ms-PKI-Key-Recovery-Agent class

One key recovery agent (KRA) object instance is created for each installed Cert Server (with a unique common name) during cert server setup. If two CAs were given the same common name during CA setup, they will share a single KRA object instance.

Entry	Value
CN	ms-PKI-Key-Recovery-Agent
Ldap-Display-Name	msPKI-Key-Recovery-Agent
Update Privilege	An admin installing a CA will need to be able to create a KRA instance in the KRA container. Installed cert servers need to be able to update the userCertificate attribute.
Update Frequency	A few certificates will be added at most every few months.
Schema-Id-Guid	26ccf238-a08e-4b86-9a82-a8c9ac7ee5cb

Implementations

• Windows Server 2003
• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012

Windows Server 2003

• Attributes

Entry	Value
System-Only	False
Object-Category	1
Default-Object-Category	-
Governs-Id	1.2.840.113556.1.5.195
Default-Hiding-Value	1
Rdn-Att-Id	Common-Name
Subclass of	User
Possible Superiors	Container
Auxiliary Classes	-
NT-Security-Descriptor	O:BAG:BAD:S:
Default Security Descriptor	D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
System-Flags	0x00000010

Windows Server 2003 Attributes

This class contains the following attributes for Windows Server 2003:

Attribute	Mandatory	Derived from
Account-Expires	False	User
ACS-Policy-Name	False	User
Address	False	Organizational-Person
Address-Home	False	User Organizational-Person
Admin-Count	False	User
Admin-Description	False	Top
Admin-Display-Name	False	Top
Allowed-Attributes	False	Top
Allowed-Attributes-Effective	False	Top
Allowed-Child-Classes	False	Top
Allowed-Child-Classes-Effective	False	Top
Assistant	False	Organizational-Person
attributeCertificateAttribute	False	Person
audio	False	User
Bad-Password-Time	False	User
Bad-Pwd-Count	False	User
Bridgehead-Server-List-BL	False	Top
Business-Category	False	User
Canonical-Name	False	Top
carLicense	False	User
Code-Page	False	User
Common-Name	True	Person Top
Company	False	Organizational-Person
Control-Access-Rights	False	User
Country-Code	False	Organizational-Person
Country-Name	False	Organizational-Person
Create-Time-Stamp	False	Top
DBCS-Pwd	False	User
Default-Class-Store	False	User
Department	False	Organizational-Person
departmentNumber	False	User
Description	False	Top
Desktop-Profile	False	User
Destination-Indicator	False	Organizational-Person
Display-Name	False	User Top
Display-Name-Printable	False	Top
Division	False	Organizational-Person
DSA-Signature	False	Top
DS-Core-Propagation-Data	False	Top
Dynamic-LDAP-Server	False	User
E-mail-Addresses	False	User Organizational-Person
Employee-ID	False	Organizational-Person
Employee-Number	False	User
Employee-Type	False	User
Extension-Name	False	Top
Facsimile-Telephone-Number	False	Organizational-Person
Flags	False	Top
From-Entry	False	Top
Frs-Computer-Reference-BL	False	Top
FRS-Member-Reference-BL	False	Top
FSMO-Role-Owner	False	Top
Generation-Qualifier	False	Organizational-Person
Given-Name	False	User Organizational-Person
Group-Membership-SAM	False	User
Group-Priority	False	User
Groups-to-Ignore	False	User
Home-Directory	False	User
Home-Drive	False	User
houseIdentifier	False	Organizational-Person
Initials	False	User Organizational-Person
Instance-Type	True	Top
International-ISDN-Number	False	Organizational-Person
Is-Critical-System-Object	False	Top
Is-Deleted	False	Top
Is-Member-Of-DL	False	Top
Is-Privilege-Holder	False	Top
jpegPhoto	False	User
labeledURI	False	User
Last-Known-Parent	False	Top
Last-Logoff	False	User
Last-Logon	False	User
Last-Logon-Timestamp	False	User
Lm-Pwd-History	False	User
Locale-ID	False	User
Locality-Name	False	Organizational-Person
Lockout-Time	False	User
Logo	False	Organizational-Person
Logon-Count	False	User
Logon-Hours	False	User
Logon-Workstation	False	User
Managed-Objects	False	Top
Manager	False	User Organizational-Person
Mastered-By	False	Top
Max-Storage	False	User
MHS-OR-Address	False	Organizational-Person
Modify-Time-Stamp	False	Top
ms-COM-PartitionSetLink	False	Top
ms-COM-UserLink	False	Top
ms-COM-UserPartitionSetLink	False	User
MS-DRM-Identity-Certificate	False	User
ms-DS-Allowed-To-Delegate-To	False	Organizational-Person
ms-DS-Approx-Immed-Subordinates	False	Top
ms-DS-Cached-Membership	False	User
ms-DS-Cached-Membership-Time-Stamp	False	User
MS-DS-Consistency-Child-Count	False	Top
MS-DS-Consistency-Guid	False	Top
MS-DS-Creator-SID	False	User
ms-DS-Mastered-By	False	Top
ms-DS-Members-For-Az-Role-BL	False	Top
ms-DS-NC-Repl-Cursors	False	Top
ms-DS-NC-Repl-Inbound-Neighbors	False	Top
ms-DS-NC-Repl-Outbound-Neighbors	False	Top
ms-DS-Non-Members-BL	False	Top
ms-DS-Object-Reference-BL	False	Top
ms-DS-Operations-For-Az-Role-BL	False	Top
ms-DS-Operations-For-Az-Task-BL	False	Top
ms-DS-Repl-Attribute-Meta-Data	False	Top
ms-DS-Repl-Value-Meta-Data	False	Top
ms-DS-Site-Affinity	False	User
ms-DS-Tasks-For-Az-Role-BL	False	Top
ms-DS-Tasks-For-Az-Task-BL	False	Top
ms-DS-User-Account-Control-Computed	False	User
ms-Exch-House-Identifier	False	Organizational-Person
ms-Exch-Owner-BL	False	Top
ms-IIS-FTP-Dir	False	User
ms-IIS-FTP-Root	False	User
MSMQ-Digests	False	User
MSMQ-Digests-Mig	False	User
MSMQ-Sign-Certificates	False	User
MSMQ-Sign-Certificates-Mig	False	User
msNPAllowDialin	False	User
msNPCallingStationID	False	User
msNPSavedCallingStationID	False	User
msRADIUSCallbackNumber	False	User
msRADIUSFramedIPAddress	False	User
msRADIUSFramedRoute	False	User
msRADIUSServiceType	False	User
msRASSavedCallbackNumber	False	User
msRASSavedFramedIPAddress	False	User
msRASSavedFramedRoute	False	User
netboot-SCP-BL	False	Top
Network-Address	False	User
Non-Security-Member-BL	False	Top
Nt-Pwd-History	False	User
NT-Security-Descriptor	True	Top
Obj-Dist-Name	False	Top
Object-Category	True	Top
Object-Class	True	Top
Object-Guid	False	Top
Object-Version	False	Top
Operator-Count	False	User
Organizational-Unit-Name	False	Organizational-Person
Organization-Name	False	User Organizational-Person
Other-Login-Workstations	False	User
Other-Mailbox	False	Organizational-Person
Other-Name	False	Organizational-Person
Other-Well-Known-Objects	False	Top
Partial-Attribute-Deletion-List	False	Top
Partial-Attribute-Set	False	Top
Personal-Title	False	Organizational-Person
Phone-Fax-Other	False	Organizational-Person
Phone-Home-Other	False	Organizational-Person
Phone-Home-Primary	False	User Organizational-Person
Phone-Ip-Other	False	Organizational-Person
Phone-Ip-Primary	False	Organizational-Person
Phone-ISDN-Primary	False	Organizational-Person
Phone-Mobile-Other	False	Organizational-Person
Phone-Mobile-Primary	False	User Organizational-Person
Phone-Office-Other	False	Organizational-Person
Phone-Pager-Other	False	Organizational-Person
Phone-Pager-Primary	False	User Organizational-Person
photo	False	User
Physical-Delivery-Office-Name	False	Organizational-Person
Picture	False	Organizational-Person
Possible-Inferiors	False	Top
Postal-Address	False	Organizational-Person
Postal-Code	False	Organizational-Person
Post-Office-Box	False	Organizational-Person
Preferred-Delivery-Method	False	Organizational-Person
preferredLanguage	False	User
Preferred-OU	False	User
Primary-Group-ID	False	User
Profile-Path	False	User
Proxied-Object-Name	False	Top
Proxy-Addresses	False	Top
Pwd-Last-Set	False	User
Query-Policy-BL	False	Top
RDN	False	Top
Registered-Address	False	Organizational-Person
Repl-Property-Meta-Data	False	Top
Repl-UpToDate-Vector	False	Top
Reports	False	Top
Reps-From	False	Top
Reps-To	False	Top
Revision	False	Top
roomNumber	False	User
Script-Path	False	User
SD-Rights-Effective	False	Top
secretary	False	User
See-Also	False	Person
Serial-Number	False	Person
Server-Reference-BL	False	Top
Service-Principal-Name	False	User
Show-In-Advanced-View-Only	False	Top
Site-Object-BL	False	Top
State-Or-Province-Name	False	Organizational-Person
Street-Address	False	Organizational-Person
Structural-Object-Class	False	Top
Sub-Refs	False	Top
SubSchemaSubEntry	False	Top
Surname	False	Person
System-Flags	False	Top
Telephone-Number	False	Person
Teletex-Terminal-Identifier	False	Organizational-Person
Telex-Number	False	Organizational-Person
Telex-Primary	False	Organizational-Person
Terminal-Server	False	User
Text-Country	False	Organizational-Person
Title	False	Organizational-Person
uid	False	User
Unicode-Pwd	False	User
User-Account-Control	False	User
User-Comment	False	Organizational-Person
User-Parameters	False	User
User-Password	False	Person
userPKCS12	False	User
User-Principal-Name	False	User
User-Shared-Folder	False	User
User-Shared-Folder-Other	False	User
User-SMIME-Certificate	False	User
User-Workstations	False	User
USN-Changed	False	Top
USN-Created	False	Top
USN-DSA-Last-Obj-Removed	False	Top
USN-Intersite	False	Top
USN-Last-Obj-Rem	False	Top
USN-Source	False	Top
Wbem-Path	False	Top
Well-Known-Objects	False	Top
When-Changed	False	Top
When-Created	False	Top
WWW-Home-Page	False	Top
WWW-Page-Other	False	Top
X121-Address	False	Organizational-Person
x500uniqueIdentifier	False	User
X509-Cert	False	User

