Active Directory Schema Terminology

The following terms are commonly used to refer to the Active Directory schema.

Attribute

Data items used to describe the objects that are represented by the classes that are defined in the schema. Attributes are defined in the schema separately from the classes; this allows a single attribute definition to be applied to many classes. For example, Description is an attribute that can be applied to any class in the schema. The Description attribute is defined once in the schema, assuring consistency, rather than having a different definition for Description of a user and Description of a printer.


The term property is frequently used interchangeably with the term attribute.


Attribute Instance

An occurrence of an attribute that is defined in the schema. This term is used to distinguish between the definition of an attribute and a discrete occurrence of the attribute. For example, storing a User object for "Jeff Smith" with the Common-Name attribute set to "Jeff Smith" creates an instance of Common-Name.

Class

A formal description of a discrete, identifiable type of object stored in the directory service. For example, User, Print-Queue, and Group are all classes. There are three distinct categories of classes: structural, abstract, and auxiliary. Only structural classes can have instances in the directory; abstract classes exist to be inherited from, and auxiliary classes bundle attributes that other classes include.

Class Instance

An occurrence of a class that is defined in the schema. This term is used to distinguish between the definition of a class and a discrete occurrence of the class. For example, storing a User object for "Jeff Smith" in the directory service creates an instance of User.

Content Rules

The definition of the possible contents of the class instances that are stored in the directory service. In NT Directory Services (NTDS), upon which Active Directory is based, the content rules are expressed by the Must-Contain and May-Contain attributes of the schema definition for each class (together with System-Must-Contain and System-May-Contain, which hold the parts of those rules that cannot be modified), combined with the rules inherited from the class's superclasses and auxiliary classes.

Derivation

See Inheritance.

Directory Information Tree

The directory itself, represented as a tree structure in which the vertices are the directory entries (class instances) and the connecting lines are the parent-child relationships between the entries.

DIT

See Directory Information Tree.

Control Access Rights

A right that governs an action rather than access to an attribute or object. Each control access right is represented by a Control-Access-Right object in the Extended-Rights container of the configuration partition, is identified by a GUID, and is granted through an object-type ACE whose access mask carries the control-access bit and whose object type names that GUID. For example, a user can be granted the right to allocate relative identifiers (RIDs).

Inheritance

The ability to build new object classes from existing object classes. The new class is defined as a subclass of the existing class, which becomes its superclass. A subclass inherits the attributes of its superclass, including its structure rules (Poss-Superiors) and content rules (Must-Contain and May-Contain).

LDAP

See Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol

A standard Internet protocol, carried over TCP/IP, used to query and modify the NTDS; LDAP version 3 is specified in RFC 4511. LDAP version 2 and version 3 are supported.

NT Security Descriptor

See Security Descriptor.

Object

A unit of data storage in the directory service. Directory service objects are not to be confused with COM objects or other object-oriented system objects, which have an executable component and run-time behavior. Directory service objects consist only of data. A directory service object is defined by a Class-Schema object and a group of Attribute-Schema objects referenced by the Class-Schema object.

Class-Schema and Attribute-Schema objects are themselves directory service objects, and have definitions in the schema like any other objects. See Class.

Object Identifier

Unique numeric values, issued by various issuing authorities, to uniquely identify data elements, syntaxes, and various other parts of distributed applications. Object Identifiers (OIDs) are found in OSI applications, X.500 Directories, SNMP, and other applications where uniqueness is important. OIDs are based on a tree structure, in which a superior issuing authority, such as the ISO, allocates a branch of the tree to a sub-authority, which in turn can allocate sub-branches.

OIDs in the NTDS include some issued under the joint ISO/ITU-T arc for X.500 classes and attributes (2.5.6 and 2.5.4), and some issued by Microsoft under its own arc. OID notation is a dotted string of numbers, for example "1.2.840.113556.1.5.4", which breaks down as follows.

Value     Meaning
1         ISO, the root authority; issued "1.2" to ANSI, which in turn...
2         ANSI; ...issued "1.2.840" to the USA, which in turn...
840       USA; ...issued "1.2.840.113556" to Microsoft...
113556    Microsoft; ...which internally manages several branches under "1.2.840.113556".
1         Microsoft DS (Active Directory)
5         NTDS classes (the sibling branch 1.2.840.113556.1.4 holds NTDS attributes)
4         Builtin-Domain (the full OID is the Governs-ID of that Class-Schema object)

OID

See Object Identifier.

Schema

A formal definition of the directory service contents and structure. The schema defines all attributes and classes. For each class, the Poss-Superiors, Must-Contain, and May-Contain attributes are defined. Poss-Superiors defines the possible tree structures for the directory service by specifying what classes can be the parent for any given class. Must-Contain and May-Contain list the attributes for a class that must be present to store the class and what additional attributes may optionally be present.

Security Descriptor

Information about the ownership of an object and the permissions that other users have on that object. Every directory object, schema entries included, carries this in its NT-Security-Descriptor attribute, whose String(NT-Sec-Desc) syntax holds the security descriptor in binary, self-relative form. For the text rendering of that data (owner, group, DACL and SACL as an SDDL string), see Security Descriptor String Format.
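The following Python is an added example, not code from the original page or from Windows: it decodes the binary, self-relative security descriptor that nTSecurityDescriptor holds into an SDDL-style string and then answers the question a practitioner actually asks of it, namely which trustees hold a given control access right. The sample descriptor is constructed inline (the owner and SYSTEM SIDs are the real well-known ones, the S-1-5-21-... domain SID is made up); the object-type GUID is the real rightsGuid of DS-Replication-Get-Changes-All. The SDDL rendering is this example's own and may order rights or flags differently from the Windows API.

```python
"""Decode a self-relative Windows security descriptor (the binary form held in
nTSecurityDescriptor) into an SDDL-style string and answer "who holds this control
access right?". Added example; not Windows or Active Directory library code."""
import struct
import uuid
from typing import List, Optional, Tuple

SE_DACL_PRESENT, SE_DACL_AUTO_INHERITED, SE_DACL_PROTECTED, SE_SELF_RELATIVE = 0x4, 0x400, 0x1000, 0x8000
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # the "CR" bit; an object-type GUID selects which right
# Access-mask bits rendered in this order: DS object rights first, then standard rights
RIGHTS = [(0x1, "CC"), (0x2, "DC"), (0x4, "LC"), (0x8, "SW"), (0x10, "RP"), (0x20, "WP"),
          (0x40, "DT"), (0x80, "LO"), (0x100, "CR"), (0x10000, "SD"), (0x20000, "RC"),
          (0x40000, "WD"), (0x80000, "WO")]
ACE_FLAGS = [(0x1, "OI"), (0x2, "CI"), (0x4, "NP"), (0x8, "IO"), (0x10, "ID")]
ACE_TYPES = {0: "A", 1: "D", 5: "OA", 6: "OD"}
WELL_KNOWN = {"S-1-5-18": "SY", "S-1-5-32-544": "BA", "S-1-1-0": "WD"}
# rightsGuid of the control access right queried below (DS-Replication-Get-Changes-All)
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

def parse_sid(buf: bytes, off: int) -> Tuple[str, int]:
    """Return (SID string, bytes consumed) for the SID structure at off."""
    rev, count = buf[off], buf[off + 1]
    if rev != 1 or count > 15 or off + 8 + 4 * count > len(buf):
        raise ValueError("malformed SID")
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "S-1-" + "-".join(map(str, (authority,) + subs)), 8 + 4 * count

def parse_acl(buf: bytes, off: int) -> List[tuple]:
    """Return (type, flags, mask, object_guid, inherited_object_guid, sid) per ACE."""
    rev, _, size, count, _ = struct.unpack_from("<BBHHH", buf, off)
    if rev not in (2, 4):
        raise ValueError(f"unsupported ACL revision {rev}")
    aces, pos, end = [], off + 8, min(off + size, len(buf))
    for _ in range(count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("ACE runs past its ACL")  # never trust AceSize from the wire
        mask, = struct.unpack_from("<I", buf, pos + 4)
        body, obj, inh = pos + 8, None, None
        if ace_type in (5, 6):  # *_OBJECT_ACE: optional GUIDs sit between mask and SID
            obj_flags, = struct.unpack_from("<I", buf, body)
            body += 4
            if obj_flags & 1:
                obj, body = str(uuid.UUID(bytes_le=buf[body:body + 16])), body + 16
            if obj_flags & 2:
                inh, body = str(uuid.UUID(bytes_le=buf[body:body + 16])), body + 16
        aces.append((ace_type, ace_flags, mask, obj, inh, parse_sid(buf, body)[0]))
        pos += ace_size
    return aces

def parse_sd(buf: bytes):
    rev, _, control, o_off, g_off, _, d_off = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("expected a revision-1 self-relative descriptor")
    owner = parse_sid(buf, o_off)[0] if o_off else None
    group = parse_sid(buf, g_off)[0] if g_off else None
    dacl = parse_acl(buf, d_off) if control & SE_DACL_PRESENT and d_off else None
    return control, owner, group, dacl

def sd_to_sddl(buf: bytes) -> str:
    control, owner, group, dacl = parse_sd(buf)
    out = "".join(f"{tag}:{WELL_KNOWN.get(s, s)}" for tag, s in (("O", owner), ("G", group)) if s)
    if dacl is not None:
        out += "D:" + ("P" if control & SE_DACL_PROTECTED else "") + ("AI" if control & SE_DACL_AUTO_INHERITED else "")
        for t, f, m, obj, inh, sid in dacl:
            flags = "".join(l for b, l in ACE_FLAGS if f & b)
            rights = "".join(l for b, l in RIGHTS if m & b)
            out += f"({ACE_TYPES.get(t, str(t))};{flags};{rights};{obj or ''};{inh or ''};{WELL_KNOWN.get(sid, sid)})"
    return out

def holders_of_control_right(buf: bytes, rights_guid: str) -> List[str]:
    """Trustees with an allow ACE carrying CR for rights_guid. An allow ACE with CR and
    no object type grants every control access right, so it is reported as well."""
    return [WELL_KNOWN.get(sid, sid) for t, _, m, obj, _, sid in parse_sd(buf)[3] or []
            if t in (0, 5) and m & ADS_RIGHT_DS_CONTROL_ACCESS and obj in (None, rights_guid.lower())]

def _sid_bytes(sid: str) -> bytes:
    auth, *subs = (int(p) for p in sid.split("-")[2:])
    return bytes([1, len(subs)]) + auth.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def _ace_bytes(ace_type: int, mask: int, sid: str, obj: Optional[str] = None) -> bytes:
    body = struct.pack("<I", mask)
    if obj:  # object ACE: flags word (ACE_OBJECT_TYPE_PRESENT) then the rights GUID
        body += struct.pack("<I", 1) + uuid.UUID(obj).bytes_le
    body += _sid_bytes(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def build_sample_sd() -> bytes:
    """Constructed input, not captured from a domain: BUILTIN\\Administrators owns the
    object, SYSTEM has full control, and a made-up domain SID holds Get-Changes-All."""
    owner = group = _sid_bytes("S-1-5-32-544")
    aces = _ace_bytes(0, 0x000F01FF, "S-1-5-18") + _ace_bytes(
        5, ADS_RIGHT_DS_CONTROL_ACCESS, "S-1-5-21-1111-2222-3333-1105", DS_REPL_GET_CHANGES_ALL)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), 2, 0) + aces
    o_off, g_off, d_off = 20, 20 + len(owner), 20 + len(owner) + len(group)
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT | SE_DACL_PROTECTED
    return struct.pack("<BBHIIII", 1, 0, control, o_off, g_off, 0, d_off) + owner + group + acl
```

Two design points matter here. Every offset and size read from the descriptor is checked against the buffer before it is dereferenced, because the bytes come from the directory and a malformed value must fail closed rather than read out of bounds. And holders_of_control_right deliberately reports an unscoped allow ACE with the CR bit (the full-control ACE for SYSTEM in the sample) alongside the GUID-scoped one, since such an ACE grants every control access right; an audit that only matched on the GUID would miss it.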

Structure Rules

The definition of the possible tree structure or structures. In the NTDS, the structure rules are completely expressed by the Poss-Superiors attribute present on each Class-Schema object, together with the Poss-Superiors values inherited from its superclasses. See Schema.
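The Inheritance, Schema, Content Rules and Structure Rules entries above describe one mechanism from four angles: a class's effective rules are the union of what it declares and what it inherits. The following Python is an added example (not Active Directory code) that makes that resolution concrete over a constructed, deliberately small schema whose keys mirror the Class-Schema attribute names (subClassOf, auxiliaryClass, possSuperiors, mustContain, mayContain). The attribute lists are illustrative subsets, and the treatment of a possible superior as satisfied by any class in the parent's superclass chain is this example's reading of the rule.

```python
"""Resolve a class's effective content rules (Must-Contain/May-Contain) and structure
rules (Poss-Superiors) through inheritance, then validate a proposed object.
Added example over a constructed, simplified schema; not Active Directory code."""
from typing import Dict, List, Set

# Constructed mini-schema. Keys mirror Class-Schema attribute names; the attribute
# lists are a small subset of the real ones and are illustrative only.
SCHEMA: Dict[str, dict] = {
    "top": dict(category="abstract", subClassOf="top",
                mustContain={"objectClass", "nTSecurityDescriptor"}, mayContain={"description"}),
    "person": dict(category="abstract", subClassOf="top",
                   mustContain={"cn"}, mayContain={"sn", "telephoneNumber"}),
    "organizationalPerson": dict(category="abstract", subClassOf="person", mayContain={"title", "l"}),
    "securityPrincipal": dict(category="auxiliary", subClassOf="top",
                              mustContain={"sAMAccountName", "objectSid"}),
    "user": dict(category="structural", subClassOf="organizationalPerson",
                 auxiliaryClass={"securityPrincipal"}, mayContain={"userPrincipalName"},
                 possSuperiors={"organizationalUnit", "domainDNS", "builtinDomain"}),
    "organizationalUnit": dict(category="structural", subClassOf="top", mustContain={"ou"},
                               possSuperiors={"organizationalUnit", "domainDNS"}),
    "domainDNS": dict(category="structural", subClassOf="top"),
    "builtinDomain": dict(category="structural", subClassOf="top", possSuperiors={"domainDNS"}),
}

def superclass_chain(schema: Dict[str, dict], cls: str) -> List[str]:
    """cls, its superclass, ... up to top. top names itself as its superclass, so stop
    at the first repeat rather than looping forever."""
    chain: List[str] = []
    while cls not in chain:
        chain.append(cls)
        cls = schema[cls].get("subClassOf", "top")
    return chain

def effective_rules(schema: Dict[str, dict], cls: str) -> Dict[str, Set[str]]:
    """Union of the three rule attributes over the superclass chain and over the
    chain of every auxiliary class reached along the way."""
    rules: Dict[str, Set[str]] = {"mustContain": set(), "mayContain": set(), "possSuperiors": set()}
    seen: Set[str] = set()
    pending = [cls]
    while pending:
        for link in superclass_chain(schema, pending.pop()):
            if link in seen:
                continue
            seen.add(link)
            for key in rules:
                rules[key] |= set(schema[link].get(key, ()))
            pending.extend(schema[link].get("auxiliaryClass", ()))
    return rules

def validate(schema: Dict[str, dict], cls: str, parent_cls: str, attrs: Set[str]) -> List[str]:
    """Return the rule violations for storing an instance of cls under parent_cls
    with exactly these attributes; an empty list means the object is storable."""
    problems: List[str] = []
    category = schema[cls]["category"]
    if category != "structural":
        problems.append(f"{cls} is {category}; only structural classes can be instantiated")
    rules = effective_rules(schema, cls)
    # Structure rule. The parent's objectClass values name its whole chain, so any link
    # of that chain listed in Poss-Superiors satisfies the rule (this example's reading).
    if not set(superclass_chain(schema, parent_cls)) & rules["possSuperiors"]:
        problems.append(f"{cls} may not be a child of {parent_cls}")
    # Content rules: every Must-Contain present, nothing outside Must-Contain/May-Contain.
    problems += [f"missing mandatory attribute {a}" for a in sorted(rules["mustContain"] - attrs)]
    problems += [f"attribute {a} is not permitted on {cls}"
                 for a in sorted(attrs - rules["mustContain"] - rules["mayContain"])]
    return problems
```

Run against the constructed schema, a user under an organizationalUnit with cn, sAMAccountName, objectSid and the two attributes inherited from top passes; the same user nested under another user fails the structure rule, a user missing sAMAccountName fails the content rule through the securityPrincipal auxiliary class rather than through its own definition, and person is rejected outright because abstract classes cannot be instantiated. The same resolution is what a domain controller performs before accepting an Add, and what a schema reviewer has to do by hand when deciding whether a proposed extension widens a class's effective Poss-Superiors or May-Contain.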

Subclass

A Class-Schema object that inherits from another Class-Schema object. See Inheritance.

Superclass

A Class-Schema object from which one or more other Class-Schema objects inherit. See Inheritance.

Tree

See Directory Information Tree.

X.500

A family of standards developed jointly by the ISO and the ITU-T (formerly the CCITT) that specify the naming, data representation, and communications protocols for a directory service. Active Directory takes its class and attribute model and its hierarchical naming from X.500 but is accessed through LDAP rather than the X.500 Directory Access Protocol.