Skip to Content

Active Directory Connection Details

Introduction

Connector Version

This documentation is based on version 21.0.8657 of the connector.

Important

We recommend using the Active Directory v2 connector to connect to the on-premises version of Active Directory as it allows for additional configuration properties.

Get Started

Active Directory Version Support

The connector provides SQL-based access to Active Directory through the LDAP protocol. The connector is a standard LDAP client that supports LDAP v2 and v3.

Establish a Connection

Authenticate to Active Directory

To authenticate requests, set the User and Password properties to valid Active Directory credentials (e.g., set User to "Domain\BobF" or "cn=Bob F,ou=Employees,dc=Domain").

The connector uses plaintext authentication by default, since the connector attempts to negotiate TLS/SSL with the server. You can specify another authentication method with AuthMechanism.

See SSL Configuration for more information on TLS/SSL configuration.

Connect to Active Directory

Set Server and Port for basic connectivity. Additionally, you can fine-tune the connection with the following:

  • FollowReferrals: When set, the connector surfaces data as views from only referral servers. To modify data on a referral server, you must specify this server with Server and Port.
  • LDAPVersion: Set this to the version of the protocol your server implements; by default, the connector uses version 2.

Fine Tuning Data Access

The following properties control the scope of data returned:

  • BaseDN will limit the scope of LDAP searches to the height of the distinguished name provided. Note: Specifying a narrow BaseDN may greatly increase performance; for example, a value of "cn=users,dc=domain" will only return results contained within "cn=users" and its children.
  • Scope: This property enables more granular control over the data to return from a subtree.

Customize Tables

The connector surfaces the columns most often needed from Active Directory entities. However, if you need to work with other data, the tables are easy to modify. Tables are defined in schema files, which have a simple format.

See Working with Active Directory Tables for a guide to extending the default schemas or writing your own. To use custom schemas, set the Location property to the folder containing the schema files.

Work with Active Directory Tables

The connector includes table schemas for many standard Active Directory objects. You can easily extend the included table schemas to edit column behavior or you can write your own from scratch.

Table schemas are defined in .rsd files, which are simple configuration files. This section will walk through different parts of the schema, adding several columns to the Person table as an example.

You can find the Person.rsd file in the db subfolder in the installation folder of the Active Directory connector.

Connect to Custom Tables

To use custom schemas, set the Location property to the folder containing the schema files.

Define a New Table

It is important to define a new table with the same name as the object class that the table will represent. This will allow the connector to search for only the desired object class when querying the Active Directory server. The file name defines the table name.

Define Table Columns and Inputs

Columns are defined in the rsb:info block, a shown below. The attr tags in the schema represent the columns of the table. These should match the attributes that make up the desired object class.

There are a few columns that every table should include, regardless of the object class:

<rsb:script xmlns:rsb="http://www.rssbus.com/ns/rsbscript/2">
<rsb:info title="Person" description="Create, update, delete, and query person entries in Active Directory.">
<!-- Required Columns -->
<attr name="Id"          xs:type="string" readonly="true"  key="true"        />
<attr name="DN"          xs:type="string" readonly="true"  required="false" other:ldaptype="OID" />
<attr name="RDN"         xs:type="string" readonly="true"  required="false" other:ldaptype="Directory String" />
<attr name="BaseDN"      xs:type="string" readonly="true"  required="false" other:ldaptype="OID" />

Note: The title attribute of the rsb:info block must match the name of the .rsd file.

Customize Column Behavior

Each column requires at least name and xs:type attributes. Additionally, you will need to specify dataFormat to decide how data is returned from the table. For example:

<!-- Person Required Attributes -->
<attr name="ObjectClass"                 other:dataFormat="splitDataByRow" xs:type="string" readonly="false" required="false" other:ldaptype="OID" />
<attr name="SN"                          other:dataFormat="delimitedData"  xs:type="string" readonly="false" required="false" other:ldaptype="Directory String" />
<attr name="CN"                          other:dataFormat="delimitedData"  xs:type="string" readonly="false" required="false" other:ldaptype="Directory String" />

<!-- Person Optional Attributes -->
<attr name="UserPassword"                other:dataFormat="delimitedData"  xs:type="string" readonly="false" required="false" other:ldaptype="Binary" />
<attr name="TelephoneNumber"             other:dataFormat="delimitedData"  xs:type="string" readonly="false" required="false" other:ldaptype="Directory String" />
<attr name="SeeAlso"                     other:dataFormat="delimitedData"  xs:type="string" readonly="false" required="false" other:ldaptype="DN" />
<attr name="Description_1"               other:dataFormat="splitDataByCol" xs:type="string" readonly="false" required="false" other:ldaptype="Directory String" />
<attr name="Description_2"               other:dataFormat="splitDataByCol" xs:type="string" readonly="false" required="false" other:ldaptype="Directory String" />
<attr name="Description_3"               other:dataFormat="splitDataByCol" xs:type="string" readonly="false" required="false" other:ldaptype="Directory String" />

The other:dataFormat attribute has three options:

  • delimitedData: Return multiple Active Directory attribute values as delimited strings, separated by the delimiter character defined in the Table Settings section of the .rsd file, detailed later.

    This is the default format in which to retrieve data and the delimiter defaults to a semicolon.

  • splitDataByRow: Push multiple Active Directory attribute values for the same DN as separate rows. All other columns will be pushed consistently, and the index in ID will be incremented. Note: Pushing multiple columns like this will exponentially grow the result set, potentially causing performance issues.

  • splitDataByCol: Push multiple Active Directory attribute values for the same DN with an appended index on the column name. You need to define multiple columns and append an "_n" to the end; for example, ObjectClass_1, ObjectClass_2, and ObjectClass_3. In this example, if there are more than 3 values, the remaining values will not be visible in the table, unless more columns are added.

Example: Splitting the ObjectClass Attribute

The code below can be used to split the different values of the ObjectClass attributes into their own rows and Description attributes into their own columns. Notice the column definition now includes multiple columns for the Description attribute. Also note the other:dataFormat attribute for the attr.

...
<attr name="ObjectClass"     other:dataFormat="delimitedData" xs:type="string"  readonly="false" required="false" other:ldaptype="OID" />
<attr name="SN"              other:dataFormat="delimitedData" xs:type="string"  readonly="false" required="false" other:ldaptype="Directory String" />
<attr name="CN"              other:dataFormat="delimitedData" xs:type="string"  readonly="false" required="false" other:ldaptype="Directory String" />
<attr name="UserPassword"    other:dataFormat="delimitedData" xs:type="string"  readonly="false" required="false" other:ldaptype="Binary" />
<attr name="TelephoneNumber" other:dataFormat="delimitedData" xs:type="string"  readonly="false" required="false" other:ldaptype="Directory String" />
<attr name="SeeAlso"         other:dataFormat="delimitedData" xs:type="string"  readonly="false" required="false" other:ldaptype="DN" />
<attr name="Description_1"   other:dataFormat="delimitedData" xs:type="string"  readonly="false" required="false" other:ldaptype="Directory String" />
<attr name="Description_2"   other:dataFormat="delimitedData" xs:type="string"  readonly="false" required="false" other:ldaptype="Directory String" />
<attr name="Description_3"   other:dataFormat="delimitedData" xs:type="string"  readonly="false" required="false" other:ldaptype="Directory String" />

</rsb:info>

<!-- Table Settings -->
<rsb:set attr="delimiter" value=";"/>
...

An example result will look like:

Id DN ObjectClass SN CN UserPassword TelephoneNumber SeeAlso Description_1 Description_2 Description_3
1|CN=User1, DC=Test CN=User1, DC=Test Top TestSN User1 555-5555 A;B;C Desc1 Desc2 Desc3
2|CN=User1, DC=Test CN=User1, DC=Test User TestSN User1 555-5555 A;B;C Desc1 Desc2 Desc3
Specify Column Encoding

In addition to data format on inputs, encoding can also be specified. Currently, returning data with UTF8 encoding or BASE64 encoding is supported. In order to retrieve data with a specified encoding, the other:encoding field must be specified for the desired attribute to be encoded. If no encoding is specified, UTF8 is the default.

An example of specifying encoding for an attribute:

...
<attr name="ObjectClass"     other:dataFormat="delimitedData" other:encoding="UTF8"   xs:type="string"  readonly="false" required="false" other:ldaptype="OID" desc="The object class of the entry."/>
<attr name="SN"              other:dataFormat="delimitedData" other:encoding="BASE64" xs:type="string"  readonly="false" required="false" other:ldaptype="Directory String" desc="The surname of the person."/>
...
Modify Filter Behavior

Optionally, there are two attributes that can be used to control how filtering is handled when using the driver with SupportEnhancedSQL. The other:ldaptype attribute can be used to set the LDAP syntax of a field. This is used to determine the comparison operators that are supported server-side on a per-field basis. For example, if a field is marked as the type 'DN' and a query filtering for a substring (i.e., CONTAINS), which is not supported server-side, the driver will instead process this part of the filter entirely client-side. The supported type names are found in section 4.3.2 of RFC 2252. If you are unsure of the type or just want to disable server-side filtering for a given column entirely, the other:filterable attribute is also available. Setting this to false for the field will prevent this from ever being sent to the server in a filter, overriding the other:ldaptype attribute entirely.

Configure Table Settings

In addition to the attributes and inputs, you will need to specify the delimiter.

The delimiter specifies the character that will be used for delimited data. Delimited data will be returned for any attribute that appears multiple times for a single object (unless otherwise specified in other:dataFormat).

For example, the code below will concatenate multiple values of an attribute using the ';' character.

...
</rsb:info>

<!-- Table Settings -->
<rsb:set attr="delimiter" value=";"/>
...

Define Supported Operations

Operation definitions will remain exactly the same for all newly created tables: Simply copy and paste these from an existing table, as needed.

<!-- Operation definitions -->
<rsb:script method="GET">
<rsb:set attr="action" value="Get" />
<rsb:call op="ldapadoLDAP" >
<rsb:push />
</rsb:call>
</rsb:script>

<rsb:script method="POST">
<rsb:set attr="action" value="Post" />
<rsb:call op="ldapadoLDAP" >
<rsb:push item="toout"/>
</rsb:call>
</rsb:script>

<rsb:script method="MERGE">
<rsb:set attr="action" value="Merge" />
<rsb:call op="ldapadoLDAP" >
<rsb:push />
</rsb:call>
</rsb:script>

<rsb:script method="DELETE">
<rsb:set attr="action" value="Delete" />
<rsb:call op="ldapadoLDAP" >
<rsb:push />
</rsb:call>
</rsb:script>

Important Notes

Stored Procedures

  • The stored procedures features described in this documentation are not currently supported.
  • Because stored procedures are not currently supported, any feature dependent on stored procedures is also currently not supported.

Configuration Files and Their Paths

  • All references to adding configuration files and their paths refer to files and locations on the Jitterbit agent where the connector is installed. These paths are to be adjusted as appropriate depending on the agent and the operating system. If multiple agents are used in an agent group, identical files will be required on each agent.

Advanced Features

This section details a selection of advanced features of the Active Directory connector.

User Defined Views

The connector allows you to define virtual tables, called user defined views, whose contents are decided by a pre-configured query. These views are useful when you cannot directly control queries being issued to the drivers. See User Defined Views for an overview of creating and configuring custom views.

SSL Configuration

Use SSL Configuration to adjust how connector handles TLS/SSL certificate negotiations. You can choose from various certificate formats; see the SSLServerCert property under "Connection String Options" for more information.

User Defined Views

The Active Directory connector allows you to define a virtual table whose contents are decided by a pre-configured query. These are called User Defined Views, which are useful in situations where you cannot directly control the query being issued to the driver, e.g. when using the driver from Jitterbit. The User Defined Views can be used to define predicates that are always applied. If you specify additional predicates in the query to the view, they are combined with the query already defined as part of the view.

There are two ways to create user defined views:

  • Create a JSON-formatted configuration file defining the views you want.
  • DDL statements.

Define Views Using a Configuration File

User Defined Views are defined in a JSON-formatted configuration file called UserDefinedViews.json. The connector automatically detects the views specified in this file.

You can also have multiple view definitions and control them using the UserDefinedViews connection property. When you use this property, only the specified views are seen by the connector.

This User Defined View configuration file is formatted as follows:

  • Each root element defines the name of a view.
  • Each root element contains a child element, called query, which contains the custom SQL query for the view.

For example:

{
    "MyView": {
        "query": "SELECT * FROM User WHERE MyColumn = 'value'"
    },
    "MyView2": {
        "query": "SELECT * FROM MyTable WHERE Id IN (1,2,3)"
    }
}

Use the UserDefinedViews connection property to specify the location of your JSON configuration file. For example:

"UserDefinedViews", "C:\Users\yourusername\Desktop\tmp\UserDefinedViews.json"

Schema for User Defined Views

User Defined Views are exposed in the UserViews schema by default. This is done to avoid the view's name clashing with an actual entity in the data model. You can change the name of the schema used for UserViews by setting the UserViewsSchemaName property.

Work with User Defined Views

For example, a SQL statement with a User Defined View called UserViews.RCustomers only lists customers in Raleigh:

SELECT * FROM Customers WHERE City = 'Raleigh';

An example of a query to the driver:

SELECT * FROM UserViews.RCustomers WHERE Status = 'Active';

Resulting in the effective query to the source:

SELECT * FROM Customers WHERE City = 'Raleigh' AND Status = 'Active';

That is a very simple example of a query to a User Defined View that is effectively a combination of the view query and the view definition. It is possible to compose these queries in much more complex patterns. All SQL operations are allowed in both queries and are combined when appropriate.

SSL Configuration

Customize the SSL Configuration

By default, the connector attempts to negotiate SSL/TLS by checking the server's certificate against the system's trusted certificate store.

To specify another certificate, see the SSLServerCert property for the available formats to do so.

Data Model

The Active Directory connector models Active Directory entities in relational tables and stored procedures.

Tables

The included Tables cover many standard Active Directory object classes. You can easily extend the schemas to map more closely to your Active Directory classes. The schemas are defined in simple configuration files.

To use custom tables and schemas, set the Location property to the folder containing the schema files. The schemas shipped with the connector are located in the db subfolder of the installation directory.

See Working with Active Directory Tables for a guide to customizing table schemas.

Stored Procedures

Stored Procedures are function-like interfaces to the data source. They can be used to access Active Directory functionality not represented as SELECT, INSERT, UPDATE, or DELETE.

Collaborative Query Processing

API limitations and requirements are documented in this section. The connector offloads as much of the SELECT statement processing as possible to Active Directory and then processes the rest of the query in memory.

See SupportEnhancedSQL for more information on how the connector circumvents API limitations with in-memory client-side processing.

Tables

The connector models the data in Active Directory into a list of tables that can be queried using standard SQL statements.

Generally, querying Active Directory tables is the same as querying a table in a relational database. Sometimes there are special cases, for example, including a certain column in the WHERE clause might be required to get data for certain columns in the table. This is typically needed for situations where a separate request must be made for each row to get certain columns. These types of situations are clearly documented at the top of the table page linked below.