Windows Server 2003 R2

• Attributes

Entry	Value
System-Only	False
Object-Category	1
Default-Object-Category	-
Governs-Id	1.2.840.113556.1.5.195
Default-Hiding-Value	1
Rdn-Att-Id	Common-Name
Subclass of	User
Possible Superiors	Container
Auxiliary Classes	-
NT-Security-Descriptor	O:BAG:BAD:S:
Default Security Descriptor	D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
System-Flags	0x00000010

Windows Server 2003 R2 Attributes

This class contains the following attributes for Windows Server 2003 R2:

Attribute	Mandatory	Derived from
Account-Expires	False	User
ACS-Policy-Name	False	User
Address	False	Organizational-Person
Address-Home	False	User Organizational-Person
Admin-Count	False	User
Admin-Description	False	Top
Admin-Display-Name	False	Top
Allowed-Attributes	False	Top
Allowed-Attributes-Effective	False	Top
Allowed-Child-Classes	False	Top
Allowed-Child-Classes-Effective	False	Top
Assistant	False	Organizational-Person
attributeCertificateAttribute	False	Person
audio	False	User
Bad-Password-Time	False	User
Bad-Pwd-Count	False	User
Bridgehead-Server-List-BL	False	Top
Business-Category	False	User
Canonical-Name	False	Top
carLicense	False	User
Code-Page	False	User
Common-Name	True	Person Top
Company	False	Organizational-Person
Control-Access-Rights	False	User
Country-Code	False	Organizational-Person
Country-Name	False	Organizational-Person
Create-Time-Stamp	False	Top
DBCS-Pwd	False	User
Default-Class-Store	False	User
Department	False	Organizational-Person
departmentNumber	False	User
Description	False	Top
Desktop-Profile	False	User
Destination-Indicator	False	Organizational-Person
Display-Name	False	User Top
Display-Name-Printable	False	Top
Division	False	Organizational-Person
DSA-Signature	False	Top
DS-Core-Propagation-Data	False	Top
Dynamic-LDAP-Server	False	User
E-mail-Addresses	False	User Organizational-Person
Employee-ID	False	Organizational-Person
Employee-Number	False	User
Employee-Type	False	User
Extension-Name	False	Top
Facsimile-Telephone-Number	False	Organizational-Person
Flags	False	Top
From-Entry	False	Top
Frs-Computer-Reference-BL	False	Top
FRS-Member-Reference-BL	False	Top
FSMO-Role-Owner	False	Top
Generation-Qualifier	False	Organizational-Person
Given-Name	False	User Organizational-Person
Group-Membership-SAM	False	User
Group-Priority	False	User
Groups-to-Ignore	False	User
Home-Directory	False	User
Home-Drive	False	User
houseIdentifier	False	Organizational-Person
Initials	False	User Organizational-Person
Instance-Type	True	Top
International-ISDN-Number	False	Organizational-Person
Is-Critical-System-Object	False	Top
Is-Deleted	False	Top
Is-Member-Of-DL	False	Top
Is-Privilege-Holder	False	Top
jpegPhoto	False	User
labeledURI	False	User
Last-Known-Parent	False	Top
Last-Logoff	False	User
Last-Logon	False	User
Last-Logon-Timestamp	False	User
Lm-Pwd-History	False	User
Locale-ID	False	User
Locality-Name	False	Organizational-Person
Lockout-Time	False	User
Logo	False	Organizational-Person
Logon-Count	False	User
Logon-Hours	False	User
Logon-Workstation	False	User
Managed-Objects	False	Top
Manager	False	User Organizational-Person
Mastered-By	False	Top
Max-Storage	False	User
MHS-OR-Address	False	Organizational-Person
Modify-Time-Stamp	False	Top
ms-COM-PartitionSetLink	False	Top
ms-COM-UserLink	False	Top
ms-COM-UserPartitionSetLink	False	User
ms-DFSR-ComputerReferenceBL	False	Top
ms-DFSR-MemberReferenceBL	False	Top
MS-DRM-Identity-Certificate	False	User
ms-DS-Allowed-To-Delegate-To	False	Organizational-Person
ms-DS-Approx-Immed-Subordinates	False	Top
ms-DS-Cached-Membership	False	User
ms-DS-Cached-Membership-Time-Stamp	False	User
MS-DS-Consistency-Child-Count	False	Top
MS-DS-Consistency-Guid	False	Top
MS-DS-Creator-SID	False	User
ms-DS-Mastered-By	False	Top
ms-DS-Members-For-Az-Role-BL	False	Top
ms-DS-NC-Repl-Cursors	False	Top
ms-DS-NC-Repl-Inbound-Neighbors	False	Top
ms-DS-NC-Repl-Outbound-Neighbors	False	Top
ms-DS-Non-Members-BL	False	Top
ms-DS-Object-Reference-BL	False	Top
ms-DS-Operations-For-Az-Role-BL	False	Top
ms-DS-Operations-For-Az-Task-BL	False	Top
ms-DS-Repl-Attribute-Meta-Data	False	Top
ms-DS-Repl-Value-Meta-Data	False	Top
ms-DS-Site-Affinity	False	User
ms-DS-Source-Object-DN	False	User
ms-DS-Tasks-For-Az-Role-BL	False	Top
ms-DS-Tasks-For-Az-Task-BL	False	Top
ms-DS-User-Account-Control-Computed	False	User
ms-Exch-House-Identifier	False	Organizational-Person
ms-Exch-Owner-BL	False	Top
ms-IIS-FTP-Dir	False	User
ms-IIS-FTP-Root	False	User
MSMQ-Digests	False	User
MSMQ-Digests-Mig	False	User
MSMQ-Sign-Certificates	False	User
MSMQ-Sign-Certificates-Mig	False	User
msNPAllowDialin	False	User
msNPCallingStationID	False	User
msNPSavedCallingStationID	False	User
msRADIUSCallbackNumber	False	User
msRADIUSFramedIPAddress	False	User
msRADIUSFramedRoute	False	User
msRADIUSServiceType	False	User
msRASSavedCallbackNumber	False	User
msRASSavedFramedIPAddress	False	User
msRASSavedFramedRoute	False	User
msSFU-30-Name	False	User
msSFU-30-Nis-Domain	False	User
msSFU-30-Posix-Member-Of	False	Top
netboot-SCP-BL	False	Top
Network-Address	False	User
Non-Security-Member-BL	False	Top
Nt-Pwd-History	False	User
NT-Security-Descriptor	True	Top
Obj-Dist-Name	False	Top
Object-Category	True	Top
Object-Class	True	Top
Object-Guid	False	Top
Object-Version	False	Top
Operator-Count	False	User
Organizational-Unit-Name	False	Organizational-Person
Organization-Name	False	User Organizational-Person
Other-Login-Workstations	False	User
Other-Mailbox	False	Organizational-Person
Other-Name	False	Organizational-Person
Other-Well-Known-Objects	False	Top
Partial-Attribute-Deletion-List	False	Top
Partial-Attribute-Set	False	Top
Personal-Title	False	Organizational-Person
Phone-Fax-Other	False	Organizational-Person
Phone-Home-Other	False	Organizational-Person
Phone-Home-Primary	False	User Organizational-Person
Phone-Ip-Other	False	Organizational-Person
Phone-Ip-Primary	False	Organizational-Person
Phone-ISDN-Primary	False	Organizational-Person
Phone-Mobile-Other	False	Organizational-Person
Phone-Mobile-Primary	False	User Organizational-Person
Phone-Office-Other	False	Organizational-Person
Phone-Pager-Other	False	Organizational-Person
Phone-Pager-Primary	False	User Organizational-Person
photo	False	User
Physical-Delivery-Office-Name	False	Organizational-Person
Picture	False	Organizational-Person
Possible-Inferiors	False	Top
Postal-Address	False	Organizational-Person
Postal-Code	False	Organizational-Person
Post-Office-Box	False	Organizational-Person
Preferred-Delivery-Method	False	Organizational-Person
preferredLanguage	False	User
Preferred-OU	False	User
Primary-Group-ID	False	User
Profile-Path	False	User
Proxied-Object-Name	False	Top
Proxy-Addresses	False	Top
Pwd-Last-Set	False	User
Query-Policy-BL	False	Top
RDN	False	Top
Registered-Address	False	Organizational-Person
Repl-Property-Meta-Data	False	Top
Repl-UpToDate-Vector	False	Top
Reports	False	Top
Reps-From	False	Top
Reps-To	False	Top
Revision	False	Top
roomNumber	False	User
Script-Path	False	User
SD-Rights-Effective	False	Top
secretary	False	User
See-Also	False	Person
Serial-Number	False	Person
Server-Reference-BL	False	Top
Service-Principal-Name	False	User
Show-In-Advanced-View-Only	False	Top
Site-Object-BL	False	Top
State-Or-Province-Name	False	Organizational-Person
Street-Address	False	Organizational-Person
Structural-Object-Class	False	Top
Sub-Refs	False	Top
SubSchemaSubEntry	False	Top
Surname	False	Person
System-Flags	False	Top
Telephone-Number	False	Person
Teletex-Terminal-Identifier	False	Organizational-Person
Telex-Number	False	Organizational-Person
Telex-Primary	False	Organizational-Person
Terminal-Server	False	User
Text-Country	False	Organizational-Person
Title	False	Organizational-Person
uid	False	User
Unicode-Pwd	False	User
User-Account-Control	False	User
User-Comment	False	Organizational-Person
User-Parameters	False	User
User-Password	False	Person
userPKCS12	False	User
User-Principal-Name	False	User
User-Shared-Folder	False	User
User-Shared-Folder-Other	False	User
User-SMIME-Certificate	False	User
User-Workstations	False	User
USN-Changed	False	Top
USN-Created	False	Top
USN-DSA-Last-Obj-Removed	False	Top
USN-Intersite	False	Top
USN-Last-Obj-Rem	False	Top
USN-Source	False	Top
Wbem-Path	False	Top
Well-Known-Objects	False	Top
When-Changed	False	Top
When-Created	False	Top
WWW-Home-Page	False	Top
WWW-Page-Other	False	Top
X121-Address	False	Organizational-Person
x500uniqueIdentifier	False	User
X509-Cert	False	User

Windows Server 2008

• Attributes

Entry	Value
System-Only	False
Object-Category	1
Default-Object-Category	-
Governs-Id	1.2.840.113556.1.5.195
Default-Hiding-Value	1
Rdn-Att-Id	Common-Name
Subclass of	User
Possible Superiors	Container
Auxiliary Classes	-
NT-Security-Descriptor	O:BAG:BAD:S:
Default Security Descriptor	D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
System-Flags	0x00000010

Windows Server 2008 Attributes

This class contains the following attributes for Windows Server 2008:

