Active Directory: Syntaxes of Attributes

Introduction

The attributes of objects in Active Directory each have a syntax. This is also called a DataType. There are many different syntaxes available. The subject can be confusing because there is often more than one syntax name for the same attribute. The syntax names can vary, depending on where you look or how you retrieve it. This Wiki documents the syntaxes available in Active Directory.



Table of Active Directory Attribute Syntaxes

The table below documents the attribute syntaxes available in Active Directory. The column headings are explained here.

  • oMSyntax: The value of the oMSyntax attribute of the attribute object in the Schema partition.
  • Attribute: The value of the attributeSyntax attribute of the attribute object in the Schema partition.
  • Schema: The value of the Syntax property of the object retrieved by the MandatoryProperties and OptionalProperties methods of the class object in the Schema partition. The Name property of this object is the lDAPDisplayName of the attribute.
  • LDAP: The corresponding LDAP syntax name. These names are documented in 3.1.1.2.2.2 LDAP Representations.
  • ADSI: The corresponding ADSI syntax name. The value in the table does not include the string "ADSTYPE_". For example, "INTEGER" is really syntax type "ADSTYPE_INTEGER". These names are documented in ADSTYPEENUM Enumeration.
  • Example Attribute: An attribute in Active Directory with the syntax.
oMSyntax | Attribute | Schema | LDAP | ADSI | Example Attribute
1 | 2.5.5.8 | Bool | Boolean | BOOLEAN | msNPAllowDialin
2 | 2.5.5.9 | Int | Integer | INTEGER | badPwdCount
4 | 2.5.5.10 | Byte[] | OctetString | OCTET_STRING | photo
4 | 2.5.5.10 | Byte[] | OctetString | OCTET_STRING | objectGUID
4 | 2.5.5.10 | Byte[] | OctetString | OCTET_STRING | logonHours
4 | 2.5.5.10 | Byte[] | String(Octet) | OCTET_STRING | schedule
4 | 2.5.5.17 | Byte[] | Sid | OCTET_STRING | objectSid
4 | 2.5.5.17 | Byte[] | String(Sid) | OCTET_STRING | tokenGroups
6 | 2.5.5.2 | Oid | String(Object-Identifier) | CASE_IGNORE_STRING | objectClass
10 | 2.5.5.9 | Enumeration | Enumeration | INTEGER | searchFlags
18 | 2.5.5.6 | NumericString | String(Numeric) | NUMERIC_STRING | x121Address
19 | 2.5.5.5 | PrintableString | String(Printable) | PRINTABLE_STRING | displayNamePrintable
20 | 2.5.5.4 | CaseIgnoreString | String(Telex) | CASE_IGNORE_STRING | networkAddress
22 | 2.5.5.5 | IA5String | String(IA5) | CASE_IGNORE_STRING | unixHomeDirectory
23 | 2.5.5.11 | GeneralizedTime | String(UTC-Time) | UTC_TIME | meetingStartTime
24 | 2.5.5.11 | GeneralizedTime | String(Generalized-Time) | UTC_TIME | whenChanged
27 | 2.5.5.3 | | String(Case) | |
64 | 2.5.5.12 | DirectoryString | String(Unicode) | CASE_IGNORE_STRING | company
65 | 2.5.5.16 | Int64 | LargeInteger | LARGE_INTEGER | maxStorage
65 | 2.5.5.16 | Int64 | Integer8 | LARGE_INTEGER | maxPwdAge
65 | 2.5.5.16 | Int64 | Integer8 | LARGE_INTEGER | pwdLastSet
66 | 2.5.5.15 | Oid | String(NT-Sec-Desc) | NT_SECURITY_DESCRIPTOR | nTSecurityDescriptor
127 | 2.5.5.1 | DN | Object(DS-DN) | DN_STRING | member
127 | 2.5.5.7 | DNWithBinary | Object(OR-Binary) | DN_WITH_BINARY | wellKnownObjects
127 | 2.5.5.7 | DNWithBinary | Object(OR-Name) | DN_WITH_BINARY |
127 | 2.5.5.10 | ReplicaLink | Object(Replica-Link) | OCTET_STRING | repsFrom
127 | 2.5.5.13 | Object | Object(Presentation-Address) | | presentationAddress
127 | 2.5.5.14 | DNWithString | Object(Access-Point) | DN_WITH_STRING |
127 | 2.5.5.14 | DNWithString | Object(DN-String) | DN_WITH_STRING | msDS-RevealedList

No attributes were found with oMSyntax 27. This is a case sensitive string format, which is allowed but rarely used. Likewise, no attributes with LDAP syntax names Object(OR-Name) or Object(Access-Point) were found, so those rows have no example attribute.

The difference between attributes with LDAP syntax Object(OR-Binary) and Object(OR-Name) is determined by checking the value of the oMObjectClass attribute, which is a byte array. Similarly, the difference between attributes with LDAP syntax Object(Access-Point) and Object(DN-String) is determined by the value of oMObjectClass.

When you extend the Schema, you assign values to the oMSyntax and attributeSyntax attributes of each attributeSchema object added in the Schema container. You cannot add additional syntaxes beyond the ones defined in AD. In addition, if you assign 127 to the oMSyntax attribute, you must also set the oMObjectClass attribute, which is OctetString (a byte array). As an example, the oMObjectClass attribute of the member attribute has a value that corresponds to OID 1.3.12.2.1011.28.0.714. The byte array is a BER (Basic Encoding Rules) encoding of the OID.

You can see from the table why the subject can be confusing. There is not a one-to-one correspondence between the oMSyntax and attributeSyntax values; the combination of the two is required. In several cases, one value of oMSyntax is used with several different values of attributeSyntax, and the reverse situation is also seen in the table. In addition, if you retrieve the syntax using other methods, such as LDAP or the MandatoryProperties and OptionalProperties methods, the syntax name is different.

A few unique combinations of oMSyntax and attributeSyntax are listed more than once in the table. In two cases, when oMSyntax is 127, the value of the oMObjectClass attribute also influences the syntax. The first case is when attributeSyntax is 2.5.5.7, the second when attributeSyntax is 2.5.5.14.

Finally, several other combinations of oMSyntax and attributeSyntax are listed more than once because attributes with the same syntax must be handled differently to interpret the value. For example, oMSyntax of 65 and attributeSyntax 2.5.5.16 is listed three times in the table. All of these attributes are LargeInteger (64-bit integers), but they must be handled differently to be converted into a friendly format understood by humans. The maxStorage attribute is a large integer. It is best to display such a value with thousands separators for readability. The maxPwdAge attribute is a TimeSpan, which should be displayed in days, hours, minutes, and seconds. The pwdLastSet attribute is a DateTime. Different methods must be used for each of these three attributes.
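As an added example that is not code from the original article, the three conversions described above for oMSyntax 65 / attributeSyntax 2.5.5.16 attributes, in Python. The sample values are constructed; the tick-based representation assumed here (100-nanosecond units, with dates counted from 1601-01-01 UTC) is the standard Windows FILETIME layout these attributes use.

```python
from datetime import datetime, timedelta, timezone

# Epoch of Windows FILETIME values; DateTime-style attributes such as pwdLastSet
# count 100-nanosecond ticks from this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def format_large_integer(value: int) -> str:
    """Plain 64-bit counter such as maxStorage: only thousands separators are needed."""
    return f"{value:,}"


def timespan_from_large_integer(value: int) -> timedelta:
    """Interval such as maxPwdAge: a count of 100-ns ticks, stored negative in AD."""
    # value // 10 converts ticks to microseconds, the finest unit timedelta keeps.
    return timedelta(microseconds=abs(value) // 10)


def format_timespan(value: int) -> str:
    """Render an interval attribute as days, hours, minutes and seconds."""
    td = timespan_from_large_integer(value)
    hours, rem = divmod(td.seconds, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{td.days} days, {hours} hours, {minutes} minutes, {seconds} seconds"


def datetime_from_large_integer(value: int):
    """Date such as pwdLastSet: 100-ns ticks since 1601-01-01 UTC.
    Returns None for 0, which Active Directory uses when the value was never set."""
    if value <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


# Constructed sample values, not taken from a real directory.
SAMPLES = {
    "maxStorage": 10_737_418_240,         # bytes
    "maxPwdAge": -36_288_000_000_000,     # 42 days, stored as negative ticks
    "pwdLastSet": 133_485_408_000_000_000,  # 2024-01-01T00:00:00Z in ticks
}

if __name__ == "__main__":
    print("maxStorage:", format_large_integer(SAMPLES["maxStorage"]))
    print("maxPwdAge:", format_timespan(SAMPLES["maxPwdAge"]))
    print("pwdLastSet:", datetime_from_large_integer(SAMPLES["pwdLastSet"]).isoformat())
```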

The table entry for oMSyntax 24 and attributeSyntax 2.5.5.11 shows that the Schema and LDAP both document the syntax as GeneralizedTime, while ADSI reports it as ADSTYPE_UTC_TIME. Technically, GeneralizedTime uses four digits for the year, while UtcTime uses only two. UtcTime is not recommended for Active Directory. The whenChanged attribute displays a four digit year, so it is GeneralizedTime. In the entry for oMSyntax 23 and attributeSyntax 2.5.5.11, both LDAP and ADSI show syntax UtcTime, while the Schema shows GeneralizedTime. The Schema MandatoryProperties and OptionalProperties methods are probably more accurate.



oMObjectClass attribute

Active Directory attribute objects in the Schema with the oMSyntax attribute equal to 127 must also have a value assigned to the oMObjectClass attribute. When you extend the Schema with a custom attribute, you are also required to supply a value for the oMObjectClass attribute.

The oMObjectClass attribute is a byte array. It is a BER (Basic Encoding Rules) encoding of an OID (Object ID). The following table documents the values assigned to the oMObjectClass attribute for the default attributes in the Schema partition for each unique syntax. In all cases the oMSyntax of the attribute object is 127. The table documents the hexadecimal representation of the oMObjectClass byte array, the decimal representation, the Base64 encoding, and the corresponding OID.

oMSyntax | Attribute | LDAP | oMObjectClass (Hex) | oMObjectClass (Dec) | oMObjectClass (Base64) | oMObjectClass (Oid)
127 | 2.5.5.1 | DS-DN | 0x2b 0x0c 0x02 0x87 0x73 0x1c 0x00 0x85 0x4a | 43 12 2 135 115 28 0 133 74 | KwwCh3McAIVK | 1.3.12.2.1011.28.0.714
127 | 2.5.5.7 | OR-Binary | 0x2a 0x86 0x48 0x86 0xf7 0x14 0x01 0x01 0x01 0x0b | 42 134 72 134 247 20 1 1 1 11 | KoZIhvcUAQEBCw== | 1.2.840.113556.1.1.1.11
127 | 2.5.5.7 | OR-Name | ? | ? | ? | ?
127 | 2.5.5.10 | Replica-Link | 0x2a 0x86 0x48 0x86 0xf7 0x14 0x01 0x01 0x01 0x06 | 42 134 72 134 247 20 1 1 1 6 | KoZIhvcUAQEBBg== | 1.2.840.113556.1.1.1.6
127 | 2.5.5.13 | Presentation-Address | 0x2b 0x0c 0x02 0x87 0x73 0x1c 0x00 0x85 0x5c | 43 12 2 135 115 28 0 133 92 | KwwCh3McAIVc | 1.3.12.2.1011.28.0.732
127 | 2.5.5.14 | Access-Point | ? | ? | ? | ?
127 | 2.5.5.14 | DN-String | 0x2a 0x86 0x48 0x86 0xf7 0x14 0x01 0x01 0x01 0x0c | 42 134 72 134 247 20 1 1 1 12 | KoZIhvcUAQEBDA== | 1.2.840.113556.1.1.1.12

Two entries in the table have no values for oMObjectClass listed because the default Schema has no attributes with the corresponding syntax.
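The BER encoding of oMObjectClass described in the previous section and tabulated above, as an added example that is not part of the original article: a decoder and encoder for the OID content octets, plus a lookup that names the LDAP syntax from the oMObjectClass value that LDAP tools return as Base64. The function names are my own; the OID-to-syntax mapping is the table above.

```python
import base64

# oMObjectClass OIDs of the default Schema attributes, taken from the table above.
OMOBJECTCLASS_OIDS = {
    "1.3.12.2.1011.28.0.714": "Object(DS-DN)",
    "1.2.840.113556.1.1.1.11": "Object(OR-Binary)",
    "1.2.840.113556.1.1.1.6": "Object(Replica-Link)",
    "1.3.12.2.1011.28.0.732": "Object(Presentation-Address)",
    "1.2.840.113556.1.1.1.12": "Object(DN-String)",
}

def decode_oid(data: bytes) -> str:
    """BER OBJECT IDENTIFIER content octets (no tag/length, as stored in oMObjectClass) -> dotted OID.
    The first octet packs arcs X.Y as 40*X + Y; later arcs are base-128 with 0x80 as continuation bit."""
    if not data or data[-1] & 0x80:
        raise ValueError("empty or truncated OID: last octet has its continuation bit set")
    arcs, value = [], 0
    for b in data:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue  # more octets follow for this arc
        if not arcs:
            first = min(value // 40, 2)  # X is 0, 1 or 2; Y absorbs the remainder
            arcs.extend([first, value - 40 * first])
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)

def encode_oid(oid: str) -> bytes:
    """Inverse of decode_oid: dotted OID string -> oMObjectClass content octets."""
    arcs = [int(a) for a in oid.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for sid in subids:
        chunk = [sid & 0x7F]          # lowest 7 bits carry no continuation bit
        sid >>= 7
        while sid:
            chunk.append(0x80 | (sid & 0x7F))
            sid >>= 7
        out.extend(reversed(chunk))   # most significant group is emitted first
    return bytes(out)

def ldap_syntax_from_om_object_class(om_syntax: int, b64: str) -> str:
    """Name the LDAP syntax of an oMSyntax-127 attribute from its Base64 oMObjectClass value."""
    if om_syntax != 127:
        raise ValueError("oMObjectClass only applies when oMSyntax is 127")
    oid = decode_oid(base64.b64decode(b64))
    return OMOBJECTCLASS_OIDS.get(oid, "unknown oMObjectClass OID " + oid)
```

The Base64 form is what the dsquery and PowerShell scripts in the next sections work with, so the same function can be pointed at their output.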



Scripts to Retrieve Information on Syntaxes

Following are a few short scripts that can be used to retrieve information on the syntaxes of various attributes. The first script finds all attributes in the Schema partition that have a value assigned to the oMObjectClass attribute, and displays the values of their lDAPDisplayName and oMSyntax attributes. It uses the dsquery command line tool available on any domain controller, or any client with RSAT (Remote Server Administration Tools).

dsquery * "cn=Schema,cn=Configuration,dc=Domain,dc=com" -Filter "(oMObjectClass=*)" -Attr lDAPDisplayName oMSyntax

The next script retrieves the values of the oMSyntax, attributeSyntax, and oMObjectClass attributes of the member attribute in the Schema partition. The oMObjectClass is displayed as a series of hexadecimal bytes.

dsquery * "cn=Schema,cn=Configuration,dc=Domain,dc=com" -Filter "(lDAPDisplayName=member)" -Attr oMSyntax attributeSyntax oMObjectClass

The following VBScript program determines the ADSI syntax (the ADsType) of an attribute. The script outputs the numerical constant corresponding to the ADsType, as explained in the section below titled "Documentation Issues".

' Bind to the object in Active Directory.
Set ADObject = GetObject("LDAP://cn=Jim Smith,ou=Sales,ou=West,dc=domain,dc=com")
ADObject.GetInfo
Count = ADObject.PropertyCount
Wscript.Echo "Number of Attributes Found: " & Count

' Retrieve the attribute by lDAPDisplayName.
Set Entry = ADObject.Item("uSNcreated")
Wscript.Echo "Attribute lDAPDisplayName: " & Entry.Name
' Retrieve the ADsType of the attribute (ADsType of uSNCreated is 10).
Wscript.Echo "ADsType: " & Entry.ADsType

This PowerShell script documents the mandatory attributes for a specified class of objects in Active Directory. It displays the lDAPDisplayName and the syntax.

# Specify the object class.
$Class = "user"

# Retrieve the mandatory attributes for this class from the Schema.
# Do not pipe the collection through Out-GridView here: Out-GridView returns
# nothing to the pipeline, so the variable would be empty and the loop below
# would output nothing.
$Schema = [DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
$ManAttributes = $Schema.FindClass($Class).MandatoryProperties

# Enumerate the mandatory attributes for the class.
# Output the lDAPDisplayName and syntax of each.
ForEach ($Attribute In $ManAttributes)
{
    $AttrName = $Attribute.Name
    $AttrSyntax = $Attribute.Syntax
    "Mandatory attribute: $AttrName ($AttrSyntax)"
}

A similar script can document the optional attributes for the class, using the OptionalProperties method.



Scripts to Convert DataTypes for oMObjectClass

Following are short scripts that can be used to convert values for the oMObjectClass attribute. The first PowerShell script converts a decimal byte array into a Base64 encoded string.

# Convert Decimal Byte Array into a Base64 Encoded String.
# The bytes can be passed as command line arguments (separately or as one
# quoted string) or entered at the prompt, for example: 43 12 2 135 115 28 0 133 74

If ($Args.Count -ge 1)
{
    # -split applies to each argument, so "43 12 2" and 43 12 2 both work.
    $ByteArray = [byte[]]($Args -split " ")
}
Else
{
    $ByteArray = [byte[]]((Read-Host "Enter byte array as space delimited decimal values") -split " ")
}

$Base64String = [System.Convert]::ToBase64String($ByteArray)
"Base64 String: $Base64String"

This PowerShell script converts a Base64 encoded string into a decimal byte array.

# Convert Base64 Encoded String into a Decimal Byte Array.

If ($Args.Count -eq 1)
{
    $Base64String = $Args[0]
}
Else
{
    $Base64String = Read-Host "Enter Base64 Encoded String"
}

# FromBase64String returns a byte[]; interpolating it prints the
# decimal values separated by spaces.
$ByteArray = [System.Convert]::FromBase64String($Base64String)
"Byte Array(decimal): $ByteArray"



PowerShell Script to Document All Attributes of Specified AD Object

The script is linked here.

Document all Attributes of Specified Active Directory Object

The script uses the MandatoryProperties and OptionalProperties methods of the appropriate class object in the Schema partition to retrieve all of the attributes appropriate for the specified object. For each attribute the script documents the syntax, whether the attribute is multi-valued, whether it is operational, and all values assigned (if any) in Active Directory.



Documentation Issues

The following articles make statements that conflict with other documentation, or are incomplete.

ADSTYPEENUM Enumeration

This article states:

Because VBScript cannot read data from a type library, VBScript applications do not recognize symbolic constants, as defined above. Use the numerical constants instead to set the appropriate flags in your VBScript application.

But there are no numeric constants in the article's table of enumeration values. It has been determined that the constants were omitted from the table. The first entry in the table is number 0, the second is number 1, and so on. So ADsType 10 (for the attribute uSNCreated) refers to ADSTYPE_LARGE_INTEGER, the eleventh row in the table.

Defining a New Attribute

Choose a syntax for the attribute. The syntax is determined by the combination of the oMSyntax and oMObjectClass attributes.

Actually, the syntax is determined by the combination of oMSyntax, attributeSyntax, and sometimes also the oMObjectClass attribute. oMObjectClass is only required if oMSyntax is 127, or when you extend the Schema with a custom attribute. Otherwise, the value of oMObjectClass is not set.

Also, in the list of attributes to assign for a new attribute, the attribute oMObjectClass is listed as required. Actually, it is only required if oMSyntax is 127 or you extend the Schema. The only attributes in the default Schema with a value assigned to the oMObjectClass attribute are ones with oMSyntax of 127.
