. This flag is only effective on a DC whose DC functionality level is DS_BEHAVIOR_WIN2008 or greater. See section 3.1.1.2.3.5 for additional restrictions.

fEXTENDEDLINKTRACKING: The effects of this search flag are outside the state model. Suggests that a DC do additional internal tracking for link changes. This flag can be ignored by other implementations but MUST NOT be used in a conflicting way that would affect the performance of Windows DCs.

fBASEONLY: This attribute is returned only on searches scoped to one object.

fPARTITIONSECRET: This attribute requires extended access checks to add, read, and update.

The effects of searchFlags marked * are outside the state model. They direct the server to construct certain indexes that affect system performance. These flags can be ignored by other implementations but MUST NOT be used in a conflicting way that would affect the performance of Windows DCs.

schemaFlagsEx

Optional. The schemaFlagsEx attribute specifies whether an attribute can be part of the filtered attribute set; see section 2.2.11 for values. It contains bitwise flags as follows:

FLAG_ATTR_IS_CRITICAL: If this flag is set and the fRODCFilteredAttribute flag in searchFlags is also set, the fRODCFilteredAttribute flag is ignored. If fRODCFilteredAttribute is not set, then setting this flag has no effect. This flag is effective only on a DC whose DC functionality level is DS_BEHAVIOR_WIN2008 or greater; it is ignored by a DC that is not at that level or greater.

isMemberOfPartialAttributeSet

Optional. If TRUE, the attribute is a member of the forest's partial attribute set.

An attribute is a member of the forest's partial attribute set if and only if either (1) this attribute is TRUE or (2) the FLAG_ATTR_REQ_PARTIAL_SET_MEMBER bit is set in the systemFlags attribute.

If this attribute is TRUE and the FLAG_ATTR_NOT_REPLICATED bit is set in the systemFlags attribute, and if the attribute is modified on a DC that is also a GC server, then the value of the attribute is accessible through that GC server, but the value of the attribute does not replicate. If the FLAG_ATTR_NOT_REPLICATED bit is set in the systemFlags attribute, the attribute value does not replicate to other GC servers.
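The searchFlags, schemaFlagsEx and isMemberOfPartialAttributeSet cells above each state a rule that only makes sense in combination: fANR requires fATTINDEX; FLAG_ATTR_IS_CRITICAL cancels fRODCFilteredAttribute, and both are only effective at DS_BEHAVIOR_WIN2008 or greater; PAS membership comes from either isMemberOfPartialAttributeSet or FLAG_ATTR_REQ_PARTIAL_SET_MEMBER; and a PAS member carrying FLAG_ATTR_NOT_REPLICATED is readable only through the GC it was changed on. The following added example (not from MS-ADTS) computes these effective properties for a schema attribute, which is what an auditor reviewing which attributes are confidential, filtered from RODCs or exposed through the GC needs. Bit values follow MS-ADTS sections 2.2.9, 2.2.10 and 2.2.11 and DS_BEHAVIOR_WIN2008 follows section 6.1.4.2; the attribute names and settings in SAMPLE_ATTRIBUTES are constructed.

```python
# Added example (not from MS-ADTS): compute the effective meaning of
# searchFlags, schemaFlagsEx, systemFlags and isMemberOfPartialAttributeSet.
# Bit values follow MS-ADTS sections 2.2.9 (searchFlags), 2.2.10 (systemFlags)
# and 2.2.11 (schemaFlagsEx); DS_BEHAVIOR_WIN2008 follows section 6.1.4.2.
fATTINDEX = 0x00000001
fPDNTATTINDEX = 0x00000002
fANR = 0x00000004
fPRESERVEONDELETE = 0x00000008
fCOPY = 0x00000010
fTUPLEINDEX = 0x00000020
fSUBTREEATTINDEX = 0x00000040
fCONFIDENTIAL = 0x00000080
fNEVERVALUEAUDIT = 0x00000100
fRODCFilteredAttribute = 0x00000200
fEXTENDEDLINKTRACKING = 0x00000400
fBASEONLY = 0x00000800
fPARTITIONSECRET = 0x00001000

FLAG_ATTR_IS_CRITICAL = 0x00000001              # schemaFlagsEx
FLAG_ATTR_NOT_REPLICATED = 0x00000001           # systemFlags
FLAG_ATTR_REQ_PARTIAL_SET_MEMBER = 0x00000002   # systemFlags
DS_BEHAVIOR_WIN2003 = 2
DS_BEHAVIOR_WIN2008 = 3

SEARCH_FLAG_NAMES = {
    fATTINDEX: "fATTINDEX", fPDNTATTINDEX: "fPDNTATTINDEX", fANR: "fANR",
    fPRESERVEONDELETE: "fPRESERVEONDELETE", fCOPY: "fCOPY",
    fTUPLEINDEX: "fTUPLEINDEX", fSUBTREEATTINDEX: "fSUBTREEATTINDEX",
    fCONFIDENTIAL: "fCONFIDENTIAL", fNEVERVALUEAUDIT: "fNEVERVALUEAUDIT",
    fRODCFilteredAttribute: "fRODCFilteredAttribute",
    fEXTENDEDLINKTRACKING: "fEXTENDEDLINKTRACKING", fBASEONLY: "fBASEONLY",
    fPARTITIONSECRET: "fPARTITIONSECRET",
}
KNOWN_SEARCH_BITS = sum(SEARCH_FLAG_NAMES)


def decode_search_flags(value):
    """Names of the searchFlags bits set in value, lowest bit first."""
    return [name for bit, name in sorted(SEARCH_FLAG_NAMES.items()) if value & bit]


def validate_search_flags(value):
    """Constraints stated in the searchFlags cell; returns a list of problems."""
    problems = []
    if value & fANR and not value & fATTINDEX:
        problems.append("fANR requires fATTINDEX")
    if value & ~KNOWN_SEARCH_BITS:
        problems.append(f"unknown searchFlags bits 0x{value & ~KNOWN_SEARCH_BITS:x}")
    return problems


def in_partial_attribute_set(is_member_of_pas, system_flags):
    """PAS membership: isMemberOfPartialAttributeSet TRUE or the REQ bit set."""
    return bool(is_member_of_pas) or bool(system_flags & FLAG_ATTR_REQ_PARTIAL_SET_MEMBER)


def in_rodc_filtered_set(search_flags, schema_flags_ex, dc_level):
    """Effective filtered-attribute-set membership on a DC at dc_level."""
    if dc_level < DS_BEHAVIOR_WIN2008:
        return False                                # flag not effective below WIN2008
    if not search_flags & fRODCFilteredAttribute:
        return False
    return not (schema_flags_ex & FLAG_ATTR_IS_CRITICAL)   # critical overrides filtering


def audit_attribute(attr, dc_level=DS_BEHAVIOR_WIN2008):
    """attr: dict with optional keys searchFlags, schemaFlagsEx, systemFlags,
    isMemberOfPartialAttributeSet. Returns the effective properties."""
    sf = attr.get("searchFlags", 0)
    sysf = attr.get("systemFlags", 0)
    is_pas_flag = attr.get("isMemberOfPartialAttributeSet", False)
    return {
        "problems": validate_search_flags(sf),
        "extended_access_check": bool(sf & (fCONFIDENTIAL | fPARTITIONSECRET)),
        "in_pas": in_partial_attribute_set(is_pas_flag, sysf),
        "rodc_filtered": in_rodc_filtered_set(sf, attr.get("schemaFlagsEx", 0), dc_level),
        # Readable via the GC it was modified on, but the value never replicates
        "gc_local_only": bool(is_pas_flag) and bool(sysf & FLAG_ATTR_NOT_REPLICATED),
    }


# Constructed sample attributes (names and settings are made up).
SAMPLE_ATTRIBUTES = {
    "exampleSecret": {"searchFlags": fCONFIDENTIAL | fRODCFilteredAttribute},
    "exampleCriticalSecret": {"searchFlags": fCONFIDENTIAL | fRODCFilteredAttribute,
                              "schemaFlagsEx": FLAG_ATTR_IS_CRITICAL},
    "exampleAnrOnly": {"searchFlags": fANR},
    "examplePasForced": {"systemFlags": FLAG_ATTR_REQ_PARTIAL_SET_MEMBER},
    "examplePasLocal": {"isMemberOfPartialAttributeSet": True,
                        "systemFlags": FLAG_ATTR_NOT_REPLICATED},
}

if __name__ == "__main__":
    for name, attr in SAMPLE_ATTRIBUTES.items():
        print(name, decode_search_flags(attr.get("searchFlags", 0)), audit_attribute(attr))
```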