Attribute	Mandatory	Derived from
Account-Expires	False	User
ACS-Policy-Name	False	User
Address	False	Organizational-Person
Address-Home	False	User Organizational-Person
Admin-Count	False	User
Admin-Description	False	Top
Admin-Display-Name	False	Top
Allowed-Attributes	False	Top
Allowed-Attributes-Effective	False	Top
Allowed-Child-Classes	False	Top
Allowed-Child-Classes-Effective	False	Top
Assistant	False	Organizational-Person
attributeCertificateAttribute	False	Person
audio	False	User
Bad-Password-Time	False	User
Bad-Pwd-Count	False	User
Bridgehead-Server-List-BL	False	Top
Business-Category	False	User
Canonical-Name	False	Top
carLicense	False	User
Code-Page	False	User
Common-Name	True	Person Top
Company	False	Organizational-Person
Control-Access-Rights	False	User
Country-Code	False	Organizational-Person
Country-Name	False	Organizational-Person
Create-Time-Stamp	False	Top
DBCS-Pwd	False	User
Default-Class-Store	False	User
Department	False	Organizational-Person
departmentNumber	False	User
Description	False	Top
Desktop-Profile	False	User
Destination-Indicator	False	Organizational-Person
Display-Name	False	User Top
Display-Name-Printable	False	Top
Division	False	Organizational-Person
DSA-Signature	False	Top
DS-Core-Propagation-Data	False	Top
Dynamic-LDAP-Server	False	User
E-mail-Addresses	False	User Organizational-Person
Employee-ID	False	Organizational-Person
Employee-Number	False	User
Employee-Type	False	User
Extension-Name	False	Top
Facsimile-Telephone-Number	False	Organizational-Person
Flags	False	Top
From-Entry	False	Top
Frs-Computer-Reference-BL	False	Top
FRS-Member-Reference-BL	False	Top
FSMO-Role-Owner	False	Top
Generation-Qualifier	False	Organizational-Person
Given-Name	False	User Organizational-Person
Group-Membership-SAM	False	User
Group-Priority	False	User
Groups-to-Ignore	False	User
Home-Directory	False	User
Home-Drive	False	User
houseIdentifier	False	Organizational-Person
Initials	False	User Organizational-Person
Instance-Type	True	Top
International-ISDN-Number	False	Organizational-Person
Is-Critical-System-Object	False	Top
Is-Deleted	False	Top
Is-Member-Of-DL	False	Top
Is-Privilege-Holder	False	Top
jpegPhoto	False	User
labeledURI	False	User
Last-Known-Parent	False	Top
Last-Logoff	False	User
Last-Logon	False	User
Last-Logon-Timestamp	False	User
Lm-Pwd-History	False	User
Locale-ID	False	User
Locality-Name	False	Organizational-Person
Lockout-Time	False	User
Logo	False	Organizational-Person
Logon-Count	False	User
Logon-Hours	False	User
Logon-Workstation	False	User
Managed-Objects	False	Top
Manager	False	User Organizational-Person
Mastered-By	False	Top
Max-Storage	False	User
MHS-OR-Address	False	Organizational-Person
Modify-Time-Stamp	False	Top
ms-COM-PartitionSetLink	False	Top
ms-COM-UserLink	False	Top
ms-COM-UserPartitionSetLink	False	User
ms-DFSR-ComputerReferenceBL	False	Top
ms-DFSR-MemberReferenceBL	False	Top
MS-DRM-Identity-Certificate	False	User
ms-DS-Allowed-To-Delegate-To	False	Organizational-Person
ms-DS-Approx-Immed-Subordinates	False	Top
ms-DS-AuthenticatedAt-DC	False	User
ms-DS-AuthenticatedTo-Accountlist	False	Top
ms-DS-Cached-Membership	False	User
ms-DS-Cached-Membership-Time-Stamp	False	User
MS-DS-Consistency-Child-Count	False	Top
MS-DS-Consistency-Guid	False	Top
MS-DS-Creator-SID	False	User
ms-DS-Failed-Interactive-Logon-Count	False	User
ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon	False	User
ms-DS-HAB-Seniority-Index	False	Organizational-Person
ms-DS-Is-Domain-For	False	Top
ms-DS-Is-Full-Replica-For	False	Top
ms-DS-Is-Partial-Replica-For	False	Top
ms-DS-KrbTgt-Link-BL	False	Top
ms-DS-Last-Failed-Interactive-Logon-Time	False	User
ms-DS-Last-Successful-Interactive-Logon-Time	False	User
ms-DS-Mastered-By	False	Top
ms-DS-Members-For-Az-Role-BL	False	Top
ms-DS-NC-Repl-Cursors	False	Top
ms-DS-NC-Repl-Inbound-Neighbors	False	Top
ms-DS-NC-Repl-Outbound-Neighbors	False	Top
ms-DS-NC-RO-Replica-Locations-BL	False	Top
ms-DS-NC-Type	False	Top
ms-DS-Non-Members-BL	False	Top
ms-DS-Object-Reference-BL	False	Top
ms-DS-Operations-For-Az-Role-BL	False	Top
ms-DS-Operations-For-Az-Task-BL	False	Top
ms-DS-Phonetic-Company-Name	False	Organizational-Person
ms-DS-Phonetic-Department	False	Organizational-Person
ms-DS-Phonetic-Display-Name	False	Organizational-Person
ms-DS-Phonetic-First-Name	False	Organizational-Person
ms-DS-Phonetic-Last-Name	False	Organizational-Person
ms-DS-Principal-Name	False	Top
ms-DS-PSO-Applied	False	Top
ms-DS-Repl-Attribute-Meta-Data	False	Top
ms-DS-Repl-Value-Meta-Data	False	Top
ms-DS-Resultant-PSO	False	User
ms-DS-Revealed-DSAs	False	Top
ms-DS-Revealed-List-BL	False	Top
ms-DS-Secondary-KrbTgt-Number	False	User
ms-DS-Site-Affinity	False	User
ms-DS-Source-Object-DN	False	User
ms-DS-Supported-Encryption-Types	False	User
ms-DS-Tasks-For-Az-Role-BL	False	Top
ms-DS-Tasks-For-Az-Task-BL	False	Top
ms-DS-User-Account-Control-Computed	False	User
ms-DS-User-Password-Expiry-Time-Computed	False	User
ms-Exch-House-Identifier	False	Organizational-Person
ms-Exch-Owner-BL	False	Top
ms-IIS-FTP-Dir	False	User
ms-IIS-FTP-Root	False	User
MSMQ-Digests	False	User
MSMQ-Digests-Mig	False	User
MSMQ-Sign-Certificates	False	User
MSMQ-Sign-Certificates-Mig	False	User
