User Object Attributes

A user object has multiple attributes. This section documents key attributes used by Windows, administrative tools, and the Windows Address Book (WAB). It does not describe all attributes; many attributes are not used for the user object.

Some attributes are stored in the directory, such as cn, nTSecurityDescriptor, objectGUID, and so on, and replicated to all domain controllers within a domain. A subset of these attributes is also replicated to the global catalog.

Non-replicated attributes, such as badPwdCount, lastLogon, and lastLogoff, are stored on each domain controller but are not replicated elsewhere. These attributes pertain to the particular domain controller that holds them. For example, lastLogon is the date and time at which the user's network logon was last validated by the particular domain controller that is returning the value; another domain controller in the same domain may return a different value, or none at all.

A user object also has constructed attributes that are not stored in the directory, but are calculated by the domain controller, such as canonicalName, distinguishedName, allowedAttributes, and so on.
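Because lastLogon is non-replicated, a single LDAP query returns only the value held by the domain controller that answered it. The following PowerShell function is an added example (not code from the original page) that queries every domain controller in the domain for the same user, keeps the largest FILETIME value, and converts it to a UTC timestamp; it assumes the ActiveDirectory module (RSAT) and an account that can read the user object on each DC. The user name and the sample per-DC values are constructed placeholders so the function can also be exercised offline.

```powershell
# Added example: resolve a user's most recent network logon from the
# non-replicated lastLogon attribute by asking every domain controller.
# Assumes the ActiveDirectory module (RSAT). Names and sample values below
# are constructed placeholders, not values from the original page.

function Get-EffectiveLastLogon {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Constructed input for offline use: hashtable of DC host name -> lastLogon
        # FILETIME (100-ns intervals since 1601-01-01 UTC). When omitted,
        # every DC in the domain is queried over LDAP.
        [hashtable]$PerDcValues
    )

    if (-not $PerDcValues) {
        $PerDcValues = @{}
        foreach ($dc in (Get-ADDomainController -Filter *)) {
            # lastLogon is per-DC, so the same query must be sent to each DC.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            # A missing value casts to 0, meaning "never validated on this DC".
            $PerDcValues[$dc.HostName] = [int64]$u.lastLogon
        }
    }

    $latest = ($PerDcValues.Values | Measure-Object -Maximum).Maximum
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        LastLogonUtc   = if ($latest -gt 0) { [DateTime]::FromFileTimeUtc($latest) } else { $null }
        ReportedBy     = ($PerDcValues.GetEnumerator() | Where-Object Value -eq $latest).Key
        PerDc          = $PerDcValues
    }
}

# Constructed sample: two DCs report different lastLogon values for one user
# because the user authenticated against each of them at different times.
$sample = @{
    'dc01.example.com' = 133500000000000000   # constructed FILETIME
    'dc02.example.com' = 133500864000000000   # exactly one day later (constructed)
}
Get-EffectiveLastLogon -SamAccountName 'jdoe' -PerDcValues $sample
```

The replicated attribute lastLogonTimestamp is the usual shortcut for stale-account reports, but it is updated only when the stored value is older than a configurable interval (14 days by default), so it cannot be used to answer "when did this user last log on" precisely; the per-DC maximum above can.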

User object attributes

Attributes for user objects have the following classifications.

Base object attributes

This category includes attributes required for all directory objects, such as objectClass, nTSecurityDescriptor, and so on.

Naming attributes

This category includes attributes used to refer to or identify the object, such as distinguishedName, objectGUID, objectSID, and so on. For more information about naming attributes for user objects, see User Naming Attributes.

Security attributes

This category includes attributes for logon and access control. For more information about security attributes for user objects, see User Security Attributes.

Address book attributes

This category includes attributes for email and user data. For more information about address book attributes for user objects, see User Address Book Attributes.

Application-specific attributes

This category includes user-specific configuration data for specific applications.

More attribute information

For more information about reading and modifying attributes for a user object, see Reading and Writing Attributes of Objects in Active Directory Domain Services.

For more information about the User class, including a complete list of the mayContain and mustContain attributes of the class, see User.

Setting passwords

The password for a user cannot be modified directly by writing the password attribute, because this would involve sending an unencrypted password over the network. To set the password for a user, use the IADsUser.ChangePassword or IADsUser.SetPassword method. IADsUser.ChangePassword is used when the application allows the user to change their own password; it requires the current password. IADsUser.SetPassword is used when the application enables an administrator to reset a password; it does not require the current password.
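The two methods described above are reachable from PowerShell through the [ADSI] type accelerator, which wraps the IADsUser interface. The following is an added example (not code from the original page) that pairs an administrative reset (SetPassword) with a user-initiated change (ChangePassword); the distinguished name, passwords, and the pwdLastSet handling after a reset are the example's own assumptions, and the reset must run under an account that holds the Reset Password right on the user object.

```powershell
# Added example: call IADsUser.SetPassword and IADsUser.ChangePassword from
# PowerShell via the [ADSI] accelerator. The distinguished name and password
# values are placeholders; the pwdLastSet step is this example's assumption.

function Reset-UserPasswordAdmin {
    param(
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][string]$NewPassword,
        [switch]$MustChangeAtNextLogon
    )
    $user = [ADSI]"LDAP://$UserDn"
    # IADsUser.SetPassword: administrative reset. The current password is not
    # needed and the call takes effect immediately (no SetInfo required).
    $user.SetPassword($NewPassword)
    if ($MustChangeAtNextLogon) {
        # pwdLastSet = 0 forces the user to choose a new password at next logon,
        # so the reset value is only a one-time credential.
        $user.Put('pwdLastSet', 0)
        $user.SetInfo()
    }
}

function Set-OwnPassword {
    param(
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][string]$OldPassword,
        [Parameter(Mandatory)][string]$NewPassword
    )
    $user = [ADSI]"LDAP://$UserDn"
    # IADsUser.ChangePassword: requires the current password, so it is the
    # right call when a user changes their own password. The domain controller
    # enforces password policy (length, complexity, history, minimum age).
    $user.ChangePassword($OldPassword, $NewPassword)
}

# Usage (placeholders only):
# Reset-UserPasswordAdmin -UserDn 'CN=Jane Doe,OU=Users,DC=example,DC=com' `
#                         -NewPassword 'placeholder-reset' -MustChangeAtNextLogon
# Set-OwnPassword -UserDn 'CN=Jane Doe,OU=Users,DC=example,DC=com' `
#                 -OldPassword 'placeholder-old' -NewPassword 'placeholder-new'
```

Both calls let ADSI negotiate a protected channel to the domain controller rather than writing the password attribute in the clear, which is why the page directs applications to these methods instead of a direct attribute write; administrative resets with SetPassword bypass the minimum-age check that applies to ChangePassword, so the two should not be treated as interchangeable in tooling.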