3.1.1.8.1 objectClass

  1. If the objectClass attribute value is user or computer, or derived from either of these classes, all of the following constraints MUST be satisfied:

    1. The objectSid attribute MUST be updated according to the supplemental trigger specified in section 3.1.1.9.2.

    2. The following attributes MUST be updated with the associated values if no value is present in the database.

      | Attribute | Value |
      | --- | --- |
      | badPwdCount | 0 |
      | codePage | 0 |
      | countryCode | 0 |
      | badPasswordTime | 0 |
      | lastLogoff | 0 |
      | lastLogon | 0 |
      | pwdLastSet | 0 |
      | accountExpires | 0x7FFFFFFF FFFFFFFF (default value) |
      | logonCount | 0 |

    3. If the value of the userAccountControl attribute in the database contains a bit that is specified in the following table, the sAMAccountType attribute MUST be updated with the corresponding value.

      | userAccountControl | sAMAccountType |
      | --- | --- |
      | UF_NORMAL_ACCOUNT | SAM_USER_OBJECT |
      | UF_INTERDOMAIN_TRUST_ACCOUNT | SAM_TRUST_ACCOUNT |
      | UF_WORKSTATION_TRUST_ACCOUNT | SAM_MACHINE_ACCOUNT |
      | UF_SERVER_TRUST_ACCOUNT | SAM_MACHINE_ACCOUNT |

    4. If the value of the userAccountControl attribute in the database contains a bit or bit combination that is specified in the following table, the primaryGroupId attribute MUST be updated with the corresponding value.

      | userAccountControl | primaryGroupId |
      | --- | --- |
      | UF_NORMAL_ACCOUNT | DOMAIN_GROUP_RID_USERS |
      | UF_INTERDOMAIN_TRUST_ACCOUNT | DOMAIN_GROUP_RID_USERS |
      | UF_WORKSTATION_TRUST_ACCOUNT | DOMAIN_GROUP_RID_COMPUTERS |
      | UF_SERVER_TRUST_ACCOUNT | DOMAIN_GROUP_RID_CONTROLLERS |
      | UF_WORKSTATION_TRUST_ACCOUNT & UF_PARTIAL_SECRETS_ACCOUNT | DOMAIN_GROUP_RID_READONLY_CONTROLLERS |

    5. If the value of the userAccountControl attribute in the database contains a bit that is specified in the following table, the userAccountControl attribute MUST be updated with the corresponding bit(s) using a bitwise OR.

      | userAccountControl | userAccountControl bits to augment existing value |
      | --- | --- |
      | UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE, UF_PASSWD_NOTREQD |

  2. If the objectClass attribute value is group or is derived from this class, all of the following constraints MUST be satisfied:

    1. The objectSid attribute MUST be updated according to the supplemental trigger specified in section 3.1.1.9.2.

    2. The groupType attribute MUST be updated, if no value is present in the database, with the value GROUP_TYPE_SECURITY_ACCOUNT.

    3. The sAMAccountType attribute MUST be updated with the value dictated by an exact match with the value in the groupType attribute.

      | groupType | sAMAccountType |
      | --- | --- |
      | GROUP_TYPE_SECURITY_ACCOUNT | SAM_GROUP_OBJECT |
      | GROUP_TYPE_ACCOUNT_GROUP | SAM_NON_SECURITY_GROUP_OBJECT |
      | GROUP_TYPE_SECURITY_RESOURCE | SAM_ALIAS_OBJECT |
      | GROUP_TYPE_RESOURCE_GROUP | SAM_NON_SECURITY_ALIAS_OBJECT |
      | GROUP_TYPE_SECURITY_UNIVERSAL | SAM_GROUP_OBJECT |
      | GROUP_TYPE_UNIVERSAL_GROUP | SAM_NON_SECURITY_GROUP_OBJECT |
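
The following sketch is an added example, not code from the specification: it models the user/computer and group constraints above on a plain dictionary, so the derived values can be compared against what a directory export actually holds. The numeric constant values, the function names, and the choice to test the UF_WORKSTATION_TRUST_ACCOUNT & UF_PARTIAL_SECRETS_ACCOUNT row before the single-bit row are assumptions; the objectSid step (section 3.1.1.9.2) is omitted.

```python
# Added example: the objectClass trigger modelled on a dict of attributes.
# Numeric constant values are assumptions (not given in this section).
UF_ACCOUNTDISABLE, UF_PASSWD_NOTREQD, UF_NORMAL_ACCOUNT = 0x2, 0x20, 0x200
UF_INTERDOMAIN_TRUST_ACCOUNT, UF_WORKSTATION_TRUST_ACCOUNT = 0x800, 0x1000
UF_SERVER_TRUST_ACCOUNT, UF_PARTIAL_SECRETS_ACCOUNT = 0x2000, 0x04000000
SAM_GROUP_OBJECT, SAM_NON_SECURITY_GROUP_OBJECT = 0x10000000, 0x10000001
SAM_ALIAS_OBJECT, SAM_NON_SECURITY_ALIAS_OBJECT = 0x20000000, 0x20000001
SAM_USER_OBJECT, SAM_MACHINE_ACCOUNT, SAM_TRUST_ACCOUNT = 0x30000000, 0x30000001, 0x30000002
DOMAIN_GROUP_RID_USERS, DOMAIN_GROUP_RID_COMPUTERS = 513, 515
DOMAIN_GROUP_RID_CONTROLLERS, DOMAIN_GROUP_RID_READONLY_CONTROLLERS = 516, 521
GROUP_TYPE_SECURITY_ACCOUNT = 0x80000002

DEFAULTS = {"badPwdCount": 0, "codePage": 0, "countryCode": 0, "badPasswordTime": 0,
            "lastLogoff": 0, "lastLogon": 0, "pwdLastSet": 0,
            "accountExpires": 0x7FFFFFFFFFFFFFFF, "logonCount": 0}
ACCOUNT_TYPE = [(UF_NORMAL_ACCOUNT, SAM_USER_OBJECT),
                (UF_INTERDOMAIN_TRUST_ACCOUNT, SAM_TRUST_ACCOUNT),
                (UF_WORKSTATION_TRUST_ACCOUNT, SAM_MACHINE_ACCOUNT),
                (UF_SERVER_TRUST_ACCOUNT, SAM_MACHINE_ACCOUNT)]
PRIMARY_GROUP = [  # bit-combination row first (assumed precedence)
    (UF_WORKSTATION_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT, DOMAIN_GROUP_RID_READONLY_CONTROLLERS),
    (UF_NORMAL_ACCOUNT, DOMAIN_GROUP_RID_USERS),
    (UF_INTERDOMAIN_TRUST_ACCOUNT, DOMAIN_GROUP_RID_USERS),
    (UF_WORKSTATION_TRUST_ACCOUNT, DOMAIN_GROUP_RID_COMPUTERS),
    (UF_SERVER_TRUST_ACCOUNT, DOMAIN_GROUP_RID_CONTROLLERS)]
GROUP_ACCOUNT_TYPE = {  # exact match on groupType
    0x80000002: SAM_GROUP_OBJECT, 0x00000002: SAM_NON_SECURITY_GROUP_OBJECT,
    0x80000004: SAM_ALIAS_OBJECT, 0x00000004: SAM_NON_SECURITY_ALIAS_OBJECT,
    0x80000008: SAM_GROUP_OBJECT, 0x00000008: SAM_NON_SECURITY_GROUP_OBJECT}

def apply_user_trigger(attrs):
    out = dict(attrs)
    for name, value in DEFAULTS.items():
        out.setdefault(name, value)          # only if no value is present
    uac = out.get("userAccountControl", 0)
    for key, table in (("sAMAccountType", ACCOUNT_TYPE), ("primaryGroupId", PRIMARY_GROUP)):
        hit = next((v for mask, v in table if uac & mask == mask), None)
        if hit is not None:
            out[key] = hit
    if uac & UF_NORMAL_ACCOUNT:              # augment with a bitwise OR
        out["userAccountControl"] = uac | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD
    return out

def apply_group_trigger(attrs):
    out = dict(attrs)
    out.setdefault("groupType", GROUP_TYPE_SECURITY_ACCOUNT)
    group_type = out["groupType"] & 0xFFFFFFFF  # exports may show it as signed 32-bit
    if group_type in GROUP_ACCOUNT_TYPE:
        out["sAMAccountType"] = GROUP_ACCOUNT_TYPE[group_type]
    return out
```

Under these assumed values, a new object carrying only UF_NORMAL_ACCOUNT ends up with userAccountControl 0x222: disabled, with no password required until the caller sets one and clears those bits.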