msNPAllowDialin	False	User
msNPCallingStationID	False	User
msNPSavedCallingStationID	False	User
ms-PKI-AccountCredentials	False	User
ms-PKI-DPAPIMasterKeys	False	User
ms-PKI-RoamingTimeStamp	False	User
msRADIUSCallbackNumber	False	User
ms-RADIUS-FramedInterfaceId	False	User
msRADIUSFramedIPAddress	False	User
ms-RADIUS-FramedIpv6Prefix	False	User
ms-RADIUS-FramedIpv6Route	False	User
msRADIUSFramedRoute	False	User
ms-RADIUS-SavedFramedInterfaceId	False	User
ms-RADIUS-SavedFramedIpv6Prefix	False	User
ms-RADIUS-SavedFramedIpv6Route	False	User
msRADIUSServiceType	False	User
msRASSavedCallbackNumber	False	User
msRASSavedFramedIPAddress	False	User
msRASSavedFramedRoute	False	User
msSFU-30-Name	False	User
msSFU-30-Nis-Domain	False	User
msSFU-30-Posix-Member-Of	False	Top
ms-TS-Allow-Logon	False	User
ms-TS-Broken-Connection-Action	False	User
ms-TS-Connect-Client-Drives	False	User
ms-TS-Connect-Printer-Drives	False	User
ms-TS-Default-To-Main-Printer	False	User
MS-TS-ExpireDate	False	User
MS-TS-ExpireDate2	False	User
MS-TS-ExpireDate3	False	User
MS-TS-ExpireDate4	False	User
ms-TS-Home-Directory	False	User
ms-TS-Home-Drive	False	User
ms-TS-Initial-Program	False	User
MS-TS-LicenseVersion	False	User
MS-TS-LicenseVersion2	False	User
MS-TS-LicenseVersion3	False	User
MS-TS-LicenseVersion4	False	User
MS-TSLS-Property01	False	User
MS-TSLS-Property02	False	User
MS-TS-ManagingLS	False	User
MS-TS-ManagingLS2	False	User
MS-TS-ManagingLS3	False	User
MS-TS-ManagingLS4	False	User
ms-TS-Max-Connection-Time	False	User
ms-TS-Max-Disconnection-Time	False	User
ms-TS-Max-Idle-Time	False	User
ms-TS-Profile-Path	False	User
MS-TS-Property01	False	User
MS-TS-Property02	False	User
ms-TS-Reconnection-Action	False	User
ms-TS-Remote-Control	False	User
ms-TS-Work-Directory	False	User
netboot-SCP-BL	False	Top
Network-Address	False	User
Non-Security-Member-BL	False	Top
Nt-Pwd-History	False	User
NT-Security-Descriptor	True	Top
Obj-Dist-Name	False	Top
Object-Category	True	Top
Object-Class	True	Top
Object-Guid	False	Top
Object-Version	False	Top
Operator-Count	False	User
Organizational-Unit-Name	False	Organizational-Person
Organization-Name	False	User Organizational-Person
Other-Login-Workstations	False	User
Other-Mailbox	False	Organizational-Person
Other-Name	False	Organizational-Person
Other-Well-Known-Objects	False	Top
Partial-Attribute-Deletion-List	False	Top
Partial-Attribute-Set	False	Top
Personal-Title	False	Organizational-Person
Phone-Fax-Other	False	Organizational-Person
Phone-Home-Other	False	Organizational-Person
Phone-Home-Primary	False	User Organizational-Person
Phone-Ip-Other	False	Organizational-Person
Phone-Ip-Primary	False	Organizational-Person
Phone-ISDN-Primary	False	Organizational-Person
Phone-Mobile-Other	False	Organizational-Person
Phone-Mobile-Primary	False	User Organizational-Person
Phone-Office-Other	False	Organizational-Person
Phone-Pager-Other	False	Organizational-Person
Phone-Pager-Primary	False	User Organizational-Person
photo	False	User
Physical-Delivery-Office-Name	False	Organizational-Person
Picture	False	Organizational-Person
Possible-Inferiors	False	Top
Postal-Address	False	Organizational-Person
Postal-Code	False	Organizational-Person
Post-Office-Box	False	Organizational-Person
Preferred-Delivery-Method	False	Organizational-Person
preferredLanguage	False	User
Preferred-OU	False	User
Primary-Group-ID	False	User
Profile-Path	False	User
Proxied-Object-Name	False	Top
Proxy-Addresses	False	Top
Pwd-Last-Set	False	User
Query-Policy-BL	False	Top
RDN	False	Top
Registered-Address	False	Organizational-Person
Repl-Property-Meta-Data	False	Top
Repl-UpToDate-Vector	False	Top
Reports	False	Top
Reps-From	False	Top
Reps-To	False	Top
Revision	False	Top
roomNumber	False	User
Script-Path	False	User
SD-Rights-Effective	False	Top
secretary	False	User
See-Also	False	Person
Serial-Number	False	Person
Server-Reference-BL	False	Top
Service-Principal-Name	False	User
Show-In-Advanced-View-Only	False	Top
Site-Object-BL	False	Top
State-Or-Province-Name	False	Organizational-Person
Street-Address	False	Organizational-Person
Structural-Object-Class	False	Top
Sub-Refs	False	Top
SubSchemaSubEntry	False	Top
Surname	False	Person
System-Flags	False	Top
Telephone-Number	False	Person
Teletex-Terminal-Identifier	False	Organizational-Person
Telex-Number	False	Organizational-Person
Telex-Primary	False	Organizational-Person
Terminal-Server	False	User
Text-Country	False	Organizational-Person
Title	False	Organizational-Person
uid	False	User
Unicode-Pwd	False	User
User-Account-Control	False	User
User-Comment	False	Organizational-Person
User-Parameters	False	User
User-Password	False	Person
userPKCS12	False	User
User-Principal-Name	False	User
User-Shared-Folder	False	User
User-Shared-Folder-Other	False	User
User-SMIME-Certificate	False	User
User-Workstations	False	User
USN-Changed	False	Top
USN-Created	False	Top
USN-DSA-Last-Obj-Removed	False	Top
USN-Intersite	False	Top
USN-Last-Obj-Rem	False	Top
USN-Source	False	Top
Wbem-Path	False	Top
Well-Known-Objects	False	Top
When-Changed	False	Top
When-Created	False	Top
WWW-Home-Page	False	Top
WWW-Page-Other	False	Top
X121-Address	False	Organizational-Person
x500uniqueIdentifier	False	User
X509-Cert	False	User

