Characteristics of Object Classes

Each object class in Active Directory Domain Services is defined by a classSchema object in the schema container. The attributes of a classSchema object specify the characteristics of the class, such as:

  • Class identifiers: Classes have several identifiers, including lDAPDisplayName, which is used by LDAP clients to identify the class in search filters, and schemaIDGUID, which is used in security descriptors to control access to the class.
  • Possible attributes: An object class definition includes lists of the mandatory and optional attributes that can be set on an instance of the class.
  • Possible parents: Every object instance, except the root of the directory hierarchy, has exactly one parent. An object class definition includes lists of possible parents, that is, of the object classes that can contain an instance of the class.
  • Superclasses and auxiliary classes: Every object class (except top) is derived from another class. A class inherits possible attributes and possible parents from the classes above it in the class hierarchy. A class can also have any number of auxiliary classes from which it inherits lists of possible attributes. For more information, see Class Inheritance in the Active Directory Schema.
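The schemaIDGUID is the identifier that matters for access control: an object-specific ACE that grants Create Child or Delete Child names the child class by this GUID, not by lDAPDisplayName. The example below is added here and is not code from the original page or from Microsoft. It shows the conversion between the 16-octet form LDAP returns and the text form that appears in ACEs (the first three GUID fields are little-endian, so a naive big-endian decode yields the wrong GUID), and resolves the object GUID of an SDDL ACE back to a class name. The three GUIDs in the lookup are the commonly documented base-schema values for user, computer and group; treat them as an assumption and confirm them against the schema container of your own forest. The ACE and SID are constructed samples.

```python
import re
import uuid
from typing import Dict

# Constructed lookup of class lDAPDisplayName -> schemaIDGUID in ACE text form.
# Assumption: these are the base-schema values; verify against your own schema container.
SCHEMA_ID_GUIDS = {
    "user":     "bf967aba-0de6-11d0-a285-00aa003049e2",
    "computer": "bf967a86-0de6-11d0-a285-00aa003049e2",
    "group":    "bf967a9c-0de6-11d0-a285-00aa003049e2",
}

def octet_string_from_guid(guid_text: str) -> bytes:
    """Encode a GUID the way LDAP returns schemaIDGUID: 16 raw bytes in the
    Windows GUID memory layout (first three fields little-endian)."""
    return uuid.UUID(guid_text).bytes_le

def guid_from_octet_string(octets: bytes) -> str:
    """Decode the 16-byte schemaIDGUID octet string into the text form used in ACEs.
    Decoding with uuid.UUID(bytes=...) instead would read the first three fields
    big-endian and silently produce a GUID that never matches any ACE."""
    if len(octets) != 16:
        raise ValueError("schemaIDGUID must be exactly 16 octets")
    return str(uuid.UUID(bytes_le=octets))

def build_guid_index(ldap_results: Dict[str, bytes]) -> Dict[str, str]:
    """Map decoded GUID text -> lDAPDisplayName from (class name -> octet string) results,
    i.e. what a search of the schema container for schemaIDGUID would give you."""
    return {guid_from_octet_string(b): name for name, b in ldap_results.items()}

# SDDL ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(
    r"^\((?P<type>[A-Z]{1,2});(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);"
    r"(?P<object>[0-9a-fA-F-]*);(?P<inherit>[0-9a-fA-F-]*);(?P<sid>[^)]+)\)$"
)

def describe_ace(ace: str, guid_index: Dict[str, str]) -> dict:
    """Parse one SDDL ACE and resolve its two GUID fields to class names where known.
    For CC/DC rights the object GUID identifies the class of child being granted."""
    m = ACE_RE.match(ace.strip())
    if not m:
        raise ValueError(f"not an SDDL ACE: {ace!r}")
    d = m.groupdict()
    d["object_class"] = guid_index.get(d["object"].lower()) if d["object"] else None
    d["inherit_class"] = guid_index.get(d["inherit"].lower()) if d["inherit"] else None
    return d

if __name__ == "__main__":
    # Simulate the octet strings an LDAP search of the schema container would return.
    ldap_results = {n: octet_string_from_guid(g) for n, g in SCHEMA_ID_GUIDS.items()}
    index = build_guid_index(ldap_results)
    # Constructed ACE: container-inherited Create Child of one class for one principal.
    ace = "(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1111111111-2222222222-3333333333-1108)"
    info = describe_ace(ace, index)
    print(f"{info['sid']} may create child objects of class {info['object_class']}")
```

When auditing who can create objects of a given class, build the index once from a schema-container search and then resolve every object-specific ACE through it; an ACE whose object GUID does not resolve is worth a second look, since it may name a class added by a schema extension.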

The following table lists the lDAPDisplayName and description of the key attributes of a classSchema object. For more information, and a complete list of the mandatory and optional attributes of a classSchema object, see classSchema.

cn
    Every object in Active Directory Domain Services has a naming attribute from which its Relative Distinguished Name (RDN) is formed. The naming attribute for classSchema objects is cn (Common-Name). The value assigned to cn is the value that the object class will have as its RDN. For example, the cn of the organizationalUnit object class is Organizational-Unit, which would appear in a distinguished name as CN=Organizational-Unit. The cn must be unique in the schema container.

lDAPDisplayName
    The name used by LDAP clients, such as the ADSI LDAP provider, to refer to the class, for example to specify the class in a search filter. A class's lDAPDisplayName must be unique in the schema container, which means it must be unique across all classSchema and attributeSchema objects. For more information about composing a cn and an lDAPDisplayName for a new class, see Naming Attributes and Classes.

schemaIDGUID
    A GUID stored as an octet string. This GUID uniquely identifies the class and can be used in access control entries to control access to objects of this class. For more information, see Setting Permissions on Child Object Operations. On creation of the classSchema object, the Active Directory server generates this value if it is not specified. If you create a new class, generate your own GUID for each class so that all installations of your extension use the same schemaIDGUID to refer to the class.

adminDisplayName
    A display name of the class for use in administrative tools. If adminDisplayName is not specified when a class is created, the system uses the Common-Name value as the display name. This display name is used only if a mapping does not exist in the classDisplayName property of the display specifier for the class. For more information, see Display Specifiers and Class and Attribute Display Names.

governsID
    The OID of the class. This value must be unique among the governsIDs of all classSchema objects and the attributeIDs of all attributeSchema objects. For more information, see Object Identifiers.

rDnAttId
    Identifies the naming attribute, which is the attribute that provides the RDN for this class if different from the default (cn). Use of a naming attribute other than cn is discouraged. Naming attributes should be drawn from the well-known set (OU, CN, O, L, and DC) that is understood by all LDAP version 3 clients, and a naming attribute must have the Directory String syntax. For more information, see Object Names and Identities and Syntaxes for Attributes in Active Directory Domain Services.

mustContain, systemMustContain
    A pair of multi-valued properties that specify the attributes that must be present on instances of this class. These are mandatory attributes that must be present during creation and cannot be cleared after creation. After creation of the class, these properties cannot be changed. The full set of mandatory attributes for a class is the union of the systemMustContain and mustContain values on this class and all inherited classes.

mayContain, systemMayContain
    A pair of multi-valued properties that specify the attributes that MAY be present on instances of this class. These are optional attributes that are not mandatory and, therefore, may or may not be present on an instance of this class. You can add or remove mayContain values from an existing category 1 or category 2 classSchema object. Before removing a mayContain value from a classSchema object, you should search for instances of the object class and clear any values for the attribute that you are removing. After creation of the class, the systemMayContain property cannot be changed. The full set of optional attributes for a class is the union of the systemMayContain and mayContain values on this class and all inherited classes.

possSuperiors, systemPossSuperiors
    A pair of multi-valued properties that specify the structural classes that can be legal parents of instances of this class. The full set of possible superiors is the union of the systemPossSuperiors and possSuperiors values on this class and any inherited structural or abstract classes. systemPossSuperiors and possSuperiors values are not inherited from auxiliary classes. You can add or remove possSuperiors values from an existing category 1 or category 2 classSchema object. After creation of the class, the systemPossSuperiors property cannot be changed.

objectClassCategory
    An integer value that specifies the category of the class, which can be one of the following:
      • Structural, meaning that the class can be instantiated in the directory.
      • Abstract, meaning that the class provides a basic definition that can be used to form structural classes.
      • Auxiliary, meaning a class that can be used to extend the definition of a class that inherits from it, but cannot be used to form a class by itself.
    For more information, see Structural, Abstract, and Auxiliary Classes.

subClassOf
    An OID for the immediate superclass of this class, that is, the class from which this class is derived. For structural classes, subClassOf can be a structural or abstract class.
    For abstract classes, subClassOf can be an abstract class only.
    For auxiliary classes, subClassOf can be an abstract or auxiliary class.
    If you define a new class, ensure that the subClassOf class exists or will exist when the new class is written to the directory. If the class does not exist, the classSchema object is not added to the directory.

auxiliaryClass, systemAuxiliaryClass
    A pair of multi-valued properties that specify the auxiliary classes that this class inherits from. The full set of auxiliary classes is the union of the systemAuxiliaryClass and auxiliaryClass values on this class and all inherited classes. For an existing classSchema object, values can be added to the auxiliaryClass property but not removed. After creation of the class, the systemAuxiliaryClass property cannot be changed.

defaultObjectCategory
    The distinguished name of this object class or one of its superclasses. When an instance of this object class is created, the system sets the objectCategory property of the new instance to the value specified in the defaultObjectCategory property of its object class. The objectCategory property is an indexed property used to increase the efficiency of object class searches. If defaultObjectCategory is not specified when a class is created, the system sets it to the distinguished name (DN) of the classSchema object for this class. If this object will be frequently queried by the value of a superclass rather than the object's own class, you can set defaultObjectCategory to the DN of the superclass. For example, if you are subclassing a predefined (category 1) class, the best practice is to set defaultObjectCategory to the same value as the superclass. This enables the standard UI to "find" your subclass.
    For more information, see Object Class and Object Category.

defaultHidingValue
    A Boolean value that specifies the default setting of the showInAdvancedViewOnly property of new instances of this class. Many directory objects are not interesting to end users. To keep these objects from cluttering the UI, every object has a Boolean attribute called showInAdvancedViewOnly. If defaultHidingValue is set to TRUE, new object instances are hidden in the Administrative snap-ins and the Windows shell. A menu item for the object class will not appear in the New context menu of the Administrative snap-ins even if the appropriate creation wizard properties are set on the object class's displaySpecifier object.
    If defaultHidingValue is set to FALSE, new instances of the object are displayed in the Administrative snap-ins and the Windows shell. Set this property to FALSE to see instances of the class in the administrative snap-ins and the shell and to enable a creation wizard and its menu item in the New menu of the administrative snap-ins.
    If the defaultHidingValue value is not set, the default is TRUE.

systemFlags
    An integer value that contains flags that define additional properties of the class. The 0x10 bit identifies a category 1 class (a class that is part of the base schema that is included with the system). You cannot set this bit, which means that the bit is not set in category 2 classes (which are extensions to the schema).

systemOnly
    A Boolean value that specifies whether only the Active Directory server can modify the class. System-only classes can be created or deleted only by the Directory System Agent (DSA). System-only classes are those that the system depends on for normal operations.

defaultSecurityDescriptor
    Specifies the default security descriptor for new objects of this class. For more information, see Default Security Descriptor and How Security Descriptors are Set on New Directory Objects.

isDefunct
    A Boolean value that indicates whether the class is defunct. For more information, see Disabling Existing Classes and Attributes.

description
    A text description of the class for use by administrative applications.

objectClass
    Identifies the object class of which this object is an instance, which is the classSchema object class for all class definitions and the attributeSchema object class for all attribute definitions.
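The inheritance rules in the table (mustContain and mayContain are unioned over the superclass chain and every auxiliary class; possSuperiors is unioned over the superclass chain only; subClassOf must exist and must have a category compatible with the new class) are easy to state and easy to get wrong when reviewing a schema extension. The example below is added here and is not code from the original page or from Microsoft. It models the relevant classSchema attributes as plain records, computes the effective mandatory attributes, optional attributes and possible parents of a class, and validates a proposed new class against the table's rules. The numeric objectClassCategory values (1 structural, 2 abstract, 3 auxiliary) are an assumption stated in the code, and the sample schema is a constructed, heavily simplified stand-in for a few base classes, not the real base schema.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumption: objectClassCategory values as stored on classSchema objects.
STRUCTURAL, ABSTRACT, AUXILIARY = 1, 2, 3
# Which categories a class of each category may name in subClassOf (per the table).
ALLOWED_SUPERCLASS = {STRUCTURAL: {STRUCTURAL, ABSTRACT}, ABSTRACT: {ABSTRACT}, AUXILIARY: {ABSTRACT, AUXILIARY}}

@dataclass
class ClassDef:
    """The subset of classSchema attributes that drive inheritance."""
    name: str                       # lDAPDisplayName
    category: int                   # objectClassCategory
    sub_class_of: Optional[str]     # subClassOf; None only for top
    system_must: Set[str] = field(default_factory=set)      # systemMustContain
    must: Set[str] = field(default_factory=set)             # mustContain
    system_may: Set[str] = field(default_factory=set)       # systemMayContain
    may: Set[str] = field(default_factory=set)              # mayContain
    system_poss_sup: Set[str] = field(default_factory=set)  # systemPossSuperiors
    poss_sup: Set[str] = field(default_factory=set)         # possSuperiors
    system_aux: Set[str] = field(default_factory=set)       # systemAuxiliaryClass
    aux: Set[str] = field(default_factory=set)              # auxiliaryClass

Schema = Dict[str, ClassDef]

def superclass_chain(schema: Schema, name: str) -> List[ClassDef]:
    """The class itself followed by its superclasses up to top (a subClassOf walk)."""
    chain, seen, cur = [], set(), name
    while cur is not None:
        if cur in seen:
            raise ValueError(f"subClassOf cycle at {cur}")
        seen.add(cur)
        chain.append(schema[cur])
        cur = schema[cur].sub_class_of
    return chain

def inheritance_closure(schema: Schema, name: str) -> List[ClassDef]:
    """Superclass chain plus every auxiliary class (and its own chain) declared on it."""
    out: List[ClassDef] = []
    visited: Set[str] = set()
    def visit(n: str) -> None:
        for c in superclass_chain(schema, n):
            if c.name in visited:
                continue
            visited.add(c.name)
            out.append(c)
            for a in c.system_aux | c.aux:
                visit(a)
    visit(name)
    return out

def effective_attributes(schema: Schema, name: str):
    """Union of (system)mustContain and (system)mayContain over the whole closure."""
    must, may = set(), set()
    for c in inheritance_closure(schema, name):
        must |= c.system_must | c.must
        may |= c.system_may | c.may
    return must, may

def effective_superiors(schema: Schema, name: str) -> Set[str]:
    """Union of (system)possSuperiors over the superclass chain only: auxiliary classes
    contribute attributes but never possible parents."""
    sup: Set[str] = set()
    for c in superclass_chain(schema, name):
        sup |= c.system_poss_sup | c.poss_sup
    return sup

def validate_new_class(schema: Schema, new: ClassDef) -> List[str]:
    """Check a proposed class against the uniqueness and subClassOf rules in the table."""
    problems: List[str] = []
    if new.name in schema:
        problems.append(f"lDAPDisplayName {new.name} is already used in the schema container")
    parent = schema.get(new.sub_class_of or "")
    if parent is None:
        problems.append(f"subClassOf {new.sub_class_of} does not exist; the classSchema object would not be added")
    elif parent.category not in ALLOWED_SUPERCLASS[new.category]:
        problems.append(f"category {new.category} class may not derive from category {parent.category} class {parent.name}")
    for a in new.system_aux | new.aux:
        if a not in schema or schema[a].category != AUXILIARY:
            problems.append(f"{a} is not an existing auxiliary class")
    return problems

def sample_schema() -> Schema:
    """Constructed, simplified stand-in for a few base-schema classes (not the real schema)."""
    defs = [
        ClassDef("top", ABSTRACT, None, system_must={"objectClass", "instanceType", "nTSecurityDescriptor", "objectCategory"},
                 system_may={"description", "showInAdvancedViewOnly"}),
        ClassDef("securityPrincipal", AUXILIARY, "top", system_must={"objectSid", "sAMAccountName"},
                 system_may={"sIDHistory"}, system_poss_sup={"lostAndFound"}),
        ClassDef("person", STRUCTURAL, "top", system_must={"cn"}, system_may={"sn", "telephoneNumber"},
                 system_poss_sup={"organizationalUnit", "container"}),
        ClassDef("organizationalPerson", STRUCTURAL, "person", system_may={"title", "department"},
                 system_poss_sup={"organizationalUnit"}),
        ClassDef("user", STRUCTURAL, "organizationalPerson", system_may={"userPrincipalName", "lastLogon"},
                 system_poss_sup={"domainDNS", "organizationalUnit", "builtinDomain"}, system_aux={"securityPrincipal"}),
    ]
    return {c.name: c for c in defs}

if __name__ == "__main__":
    s = sample_schema()
    must, may = effective_attributes(s, "user")
    print("user must:", sorted(must))
    print("user may:", sorted(may))
    print("user possible parents:", sorted(effective_superiors(s, "user")))
    print(validate_new_class(s, ClassDef("contosoUser", STRUCTURAL, "securityPrincipal")))
```

The possSuperiors result is the one to watch in a review: the constructed securityPrincipal auxiliary carries a possible superior that does not reach user, exactly as the table says. To run this against a live forest, populate the ClassDef records from the classSchema objects in the schema container instead of sample_schema().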