Active Directory Connector Tables

Name Description
Account The account object class is used to define entries that represent computer accounts.
ApplicationEntity X.500 base class for applications: Directory Service only uses subclass MSFT-DSA.
ApplicationProcess X.500 base class for applications: Exchange only uses subclass DSA-Application.
ApplicationSettings Base class for server-specific application settings.
ApplicationSiteSettings Contains all site-specific settings.
ApplicationVersion Can be used by application developers to store version information about their application or its schema.
BuiltinDomain The container that holds the default groups for a domain.
CertificationAuthority Represents a process that issues public key certificates, for example, a Certificate Server.
Computer This class represents a computer account in the domain.
Contact This class contains information about a person or company that you may need to contact on a regular basis.
CRLDistributionPoint The object holding Certificate, Authority, and Delta Revocation lists.
DHCPClass Represents a DHCP Server (or set of servers).
DnsNode Holds the DNS resource records for a single host.
DnsZone The container for DNS Nodes. Holds zone metadata.
Domain Contains information about a domain.
DomainDNS Windows NT domain with DNS-based (DC=) naming.
DomainPolicy Defines the local security authority policy for one or more domains.
DomainRelatedObject The domainRelatedObject object class is used to define an entry that represents a series of documents.
ForeignSecurityPrincipal The Security Principal from an external source.
Group Stores a list of user names. Used to apply security principals on resources.
GroupOfNames Used to define entries that represent an unordered set of names that represent individual objects or other groups of names.
GroupOfUniqueNames Defines the entries for a group of unique names. In general, used to store account objects.
GroupPolicyContainer This represents the Group Policy Object. It is used to define group polices.
IpHost Represents an abstraction of a host or other IP device.
IpNetwork Represents an abstraction of a network. The distinguished name value of the Common-Name attribute denotes the canonical name of the network.
Organization Stores information about a company or organization.
OrganizationalPerson This class is used for objects that contain organizational information about a user, such as the employee number, department, manager, title, office address, and so on.
OrganizationalRole This class is used for objects that contain information that pertains to a position or role within an organization, such as a system administrator, manager, and so on. It can also be used for a nonhuman identity in an organization.
OrganizationalUnit A container for storing users, computers, and other account objects.
Person Contains personal information about a user.
PosixAccount Represents an abstraction of an account with Portable Operating System Interface (POSIX) attributes.
PosixGroup Represents an abstraction of a group of accounts.
PrintQueue Contains information about a print queue.
SecurityObject This is an auxiliary class that is used to identify security principals.
SecurityPrincipal Contains the security information for an object.
Server This class represents a server computer in a site.
Site A container for storing server objects. Represents a physical location that contains computers. Used to manage replication.
Top The top level class from which all classes are derived.
TrustedDomain An object that represents a domain trusted by (or trusting) the local domain.
User This class is used to store information about an employee or contractor who works for an organization. It is also possible to apply this class to long term visitors.

Account

The account object class is used to define entries that represent computer accounts.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
Host String False DelimitedData Specifies a host computer.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
L String False DelimitedData Represents the name of a locality, such as a town or city.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MsCOM-PartitionSetLink String False DelimitedData A link used to associate a COM+ Partition with a COM+ PartitionSet object.
MsCOM-UserLink String False DelimitedData A link used to associate a COM+ PartitionSet with a User object.
MsDS-Approx-Immed-Subordinates String False DelimitedData The value returned by this attribute is based on index sizes. This may be off by +/-10% on large containers, and the error is theoretically unbounded, but using this attribute helps the UI display the contents of a container.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MsDs-masteredBy String False DelimitedData Backward link for msDS-hasMasterNCs.
MsDS-MembersForAzRoleBL String False DelimitedData Backward link from member application group or user to Az-Role objects linking to it.
MsDS-NCReplCursors String False DelimitedData A list of past and present replication partners, and how current we are with each of them.
MsDS-NCReplInboundNeighbors String False DelimitedData Replication partners for this partition. This server obtains replication data from these other servers, which act as sources.
MsDS-NCReplOutboundNeighbors String False DelimitedData Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available.
MsDS-NonMembersBL String False DelimitedData Backward link from non-member group or user to Az groups that link to it (same functionality as Non-Security-Member-BL).
MsDS-ObjectReferenceBL String False DelimitedData Backward link for ms-DS-Object-Reference.
MsDS-OperationsForAzRoleBL String False DelimitedData Backward link from Az-Operation to Az-Role objects that link to it.
MsDS-OperationsForAzTaskBL String False DelimitedData Backward link from Az-Operation to Az-Task objects that link to it.
MsDS-ReplAttributeMetaData String False DelimitedData A list of metadata for each replicated attribute. The metadata indicates who changed the attribute last.
MsDS-ReplValueMetaData String False DelimitedData A list of metadata for each value of an attribute. The metadata indicates who changed the value last.
MsDS-TasksForAzRoleBL String False DelimitedData Backward link from Az-Task to Az-Role objects that link to it.
MsDS-TasksForAzTaskBL String False DelimitedData Backward link from Az-Task to the Az-Task objects that link to it.
OwnerBL String False DelimitedData The backward link to the owner attribute. Contains a list of owners for an object.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
Ou String False DelimitedData The name of the organizational unit.
O String False DelimitedData The name of the company or organization.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
StructuralObjectClass String False DelimitedData This constructed attribute stores a list of classes contained in a class hierarchy, including abstract classes. This list does contain dynamically linked auxiliary classes.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
Uid String False DelimitedData A user ID.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

ApplicationEntity

X.500 base class for applications: Directory Service only uses subclass MSFT-DSA.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
PresentationAddress String False DelimitedData Specifies a presentation address associated with an object that represents an OSI application entity.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
L String False DelimitedData Represents the name of a locality, such as a town or city.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
Ou String False DelimitedData The name of the organizational unit.
O String False DelimitedData The name of the company or organization.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SupportedApplicationContext String False DelimitedData Specifies the object identifiers of application contexts that an OSI application supports.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

ApplicationProcess

X.500 base class for applications: Exchange only uses subclass DSA-Application.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
L String False DelimitedData Represents the name of a locality, such as a town or city.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
Ou String False DelimitedData The name of the organizational unit.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

ApplicationSettings

Base class for server-specific application settings.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
ApplicationName String False DelimitedData The name of the application.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
NotificationList String False DelimitedData The Notification-List attribute is not currently used.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

ApplicationSiteSettings

Contains all site-specific settings.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
ApplicationName String False DelimitedData The name of the application.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
NotificationList String False DelimitedData The Notification-List attribute is not currently used.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

ApplicationVersion

Can be used by application developers to store version information about their application or its schema.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
ApplicationName String False DelimitedData The name of the application.
AppSchemaVersion String False DelimitedData This attribute stores the schema version of the class store. It is used to provide correct behavior across schema changes.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
Keywords String False DelimitedData A list of keywords that can be used to locate a given connection point.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedBy String False DelimitedData The distinguished name of the user that is assigned to manage this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MsCOM-PartitionSetLink String False DelimitedData A link used to associate a COM+ Partition with a COM+ PartitionSet object.
MsCOM-UserLink String False DelimitedData A link used to associate a COM+ PartitionSet with a User object.
MsDS-Approx-Immed-Subordinates String False DelimitedData The value returned by this attribute is based on index sizes. This may be off by +/-10% on large containers, and the error is theoretically unbounded, but using this attribute helps the UI display the contents of a container.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MsDs-masteredBy String False DelimitedData Backward link for msDS-hasMasterNCs.
MsDS-MembersForAzRoleBL String False DelimitedData Backward link from member application group or user to Az-Role objects linking to it.
MsDS-NCReplCursors String False DelimitedData A list of past and present replication partners, and how current we are with each of them.
MsDS-NCReplInboundNeighbors String False DelimitedData Replication partners for this partition. This server obtains replication data from these other servers, which act as sources.
MsDS-NCReplOutboundNeighbors String False DelimitedData Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available.
MsDS-NonMembersBL String False DelimitedData Backward link from non-member group or user to Az groups that link to it (same functionality as Non-Security-Member-BL).
MsDS-ObjectReferenceBL String False DelimitedData Backward link for ms-DS-Object-Reference.
MsDS-OperationsForAzRoleBL String False DelimitedData Backward link from Az-Operation to Az-Role objects that link to it.
MsDS-OperationsForAzTaskBL String False DelimitedData Backward link from Az-Operation to Az-Task objects that link to it.
MsDS-ReplAttributeMetaData String False DelimitedData A list of metadata for each replicated attribute. The metadata indicates who changed the attribute last.
MsDS-ReplValueMetaData String False DelimitedData A list of metadata for each value of an attribute. The metadata indicates who changed the value last.
MsDS-Settings String False DelimitedData Used to store settings for an object. Its use is solely determined by the object's owner. We recommend using it to store name/value pairs. For example, color=blue.
MsDS-TasksForAzRoleBL String False DelimitedData Backward link from Az-Task to Az-Role objects that link to it.
MsDS-TasksForAzTaskBL String False DelimitedData Backward link from Az-Task to the Az-Task objects that link to it.
OwnerBL String False DelimitedData The backward link to the owner attribute. Contains a list of owners for an object.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
NotificationList String False DelimitedData The Notification-List attribute is not currently used.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
Owner String False DelimitedData The distinguished name of an object that has ownership of an object.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
StructuralObjectClass String False DelimitedData This constructed attribute stores a list of classes contained in a class hierarchy, including abstract classes. This list does contain dynamically linked auxiliary classes.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
Vendor String False DelimitedData This attribute identifies the vendor for an application.
VersionNumber String False DelimitedData A general purpose version number.
VersionNumberHi String False DelimitedData A general purpose major version number.
VersionNumberLo String False DelimitedData A general purpose minor version number.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

BuiltinDomain

The container that holds the default groups for a domain.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
CreationTime String False DelimitedData The date and time that the object was created.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DomainReplica String False DelimitedData Unicode String Attribute, gives the list of Windows�NT&nbps;4.0 Replication Domain Controllers.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
ForceLogoff String False DelimitedData Used in computing the kick off time in SamIGetAccountRestrictions. Logoff time minus Force Log off equals kick off time.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
LockoutDuration String False DelimitedData The amount of time that an account is locked due to the Lockout-Threshold being exceeded. This value is stored as a large integer that represents the negative of the number of 100-nanosecond intervals from the time the Lockout-Threshold is exceeded that must elapse before the account is unlocked.
LockOutObservationWindow String False DelimitedData The range of time, in 100-nanosecond intervals, in which the system increments the incorrect logon count.
LockoutThreshold String False DelimitedData The number of invalid logon attempts that are permitted before the account is locked out.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
MaxPwdAge String False DelimitedData The maximum amount of time, in 100-nanosecond intervals, a password is valid. This value is stored as a large integer that represents the number of 100-nanosecond intervals from the time the password was set before the password expires.
MinPwdAge String False DelimitedData The minimum amount of time, in 100-nanosecond intervals, that a password is valid.
MinPwdLength String False DelimitedData The minimum number of characters that a password must contain.
ModifiedCount String False DelimitedData Net Logon Change Log serial number.
ModifiedCountAtLastProm String False DelimitedData The Net Logon Change Log serial number at last promotion.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NextRid String False DelimitedData The Next Rid field used by the mixed mode allocator.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectSid String False DelimitedData A binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OEMInformation String False DelimitedData For holding OEM information. No longer used. Here for backward compatibility.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
PwdHistoryLength String False DelimitedData The number of old passwords to save.
PwdProperties String False DelimitedData Password Properties. Part of Domain Policy. A bitfield to indicate complexity and storage restrictions.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ServerRole String False DelimitedData For compatibility with pre-Windows�2000 Server servers. A computer running Windows�NT Server can be a standalone server, a primary domain controller (PDC), or a backup domain controller (BDC).
ServerState String False DelimitedData Indicates whether the server is enabled or disabled. A value of 1 indicates that the server is enabled. A value of 2 indicates that the server is disabled. All other values are invalid.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
UASCompat String False DelimitedData Indicates if the security account manager will enforce data sizes to make Active Directory compatible with the LanManager User Account System (UAS). If this value is 0, no limits are enforced. If this value is 1, the following limits are enforced.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

CertificationAuthority

Represents a process that issues public key certificates, for example, a Certificate Server.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
AuthorityRevocationList String False DelimitedData Cross certificate, Certificate Revocation List.
CACertificate String False DelimitedData Certificates of trusted Certification Authorities.
CertificateRevocationList String False DelimitedData Represents a list of certificates that have been revoked.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CACertificateDN String False DelimitedData Full distinguished name from the CA certificate.
CAConnect String False DelimitedData The connection string for binding to a certification authority.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
CAUsages String False DelimitedData List of OID/CSP name concatenations.
CAWEBURL String False DelimitedData URL for http connection to a certification authority.
CertificateTemplates String False DelimitedData Contains information for a certificate issued by a Certificate Server.
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
CRLObject String False DelimitedData Reference to certificate revocation list object associated with a certification authority.
CrossCertificatePair String False DelimitedData V3 Cross Certificate.
CurrentParentCA String False DelimitedData Reference to the certification authorities that issued the current certificates for a certification authority.
DeltaRevocationList String False DelimitedData List of certificates that have been revoked since the last delta update.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DNSHostName String False DelimitedData Name of computer as registered in DNS.
DomainID String False DelimitedData Reference to a domain that is associated with a certification authority.
DomainPolicyObject String False DelimitedData Reference to the policy object that defines the Local Security Authority policy for the host domain.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
EnrollmentProviders String False DelimitedData PKI - Certificate Templates.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
ParentCA String False DelimitedData The distinguished name of a certification authority (CA) object for a parent CA.
ParentCACertificateChain String False DelimitedData DER-encoded X.509v3 certificate for the parent certification authority.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PendingCACertificates String False DelimitedData The certificates that are about to become effective for this certification authority.
PendingParentCA String False DelimitedData Reference to the certification authorities that issued the pending certificates for this certification authority.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
PreviousCACertificates String False DelimitedData Last expired certificate for this certification authority.
PreviousParentCA String False DelimitedData Reference to the certification authorities that issued the last expired certificate for a certification authority.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SearchGuide String False DelimitedData Specifies information of suggested search criteria, which may be included in some entries that are expected to be a convenient base-object for the search operation, for example, country/region or organization.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SignatureAlgorithms String False DelimitedData This attribute indicates the type of algorithm that must be used to decode a digital signature during the authentication process.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SupportedApplicationContext String False DelimitedData Specifies the object identifiers of application contexts that an OSI application supports.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TeletexTerminalIdentifier String False DelimitedData Specifies the Teletex terminal identifier and, optionally, parameters, for a teletex terminal associated with an object.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Computer