Windows Server 2008 R2

• Attributes

Entry	Value
System-Only	False
Object-Category	1
Default-Object-Category	-
Governs-Id	1.2.840.113556.1.5.195
Default-Hiding-Value	1
Rdn-Att-Id	Common-Name
Subclass of	User
Possible Superiors	Container
Auxiliary Classes	-
NT-Security-Descriptor	O:BAG:BAD:S:
Default Security Descriptor	D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
System-Flags	0x00000010

Windows Server 2008 R2 Attributes

This class contains the following attributes for Windows Server 2008 R2:

Attribute	Mandatory	Derived from
Account-Expires	False	User
ACS-Policy-Name	False	User
Address	False	Organizational-Person
Address-Home	False	User Organizational-Person
Admin-Count	False	User
Admin-Description	False	Top
Admin-Display-Name	False	Top
Allowed-Attributes	False	Top
Allowed-Attributes-Effective	False	Top
Allowed-Child-Classes	False	Top
Allowed-Child-Classes-Effective	False	Top
Assistant	False	Organizational-Person
attributeCertificateAttribute	False	Person
audio	False	User
Bad-Password-Time	False	User
Bad-Pwd-Count	False	User
Bridgehead-Server-List-BL	False	Top
Business-Category	False	User
Canonical-Name	False	Top
carLicense	False	User
Code-Page	False	User
Common-Name	True	Person Top
Company	False	Organizational-Person
Control-Access-Rights	False	User
Country-Code	False	Organizational-Person
Country-Name	False	Organizational-Person
Create-Time-Stamp	False	Top
DBCS-Pwd	False	User
Default-Class-Store	False	User
Department	False	Organizational-Person
departmentNumber	False	User
Description	False	Top
Desktop-Profile	False	User
Destination-Indicator	False	Organizational-Person
Display-Name	False	User Top
Display-Name-Printable	False	Top
Division	False	Organizational-Person
DSA-Signature	False	Top
DS-Core-Propagation-Data	False	Top
Dynamic-LDAP-Server	False	User
E-mail-Addresses	False	User Organizational-Person
Employee-ID	False	Organizational-Person
Employee-Number	False	User
Employee-Type	False	User
Extension-Name	False	Top
Facsimile-Telephone-Number	False	Organizational-Person
Flags	False	Top
From-Entry	False	Top
Frs-Computer-Reference-BL	False	Top
FRS-Member-Reference-BL	False	Top
FSMO-Role-Owner	False	Top
Generation-Qualifier	False	Organizational-Person
Given-Name	False	User Organizational-Person
Group-Membership-SAM	False	User
Group-Priority	False	User
Groups-to-Ignore	False	User
Home-Directory	False	User
Home-Drive	False	User
houseIdentifier	False	Organizational-Person
Initials	False	User Organizational-Person
Instance-Type	True	Top
International-ISDN-Number	False	Organizational-Person
Is-Critical-System-Object	False	Top
Is-Deleted	False	Top
Is-Member-Of-DL	False	Top
Is-Privilege-Holder	False	Top
Is-Recycled	False	Top
jpegPhoto	False	User
labeledURI	False	User
Last-Known-Parent	False	Top
Last-Logoff	False	User
Last-Logon	False	User
Last-Logon-Timestamp	False	User
Lm-Pwd-History	False	User
Locale-ID	False	User
Locality-Name	False	Organizational-Person
Lockout-Time	False	User
Logo	False	Organizational-Person
Logon-Count	False	User
Logon-Hours	False	User
Logon-Workstation	False	User
Managed-Objects	False	Top
Manager	False	User Organizational-Person
Mastered-By	False	Top
Max-Storage	False	User
MHS-OR-Address	False	Organizational-Person
Modify-Time-Stamp	False	Top
ms-COM-PartitionSetLink	False	Top
ms-COM-UserLink	False	Top
ms-COM-UserPartitionSetLink	False	User
ms-DFSR-ComputerReferenceBL	False	Top
ms-DFSR-MemberReferenceBL	False	Top
MS-DRM-Identity-Certificate	False	User
ms-DS-Allowed-To-Delegate-To	False	Organizational-Person
ms-DS-Approx-Immed-Subordinates	False	Top
ms-DS-AuthenticatedAt-DC	False	User
ms-DS-AuthenticatedTo-Accountlist	False	Top
ms-DS-Cached-Membership	False	User
ms-DS-Cached-Membership-Time-Stamp	False	User
MS-DS-Consistency-Child-Count	False	Top
MS-DS-Consistency-Guid	False	Top
MS-DS-Creator-SID	False	User
ms-DS-Enabled-Feature-BL	False	Top
ms-DS-Failed-Interactive-Logon-Count	False	User
ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon	False	User
ms-DS-HAB-Seniority-Index	False	Organizational-Person
ms-DS-Host-Service-Account-BL	False	Top
ms-DS-Is-Domain-For	False	Top
ms-DS-Is-Full-Replica-For	False	Top
ms-DS-Is-Partial-Replica-For	False	Top
ms-DS-KrbTgt-Link-BL	False	Top
ms-DS-Last-Failed-Interactive-Logon-Time	False	User
ms-DS-Last-Known-RDN	False	Top
ms-DS-Last-Successful-Interactive-Logon-Time	False	User
ms-DS-local-Effective-Deletion-Time	False	Top
ms-DS-local-Effective-Recycle-Time	False	Top
ms-DS-Mastered-By	False	Top
ms-DS-Members-For-Az-Role-BL	False	Top
ms-DS-NC-Repl-Cursors	False	Top
ms-DS-NC-Repl-Inbound-Neighbors	False	Top
ms-DS-NC-Repl-Outbound-Neighbors	False	Top
ms-DS-NC-RO-Replica-Locations-BL	False	Top
ms-DS-NC-Type	False	Top
ms-DS-Non-Members-BL	False	Top
ms-DS-Object-Reference-BL	False	Top
ms-DS-OIDToGroup-Link-BL	False	Top
ms-DS-Operations-For-Az-Role-BL	False	Top
ms-DS-Operations-For-Az-Task-BL	False	Top
ms-DS-Phonetic-Company-Name	False	Organizational-Person
ms-DS-Phonetic-Department	False	Organizational-Person
ms-DS-Phonetic-Display-Name	False	Organizational-Person
ms-DS-Phonetic-First-Name	False	Organizational-Person
ms-DS-Phonetic-Last-Name	False	Organizational-Person
ms-DS-Principal-Name	False	Top
ms-DS-PSO-Applied	False	Top
ms-DS-Repl-Attribute-Meta-Data	False	Top
ms-DS-Repl-Value-Meta-Data	False	Top
ms-DS-Resultant-PSO	False	User
ms-DS-Revealed-DSAs	False	Top
ms-DS-Revealed-List-BL	False	Top
ms-DS-Secondary-KrbTgt-Number	False	User
ms-DS-Site-Affinity	False	User
ms-DS-Source-Object-DN	False	User
ms-DS-Supported-Encryption-Types	False	User
ms-DS-Tasks-For-Az-Role-BL	False	Top
ms-DS-Tasks-For-Az-Task-BL	False	Top
ms-DS-User-Account-Control-Computed	False	User
ms-DS-User-Password-Expiry-Time-Computed	False	User
ms-Exch-House-Identifier	False	Organizational-Person
ms-Exch-Owner-BL	False	Top
ms-IIS-FTP-Dir	False	User
ms-IIS-FTP-Root	False	User
MSMQ-Digests	False	User
MSMQ-Digests-Mig	False	User
MSMQ-Sign-Certificates	False	User
MSMQ-Sign-Certificates-Mig	False	User
msNPAllowDialin	False	User
msNPCallingStationID	False	User
msNPSavedCallingStationID	False	User
ms-PKI-AccountCredentials	False	User
ms-PKI-Credential-Roaming-Tokens	False	User
ms-PKI-DPAPIMasterKeys	False	User
ms-PKI-RoamingTimeStamp	False	User
msRADIUSCallbackNumber	False	User
ms-RADIUS-FramedInterfaceId	False	User
msRADIUSFramedIPAddress	False	User
ms-RADIUS-FramedIpv6Prefix	False	User
ms-RADIUS-FramedIpv6Route	False	User
msRADIUSFramedRoute	False	User
ms-RADIUS-SavedFramedInterfaceId	False	User
ms-RADIUS-SavedFramedIpv6Prefix	False	User
ms-RADIUS-SavedFramedIpv6Route	False	User
msRADIUSServiceType	False	User
msRASSavedCallbackNumber	False	User
msRASSavedFramedIPAddress	False	User
msRASSavedFramedRoute	False	User
msSFU-30-Name	False	User
msSFU-30-Nis-Domain	False	User
msSFU-30-Posix-Member-Of	False	Top
ms-TS-Allow-Logon	False	User
ms-TS-Broken-Connection-Action	False	User
ms-TS-Connect-Client-Drives	False	User
ms-TS-Connect-Printer-Drives	False	User
ms-TS-Default-To-Main-Printer	False	User
MS-TS-ExpireDate	False	User
MS-TS-ExpireDate2	False	User
MS-TS-ExpireDate3	False	User
MS-TS-ExpireDate4	False	User
ms-TS-Home-Directory	False	User
ms-TS-Home-Drive	False	User
ms-TS-Initial-Program	False	User
MS-TS-LicenseVersion	False	User
MS-TS-LicenseVersion2	False	User
MS-TS-LicenseVersion3	False	User
MS-TS-LicenseVersion4	False	User
MS-TSLS-Property01	False	User
MS-TSLS-Property02	False	User
MS-TS-ManagingLS	False	User
MS-TS-ManagingLS2	False	User
MS-TS-ManagingLS3	False	User
MS-TS-ManagingLS4	False	User
ms-TS-Max-Connection-Time	False	User
ms-TS-Max-Disconnection-Time	False	User
ms-TS-Max-Idle-Time	False	User
ms-TS-Primary-Desktop	False	User
ms-TS-Profile-Path	False	User
MS-TS-Property01	False	User
MS-TS-Property02	False	User
ms-TS-Reconnection-Action	False	User
ms-TS-Remote-Control	False	User
ms-TS-Secondary-Desktops	False	User
ms-TS-Work-Directory	False	User
netboot-SCP-BL	False	Top
Network-Address	False	User
Non-Security-Member-BL	False	Top
Nt-Pwd-History	False	User
NT-Security-Descriptor	True	Top
Obj-Dist-Name	False	Top
Object-Category	True	Top
Object-Class	True	Top
Object-Guid	False	Top
Object-Version	False	Top
Operator-Count	False	User
Organizational-Unit-Name	False	Organizational-Person
Organization-Name	False	User Organizational-Person
Other-Login-Workstations	False	User
Other-Mailbox	False	Organizational-Person
Other-Name	False	Organizational-Person
Other-Well-Known-Objects	False	Top
Partial-Attribute-Deletion-List	False	Top
Partial-Attribute-Set	False	Top
Personal-Title	False	Organizational-Person
Phone-Fax-Other	False	Organizational-Person
Phone-Home-Other	False	Organizational-Person
Phone-Home-Primary	False	User Organizational-Person
Phone-Ip-Other	False	Organizational-Person
Phone-Ip-Primary	False	Organizational-Person
Phone-ISDN-Primary	False	Organizational-Person
Phone-Mobile-Other	False	Organizational-Person
Phone-Mobile-Primary	False	User Organizational-Person
Phone-Office-Other	False	Organizational-Person
Phone-Pager-Other	False	Organizational-Person
Phone-Pager-Primary	False	User Organizational-Person
photo	False	User
Physical-Delivery-Office-Name	False	Organizational-Person
Picture	False	Organizational-Person
Possible-Inferiors	False	Top
Postal-Address	False	Organizational-Person
Postal-Code	False	Organizational-Person
Post-Office-Box	False	Organizational-Person
Preferred-Delivery-Method	False	Organizational-Person
preferredLanguage	False	User
Preferred-OU	False	User
Primary-Group-ID	False	User
Profile-Path	False	User
Proxied-Object-Name	False	Top
Proxy-Addresses	False	Top
Pwd-Last-Set	False	User
Query-Policy-BL	False	Top
RDN	False	Top
Registered-Address	False	Organizational-Person
Repl-Property-Meta-Data	False	Top
Repl-UpToDate-Vector	False	Top
Reports	False	Top
Reps-From	False	Top
Reps-To	False	Top
Revision	False	Top
roomNumber	False	User
Script-Path	False	User
SD-Rights-Effective	False	Top
secretary	False	User
See-Also	False	Person
Serial-Number	False	Person
Server-Reference-BL	False	Top
Service-Principal-Name	False	User
Show-In-Advanced-View-Only	False	Top
Site-Object-BL	False	Top
State-Or-Province-Name	False	Organizational-Person
Street-Address	False	Organizational-Person
Structural-Object-Class	False	Top
Sub-Refs	False	Top
SubSchemaSubEntry	False	Top
Surname	False	Person
System-Flags	False	Top
Telephone-Number	False	Person
Teletex-Terminal-Identifier	False	Organizational-Person
Telex-Number	False	Organizational-Person
Telex-Primary	False	Organizational-Person
Terminal-Server	False	User
Text-Country	False	Organizational-Person
Title	False	Organizational-Person
uid	False	User
Unicode-Pwd	False	User
User-Account-Control	False	User
User-Comment	False	Organizational-Person
User-Parameters	False	User
User-Password	False	Person
userPKCS12	False	User
User-Principal-Name	False	User
User-Shared-Folder	False	User
User-Shared-Folder-Other	False	User
User-SMIME-Certificate	False	User
User-Workstations	False	User
USN-Changed	False	Top
USN-Created	False	Top
USN-DSA-Last-Obj-Removed	False	Top
USN-Intersite	False	Top
USN-Last-Obj-Rem	False	Top
USN-Source	False	Top
Wbem-Path	False	Top
Well-Known-Objects	False	Top
When-Changed	False	Top
When-Created	False	Top
WWW-Home-Page	False	Top
WWW-Page-Other	False	Top
X121-Address	False	Organizational-Person
x500uniqueIdentifier	False	User
X509-Cert	False	User