This class represents a computer account in the domain.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AccountExpires String False DelimitedData The date when the account expires. This value represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires.
ACSPolicyName String False DelimitedData String name of an ACS policy that applies to this user.
StreetAddress String False DelimitedData The user's address.
HomePostalAddress String False DelimitedData A user's home address.
AdminCount String False DelimitedData Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively).
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
Assistant String False DelimitedData The distinguished name of a user's administrative assistant.
BadPasswordTime String False DelimitedData The last time and date that an attempt to log on to this account was made with a password that is not valid. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last time a incorrect password was used is unknown.
BadPwdCount String False DelimitedData The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Catalogs String False DelimitedData The list of catalogs that index storage on a given computer.
CodePage String False DelimitedData Specifies the code page for the user's language of choice. This value is not used by Windows�2000.
Cn String False DelimitedData The name that represents an object. Used to perform searches.
Company String False DelimitedData The user's company name.
ControlAccessRights String False DelimitedData Used by DS Security to determine which users can perform specific operations on the host object.
CountryCode String False DelimitedData Specifies the country/region code for the user's language of choice. This value is not used by Windows�2000.
C String False DelimitedData The country/region in the address of the user. The country/region is represented as a 2-character code based on ISO-3166.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
DBCSPwd String False DelimitedData The account's LAN Manager password.
DefaultClassStore String False DelimitedData The default Class Store for a given user.
DefaultLocalPolicyObject String False DelimitedData A reference to a Policy object that defines the local policy for the host object.
Department String False DelimitedData Contains the name for the department in which the user works.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DesktopProfile String False DelimitedData The location of the desktop profile for a user or group of users. Not used.
DestinationIndicator String False DelimitedData This is part of the X.500 specification and not used by NTDS.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
Division String False DelimitedData The user's division.
DNSHostName String False DelimitedData Name of computer as registered in DNS.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
DynamicLDAPServer String False DelimitedData DNS name of server handing dynamic properties for this account.
Mail String False DelimitedData The list of email addresses for a contact.
EmployeeID String False DelimitedData The ID of an employee.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
FacsimileTelephoneNumber String False DelimitedData Contains telephone number of the user's business fax machine.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GenerationQualifier String False DelimitedData Indicates a person generation. For example, Jr. or II.
GivenName String False DelimitedData Contains the given name (first name) of the user.
GroupMembershipSAM String False DelimitedData Windows�NT Security. Down level Windows�NT support.
GroupPriority String False DelimitedData The Group-Priority attribute is not currently used.
GroupsToIgnore String False DelimitedData The Groups-to-Ignore attribute is not currently used.
HomeDirectory String False DelimitedData The home directory for the account. If homeDrive is set and specifies a drive letter, homeDirectory must be a UNC path. Otherwise, homeDirectory is a fully qualified local path including the drive letter (for example, DriveLetter:\Directory\Folder). This value can be a null string.
HomeDrive String False DelimitedData Specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the form DriveLetter: where DriveLetter is the letter of the drive to map. The DriveLetter must be a single, uppercase letter and the colon (:) is required.
Initials String False DelimitedData Contains the initials for parts of the user's full name. This may be used as the middle initial in the Windows Address Book.
InternationalISDNNumber String False DelimitedData Specifies an International ISDN Number associated with an object.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
LastLogoff String False DelimitedData This attribute is not used.
LastLogon String False DelimitedData The last time the user logged on. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last logon time is unknown.
LmPwdHistory String False DelimitedData The password history of the user in LAN Manager (LM) one-way format (OWF). The LM OWF is used for compatibility with LAN Manager 2.x clients, Windows�95, and Windows�98.
LocaleID String False DelimitedData This attribute contains a list of locale IDs supported by this application. A locale ID represents a geographic location, such as a country/region, city, county, and so on.
L String False DelimitedData Represents the name of a locality, such as a town or city.
LocalPolicyFlags String False DelimitedData Flags that determine where a computer gets its policy. Local-Policy-Reference.
Location String False DelimitedData The user's location, such as office number.
LockoutTime String False DelimitedData The date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out.
ThumbnailLogo String False DelimitedData BLOB that contains a logo for this object.
LogonCount String False DelimitedData The number of times the account has successfully logged on. A value of 0 indicates that the value is unknown.
LogonHours String False DelimitedData The hours that the user is allowed to logon to the domain.
LogonWorkstation String False DelimitedData This attribute is not used. See the User-Workstations attribute.
MachineRole String False DelimitedData Role for a machine: DC, Server, or Workstation.
ManagedBy String False DelimitedData The distinguished name of the user that is assigned to manage this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
Manager String False DelimitedData Contains the distinguished name of the user who is the user's manager. The manager's user object contains a directReports property that contains references to all user objects that have their manager properties set to this distinguished name.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
MaxStorage String False DelimitedData The maximum amount of disk space the user can use. Use the value specified in USER_MAXSTORAGE_UNLIMITED to use all available disk space.
MhsORAddress String False DelimitedData X.400 address.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MS-DS-CreatorSID String False DelimitedData The security ID of the creator of the object that contains this attribute.
MSMQDigests String False DelimitedData An array of digests of the corresponding certificates in attribute mSMQ-Sign-Certificates. They are used for mapping a digest into a certificate.
MSMQDigestsMig String False DelimitedData In MSMQ mixed-mode, contains the previous value of mSMQDigests.
MSMQSignCertificates String False DelimitedData This attribute contains a number of certificates. A user can generate a certificate per computer. For each certificate we also keep a digest.
MSMQSignCertificatesMig String False DelimitedData In MSMQ mixed-mode, the attribute contains the previous value of mSMQSignCertificates. MSMQ supports migration from the MSMQ 1.0 DS to the Windows�2000 DS, and mixed mode specifies a state in which some of the DS severs were not upgraded to Windows�2000.
MsNPAllowDialin String False DelimitedData Indicates whether the account has permission to dial in to the RAS server. Do not modify this value directly. Use the appropriate RAS administration function to modify this value.
MsNPCallingStationID String False DelimitedData The msNPCallingStationID attribute is used internally. Do not modify this value directly.
MsNPSavedCallingStationID String False DelimitedData The msNPSavedCallingStationID attribute is used internally. Do not modify this value directly.
MsRADIUSCallbackNumber String False DelimitedData The msRADIUSCallbackNumber attribute is used internally. Do not modify this value directly.
MsRADIUSFramedIPAddress String False DelimitedData The msRADIUSFramedIPAddress attribute is used internally. Do not modify this value directly.
MsRADIUSFramedRoute String False DelimitedData The msRADIUSFramedRoute attribute is used internally. Do not modify this value directly.
MsRADIUSServiceType String False DelimitedData The msRADIUSServiceType attribute is used internally. Do not modify this value directly.
MsRASSavedCallbackNumber String False DelimitedData The msRASSavedCallbackNumber attribute is used internally. Do not modify this value directly.
MsRASSavedFramedIPAddress String False DelimitedData The msRASSavedFramedIPAddress attribute is used internally. Do not modify this value directly.
MsRASSavedFramedRoute String False DelimitedData The msRASSavedFramedRoute attribute is used internally. Do not modify this value directly.
NetbootGUID String False DelimitedData Diskless boot: A computer's on-board GUID. Corresponds to the computer's network card MAC address.
NetbootInitialization String False DelimitedData Default boot path for diskless boot.
NetbootMachineFilePath String False DelimitedData This attribute specifies the server that answers the client. Beginning with the Windows Server&nbps;2003 operating system, it can indicate the Startrom.com that the client gets.
NetbootMirrorDataFile String False DelimitedData The Netboot-Mirror-Data-File attribute is reserved for internal use.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NetbootSIFFile String False DelimitedData The Netboot-SIF-File attribute is reserved for internal use.
NetworkAddress String False DelimitedData The TCP/IP address for a network segment. Also called the subnet address.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
NtPwdHistory String False DelimitedData The password history of the user in Windows�NT one-way format (OWF). Windows�2000 uses the Windows�NT OWF.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OperatingSystem String False DelimitedData The Operating System name, for example, Windows�Vista Enterprise.
OperatingSystemHotfix String False DelimitedData The hotfix level of the operating system.
OperatingSystemServicePack String False DelimitedData The operating system service pack ID string (for example, SP3).
OperatingSystemVersion String False DelimitedData The operating system version string, for example, 4.0.
OperatorCount String False DelimitedData Operator count.
Ou String False DelimitedData The name of the organizational unit.
O String False DelimitedData The name of the company or organization.
OtherLoginWorkstations String False DelimitedData Non-Windows�NT or LAN Manager workstations from which a user can log on.
OtherMailbox String False DelimitedData Contains other additional mail addresses in a form such as CCMAIL: BruceKeever.
MiddleName String False DelimitedData Additional names for a user. For example, middle name, patronymic, matronymic, or others.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PersonalTitle String False DelimitedData The user's title.
OtherFacsimileTelephoneNumber String False DelimitedData A list of alternate facsimile numbers.
OtherHomePhone String False DelimitedData A list of alternate home phone numbers.
HomePhone String False DelimitedData The user's main home phone number.
OtherIpPhone String False DelimitedData The list of alternate TCP/IP addresses for the phone. Used by Telephony.
IpPhone String False DelimitedData The TCP/IP address for the phone. Used by Telephony.
PrimaryInternationalISDNNumber String False DelimitedData The primary ISDN.
OtherMobile String False DelimitedData A list of alternate mobile phone numbers.
Mobile String False DelimitedData The primary mobile phone number.
OtherTelephone String False DelimitedData A list of alternate office phone numbers.
OtherPager String False DelimitedData A list of alternate pager numbers.
Pager String False DelimitedData The primary pager number.
PhysicalDeliveryOfficeName String False DelimitedData Contains the office location in the user's place of business.
PhysicalLocationObject String False DelimitedData Used to map a device (for example, a printer, computer, and so on) to a physical location.
ThumbnailPhoto String False DelimitedData An image of the user. A space-efficient format like JPEG or GIF is recommended.
PolicyReplicationFlags String False DelimitedData Determines which LSA properties are replicated to clients.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
PostalAddress String False DelimitedData The mailing address for the object.
PostalCode String False DelimitedData The postal or zip code for mail delivery.
PostOfficeBox String False DelimitedData The post office box number for this object.
PreferredDeliveryMethod String False DelimitedData The X.500-preferred way to deliver to addressee.
PreferredOU String False DelimitedData The Organizational Unit to show by default on user' s desktop.
PrimaryGroupID String False DelimitedData Contains the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users group.
ProfilePath String False DelimitedData Specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
PwdLastSet String False DelimitedData The date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
RegisteredAddress String False DelimitedData Specifies a mnemonic for an address associated with an object at a particular city location. The mnemonic is registered in the country/region in which the city is located and is used in the provision of the Public Telegram Service.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
RIDSetReferences String False DelimitedData List of references to RID-Set objects that manage Relative Identifier (RID) allocation.
ScriptPath String False DelimitedData This attribute specifies the path for the user's logon script. The string can be null.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ServicePrincipalName String False DelimitedData List of principal names used for mutual authentication with an instance of a service on this computer.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteGUID String False DelimitedData The unique identifier for a site.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
St String False DelimitedData The name of a user's state or province.
Street String False DelimitedData The street address.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
Sn String False DelimitedData This attribute contains the family or last name for a user.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TelephoneNumber String False DelimitedData The primary telephone number.
TeletexTerminalIdentifier String False DelimitedData Specifies the Teletex terminal identifier and, optionally, parameters, for a teletex terminal associated with an object.
TelexNumber String False DelimitedData A list of alternate telex numbers.
PrimaryTelexNumber String False DelimitedData The primary telex number.
TerminalServer String False DelimitedData Opaque data used by the Windows�NT terminal server.
Co String False DelimitedData The country/region in which the user is located.
Title String False DelimitedData Contains the user's job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
UnicodePwd String False DelimitedData The password of the user in Windows�NT one-way format (OWF). Windows�2000 uses the Windows�NT OWF. This property is used only by the operating system. Note that you cannot derive the clear password back from the OWF form of the password.
UserAccountControl String False DelimitedData Flags that control the behavior of the user account.
Comment String False DelimitedData The user's comments.
UserParameters String False DelimitedData Parameters of the user. Points to a Unicode string that is set aside for use by applications. This string can be a null string, or it can have any number of characters before the terminating null character. Microsoft products use this member to store user data specific to the individual program.
UserPassword String False DelimitedData The user's password in UTF-8 format. This is a write-only attribute.
UserPrincipalName String False DelimitedData This attribute contains the UPN that is an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user email name. The value set for this attribute is equal to the length of the user's ID and the domain name. For more information about this attribute, see User Naming Attributes.
UserSharedFolder String False DelimitedData Specifies a UNC path to the user's shared documents folder. The path must be a network UNC path of the form \Server\Share\Directory. This value can be a null string.
UserSharedFolderOther String False DelimitedData Specifies a UNC path to the user's additional shared documents folder. The path must be a network UNC path of the form \Server\Share\Directory. This value can be a null string.
UserWorkstations String False DelimitedData Contains the NetBIOS or DNS names of the computers running Windows�NT Workstation or Windows�2000 Professional from which the user can log on. Each NetBIOS name is separated by a comma. Multiple names should be separated by commas.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
VolumeCount String False DelimitedData The tracked volume quota for a given computer.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
X121Address String False DelimitedData The X.121 address for an object.
UserCertificate String False DelimitedData Contains the DER-encoded X.509v3 certificates issued to the user. Note that this property contains the public key certificates issued to this user by Microsoft Certificate Service.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Contact

This class contains information about a person or company that you may need to contact on a regular basis.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
Notes String False DelimitedData Free text for notes on object.
StreetAddress String False DelimitedData The user's address.
HomePostalAddress String False DelimitedData A user's home address.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
Assistant String False DelimitedData The distinguished name of a user's administrative assistant.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Info String False DelimitedData The user's comments. This string can be a null string.
Cn String False DelimitedData The name that represents an object. Used to perform searches.
Company String False DelimitedData The user's company name.
CountryCode String False DelimitedData Specifies the country/region code for the user's language of choice. This value is not used by Windows�2000.
C String False DelimitedData The country/region in the address of the user. The country/region is represented as a 2-character code based on ISO-3166.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Department String False DelimitedData Contains the name for the department in which the user works.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DestinationIndicator String False DelimitedData This is part of the X.500 specification and not used by NTDS.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
Division String False DelimitedData The user's division.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
Mail String False DelimitedData The list of email addresses for a contact.
EmployeeID String False DelimitedData The ID of an employee.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
FacsimileTelephoneNumber String False DelimitedData Contains telephone number of the user's business fax machine.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GarbageCollPeriod String False DelimitedData This attribute is located on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... object. It represents the time, in hours, between DS garbage collection runs.
GenerationQualifier String False DelimitedData Indicates a person generation. For example, Jr. or II.
GivenName String False DelimitedData Contains the given name (first name) of the user.
Initials String False DelimitedData Contains the initials for parts of the user's full name. This may be used as the middle initial in the Windows Address Book.
InternationalISDNNumber String False DelimitedData Specifies an International ISDN Number associated with an object.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
LegacyExchangeDN String False DelimitedData The distinguished name previously used by Exchange.
L String False DelimitedData Represents the name of a locality, such as a town or city.
ThumbnailLogo String False DelimitedData BLOB that contains a logo for this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
Manager String False DelimitedData Contains the distinguished name of the user who is the user's manager. The manager's user object contains a directReports property that contains references to all user objects that have their manager properties set to this distinguished name.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
MhsORAddress String False DelimitedData X.400 address.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
Ou String False DelimitedData The name of the organizational unit.
O String False DelimitedData The name of the company or organization.
OtherMailbox String False DelimitedData Contains other additional mail addresses in a form such as CCMAIL: BruceKeever.
MiddleName String False DelimitedData Additional names for a user. For example, middle name, patronymic, matronymic, or others.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PersonalTitle String False DelimitedData The user's title.
OtherFacsimileTelephoneNumber String False DelimitedData A list of alternate facsimile numbers.
OtherHomePhone String False DelimitedData A list of alternate home phone numbers.
HomePhone String False DelimitedData The user's main home phone number.
OtherIpPhone String False DelimitedData The list of alternate TCP/IP addresses for the phone. Used by Telephony.
IpPhone String False DelimitedData The TCP/IP address for the phone. Used by Telephony.
PrimaryInternationalISDNNumber String False DelimitedData The primary ISDN.
OtherMobile String False DelimitedData A list of alternate mobile phone numbers.
Mobile String False DelimitedData The primary mobile phone number.
OtherTelephone String False DelimitedData A list of alternate office phone numbers.
OtherPager String False DelimitedData A list of alternate pager numbers.
Pager String False DelimitedData The primary pager number.
PhysicalDeliveryOfficeName String False DelimitedData Contains the office location in the user's place of business.
ThumbnailPhoto String False DelimitedData An image of the user. A space-efficient format like JPEG or GIF is recommended.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
PostalAddress String False DelimitedData The mailing address for the object.
PostalCode String False DelimitedData The postal or zip code for mail delivery.
PostOfficeBox String False DelimitedData The post office box number for this object.
PreferredDeliveryMethod String False DelimitedData The X.500-preferred way to deliver to addressee.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
RegisteredAddress String False DelimitedData Specifies a mnemonic for an address associated with an object at a particular city location. The mnemonic is registered in the country/region in which the city is located and is used in the provision of the Public Telegram Service.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAddressBook String False DelimitedData This attribute is used to indicate in which MAPI address books an object will appear. It is usually maintained by the Exchange Recipient Update Service.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
St String False DelimitedData The name of a user's state or province.
Street String False DelimitedData The street address.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
Sn String False DelimitedData This attribute contains the family or last name for a user.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TelephoneNumber String False DelimitedData The primary telephone number.
TeletexTerminalIdentifier String False DelimitedData Specifies the Teletex terminal identifier and, optionally, parameters, for a teletex terminal associated with an object.
TelexNumber String False DelimitedData A list of alternate telex numbers.
PrimaryTelexNumber String False DelimitedData The primary telex number.
Co String False DelimitedData The country/region in which the user is located.
TextEncodedORAddress String False DelimitedData This attribute is used to support X.400 addresses in a text format.
Title String False DelimitedData Contains the user's job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
UserCert String False DelimitedData Nortel v1 or DMS certificates.
Comment String False DelimitedData The user's comments.
UserPassword String False DelimitedData The user's password in UTF-8 format. This is a write-only attribute.
UserSMIMECertificate String False DelimitedData Certificate distribution object or tagged certificates.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
X121Address String False DelimitedData The X.121 address for an object.
UserCertificate String False DelimitedData Contains the DER-encoded X.509v3 certificates issued to the user. Note that this property contains the public key certificates issued to this user by Microsoft Certificate Service.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

CRLDistributionPoint

The object holding Certificate, Authority, and Delta Revocation lists.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
AuthorityRevocationList String False DelimitedData Cross certificate, Certificate Revocation List.
CertificateRevocationList String False DelimitedData Represents a list of certificates that have been revoked.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
CertificateAuthorityObject String False DelimitedData Reference to the certification authority associated with a Certificate Revocation List distribution point.
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
CRLPartitionedRevocationList String False DelimitedData Public Key Infrastructure-revocation lists.
DeltaRevocationList String False DelimitedData List of certificates that have been revoked since the last delta update.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

DHCPClass

Represents a DHCP Server (or set of servers).

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
DhcpFlags String False DelimitedData The dhcp-Flags attribute is not currently used.
DhcpIdentification String False DelimitedData The dhcp-Identification attribute is not currently used.
DhcpType String False DelimitedData The type of DHCP server. This attribute is set on all objects of objectClass dHCPClass. Its value defines the type of object:
DhcpUniqueKey String False DelimitedData The dhcp-Unique-Key attribute is not currently used.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DhcpClasses String False DelimitedData The dhcp-Classes attribute is not currently used.
DhcpMask String False DelimitedData The dhcp-Mask attribute is not currently used.
DhcpMaxKey String False DelimitedData The dhcp-MaxKey attribute is not currently used.
DhcpObjDescription String False DelimitedData The dhcp-Obj-Description attribute is not currently used.
DhcpObjName String False DelimitedData The dhcp-Obj-Name attribute is not currently used.
DhcpOptions String False DelimitedData The dhcp-Options attribute is not currently used.
DhcpProperties String False DelimitedData The dhcp-Properties attribute is not currently used.
DhcpRanges String False DelimitedData The dhcp-Ranges attribute is not currently used.
DhcpReservations String False DelimitedData The dhcp-Reservations attribute is not currently used.
DhcpServers String False DelimitedData Contains a list of servers that are authorized in the enterprise.
DhcpSites String False DelimitedData The dhcp-Sites attribute is not currently used.
DhcpState String False DelimitedData The dhcp-State attribute is not currently used.
DhcpSubnets String False DelimitedData The dhcp-Subnets attribute is not currently used.
DhcpUpdateTime String False DelimitedData The dhcp-Update-Time attribute is not currently used.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MscopeId String False DelimitedData Indicates that there is a multicast scope on the specified DHCP server.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NetworkAddress String False DelimitedData The TCP/IP address for a network segment. Also called the subnet address.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OptionDescription String False DelimitedData This attribute contains a description of an option that is set on the DHCP server.
OptionsLocation String False DelimitedData For DHCP, the options location contains the DN for alternate sites that contain the options information.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SuperScopeDescription String False DelimitedData This attribute provides a description for a superscope.
SuperScopes String False DelimitedData This attribute is used to group together all the different scopes used in the DHCP class into a single entity.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

DnsNode

Holds the DNS resource records for a single host.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
Dc String False DelimitedData The naming attribute for Domain and DNS objects. Usually displayed as dc=DomainName.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DNSProperty String False DelimitedData Used to store binary settings (properties) on DNS zone objects.
DnsRecord String False DelimitedData Used to store binary DNS resource records on DNS objects.
DNSTombstoned String False DelimitedData True if this object has been tombstoned. This attribute exists to make searching for tombstoned records easier and faster. Tombstoned objects are objects that have been deleted but not yet removed from the directory.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

DnsZone

The container for DNS Nodes. Holds zone metadata.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
Dc String False DelimitedData The naming attribute for Domain and DNS objects. Usually displayed as dc=DomainName.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DnsAllowDynamic String False DelimitedData The Dns-Allow-Dynamic attribute is not currently used.
DnsAllowXFR String False DelimitedData The Dns-Allow-XFR attribute is not currently used.
DnsNotifySecondaries String False DelimitedData The Dns-Notify-Secondaries attribute is not currently used.
DNSProperty String False DelimitedData Used to store binary settings (properties) on DNS zone objects.
DnsSecureSecondaries String False DelimitedData The Dns-Secure-Secondaries attribute is not currently used.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedBy String False DelimitedData The distinguished name of the user that is assigned to manage this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Domain

Contains information about a domain.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
Dc String False DelimitedData The naming attribute for Domain and DNS objects. Usually displayed as dc=DomainName.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

DomainDNS

Windows NT domain with DNS-based (DC=) naming.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
CACertificate String False DelimitedData Certificates of trusted Certification Authorities.
Dc String False DelimitedData The naming attribute for Domain and DNS objects. Usually displayed as dc=DomainName.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
AuditingPolicy String False DelimitedData Auditing policy for the local policy.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
BuiltinCreationTime String False DelimitedData The Builtin-Creation-Time attribute is used to support replication to Windows�NT�4.0 domains.
BuiltinModifiedCount String False DelimitedData The Builtin-Modified-Count attribute is used to support replication to Windows�NT�4.0 domains.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
ControlAccessRights String False DelimitedData Used by DS Security to determine which users can perform specific operations on the host object.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
CreationTime String False DelimitedData The date and time that the object was created.
DefaultLocalPolicyObject String False DelimitedData A reference to a Policy object that defines the local policy for the host object.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DesktopProfile String False DelimitedData The location of the desktop profile for a user or group of users. Not used.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DomainPolicyObject String False DelimitedData Reference to the policy object that defines the Local Security Authority policy for the host domain.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
EFSPolicy String False DelimitedData The Encrypting File System Policy.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GPLink String False DelimitedData A sorted list of Group Policy options. Each option is a DWORD. Use of the UNICODE string is a convenience.
GPOptions String False DelimitedData Options that affect all group policies associated with the object hosting this property.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
LockoutDuration String False DelimitedData The amount of time that an account is locked due to the Lockout-Threshold being exceeded. This value is stored as a large integer that represents the negative of the number of 100-nanosecond intervals from the time the Lockout-Threshold is exceeded that must elapse before the account is unlocked.
LockOutObservationWindow String False DelimitedData The range of time, in 100-nanosecond intervals, in which the system increments the incorrect logon count.
LockoutThreshold String False DelimitedData The number of invalid logon attempts that are permitted before the account is locked out.
LSACreationTime String False DelimitedData The LSA-Creation-Time attribute is used to support replication to Windows�NT�4.0 domains.
LSAModifiedCount String False DelimitedData The LSA-Modified-Count attribute is used to support replication to Windows�NT�4.0 domains.
ManagedBy String False DelimitedData The distinguished name of the user that is assigned to manage this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
MaxPwdAge String False DelimitedData The maximum amount of time, in 100-nanosecond intervals, a password is valid. This value is stored as a large integer that represents the number of 100-nanosecond intervals from the time the password was set before the password expires.
MinPwdAge String False DelimitedData The minimum amount of time, in 100-nanosecond intervals, that a password is valid.
MinPwdLength String False DelimitedData The minimum number of characters that a password must contain.
ModifiedCountAtLastProm String False DelimitedData The Net Logon Change Log serial number at last promotion.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
Ms-DS-MachineAccountQuota String False DelimitedData The number of computer accounts that a user is allowed to create in a domain.
NETBIOSName String False DelimitedData The name of the object to be used over NetBIOS.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NextRid String False DelimitedData The Next Rid field used by the mixed mode allocator.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
NTMixedDomain String False DelimitedData Indicates that the domain is in native mode or mixed mode. This attribute is found in the domainDNS (head) object for the domain.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PekKeyChangeInterval String False DelimitedData Password encryption key change interval.
PekList String False DelimitedData List of password encryption keys.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
PrivateKey String False DelimitedData An encrypted private key.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
PwdHistoryLength String False DelimitedData The number of old passwords to save.
PwdProperties String False DelimitedData Password Properties. Part of Domain Policy. A bitfield to indicate complexity and storage restrictions.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplicaSource String False DelimitedData This attribute contains the GUID of a replication source.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
RIDManagerReference String False DelimitedData The Distinguished Name for the RID Manager of an object.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TreeName String False DelimitedData DNS name of the domain at the root of a tree.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

DomainPolicy

Defines the local security authority policy for one or more domains.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
AuthenticationOptions String False DelimitedData The authentication options used in ADSI to bind to directory services objects.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
DefaultLocalPolicyObject String False DelimitedData A reference to a Policy object that defines the local policy for the host object.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DomainCAs String False DelimitedData List of certification authorities for a given domain.
DomainPolicyReference String False DelimitedData The Distinguished Name of a domain policy object that a policy object copies from.
DomainWidePolicy String False DelimitedData This is for user extensible policy to be replicated to the clients.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
EFSPolicy String False DelimitedData The Encrypting File System Policy.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
ForceLogoff String False DelimitedData Used in computing the kick off time in SamIGetAccountRestrictions. Logoff time minus Force Log off equals kick off time.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IpsecPolicyReference String False DelimitedData The distinguished name of the related Internet Protocol security (IPsec) policy.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
LockoutDuration String False DelimitedData The amount of time that an account is locked due to the Lockout-Threshold being exceeded. This value is stored as a large integer that represents the negative of the number of 100-nanosecond intervals from the time the Lockout-Threshold is exceeded that must elapse before the account is unlocked.
LockOutObservationWindow String False DelimitedData The range of time, in 100-nanosecond intervals, in which the system increments the incorrect logon count.
LockoutThreshold String False DelimitedData The number of invalid logon attempts that are permitted before the account is locked out.
ManagedBy String False DelimitedData The distinguished name of the user that is assigned to manage this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
MaxPwdAge String False DelimitedData The maximum amount of time, in 100-nanosecond intervals, a password is valid. This value is stored as a large integer that represents the number of 100-nanosecond intervals from the time the password was set before the password expires.
MaxRenewAge String False DelimitedData This attribute determines the time period, in days, during which a user's ticket-granting ticket (TGT) can be renewed for purposes of Kerberos authentication. The default setting is 7 days in the Default Domain Group Policy object (GPO).
MaxTicketAge String False DelimitedData This attribute determines the maximum amount of time, in hours, that a user's ticket-granting ticket (TGT) can be used for the purpose of Kerberos authentication. When a user's TGT expires, a new one must be requested, or the existing one must be renewed. By default, this setting is set to 10 hours in the Default Domain Group Policy object (GPO).
MinPwdAge String False DelimitedData The minimum amount of time, in 100-nanosecond intervals, that a password is valid.
MinPwdLength String False DelimitedData The minimum number of characters that a password must contain.
MinTicketAge String False DelimitedData This attribute determines the minimum time period, in hours, that a user's ticket-granting ticket (TGT) can be used for Kerberos authentication before a request can be made to renew the ticket.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
ProxyLifetime String False DelimitedData Contains the lifetime for a proxy object.
PublicKeyPolicy String False DelimitedData Reference to the Public Key policy for this domain.
PwdHistoryLength String False DelimitedData The number of old passwords to save.
PwdProperties String False DelimitedData Password Properties. Part of Domain Policy. A bitfield to indicate complexity and storage restrictions.
QualityOfService String False DelimitedData Local or domain quality of service bits on policy objects.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

DomainRelatedObject

The domainRelatedObject object class is used to define an entry that represents a series of documents.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
AssociatedDomain String False DelimitedData The associatedDomain attribute type specifies a DNS domain that is associated with an object.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MsCOM-PartitionSetLink String False DelimitedData A link used to associate a COM+ Partition with a COM+ PartitionSet object.
MsCOM-UserLink String False DelimitedData A link used to associate a COM+ PartitionSet with a User object.
MsDS-Approx-Immed-Subordinates String False DelimitedData The value returned by this attribute is based on index sizes. This may be off by +/-10% on large containers, and the error is theoretically unbounded, but using this attribute helps the UI display the contents of a container.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MsDs-masteredBy String False DelimitedData Backward link for msDS-hasMasterNCs.
MsDS-MembersForAzRoleBL String False DelimitedData Backward link from member application group or user to Az-Role objects linking to it.
MsDS-NCReplCursors String False DelimitedData A list of past and present replication partners, and how current we are with each of them.
MsDS-NCReplInboundNeighbors String False DelimitedData Replication partners for this partition. This server obtains replication data from these other servers, which act as sources.
MsDS-NCReplOutboundNeighbors String False DelimitedData Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available.
MsDS-NonMembersBL String False DelimitedData Backward link from non-member group or user to Az groups that link to it (same functionality as Non-Security-Member-BL).
MsDS-ObjectReferenceBL String False DelimitedData Backward link for ms-DS-Object-Reference.
MsDS-OperationsForAzRoleBL String False DelimitedData Backward link from Az-Operation to Az-Role objects that link to it.
MsDS-OperationsForAzTaskBL String False DelimitedData Backward link from Az-Operation to Az-Task objects that link to it.
MsDS-ReplAttributeMetaData String False DelimitedData A list of metadata for each replicated attribute. The metadata indicates who changed the attribute last.
MsDS-ReplValueMetaData String False DelimitedData A list of metadata for each value of an attribute. The metadata indicates who changed the value last.
MsDS-TasksForAzRoleBL String False DelimitedData Backward link from Az-Task to Az-Role objects that link to it.
MsDS-TasksForAzTaskBL String False DelimitedData Backward link from Az-Task to the Az-Task objects that link to it.
OwnerBL String False DelimitedData The backward link to the owner attribute. Contains a list of owners for an object.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
StructuralObjectClass String False DelimitedData This constructed attribute stores a list of classes contained in a class hierarchy, including abstract classes. This list does contain dynamically linked auxiliary classes.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

ForeignSecurityPrincipal

The Security Principal from an external source.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows&nbps;NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
ForeignIdentifier String False DelimitedData The security properties used by a foreign system.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectSid String False DelimitedData A binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Group

Stores a list of user names. Used to apply security principals on resources.

Table Specific Information
Select

All columns support server-side processing for the operators =, >= , <=, !=, LIKE, AND, and OR. Other filters are executed client side within the connector. For example, the following query is processed by Active Directory:

SELECT * FROM Group WHERE  GroupType != '-2147483644' AND  ObjectClass = 'top;group' LIMIT 5

You can turn off client-side execution by setting SupportEnhancedSQL to false in which case any search criteria that refer to any other operators will cause an error.

Insert

To add a Group, all fields can be specified except Id, DN, and BaseDN. Required fields that should be provided are RDN and ObjectClass. For example:

INSERT INTO Group (RDN, ObjectClass) VALUES ('CN=Domain Admins', 'group')
Update

All columns except Id, DN, and BaseDN can be updated by providing the ID in the WHERE clause. For example:

UPDATE Group SET Member = 'CN=SUPPORT_388945a0,CN=Users,DC=MyDC' WHERE ID = '1|CN=HelpServicesGroup,CN=Users,DC=MyDC'
Delete

Groups can be deleted by providing the ID of the Group in a DELETE statement. For example:

DELETE FROM Group WHERE ID = '1|CN=HelpServicesGroup,CN=Users,DC=MyDC'
Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
GroupType String False DelimitedData Contains a set of flags that define the type and scope of a group object. For the possible values for this attribute, see Remarks.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
SAMAccountName String False DelimitedData The logon name used to support clients and servers running earlier versions of the operating system, such as Windows�NT�4.0, Windows�95, Windows�98, and LAN Manager.
AccountNameHistory String False DelimitedData The length of time that the account has been active.
AdminCount String False DelimitedData Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively).
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
AltSecurityIdentities String False DelimitedData Contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Info String False DelimitedData The user's comments. This string can be a null string.
Cn String False DelimitedData The name that represents an object. Used to perform searches.
ControlAccessRights String False DelimitedData Used by DS Security to determine which users can perform specific operations on the host object.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DesktopProfile String False DelimitedData The location of the desktop profile for a user or group of users. Not used.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
Mail String False DelimitedData The list of email addresses for a contact.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GarbageCollPeriod String False DelimitedData This attribute is located on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... object. It represents the time, in hours, between DS garbage collection runs.
GroupAttributes String False DelimitedData The Group-Attributes attribute is not currently used.
GroupMembershipSAM String False DelimitedData Windows�NT Security. Down level Windows�NT support.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
LegacyExchangeDN String False DelimitedData The distinguished name previously used by Exchange.
ManagedBy String False DelimitedData The distinguished name of the user that is assigned to manage this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
Member String False DelimitedData The list of users that belong to the group.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMember String False DelimitedData Nonsecurity members of a group. Used for Exchange distribution lists.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
NTGroupMembers String False DelimitedData This attribute is not used.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectSid String False DelimitedData A binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OperatorCount String False DelimitedData Operator count.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
PrimaryGroupToken String False DelimitedData A computed attribute that is used in retrieving the membership list of a group, such as Domain Users. The complete membership of such groups is not stored explicitly for scaling reasons.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
Rid String False DelimitedData The relative Identifier of an object.
SAMAccountType String False DelimitedData This attribute contains information about every account type object. You can enumerate a list of account types or you can use the Display Information API to create a list. Because computers, normal user accounts, and trust accounts can also be enumerated as user objects, the values for these accounts must be a contiguous range.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SecurityIdentifier String False DelimitedData A unique value of variable length used to identify a user account, group account, or logon session to which an ACE applies.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAddressBook String False DelimitedData This attribute is used to indicate in which MAPI address books an object will appear. It is usually maintained by the Exchange Recipient Update Service.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SIDHistory String False DelimitedData Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and that new SID becomes the objectSID. The previous SID is added to the sIDHistory property.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SupplementalCredentials String False DelimitedData Stored credentials for use in authenticating. The encrypted version of the user's password. This attribute is neither readable nor writable.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TelephoneNumber String False DelimitedData The primary telephone number.
TextEncodedORAddress String False DelimitedData This attribute is used to support X.400 addresses in a text format.
UserCert String False DelimitedData Nortel v1 or DMS certificates.
UserSMIMECertificate String False DelimitedData Certificate distribution object or tagged certificates.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
UserCertificate String False DelimitedData Contains the DER-encoded X.509v3 certificates issued to the user. Note that this property contains the public key certificates issued to this user by Microsoft Certificate Service.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