Windows Server 2012

• Attributes

Entry	Value
System-Only	False
Object-Category	1
Default-Object-Category	-
Governs-Id	1.2.840.113556.1.5.195
Default-Hiding-Value	1
Rdn-Att-Id	Common-Name
Subclass of	User
Possible Superiors	Container
Auxiliary Classes	-
NT-Security-Descriptor	O:BAG:BAD:S:
Default Security Descriptor	D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
System-Flags	0x00000010

Windows Server 2012 Attributes

This class contains the following attributes for Windows Server 2012:

Attribute	Mandatory	Derived from
Account-Expires	False	User
ACS-Policy-Name	False	User
Address	False	Organizational-Person
Address-Home	False	User Organizational-Person
Admin-Count	False	User
Admin-Description	False	Top
Admin-Display-Name	False	Top
Allowed-Attributes	False	Top
Allowed-Attributes-Effective	False	Top
Allowed-Child-Classes	False	Top
Allowed-Child-Classes-Effective	False	Top
Assistant	False	Organizational-Person
attributeCertificateAttribute	False	Person
audio	False	User
Bad-Password-Time	False	User
Bad-Pwd-Count	False	User
Bridgehead-Server-List-BL	False	Top
Business-Category	False	User
Canonical-Name	False	Top
carLicense	False	User
Code-Page	False	User
Common-Name	True	Person Top
Company	False	Organizational-Person
Control-Access-Rights	False	User
Country-Code	False	Organizational-Person
Country-Name	False	Organizational-Person
Create-Time-Stamp	False	Top
DBCS-Pwd	False	User
Default-Class-Store	False	User
Department	False	Organizational-Person
departmentNumber	False	User
Description	False	Top
Desktop-Profile	False	User
Destination-Indicator	False	Organizational-Person
Display-Name	False	User Top
Display-Name-Printable	False	Top
Division	False	Organizational-Person
DSA-Signature	False	Top
DS-Core-Propagation-Data	False	Top
Dynamic-LDAP-Server	False	User
E-mail-Addresses	False	User Organizational-Person
Employee-ID	False	Organizational-Person
Employee-Number	False	User
Employee-Type	False	User
Extension-Name	False	Top
Facsimile-Telephone-Number	False	Organizational-Person
Flags	False	Top
From-Entry	False	Top
Frs-Computer-Reference-BL	False	Top
FRS-Member-Reference-BL	False	Top
FSMO-Role-Owner	False	Top
Generation-Qualifier	False	Organizational-Person
Given-Name	False	User Organizational-Person
Group-Membership-SAM	False	User
Group-Priority	False	User
Groups-to-Ignore	False	User
Home-Directory	False	User
Home-Drive	False	User
houseIdentifier	False	Organizational-Person
Initials	False	User Organizational-Person
Instance-Type	True	Top
International-ISDN-Number	False	Organizational-Person
Is-Critical-System-Object	False	Top
Is-Deleted	False	Top
Is-Member-Of-DL	False	Top
Is-Privilege-Holder	False	Top
Is-Recycled	False	Top
jpegPhoto	False	User
labeledURI	False	User
Last-Known-Parent	False	Top
Last-Logoff	False	User
Last-Logon	False	User
Last-Logon-Timestamp	False	User
Lm-Pwd-History	False	User
Locale-ID	False	User
Locality-Name	False	Organizational-Person
Lockout-Time	False	User
Logo	False	Organizational-Person
Logon-Count	False	User
Logon-Hours	False	User
Logon-Workstation	False	User
Managed-Objects	False	Top
Manager	False	User Organizational-Person
Mastered-By	False	Top
Max-Storage	False	User
MHS-OR-Address	False	Organizational-Person
Modify-Time-Stamp	False	Top
ms-COM-PartitionSetLink	False	Top
ms-COM-UserLink	False	Top
ms-COM-UserPartitionSetLink	False	User
ms-DFSR-ComputerReferenceBL	False	Top
ms-DFSR-MemberReferenceBL	False	Top
MS-DRM-Identity-Certificate	False	User
ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity	False	Organizational-Person
ms-DS-Allowed-To-Delegate-To	False	Organizational-Person
ms-DS-Approx-Immed-Subordinates	False	Top
ms-DS-AuthenticatedAt-DC	False	User
ms-DS-AuthenticatedTo-Accountlist	False	Top
ms-DS-Cached-Membership	False	User
ms-DS-Cached-Membership-Time-Stamp	False	User
ms-DS-Claim-Shares-Possible-Values-With-BL	False	Top
MS-DS-Consistency-Child-Count	False	Top
MS-DS-Consistency-Guid	False	Top
MS-DS-Creator-SID	False	User
ms-DS-Enabled-Feature-BL	False	Top
ms-DS-Failed-Interactive-Logon-Count	False	User
ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon	False	User
ms-DS-HAB-Seniority-Index	False	Organizational-Person
ms-DS-Host-Service-Account-BL	False	Top
ms-DS-Is-Domain-For	False	Top
ms-DS-Is-Full-Replica-For	False	Top
ms-DS-Is-Partial-Replica-For	False	Top
ms-DS-Is-Primary-Computer-For	False	Top
ms-DS-KrbTgt-Link-BL	False	Top
ms-DS-Last-Failed-Interactive-Logon-Time	False	User
ms-DS-Last-Known-RDN	False	Top
ms-DS-Last-Successful-Interactive-Logon-Time	False	User
ms-DS-local-Effective-Deletion-Time	False	Top
ms-DS-local-Effective-Recycle-Time	False	Top
ms-DS-Mastered-By	False	Top
ms-DS-Members-For-Az-Role-BL	False	Top
ms-DS-Members-Of-Resource-Property-List-BL	False	Top
ms-DS-NC-Repl-Cursors	False	Top
ms-DS-NC-Repl-Inbound-Neighbors	False	Top
ms-DS-NC-Repl-Outbound-Neighbors	False	Top
ms-DS-NC-RO-Replica-Locations-BL	False	Top
ms-DS-NC-Type	False	Top
ms-DS-Non-Members-BL	False	Top
ms-DS-Object-Reference-BL	False	Top
ms-DS-OIDToGroup-Link-BL	False	Top
ms-DS-Operations-For-Az-Role-BL	False	Top
ms-DS-Operations-For-Az-Task-BL	False	Top
ms-DS-Phonetic-Company-Name	False	Organizational-Person
ms-DS-Phonetic-Department	False	Organizational-Person
ms-DS-Phonetic-Display-Name	False	Organizational-Person
ms-DS-Phonetic-First-Name	False	Organizational-Person
ms-DS-Phonetic-Last-Name	False	Organizational-Person
ms-DS-Primary-Computer	False	User
ms-DS-Principal-Name	False	Top
ms-DS-PSO-Applied	False	Top
ms-DS-Repl-Attribute-Meta-Data	False	Top
ms-DS-Repl-Value-Meta-Data	False	Top
ms-DS-Resultant-PSO	False	User
ms-DS-Revealed-DSAs	False	Top
ms-DS-Revealed-List-BL	False	Top
ms-DS-Secondary-KrbTgt-Number	False	User
ms-DS-Site-Affinity	False	User
ms-DS-Source-Object-DN	False	User
ms-DS-Supported-Encryption-Types	False	User
ms-DS-Tasks-For-Az-Role-BL	False	Top