GroupOfNames

Used to define entries that represent an unordered set of names that represent individual objects or other groups of names.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
BusinessCategory String False DelimitedData Descriptive text on an Organizational Unit.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
Member String False DelimitedData The list of users that belong to the group.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
Ou String False DelimitedData The name of the organizational unit.
O String False DelimitedData The name of the company or organization.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
Owner String False DelimitedData The distinguished name of an object that has ownership of an object.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

GroupOfUniqueNames

Defines the entries for a group of unique names. In general, used to store account objects.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows&nbps;NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
UniqueMember String False DelimitedData The distinguished name for the member of a group. Used by groupOfUniqueNames.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
BusinessCategory String False DelimitedData Descriptive text on an Organizational Unit.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MsCOM-PartitionSetLink String False DelimitedData A link used to associate a COM+ Partition with a COM+ PartitionSet object.
MsCOM-UserLink String False DelimitedData A link used to associate a COM+ PartitionSet with a User object.
MsDS-Approx-Immed-Subordinates String False DelimitedData The value returned by this attribute is based on index sizes. This may be off by +/-10% on large containers, and the error is theoretically unbounded, but using this attribute helps the UI display the contents of a container.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MsDs-masteredBy String False DelimitedData Backward link for msDS-hasMasterNCs.
MsDS-MembersForAzRoleBL String False DelimitedData Backward link from member application group or user to Az-Role objects linking to it.
MsDS-NCReplCursors String False DelimitedData A list of past and present replication partners, and how current we are with each of them.
MsDS-NCReplInboundNeighbors String False DelimitedData Replication partners for this partition. This server obtains replication data from these other servers, which act as sources.
MsDS-NCReplOutboundNeighbors String False DelimitedData Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available.
MsDS-NonMembersBL String False DelimitedData Backward link from non-member group or user to Az groups that link to it (same functionality as Non-Security-Member-BL).
MsDS-ObjectReferenceBL String False DelimitedData Backward link for ms-DS-Object-Reference.
MsDS-OperationsForAzRoleBL String False DelimitedData Backward link from Az-Operation to Az-Role objects that link to it.
MsDS-OperationsForAzTaskBL String False DelimitedData Backward link from Az-Operation to Az-Task objects that link to it.
MsDS-ReplAttributeMetaData String False DelimitedData A list of metadata for each replicated attribute. The metadata indicates who changed the attribute last.
MsDS-ReplValueMetaData String False DelimitedData A list of metadata for each value of an attribute. The metadata indicates who changed the value last.
MsDS-TasksForAzRoleBL String False DelimitedData Backward link from Az-Task to Az-Role objects that link to it.
MsDS-TasksForAzTaskBL String False DelimitedData Backward link from Az-Task to the Az-Task objects that link to it.
OwnerBL String False DelimitedData The backward link to the owner attribute. Contains a list of owners for an object.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
Ou String False DelimitedData The name of the organizational unit.
O String False DelimitedData The name of the company or organization.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
Owner String False DelimitedData The distinguished name of an object that has ownership of an object.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
StructuralObjectClass String False DelimitedData This constructed attribute stores a list of classes contained in a class hierarchy, including abstract classes. This list does contain dynamically linked auxiliary classes.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

GroupPolicyContainer

This represents the Group Policy Object. It is used to define group polices.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
DefaultClassStore String False DelimitedData The default Class Store for a given user.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GPCFileSysPath String False DelimitedData True if the object is enabled.
GPCFunctionalityVersion String False DelimitedData The version of the Group Policy Editor that created this object.
GPCMachineExtensionNames String False DelimitedData Used by the Group Policy Object for computer policies.
GPCUserExtensionNames String False DelimitedData Used by the Group Policy Object for user policies.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SchemaVersion String False DelimitedData The version number for the schema.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
VersionNumber String False DelimitedData A general purpose version number.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

IpHost

Represents an abstraction of a host or other IP device.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IpHostNumber String False DelimitedData Contains the IP address of the host in dotted decimal notation, omitting the leading zeros.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
L String False DelimitedData Represents the name of a locality, such as a town or city.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MsCOM-PartitionSetLink String False DelimitedData A link used to associate a COM+ Partition with a COM+ PartitionSet object.
MsCOM-UserLink String False DelimitedData A link used to associate a COM+ PartitionSet with a User object.
MsDFSR-ComputerReferenceBL String False DelimitedData Contains the backward link for the ms-DFSR-ComputerReference attribute.
MsDFSR-MemberReferenceBL String False DelimitedData Contains the backward link for the ms-DFSR-MemberReference attribute.
MsDS-Approx-Immed-Subordinates String False DelimitedData The value returned by this attribute is based on index sizes. This may be off by +/-10% on large containers, and the error is theoretically unbounded, but using this attribute helps the UI display the contents of a container.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MsDs-masteredBy String False DelimitedData Backward link for msDS-hasMasterNCs.
MsDS-MembersForAzRoleBL String False DelimitedData Backward link from member application group or user to Az-Role objects linking to it.
MsDS-NCReplCursors String False DelimitedData A list of past and present replication partners, and how current we are with each of them.
MsDS-NCReplInboundNeighbors String False DelimitedData Replication partners for this partition. This server obtains replication data from these other servers, which act as sources.
MsDS-NCReplOutboundNeighbors String False DelimitedData Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available.
MsDS-NonMembersBL String False DelimitedData Backward link from non-member group or user to Az groups that link to it (same functionality as Non-Security-Member-BL).
MsDS-ObjectReferenceBL String False DelimitedData Backward link for ms-DS-Object-Reference.
MsDS-OperationsForAzRoleBL String False DelimitedData Backward link from Az-Operation to Az-Role objects that link to it.
MsDS-OperationsForAzTaskBL String False DelimitedData Backward link from Az-Operation to Az-Task objects that link to it.
MsDS-ReplAttributeMetaData String False DelimitedData A list of metadata for each replicated attribute. The metadata indicates who changed the attribute last.
MsDS-ReplValueMetaData String False DelimitedData A list of metadata for each value of an attribute. The metadata indicates who changed the value last.
MsDS-TasksForAzRoleBL String False DelimitedData Backward link from Az-Task to Az-Role objects that link to it.
MsDS-TasksForAzTaskBL String False DelimitedData Backward link from Az-Task to the Az-Task objects that link to it.
OwnerBL String False DelimitedData The backward link to the owner attribute. Contains a list of owners for an object.
MsSFU30PosixMemberOf String False DelimitedData Contains the display names of groups to which this user belongs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
StructuralObjectClass String False DelimitedData This constructed attribute stores a list of classes contained in a class hierarchy, including abstract classes. This list does contain dynamically linked auxiliary classes.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
Uid String False DelimitedData A user ID.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

IpNetwork

Represents an abstraction of a network. The distinguished name value of the Common-Name attribute denotes the canonical name of the network.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
IpNetworkNumber String False DelimitedData Contains an IP network number in dotted decimal notation, omitting the leading zeros.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IpNetmaskNumber String False DelimitedData Contains the IP netmask in dotted decimal notation, omitting the leading zeros.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
L String False DelimitedData Represents the name of a locality, such as a town or city.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MsCOM-PartitionSetLink String False DelimitedData A link used to associate a COM+ Partition with a COM+ PartitionSet object.
MsCOM-UserLink String False DelimitedData A link used to associate a COM+ PartitionSet with a User object.
MsDFSR-ComputerReferenceBL String False DelimitedData Contains the backward link for the ms-DFSR-ComputerReference attribute.
MsDFSR-MemberReferenceBL String False DelimitedData Contains the backward link for the ms-DFSR-MemberReference attribute.
MsDS-Approx-Immed-Subordinates String False DelimitedData The value returned by this attribute is based on index sizes. This may be off by +/-10% on large containers, and the error is theoretically unbounded, but using this attribute helps the UI display the contents of a container.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MsDs-masteredBy String False DelimitedData Backward link for msDS-hasMasterNCs.
MsDS-MembersForAzRoleBL String False DelimitedData Backward link from member application group or user to Az-Role objects linking to it.
MsDS-NCReplCursors String False DelimitedData A list of past and present replication partners, and how current we are with each of them.
MsDS-NCReplInboundNeighbors String False DelimitedData Replication partners for this partition. This server obtains replication data from these other servers, which act as sources.
MsDS-NCReplOutboundNeighbors String False DelimitedData Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available.
MsDS-NonMembersBL String False DelimitedData Backward link from non-member group or user to Az groups that link to it (same functionality as Non-Security-Member-BL).
MsDS-ObjectReferenceBL String False DelimitedData Backward link for ms-DS-Object-Reference.
MsDS-OperationsForAzRoleBL String False DelimitedData Backward link from Az-Operation to Az-Role objects that link to it.
MsDS-OperationsForAzTaskBL String False DelimitedData Backward link from Az-Operation to Az-Task objects that link to it.
MsDS-ReplAttributeMetaData String False DelimitedData A list of metadata for each replicated attribute. The metadata indicates who changed the attribute last.
MsDS-ReplValueMetaData String False DelimitedData A list of metadata for each value of an attribute. The metadata indicates who changed the value last.
MsDS-TasksForAzRoleBL String False DelimitedData Backward link from Az-Task to Az-Role objects that link to it.
MsDS-TasksForAzTaskBL String False DelimitedData Backward link from Az-Task to the Az-Task objects that link to it.
OwnerBL String False DelimitedData The backward link to the owner attribute. Contains a list of owners for an object.
MsSFU30Aliases String False DelimitedData Contains part of the NIS mail map.
MsSFU30Name String False DelimitedData Contains the name of a map.
MsSFU30NisDomain String False DelimitedData Contains the NIS domain.
MsSFU30PosixMemberOf String False DelimitedData Contains the display names of groups to which this user belongs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NisMapName String False DelimitedData Contains the name of the map to which the object belongs.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
StructuralObjectClass String False DelimitedData This constructed attribute stores a list of classes contained in a class hierarchy, including abstract classes. This list does contain dynamically linked auxiliary classes.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
Uid String False DelimitedData A user ID.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Organization

Stores information about a company or organization.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
BusinessCategory String False DelimitedData Descriptive text on an Organizational Unit.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DestinationIndicator String False DelimitedData This is part of the X.500 specification and not used by NTDS.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
FacsimileTelephoneNumber String False DelimitedData Contains telephone number of the user's business fax machine.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
InternationalISDNNumber String False DelimitedData Specifies an International ISDN Number associated with an object.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
L String False DelimitedData Represents the name of a locality, such as a town or city.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
O String False DelimitedData The name of the company or organization.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PhysicalDeliveryOfficeName String False DelimitedData Contains the office location in the user's place of business.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
PostalAddress String False DelimitedData The mailing address for the object.
PostalCode String False DelimitedData The postal or zip code for mail delivery.
PostOfficeBox String False DelimitedData The post office box number for this object.
PreferredDeliveryMethod String False DelimitedData The X.500-preferred way to deliver to addressee.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
RegisteredAddress String False DelimitedData Specifies a mnemonic for an address associated with an object at a particular city location. The mnemonic is registered in the country/region in which the city is located and is used in the provision of the Public Telegram Service.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SearchGuide String False DelimitedData Specifies information of suggested search criteria, which may be included in some entries that are expected to be a convenient base-object for the search operation, for example, country/region or organization.
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
St String False DelimitedData The name of a user's state or province.
Street String False DelimitedData The street address.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TelephoneNumber String False DelimitedData The primary telephone number.
TeletexTerminalIdentifier String False DelimitedData Specifies the Teletex terminal identifier and, optionally, parameters, for a teletex terminal associated with an object.
TelexNumber String False DelimitedData A list of alternate telex numbers.
UserPassword String False DelimitedData The user's password in UTF-8 format. This is a write-only attribute.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
X121Address String False DelimitedData The X.121 address for an object.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

OrganizationalPerson

This class is used for objects that contain organizational information about a user, such as the employee number, department, manager, title, office address, and so on.

Table Specific Information
Select

All columns support server-side processing for the operators =, >= , <=, !=, LIKE, AND, and OR. Other filters are executed client side within the connector. For example, the following query is processed by Active Directory:

SELECT * FROM OrganizationalPerson WHERE  CN != 'NewUser' AND  BaseDN = 'CN=Users,DC=MyDC' LIMIT 5

You can turn off client-side execution by setting SupportEnhancedSQL to false in which case any search criteria that refers to any other operators will cause an error.

Insert

To add a OrganizationalPerson, all fields can be specified except Id, DN, and BaseDN. Required fields that should be provided are RDN and ObjectClass. For example:

INSERT INTO OrganizationalPerson (RDN, ObjectClass) VALUES ('CN=NewUser', 'top;person;organizationalPerson;user;inetOrgPerson')
Update

All columns except Id, DN, and BaseDN can be updated by providing the ID in the WHERE clause. For example:

UPDATE OrganizationalPerson SET Description = 'desc' WHERE ID = '1|CN=NewUser,CN=Users,DC=MyDC'
Delete

OrganizationalPersons can be deleted by providing the ID of the OrganizationalPerson in a DELETE statement. For example:

DELETE FROM OrganizationalPerson WHERE ID = '1|CN=NewUser,CN=Users,DC=MyDC'
Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
StreetAddress String False DelimitedData The user's address.
HomePostalAddress String False DelimitedData A user's home address.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
Assistant String False DelimitedData The distinguished name of a user's administrative assistant.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
Company String False DelimitedData The user's company name.
CountryCode String False DelimitedData Specifies the country/region code for the user's language of choice. This value is not used by Windows�2000.
C String False DelimitedData The country/region in the address of the user. The country/region is represented as a 2-character code based on ISO-3166.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Department String False DelimitedData Contains the name for the department in which the user works.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DestinationIndicator String False DelimitedData This is part of the X.500 specification and not used by NTDS.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
Division String False DelimitedData The user's division.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
Mail String False DelimitedData The list of email addresses for a contact.
EmployeeID String False DelimitedData The ID of an employee.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
FacsimileTelephoneNumber String False DelimitedData Contains telephone number of the user's business fax machine.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GenerationQualifier String False DelimitedData Indicates a person generation. For example, Jr. or II.
GivenName String False DelimitedData Contains the given name (first name) of the user.
Initials String False DelimitedData Contains the initials for parts of the user's full name. This may be used as the middle initial in the Windows Address Book.
InternationalISDNNumber String False DelimitedData Specifies an International ISDN Number associated with an object.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
L String False DelimitedData Represents the name of a locality, such as a town or city.
ThumbnailLogo String False DelimitedData BLOB that contains a logo for this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
Manager String False DelimitedData Contains the distinguished name of the user who is the user's manager. The manager's user object contains a directReports property that contains references to all user objects that have their manager properties set to this distinguished name.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
MhsORAddress String False DelimitedData X.400 address.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
Ou String False DelimitedData The name of the organizational unit.
O String False DelimitedData The name of the company or organization.
OtherMailbox String False DelimitedData Contains other additional mail addresses in a form such as CCMAIL: BruceKeever.
MiddleName String False DelimitedData Additional names for a user. For example, middle name, patronymic, matronymic, or others.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PersonalTitle String False DelimitedData The user's title.
OtherFacsimileTelephoneNumber String False DelimitedData A list of alternate facsimile numbers.
OtherHomePhone String False DelimitedData A list of alternate home phone numbers.
HomePhone String False DelimitedData The user's main home phone number.
OtherIpPhone String False DelimitedData The list of alternate TCP/IP addresses for the phone. Used by Telephony.
IpPhone String False DelimitedData The TCP/IP address for the phone. Used by Telephony.
PrimaryInternationalISDNNumber String False DelimitedData The primary ISDN.
OtherMobile String False DelimitedData A list of alternate mobile phone numbers.
Mobile String False DelimitedData The primary mobile phone number.
OtherTelephone String False DelimitedData A list of alternate office phone numbers.
OtherPager String False DelimitedData A list of alternate pager numbers.
Pager String False DelimitedData The primary pager number.
PhysicalDeliveryOfficeName String False DelimitedData Contains the office location in the user's place of business.
ThumbnailPhoto String False DelimitedData An image of the user. A space-efficient format like JPEG or GIF is recommended.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
PostalAddress String False DelimitedData The mailing address for the object.
PostalCode String False DelimitedData The postal or zip code for mail delivery.
PostOfficeBox String False DelimitedData The post office box number for this object.
PreferredDeliveryMethod String False DelimitedData The X.500-preferred way to deliver to addressee.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
RegisteredAddress String False DelimitedData Specifies a mnemonic for an address associated with an object at a particular city location. The mnemonic is registered in the country/region in which the city is located and is used in the provision of the Public Telegram Service.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
St String False DelimitedData The name of a user's state or province.
Street String False DelimitedData The street address.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
Sn String False DelimitedData This attribute contains the family or last name for a user.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TelephoneNumber String False DelimitedData The primary telephone number.
TeletexTerminalIdentifier String False DelimitedData Specifies the Teletex terminal identifier and, optionally, parameters, for a teletex terminal associated with an object.
TelexNumber String False DelimitedData A list of alternate telex numbers.
PrimaryTelexNumber String False DelimitedData The primary telex number.
Co String False DelimitedData The country/region in which the user is located.
Title String False DelimitedData Contains the user's job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
Comment String False DelimitedData The user's comments.
UserPassword String False DelimitedData The user's password in UTF-8 format. This is a write-only attribute.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
X121Address String False DelimitedData The X.121 address for an object.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

OrganizationalRole

This class is used for objects that contain information that pertains to a position or role within an organization, such as a system administrator, manager, and so on. It can also be used for a nonhuman identity in an organization.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DestinationIndicator String False DelimitedData This is part of the X.500 specification and not used by NTDS.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
FacsimileTelephoneNumber String False DelimitedData Contains telephone number of the user's business fax machine.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
InternationalISDNNumber String False DelimitedData Specifies an International ISDN Number associated with an object.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
L String False DelimitedData Represents the name of a locality, such as a town or city.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
Ou String False DelimitedData The name of the organizational unit.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PhysicalDeliveryOfficeName String False DelimitedData Contains the office location in the user's place of business.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
PostalAddress String False DelimitedData The mailing address for the object.
PostalCode String False DelimitedData The postal or zip code for mail delivery.
PostOfficeBox String False DelimitedData The post office box number for this object.
PreferredDeliveryMethod String False DelimitedData The X.500-preferred way to deliver to addressee.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
RegisteredAddress String False DelimitedData Specifies a mnemonic for an address associated with an object at a particular city location. The mnemonic is registered in the country/region in which the city is located and is used in the provision of the Public Telegram Service.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
RoleOccupant String False DelimitedData The distinguished name of an object that fulfills an organizational role.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
St String False DelimitedData The name of a user's state or province.
Street String False DelimitedData The street address.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TelephoneNumber String False DelimitedData The primary telephone number.
TeletexTerminalIdentifier String False DelimitedData Specifies the Teletex terminal identifier and, optionally, parameters, for a teletex terminal associated with an object.
TelexNumber String False DelimitedData A list of alternate telex numbers.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
X121Address String False DelimitedData The X.121 address for an object.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

OrganizationalUnit

A container for storing users, computers, and other account objects.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
BusinessCategory String False DelimitedData Descriptive text on an Organizational Unit.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CountryCode String False DelimitedData Specifies the country/region code for the user's language of choice. This value is not used by Windows�2000.
C String False DelimitedData The country/region in the address of the user. The country/region is represented as a 2-character code based on ISO-3166.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
DefaultGroup String False DelimitedData The group to which this object is assigned when it is created.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DesktopProfile String False DelimitedData The location of the desktop profile for a user or group of users. Not used.
DestinationIndicator String False DelimitedData This is part of the X.500 specification and not used by NTDS.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
FacsimileTelephoneNumber String False DelimitedData Contains telephone number of the user's business fax machine.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GPLink String False DelimitedData A sorted list of Group Policy options. Each option is a DWORD. Use of the UNICODE string is a convenience.
GPOptions String False DelimitedData Options that affect all group policies associated with the object hosting this property.
InternationalISDNNumber String False DelimitedData Specifies an International ISDN Number associated with an object.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
L String False DelimitedData Represents the name of a locality, such as a town or city.
ThumbnailLogo String False DelimitedData BLOB that contains a logo for this object.
ManagedBy String False DelimitedData The distinguished name of the user that is assigned to manage this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
Ou String False DelimitedData The name of the organizational unit.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PhysicalDeliveryOfficeName String False DelimitedData Contains the office location in the user's place of business.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
PostalAddress String False DelimitedData The mailing address for the object.
PostalCode String False DelimitedData The postal or zip code for mail delivery.
PostOfficeBox String False DelimitedData The post office box number for this object.
PreferredDeliveryMethod String False DelimitedData The X.500-preferred way to deliver to addressee.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
RegisteredAddress String False DelimitedData Specifies a mnemonic for an address associated with an object at a particular city location. The mnemonic is registered in the country/region in which the city is located and is used in the provision of the Public Telegram Service.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SearchGuide String False DelimitedData Specifies information of suggested search criteria, which may be included in some entries that are expected to be a convenient base-object for the search operation, for example, country/region or organization.
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
St String False DelimitedData The name of a user's state or province.
Street String False DelimitedData The street address.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TelephoneNumber String False DelimitedData The primary telephone number.
TeletexTerminalIdentifier String False DelimitedData Specifies the Teletex terminal identifier and, optionally, parameters, for a teletex terminal associated with an object.
TelexNumber String False DelimitedData A list of alternate telex numbers.
Co String False DelimitedData The country/region in which the user is located.
UPNSuffixes String False DelimitedData The list of User-Principal-Name suffixes for a domain.
UserPassword String False DelimitedData The user's password in UTF-8 format. This is a write-only attribute.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
X121Address String False DelimitedData The X.121 address for an object.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Person

Contains personal information about a user.

Table Specific Information
Select

All columns support server-side processing for the operators =, >= , <=, !=, LIKE, AND, and OR. Other filters are executed client side within the connector. For example, the following query is processed by Active Directory:

SELECT * FROM Person WHERE  ObjectClass = 'top' AND  CN  LIKE '%NewUser%' LIMIT 5

You can turn off client-side execution by setting SupportEnhancedSQL to false in which case any search criteria that refers to any other operators will cause an error.

Insert

To add a Person, all fields can be specified except Id, DN, and BaseDN. Required fields that should be provided are RDN and ObjectClass. For example:

INSERT INTO Person (RDN, ObjectClass) VALUES ('CN=Domain Admins', 'Person')
Update

All columns except Id, DN, and BaseDN can be updated by providing the ID in the WHERE clause. For example:

UPDATE Person SET Description = 'desc' WHERE ID = '1|CN=NewUser,CN=Users,DC=MyDC'
Delete

Person rows can be deleted by providing the ID of the Person in a DELETE statement. For example:

DELETE FROM Person WHERE ID = '1|CN=NewUser,CN=Users,DC=MyDC'
Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
Sn String False DelimitedData This attribute contains the family or last name for a user.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TelephoneNumber String False DelimitedData The primary telephone number.
UserPassword String False DelimitedData The user's password in UTF-8 format. This is a write-only attribute.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

PosixAccount

Represents an abstraction of an account with Portable Operating System Interface (POSIX) attributes.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
Gecos String False DelimitedData Contains the information that is stored in the GECOS field.
GidNumber String False DelimitedData Contains an integer value that uniquely identifies a group in an administrative domain.
HomeDirectory String False DelimitedData The home directory for the account. If homeDrive is set and specifies a drive letter, homeDirectory must be a UNC path. Otherwise, homeDirectory is a fully qualified local path including the drive letter (for example, DriveLetter:\Directory\Folder). This value can be a null string.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
LoginShell String False DelimitedData Contains the path to the login shell.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MsCOM-PartitionSetLink String False DelimitedData A link used to associate a COM+ Partition with a COM+ PartitionSet object.
MsCOM-UserLink String False DelimitedData A link used to associate a COM+ PartitionSet with a User object.
MsDFSR-ComputerReferenceBL String False DelimitedData Contains the backward link for the ms-DFSR-ComputerReference attribute.
MsDFSR-MemberReferenceBL String False DelimitedData Contains the backward link for the ms-DFSR-MemberReference attribute.
MsDS-Approx-Immed-Subordinates String False DelimitedData The value returned by this attribute is based on index sizes. This may be off by +/-10% on large containers, and the error is theoretically unbounded, but using this attribute helps the UI display the contents of a container.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MsDs-masteredBy String False DelimitedData Backward link for msDS-hasMasterNCs.
MsDS-MembersForAzRoleBL String False DelimitedData Backward link from member application group or user to Az-Role objects linking to it.
MsDS-NCReplCursors String False DelimitedData A list of past and present replication partners, and how current we are with each of them.
MsDS-NCReplInboundNeighbors String False DelimitedData Replication partners for this partition. This server obtains replication data from these other servers, which act as sources.
MsDS-NCReplOutboundNeighbors String False DelimitedData Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available.
MsDS-NonMembersBL String False DelimitedData Backward link from non-member group or user to Az groups that link to it (same functionality as Non-Security-Member-BL).
MsDS-ObjectReferenceBL String False DelimitedData Backward link for ms-DS-Object-Reference.
MsDS-OperationsForAzRoleBL String False DelimitedData Backward link from Az-Operation to Az-Role objects that link to it.
MsDS-OperationsForAzTaskBL String False DelimitedData Backward link from Az-Operation to Az-Task objects that link to it.
MsDS-ReplAttributeMetaData String False DelimitedData A list of metadata for each replicated attribute. The metadata indicates who changed the attribute last.
MsDS-ReplValueMetaData String False DelimitedData A list of metadata for each value of an attribute. The metadata indicates who changed the value last.
MsDS-TasksForAzRoleBL String False DelimitedData Backward link from Az-Task to Az-Role objects that link to it.
MsDS-TasksForAzTaskBL String False DelimitedData Backward link from Az-Task to the Az-Task objects that link to it.
OwnerBL String False DelimitedData The backward link to the owner attribute. Contains a list of owners for an object.
MsSFU30PosixMemberOf String False DelimitedData Contains the display names of groups to which this user belongs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
StructuralObjectClass String False DelimitedData This constructed attribute stores a list of classes contained in a class hierarchy, including abstract classes. This list does contain dynamically linked auxiliary classes.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
Uid String False DelimitedData A user ID.
UidNumber String False DelimitedData Contains an integer that uniquely identifies a user in an administrative domain.
UnixHomeDirectory String False DelimitedData Contains the absolute path to the home directory.
UnixUserPassword String False DelimitedData Contains a user password that is compatible with a UNIX system.
UserPassword String False DelimitedData The user's password in UTF-8 format. This is a write-only attribute.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

PosixGroup

Represents an abstraction of a group of accounts.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GidNumber String False DelimitedData Contains an integer value that uniquely identifies a group in an administrative domain.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
MemberUid String False DelimitedData Contains the login names of the members of a group.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MsCOM-PartitionSetLink String False DelimitedData A link used to associate a COM+ Partition with a COM+ PartitionSet object.
MsCOM-UserLink String False DelimitedData A link used to associate a COM+ PartitionSet with a User object.
MsDFSR-ComputerReferenceBL String False DelimitedData Contains the backward link for the ms-DFSR-ComputerReference attribute.
MsDFSR-MemberReferenceBL String False DelimitedData Contains the backward link for the ms-DFSR-MemberReference attribute.
MsDS-Approx-Immed-Subordinates String False DelimitedData The value returned by this attribute is based on index sizes. This may be off by +/-10% on large containers, and the error is theoretically unbounded, but using this attribute helps the UI display the contents of a container.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MsDs-masteredBy String False DelimitedData Backward link for msDS-hasMasterNCs.
MsDS-MembersForAzRoleBL String False DelimitedData Backward link from member application group or user to Az-Role objects linking to it.
MsDS-NCReplCursors String False DelimitedData A list of past and present replication partners, and how current we are with each of them.
MsDS-NCReplInboundNeighbors String False DelimitedData Replication partners for this partition. This server obtains replication data from these other servers, which act as sources.
MsDS-NCReplOutboundNeighbors String False DelimitedData Replication partners for this partition. This server sends replication data to these other servers, which act as destinations. This server will notify these other servers when new data is available.
MsDS-NonMembersBL String False DelimitedData Backward link from non-member group or user to Az groups that link to it (same functionality as Non-Security-Member-BL).
MsDS-ObjectReferenceBL String False DelimitedData Backward link for ms-DS-Object-Reference.
MsDS-OperationsForAzRoleBL String False DelimitedData Backward link from Az-Operation to Az-Role objects that link to it.
MsDS-OperationsForAzTaskBL String False DelimitedData Backward link from Az-Operation to Az-Task objects that link to it.
MsDS-ReplAttributeMetaData String False DelimitedData A list of metadata for each replicated attribute. The metadata indicates who changed the attribute last.
MsDS-ReplValueMetaData String False DelimitedData A list of metadata for each value of an attribute. The metadata indicates who changed the value last.
MsDS-TasksForAzRoleBL String False DelimitedData Backward link from Az-Task to Az-Role objects that link to it.
MsDS-TasksForAzTaskBL String False DelimitedData Backward link from Az-Task to the Az-Task objects that link to it.
OwnerBL String False DelimitedData The backward link to the owner attribute. Contains a list of owners for an object.
MsSFU30PosixMemberOf String False DelimitedData Contains the display names of groups to which this user belongs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
StructuralObjectClass String False DelimitedData This constructed attribute stores a list of classes contained in a class hierarchy, including abstract classes. This list does contain dynamically linked auxiliary classes.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
UnixUserPassword String False DelimitedData Contains a user password that is compatible with a UNIX system.
UserPassword String False DelimitedData The user's password in UTF-8 format. This is a write-only attribute.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