ms-DS-Tasks-For-Az-Task-BL	False	Top
ms-DS-TDO-Egress-BL	False	Top
ms-DS-TDO-Ingress-BL	False	Top
ms-DS-User-Account-Control-Computed	False	User
ms-DS-User-Password-Expiry-Time-Computed	False	User
ms-DS-Value-Type-Reference-BL	False	Top
ms-Exch-House-Identifier	False	Organizational-Person
ms-Exch-Owner-BL	False	Top
ms-IIS-FTP-Dir	False	User
ms-IIS-FTP-Root	False	User
MSMQ-Digests	False	User
MSMQ-Digests-Mig	False	User
MSMQ-Sign-Certificates	False	User
MSMQ-Sign-Certificates-Mig	False	User
msNPAllowDialin	False	User
msNPCallingStationID	False	User
msNPSavedCallingStationID	False	User
ms-PKI-AccountCredentials	False	User
ms-PKI-Credential-Roaming-Tokens	False	User
ms-PKI-DPAPIMasterKeys	False	User
ms-PKI-RoamingTimeStamp	False	User
msRADIUSCallbackNumber	False	User
ms-RADIUS-FramedInterfaceId	False	User
msRADIUSFramedIPAddress	False	User
ms-RADIUS-FramedIpv6Prefix	False	User
ms-RADIUS-FramedIpv6Route	False	User
msRADIUSFramedRoute	False	User
ms-RADIUS-SavedFramedInterfaceId	False	User
ms-RADIUS-SavedFramedIpv6Prefix	False	User
ms-RADIUS-SavedFramedIpv6Route	False	User
msRADIUSServiceType	False	User
msRASSavedCallbackNumber	False	User
msRASSavedFramedIPAddress	False	User
msRASSavedFramedRoute	False	User
msSFU-30-Name	False	User
msSFU-30-Nis-Domain	False	User
msSFU-30-Posix-Member-Of	False	Top
ms-TS-Allow-Logon	False	User
ms-TS-Broken-Connection-Action	False	User
ms-TS-Connect-Client-Drives	False	User
ms-TS-Connect-Printer-Drives	False	User
ms-TS-Default-To-Main-Printer	False	User
MS-TS-ExpireDate	False	User
MS-TS-ExpireDate2	False	User
MS-TS-ExpireDate3	False	User
MS-TS-ExpireDate4	False	User
ms-TS-Home-Directory	False	User
ms-TS-Home-Drive	False	User
ms-TS-Initial-Program	False	User
MS-TS-LicenseVersion	False	User
MS-TS-LicenseVersion2	False	User
MS-TS-LicenseVersion3	False	User
MS-TS-LicenseVersion4	False	User
MS-TSLS-Property01	False	User
MS-TSLS-Property02	False	User
MS-TS-ManagingLS	False	User
MS-TS-ManagingLS2	False	User
MS-TS-ManagingLS3	False	User
MS-TS-ManagingLS4	False	User
ms-TS-Max-Connection-Time	False	User
ms-TS-Max-Disconnection-Time	False	User
ms-TS-Max-Idle-Time	False	User
ms-TS-Primary-Desktop	False	User
ms-TS-Profile-Path	False	User
MS-TS-Property01	False	User
MS-TS-Property02	False	User
ms-TS-Reconnection-Action	False	User
ms-TS-Remote-Control	False	User
ms-TS-Secondary-Desktops	False	User
ms-TS-Work-Directory	False	User
netboot-SCP-BL	False	Top
Network-Address	False	User
Non-Security-Member-BL	False	Top
Nt-Pwd-History	False	User
NT-Security-Descriptor	True	Top
Obj-Dist-Name	False	Top
Object-Category	True	Top
Object-Class	True	Top
Object-Guid	False	Top
Object-Version	False	Top
Operator-Count	False	User
Organizational-Unit-Name	False	Organizational-Person
Organization-Name	False	User Organizational-Person
Other-Login-Workstations	False	User
Other-Mailbox	False	Organizational-Person
Other-Name	False	Organizational-Person
Other-Well-Known-Objects	False	Top
Partial-Attribute-Deletion-List	False	Top
Partial-Attribute-Set	False	Top
Personal-Title	False	Organizational-Person
Phone-Fax-Other	False	Organizational-Person
Phone-Home-Other	False	Organizational-Person
Phone-Home-Primary	False	User Organizational-Person
Phone-Ip-Other	False	Organizational-Person
Phone-Ip-Primary	False	Organizational-Person
Phone-ISDN-Primary	False	Organizational-Person
Phone-Mobile-Other	False	Organizational-Person
Phone-Mobile-Primary	False	User Organizational-Person
Phone-Office-Other	False	Organizational-Person
Phone-Pager-Other	False	Organizational-Person
Phone-Pager-Primary	False	User Organizational-Person
photo	False	User
Physical-Delivery-Office-Name	False	Organizational-Person
Picture	False	Organizational-Person
Possible-Inferiors	False	Top
Postal-Address	False	Organizational-Person
Postal-Code	False	Organizational-Person
Post-Office-Box	False	Organizational-Person
Preferred-Delivery-Method	False	Organizational-Person
preferredLanguage	False	User
Preferred-OU	False	User
Primary-Group-ID	False	User
Profile-Path	False	User
Proxied-Object-Name	False	Top
Proxy-Addresses	False	Top
Pwd-Last-Set	False	User
Query-Policy-BL	False	Top
RDN	False	Top
Registered-Address	False	Organizational-Person
Repl-Property-Meta-Data	False	Top
Repl-UpToDate-Vector	False	Top
Reports	False	Top
Reps-From	False	Top
Reps-To	False	Top
Revision	False	Top
roomNumber	False	User
Script-Path	False	User
SD-Rights-Effective	False	Top
secretary	False	User
See-Also	False	Person
Serial-Number	False	Person
Server-Reference-BL	False	Top
Service-Principal-Name	False	User
Show-In-Advanced-View-Only	False	Top
Site-Object-BL	False	Top
State-Or-Province-Name	False	Organizational-Person
Street-Address	False	Organizational-Person
Structural-Object-Class	False	Top
Sub-Refs	False	Top
SubSchemaSubEntry	False	Top
Surname	False	Person
System-Flags	False	Top
Telephone-Number	False	Person
Teletex-Terminal-Identifier	False	Organizational-Person
Telex-Number	False	Organizational-Person
Telex-Primary	False	Organizational-Person
Terminal-Server	False	User
Text-Country	False	Organizational-Person
Title	False	Organizational-Person
uid	False	User
Unicode-Pwd	False	User
User-Account-Control	False	User
User-Comment	False	Organizational-Person
User-Parameters	False	User
User-Password	False	Person
userPKCS12	False	User
User-Principal-Name	False	User
User-Shared-Folder	False	User
User-Shared-Folder-Other	False	User
User-SMIME-Certificate	False	User
User-Workstations	False	User
USN-Changed	False	Top
USN-Created	False	Top
USN-DSA-Last-Obj-Removed	False	Top
USN-Intersite	False	Top
USN-Last-Obj-Rem	False	Top
USN-Source	False	Top
Wbem-Path	False	Top
Well-Known-Objects	False	Top
When-Changed	False	Top
When-Created	False	Top
WWW-Home-Page	False	Top
WWW-Page-Other	False	Top
X121-Address	False	Organizational-Person
x500uniqueIdentifier	False	User
X509-Cert	False	User