PrintQueue

Contains information about a print queue.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
PrinterName String False DelimitedData The display name of an attached printer.
ServerName String False DelimitedData The name of a server.
ShortServerName String False DelimitedData Pre-Windows�2000 compatible server name for print servers.
UNCName String False DelimitedData The universal naming convention name for shared volumes and printers.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
AssetNumber String False DelimitedData The tracking number for the object.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
BytesPerMinute String False DelimitedData Printer data transfer rate.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
DefaultPriority String False DelimitedData The default priority (of a process, print job, and so on).
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DriverName String False DelimitedData The device driver name.
DriverVersion String False DelimitedData The Version number of device driver.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
Keywords String False DelimitedData A list of keywords that can be used to locate a given connection point.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
Location String False DelimitedData The user's location, such as office number.
ManagedBy String False DelimitedData The distinguished name of the user that is assigned to manage this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OperatingSystem String False DelimitedData The Operating System name, for example, Windows�Vista Enterprise.
OperatingSystemHotfix String False DelimitedData The hotfix level of the operating system.
OperatingSystemServicePack String False DelimitedData The operating system service pack ID string (for example, SP3).
OperatingSystemVersion String False DelimitedData The operating system version string, for example, 4.0.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PhysicalLocationObject String False DelimitedData Used to map a device (for example, a printer, computer, and so on) to a physical location.
PortName String False DelimitedData List of port names. For example, for printer ports or comm ports.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
PrintAttributes String False DelimitedData A bitmask of printer attributes.
PrintBinNames String False DelimitedData A list of printer bin names.
PrintCollate String False DelimitedData TRUE if a printer has collating bins.
PrintColor String False DelimitedData TRUE if a printer can print in color.
PrintDuplexSupported String False DelimitedData Indicates the type of duplex support a printer has.
PrintEndTime String False DelimitedData The time a print queue stops servicing jobs.
PrintFormName String False DelimitedData The name of the currently loaded form.
PrintKeepPrintedJobs String False DelimitedData TRUE if printed jobs are kept.
PrintLanguage String False DelimitedData The supported page description language (for example, PostScript, PCL).
PrintMACAddress String False DelimitedData The user-supplied MAC address.
PrintMaxCopies String False DelimitedData The maximum number of copies a device can print.
PrintMaxResolutionSupported String False DelimitedData The maximum printer resolution.
PrintMaxXExtent String False DelimitedData The maximum horizontal print region.
PrintMaxYExtent String False DelimitedData The maximum vertical print region.
PrintMediaReady String False DelimitedData A list of available media for a printer.
PrintMediaSupported String False DelimitedData A list of media supported by a printer.
PrintMemory String False DelimitedData The amount of memory installed in a printer.
PrintMinXExtent String False DelimitedData The minimum horizontal print region.
PrintMinYExtent String False DelimitedData The minimum vertical print region.
PrintNetworkAddress String False DelimitedData The user-supplied network address.
PrintNotify String False DelimitedData A user-supplied string that specifies the notification contact.
PrintNumberUp String False DelimitedData The number of page images per sheet.
PrintOrientationsSupported String False DelimitedData The page rotation for landscape printing.
PrintOwner String False DelimitedData A user-supplied owner string.
PrintPagesPerMinute String False DelimitedData Driver-supplied print rate in pages per minute.
PrintRate String False DelimitedData Driver-supplied print rate.
PrintRateUnit String False DelimitedData Driver-supplied print rate unit.
PrintSeparatorFile String False DelimitedData The file path of the printer separator page.
PrintShareName String False DelimitedData The printer's share name.
PrintSpooling String False DelimitedData A string that represents the type of printer spooling.
PrintStaplingSupported String False DelimitedData TRUE if the printer supports stapling. Supplied by the driver.
PrintStartTime String False DelimitedData The time a print queue begins servicing jobs.
PrintStatus String False DelimitedData Status from the print spooler. Currently unused.
Priority String False DelimitedData The current priority (of a process, print job, and so on).
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
VersionNumber String False DelimitedData A general purpose version number.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

SecurityObject

This is an auxiliary class that is used to identify security principals.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

SecurityPrincipal

Contains the security information for an object.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
SAMAccountName String False DelimitedData The logon name used to support clients and servers running earlier versions of the operating system, such as Windows�NT�4.0, Windows�95, Windows�98, and LAN Manager.
AccountNameHistory String False DelimitedData The length of time that the account has been active.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
AltSecurityIdentities String False DelimitedData Contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectSid String False DelimitedData A binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
Rid String False DelimitedData The relative Identifier of an object.
SAMAccountType String False DelimitedData This attribute contains information about every account type object. You can enumerate a list of account types or you can use the Display Information API to create a list. Because computers, normal user accounts, and trust accounts can also be enumerated as user objects, the values for these accounts must be a contiguous range.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SecurityIdentifier String False DelimitedData A unique value of variable length used to identify a user account, group account, or logon session to which an ACE applies.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SIDHistory String False DelimitedData Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and that new SID becomes the objectSID. The previous SID is added to the sIDHistory property.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SupplementalCredentials String False DelimitedData Stored credentials for use in authenticating. The encrypted version of the user's password. This attribute is neither readable nor writable.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Server

This class represents a server computer in a site.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
BridgeheadTransportList String False DelimitedData Transports for which this server is a bridgehead.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DNSHostName String False DelimitedData Name of computer as registered in DNS.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedBy String False DelimitedData The distinguished name of the user that is assigned to manage this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SerialNumber String False DelimitedData Part of X.500 specification. Not used by Active Directory.
ServerReference String False DelimitedData Found in a site computer object. Contains the distinguished name of the domain controller in the domain naming context.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
MailAddress String False DelimitedData Generic mail address attribute. Used in the box as an optional attribute of server objects, where it is consumed by mail-based DS replication (if the computers are so configured).
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Site

A container for storing server objects. Represents a physical location that contains computers. Used to manage replication.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GPLink String False DelimitedData A sorted list of Group Policy options. Each option is a DWORD. Use of the UNICODE string is a convenience.
GPOptions String False DelimitedData Options that affect all group policies associated with the object hosting this property.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
Location String False DelimitedData The user's location, such as office number.
ManagedBy String False DelimitedData The distinguished name of the user that is assigned to manage this object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MSMQInterval1 String False DelimitedData In MSMQ mixed-mode, default replication time within a site.
MSMQInterval2 String False DelimitedData In MSMQ mixed-mode, default replication time between sites.
MSMQNt4Stub String False DelimitedData The MSMQ-Nt4-Stub attribute contains MSMQ mixed-mode information.
MSMQSiteForeign String False DelimitedData A Boolean value that indicates whether it is a foreign MSMQ site.
MSMQSiteID String False DelimitedData The MSMQ-Site-ID attribute contains MSMQ mixed-mode information.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
NotificationList String False DelimitedData The Notification-List attribute is not currently used.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Top

The top level class from which all classes are derived.

Table Specific Information
Select

All columns support server-side processing for the following operators =, >= , <=, !=, LIKE, AND, and OR. Other filters are executed client side within the connector. For example, the following query is processed by Active Directory:

SELECT * FROM Top WHERE  CN != 'NewUser' AND  BaseDN = 'CN=Users,DC=MyDC' LIMIT 5

You can turn off client-side execution by setting SupportEnhancedSQL to false in which case any search criteria that refers to any other operators will cause an error.

Insert

To add a Top record, all fields can be specified except Id, DN, and BaseDN. Required fields that should be provided are RDN and ObjectClass. For example:

INSERT INTO Top (RDN, ObjectClass) VALUES ('CN=NewUser', 'top;person;organizationalPerson;user;inetOrgPerson')
Update

All columns except Id, DN, and BaseDN can be updated by providing the ID in the WHERE clause. For example:

UPDATE Top SET Description = 'test' WHERE ID = '1|CN=NewUser,CN=Users,DC=MyDC'
Delete

Top records can be deleted by providing the ID of the Top record in a DELETE statement. For example:

DELETE FROM Top WHERE ID = '1|CN=NewUser,CN=Users,DC=MyDC'
Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

TrustedDomain

An object that represents a domain trusted by (or trusting) the local domain.

Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
AdditionalTrustedServiceNames String False DelimitedData A list of services in the domain that can be trusted. Not used by AD.
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Cn String False DelimitedData The name that represents an object. Used to perform searches.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DomainCrossRef String False DelimitedData This is a reference from a trusted domain object to the cross reference object of the trusted domain.
DomainIdentifier String False DelimitedData Domain Sid that identifies the domain.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
Flags String False DelimitedData To be used by the object to store bit information.
FlatName String False DelimitedData For Windows�NT domains, the flat name is the NetBIOS name. For links with non-Windows�NT domains, the flat name is the identifying name of that domain, or it is NULL.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
InitialAuthIncoming String False DelimitedData Contains information about an initial incoming authentication request by a client to this server. This request is then sent by this server to the authentication server for the domain.
InitialAuthOutgoing String False DelimitedData Contains information about an initial outgoing authentication sent by the authentication server for this domain to the client that requested authentication. The server that uses this attribute receives the authorization from the authentication server and sends it to the client.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SecurityIdentifier String False DelimitedData A unique value of variable length used to identify a user account, group account, or logon session to which an ACE applies.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TrustAttributes String False DelimitedData This attribute stores the trust attributes for a trusted domain. Possible attribute values are as follows:
TrustAuthIncoming String False DelimitedData Authentication information for the incoming portion of a trust.
TrustAuthOutgoing String False DelimitedData Authentication information for the outgoing portion of a trust.
TrustDirection String False DelimitedData The direction of a trust.
TrustPartner String False DelimitedData The name of the domain with which a trust exists.
TrustPosixOffset String False DelimitedData The Portable Operating System Interface (POSIX) offset for the trusted domain.
TrustType String False DelimitedData The type of trust, for example, Windows�NT or MIT.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

User

This class is used to store information about an employee or contractor who works for an organization. It is also possible to apply this class to long term visitors.

Table Specific Information
Select

All columns support server-side processing for the operators =, >= , <=, !=, LIKE, AND, and OR. Other filters are executed client side within the connector. For example, the following query is processed by Active Directory:

SELECT * FROM User WHERE  Title Like '%abc%' AND  AdminCount != '1' LIMIT 5

You can turn off client-side execution by setting SupportEnhancedSQL to false in which case any search criteria that refers to any other operators will cause an error.

Insert

To add a User, all fields can be specified except Id, DN, and BaseDN. Required fields that should be provided are RDN and ObjectClass. For example:

INSERT INTO [User] (RDN, ObjectClass) VALUES ('CN=TestUser', 'Top; Person; OrganizationalPerson; User')
Update

All columns except Id, DN, and BaseDN can be updated by providing the ID in the WHERE clause. For example:

UPDATE User SET PostalCode = '94042' WHERE ID = '1|CN=NewUser,CN=Users,DC=MyDC'
Delete

Users can be deleted by providing the ID of the User in a DELETE statement. For example:

DELETE FROM User WHERE ID = '1|CN=NewUser,CN=Users,DC=MyDC'
Columns
Name Type ReadOnly References DataFormat Description
Id [KEY] String True Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String True The full distinguished name.
RDN String False The relative distinguished name.
BaseDN String True The base distinguished name.
InstanceType String False DelimitedData A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String False DelimitedData The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String False DelimitedData An object class name used to group objects of this or derived classes.
ObjectClass String False DelimitedData The list of classes from which this class is derived.
SAMAccountName String False DelimitedData The logon name used to support clients and servers running earlier versions of the operating system, such as Windows�NT�4.0, Windows�95, Windows�98, and LAN Manager.
AccountExpires String False DelimitedData The date when the account expires. This value represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires.
AccountNameHistory String False DelimitedData The length of time that the account has been active.
ACSPolicyName String False DelimitedData String name of an ACS policy that applies to this user.
StreetAddress String False DelimitedData The user's address.
HomePostalAddress String False DelimitedData A user's home address.
AdminCount String False DelimitedData Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively).
AdminDescription String False DelimitedData The description displayed on admin screens.
AdminDisplayName String False DelimitedData The name to be displayed on admin screens.
AllowedAttributes String False DelimitedData Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String False DelimitedData A list of attributes that can be modified on the object.
AllowedChildClasses String False DelimitedData Classes that can be contained by a class.
AllowedChildClassesEffective String False DelimitedData A list of classes that can be modified.
AltSecurityIdentities String False DelimitedData Contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication.
Assistant String False DelimitedData The distinguished name of a user's administrative assistant.
BadPasswordTime String False DelimitedData The last time and date that an attempt to log on to this account was made with a password that is not valid. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last time a incorrect password was used is unknown.
BadPwdCount String False DelimitedData The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown.
BridgeheadServerListBL String False DelimitedData The list of servers that are bridgeheads for replication.
CanonicalName String False DelimitedData The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
CodePage String False DelimitedData Specifies the code page for the user's language of choice. This value is not used by Windows�2000.
Info String False DelimitedData The user's comments. This string can be a null string.
Cn String False DelimitedData The name that represents an object. Used to perform searches.
Company String False DelimitedData The user's company name.
ControlAccessRights String False DelimitedData Used by DS Security to determine which users can perform specific operations on the host object.
CountryCode String False DelimitedData Specifies the country/region code for the user's language of choice. This value is not used by Windows�2000.
C String False DelimitedData The country/region in the address of the user. The country/region is represented as a 2-character code based on ISO-3166.
CreateTimeStamp String False DelimitedData The date when this object was created. This value is replicated.
DBCSPwd String False DelimitedData The account's LAN Manager password.
DefaultClassStore String False DelimitedData The default Class Store for a given user.
Department String False DelimitedData Contains the name for the department in which the user works.
Description String False DelimitedData Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DesktopProfile String False DelimitedData The location of the desktop profile for a user or group of users. Not used.
DestinationIndicator String False DelimitedData This is part of the X.500 specification and not used by NTDS.
DisplayName String False DelimitedData The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String False DelimitedData The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
Division String False DelimitedData The user's division.
DSASignature String False DelimitedData The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String False DelimitedData The DS-Core-Propagation-Data attribute is for internal use only.
DynamicLDAPServer String False DelimitedData DNS name of server handing dynamic properties for this account.
Mail String False DelimitedData The list of email addresses for a contact.
EmployeeID String False DelimitedData The ID of an employee.
EmployeeNumber String False DelimitedData The number for an employee.
EmployeeType String False DelimitedData The job category for an employee.
ExtensionName String False DelimitedData The name of a property page used to extend the UI of a directory object.
FacsimileTelephoneNumber String False DelimitedData Contains telephone number of the user's business fax machine.
Flags String False DelimitedData To be used by the object to store bit information.
FromEntry String False DelimitedData This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String False DelimitedData Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String False DelimitedData Reference to subscriber objects for this member.
FSMORoleOwner String False DelimitedData Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GarbageCollPeriod String False DelimitedData This attribute is located on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,... object. It represents the time, in hours, between DS garbage collection runs.
GenerationQualifier String False DelimitedData Indicates a person generation. For example, Jr. or II.
GivenName String False DelimitedData Contains the given name (first name) of the user.
GroupMembershipSAM String False DelimitedData Windows�NT Security. Down level Windows�NT support.
GroupPriority String False DelimitedData The Group-Priority attribute is not currently used.
GroupsToIgnore String False DelimitedData The Groups-to-Ignore attribute is not currently used.
HomeDirectory String False DelimitedData The home directory for the account. If homeDrive is set and specifies a drive letter, homeDirectory must be a UNC path. Otherwise, homeDirectory is a fully qualified local path including the drive letter (for example, DriveLetter:\Directory\Folder). This value can be a null string.
HomeDrive String False DelimitedData Specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the form DriveLetter: where DriveLetter is the letter of the drive to map. The DriveLetter must be a single, uppercase letter and the colon (:) is required.
Initials String False DelimitedData Contains the initials for parts of the user's full name. This may be used as the middle initial in the Windows Address Book.
InternationalISDNNumber String False DelimitedData Specifies an International ISDN Number associated with an object.
IsCriticalSystemObject String False DelimitedData If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String False DelimitedData If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String False DelimitedData The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String False DelimitedData Backward link to privileges held by a given principal.
LastKnownParent String False DelimitedData The Distinguished Name (DN) of the last known parent of an orphaned object.
LastLogoff String False DelimitedData This attribute is not used.
LastLogon String False DelimitedData The last time the user logged on. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last logon time is unknown.
LegacyExchangeDN String False DelimitedData The distinguished name previously used by Exchange.
LmPwdHistory String False DelimitedData The password history of the user in LAN Manager (LM) one-way format (OWF). The LM OWF is used for compatibility with LAN Manager 2.x clients, Windows�95, and Windows�98.
LocaleID String False DelimitedData This attribute contains a list of locale IDs supported by this application. A locale ID represents a geographic location, such as a country/region, city, county, and so on.
L String False DelimitedData Represents the name of a locality, such as a town or city.
LockoutTime String False DelimitedData The date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out.
ThumbnailLogo String False DelimitedData BLOB that contains a logo for this object.
LogonCount String False DelimitedData The number of times the account has successfully logged on. A value of 0 indicates that the value is unknown.
LogonHours String False DelimitedData The hours that the user is allowed to logon to the domain.
LogonWorkstation String False DelimitedData This attribute is not used. See the User-Workstations attribute.
ManagedObjects String False DelimitedData Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
Manager String False DelimitedData Contains the distinguished name of the user who is the user's manager. The manager's user object contains a directReports property that contains references to all user objects that have their manager properties set to this distinguished name.
MasteredBy String False DelimitedData Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
MaxStorage String False DelimitedData The maximum amount of disk space the user can use. Use the value specified in USER_MAXSTORAGE_UNLIMITED to use all available disk space.
MhsORAddress String False DelimitedData X.400 address.
ModifyTimeStamp String False DelimitedData A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String False DelimitedData This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MS-DS-CreatorSID String False DelimitedData The security ID of the creator of the object that contains this attribute.
MSMQDigests String False DelimitedData An array of digests of the corresponding certificates in attribute mSMQ-Sign-Certificates. They are used for mapping a digest into a certificate.
MSMQDigestsMig String False DelimitedData In MSMQ mixed-mode, contains the previous value of mSMQDigests.
MSMQSignCertificates String False DelimitedData This attribute contains a number of certificates. A user can generate a certificate per computer. For each certificate we also keep a digest.
MSMQSignCertificatesMig String False DelimitedData In MSMQ mixed-mode, the attribute contains the previous value of mSMQSignCertificates. MSMQ supports migration from the MSMQ 1.0 DS to the Windows�2000 DS, and mixed mode specifies a state in which some of the DS severs were not upgraded to Windows�2000.
MsNPAllowDialin String False DelimitedData Indicates whether the account has permission to dial in to the RAS server. Do not modify this value directly. Use the appropriate RAS administration function to modify this value.
MsNPCallingStationID String False DelimitedData The msNPCallingStationID attribute is used internally. Do not modify this value directly.
MsNPSavedCallingStationID String False DelimitedData The msNPSavedCallingStationID attribute is used internally. Do not modify this value directly.
MsRADIUSCallbackNumber String False DelimitedData The msRADIUSCallbackNumber attribute is used internally. Do not modify this value directly.
MsRADIUSFramedIPAddress String False DelimitedData The msRADIUSFramedIPAddress attribute is used internally. Do not modify this value directly.
MsRADIUSFramedRoute String False DelimitedData The msRADIUSFramedRoute attribute is used internally. Do not modify this value directly.
MsRADIUSServiceType String False DelimitedData The msRADIUSServiceType attribute is used internally. Do not modify this value directly.
MsRASSavedCallbackNumber String False DelimitedData The msRASSavedCallbackNumber attribute is used internally. Do not modify this value directly.
MsRASSavedFramedIPAddress String False DelimitedData The msRASSavedFramedIPAddress attribute is used internally. Do not modify this value directly.
MsRASSavedFramedRoute String False DelimitedData The msRASSavedFramedRoute attribute is used internally. Do not modify this value directly.
NetbootSCPBL String False DelimitedData A list of service connection points that reference this NetBoot server.
NetworkAddress String False DelimitedData The TCP/IP address for a network segment. Also called the subnet address.
NonSecurityMemberBL String False DelimitedData List of nonsecurity-members for an Exchange distribution list.
NtPwdHistory String False DelimitedData The password history of the user in Windows�NT one-way format (OWF). Windows�2000 uses the Windows�NT OWF.
DistinguishedName String False DelimitedData Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String False DelimitedData The unique identifier for an object.
ObjectSid String False DelimitedData A binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal.
ObjectVersion String False DelimitedData This can be used to store a version number for the object.
OperatorCount String False DelimitedData Operator count.
Ou String False DelimitedData The name of the organizational unit.
O String False DelimitedData The name of the company or organization.
OtherLoginWorkstations String False DelimitedData Non-Windows�NT or LAN Manager workstations from which a user can log on.
OtherMailbox String False DelimitedData Contains other additional mail addresses in a form such as CCMAIL: BruceKeever.
MiddleName String False DelimitedData Additional names for a user. For example, middle name, patronymic, matronymic, or others.
OtherWellKnownObjects String False DelimitedData Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String False DelimitedData Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PersonalTitle String False DelimitedData The user's title.
OtherFacsimileTelephoneNumber String False DelimitedData A list of alternate facsimile numbers.
OtherHomePhone String False DelimitedData A list of alternate home phone numbers.
HomePhone String False DelimitedData The user's main home phone number.
OtherIpPhone String False DelimitedData The list of alternate TCP/IP addresses for the phone. Used by Telephony.
IpPhone String False DelimitedData The TCP/IP address for the phone. Used by Telephony.
PrimaryInternationalISDNNumber String False DelimitedData The primary ISDN.
OtherMobile String False DelimitedData A list of alternate mobile phone numbers.
Mobile String False DelimitedData The primary mobile phone number.
OtherTelephone String False DelimitedData A list of alternate office phone numbers.
OtherPager String False DelimitedData A list of alternate pager numbers.
Pager String False DelimitedData The primary pager number.
PhysicalDeliveryOfficeName String False DelimitedData Contains the office location in the user's place of business.
ThumbnailPhoto String False DelimitedData An image of the user. A space-efficient format like JPEG or GIF is recommended.
PossibleInferiors String False DelimitedData The list of objects that this object can contain.
PostalAddress String False DelimitedData The mailing address for the object.
PostalCode String False DelimitedData The postal or zip code for mail delivery.
PostOfficeBox String False DelimitedData The post office box number for this object.
PreferredDeliveryMethod String False DelimitedData The X.500-preferred way to deliver to addressee.
PreferredOU String False DelimitedData The Organizational Unit to show by default on user' s desktop.
PrimaryGroupID String False DelimitedData Contains the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users group.
ProfilePath String False DelimitedData Specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.
ProxiedObjectName String False DelimitedData This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String False DelimitedData A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
PwdLastSet String False DelimitedData The date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.
QueryPolicyBL String False DelimitedData List of all objects holding references to a given Query-Policy.
Name String False DelimitedData The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
RegisteredAddress String False DelimitedData Specifies a mnemonic for an address associated with an object at a particular city location. The mnemonic is registered in the country/region in which the city is located and is used in the provision of the Public Telegram Service.
ReplPropertyMetaData String False DelimitedData Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String False DelimitedData Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String False DelimitedData Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String False DelimitedData Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String False DelimitedData Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String False DelimitedData The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
Rid String False DelimitedData The relative Identifier of an object.
SAMAccountType String False DelimitedData This attribute contains information about every account type object. You can enumerate a list of account types or you can use the Display Information API to create a list. Because computers, normal user accounts, and trust accounts can also be enumerated as user objects, the values for these accounts must be a contiguous range.
ScriptPath String False DelimitedData This attribute specifies the path for the user's logon script. The string can be null.
SDRightsEffective String False DelimitedData This constructed attribute returns a single DWORD value that can have up to three bits set:
SecurityIdentifier String False DelimitedData A unique value of variable length used to identify a user account, group account, or logon session to which an ACE applies.
SeeAlso String False DelimitedData List of distinguished names that are related to an object.
ServerReferenceBL String False DelimitedData Found in the domain naming context. The distinguished name of a computer under the sites folder.
ServicePrincipalName String False DelimitedData List of principal names used for mutual authentication with an instance of a service on this computer.
ShowInAddressBook String False DelimitedData This attribute is used to indicate in which MAPI address books an object will appear. It is usually maintained by the Exchange Recipient Update Service.
ShowInAdvancedViewOnly String False DelimitedData TRUE if this attribute is to be visible in the Advanced mode of the UI.
SIDHistory String False DelimitedData Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and that new SID becomes the objectSID. The previous SID is added to the sIDHistory property.
SiteObjectBL String False DelimitedData The list of distinguished names for subnets that belong to this site.
St String False DelimitedData The name of a user's state or province.
Street String False DelimitedData The street address.
SubRefs String False DelimitedData List of subordinate references of a Naming Context.
SubSchemaSubEntry String False DelimitedData The distinguished name for the location of the subschema object where a class or attribute is defined.
SupplementalCredentials String False DelimitedData Stored credentials for use in authenticating. The encrypted version of the user's password. This attribute is neither readable nor writable.
Sn String False DelimitedData This attribute contains the family or last name for a user.
SystemFlags String False DelimitedData An integer value that contains flags that define additional properties of the class. See Remarks.
TelephoneNumber String False DelimitedData The primary telephone number.
TeletexTerminalIdentifier String False DelimitedData Specifies the Teletex terminal identifier and, optionally, parameters, for a teletex terminal associated with an object.
TelexNumber String False DelimitedData A list of alternate telex numbers.
PrimaryTelexNumber String False DelimitedData The primary telex number.
TerminalServer String False DelimitedData Opaque data used by the Windows�NT terminal server.
Co String False DelimitedData The country/region in which the user is located.
TextEncodedORAddress String False DelimitedData This attribute is used to support X.400 addresses in a text format.
Title String False DelimitedData Contains the user's job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
UnicodePwd String False DelimitedData The password of the user in Windows�NT one-way format (OWF). Windows�2000 uses the Windows�NT OWF. This property is used only by the operating system. Note that you cannot derive the clear password back from the OWF form of the password.
UserAccountControl String False DelimitedData Flags that control the behavior of the user account.
UserCert String False DelimitedData Nortel v1 or DMS certificates.
Comment String False DelimitedData The user's comments.
UserParameters String False DelimitedData Parameters of the user. Points to a Unicode string that is set aside for use by applications. This string can be a null string, or it can have any number of characters before the terminating null character. Microsoft products use this member to store user data specific to the individual program.
UserPassword String False DelimitedData The user's password in UTF-8 format. This is a write-only attribute.
UserPrincipalName String False DelimitedData This attribute contains the UPN that is an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user email name. The value set for this attribute is equal to the length of the user's ID and the domain name. For more information about this attribute, see User Naming Attributes.
UserSharedFolder String False DelimitedData Specifies a UNC path to the user's shared documents folder. The path must be a network UNC path of the form \Server\Share\Directory. This value can be a null string.
UserSharedFolderOther String False DelimitedData Specifies a UNC path to the user's additional shared documents folder. The path must be a network UNC path of the form \Server\Share\Directory. This value can be a null string.
UserSMIMECertificate String False DelimitedData Certificate distribution object or tagged certificates.
UserWorkstations String False DelimitedData Contains the NetBIOS or DNS names of the computers running Windows�NT Workstation or Windows�2000 Professional from which the user can log on. Each NetBIOS name is separated by a comma. Multiple names should be separated by commas.
USNChanged String False DelimitedData The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String False DelimitedData The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String False DelimitedData Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String False DelimitedData The update sequence number (USN) for inter-site replication.
USNLastObjRem String False DelimitedData Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String False DelimitedData Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String False DelimitedData References to objects in other ADSI namespaces.
WellKnownObjects String False DelimitedData This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String False DelimitedData The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String False DelimitedData The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String False DelimitedData A web page that is the primary landing page of a website.
Url String False DelimitedData A list of alternate webpages.
X121Address String False DelimitedData The X.121 address for an object.
UserCertificate String False DelimitedData Contains the DER-encoded X.509v3 certificates issued to the user. Note that this property contains the public key certificates issued to this user by Microsoft Certificate Service.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String Defines the LDAP filter explicitly, overriding any other values set in the WHERE clause.

Views

Views are composed of columns and pseudo columns. Views are similar to tables in the way that data is represented; however, views do not support updates. Entities that are represented as views are typically read-only entities. Often, a stored procedure* is available to update the data if such functionality is applicable to the data source.

Queries can be executed against a view as if it were a normal table, and the data that comes back is similar in that regard. To find out more about tables and stored procedures, please navigate to their corresponding entries in this help document.

Active Directory Connector Views

Name Description
Group_Membership Stores a list of user names. Used to apply security principals on resources. This view returns one row for each Member of the Group.
User_Membership This class is used to store information about an employee or contractor who works for an organization. It is also possible to apply this class to long term visitors. This view returns one row for each Group the User is a member of.

Group_Membership

Stores a list of user names. Used to apply security principals on resources. This view returns one row for each Member of the Group.

Columns
Name Type References Description
Id [KEY] String Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String The full distinguished name.
RDN String The relative distinguished name.
BaseDN String The base distinguished name.
GroupType String Contains a set of flags that define the type and scope of a group object. For the possible values for this attribute, see Remarks.
InstanceType String A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String An object class name used to group objects of this or derived classes.
ObjectClass String The list of classes from which this class is derived.
SAMAccountName String The logon name used to support clients and servers running earlier versions of the operating system, such as Windows�NT�4.0, Windows�95, Windows�98, and LAN Manager.
AccountNameHistory String The length of time that the account has been active.
AdminCount String Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively).
AdminDescription String The description displayed on admin screens.
AdminDisplayName String The name to be displayed on admin screens.
AllowedAttributes String Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String A list of attributes that can be modified on the object.
AllowedChildClasses String Classes that can be contained by a class.
AllowedChildClassesEffective String A list of classes that can be modified.
AltSecurityIdentities String Contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication.
BridgeheadServerListBL String The list of servers that are bridgeheads for replication.
CanonicalName String The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
Info String The user's comments. This string can be a null string.
Cn String The name that represents an object. Used to perform searches.
ControlAccessRights String Used by DS Security to determine which users can perform specific operations on the host object.
CreateTimeStamp String The date when this object was created. This value is replicated.
Description String Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DesktopProfile String The location of the desktop profile for a user or group of users. Not used.
DisplayName String The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
DSASignature String The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String The DS-Core-Propagation-Data attribute is for internal use only.
Mail String The list of email addresses for a contact.
ExtensionName String The name of a property page used to extend the UI of a directory object.
Flags String To be used by the object to store bit information.
FromEntry String This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String Reference to subscriber objects for this member.
FSMORoleOwner String Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GarbageCollPeriod String This attribute is located on the CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, ... object. It represents the time, in hours, between DS garbage collection runs.
GroupAttributes String The Group-Attributes attribute is not currently used.
GroupMembershipSAM String Windows�NT Security. Down level Windows�NT support.
IsCriticalSystemObject String If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String Backward link to privileges held by a given principal.
LastKnownParent String The Distinguished Name (DN) of the last known parent of an orphaned object.
LegacyExchangeDN String The distinguished name previously used by Exchange.
ManagedBy String The distinguished name of the user that is assigned to manage this object.
ManagedObjects String Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
MasteredBy String Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
Member String The list of users that belong to the group.
ModifyTimeStamp String A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
NetbootSCPBL String A list of service connection points that reference this NetBoot server.
NonSecurityMember String Nonsecurity members of a group. Used for Exchange distribution lists.
NonSecurityMemberBL String List of nonsecurity-members for an Exchange distribution list.
NTGroupMembers String This attribute is not used.
DistinguishedName String Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String The unique identifier for an object.
ObjectSid String A binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal.
ObjectVersion String This can be used to store a version number for the object.
OperatorCount String Operator count.
OtherWellKnownObjects String Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PossibleInferiors String The list of objects that this object can contain.
PrimaryGroupToken String A computed attribute that is used in retrieving the membership list of a group, such as Domain Users. The complete membership of such groups is not stored explicitly for scaling reasons.
ProxiedObjectName String This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
QueryPolicyBL String List of all objects holding references to a given Query-Policy.
Name String The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
ReplPropertyMetaData String Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
Rid String The relative Identifier of an object.
SAMAccountType String This attribute contains information about every account type object. You can enumerate a list of account types or you can use the Display Information API to create a list. Because computers, normal user accounts, and trust accounts can also be enumerated as user objects, the values for these accounts must be a contiguous range.
SDRightsEffective String This constructed attribute returns a single DWORD value that can have up to three bits set:
SecurityIdentifier String A unique value of variable length used to identify a user account, group account, or logon session to which an ACE applies.
ServerReferenceBL String Found in the domain naming context. The distinguished name of a computer under the sites folder.
ShowInAddressBook String This attribute is used to indicate in which MAPI address books an object will appear. It is usually maintained by the Exchange Recipient Update Service.
ShowInAdvancedViewOnly String TRUE if this attribute is to be visible in the Advanced mode of the UI.
SIDHistory String Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and that new SID becomes the objectSID. The previous SID is added to the sIDHistory property.
SiteObjectBL String The list of distinguished names for subnets that belong to this site.
SubRefs String List of subordinate references of a Naming Context.
SubSchemaSubEntry String The distinguished name for the location of the subschema object where a class or attribute is defined.
SupplementalCredentials String Stored credentials for use in authenticating. The encrypted version of the user's password. This attribute is neither readable nor writable.
SystemFlags String An integer value that contains flags that define additional properties of the class. See Remarks.
TelephoneNumber String The primary telephone number.
TextEncodedORAddress String This attribute is used to support X.400 addresses in a text format.
UserCert String Nortel v1 or DMS certificates.
UserSMIMECertificate String Certificate distribution object or tagged certificates.
USNChanged String The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String The update sequence number (USN) for inter-site replication.
USNLastObjRem String Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String References to objects in other ADSI namespaces.
WellKnownObjects String This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String A web page that is the primary landing page of a website.
Url String A list of alternate webpages.
UserCertificate String Contains the DER-encoded X.509v3 certificates issued to the user. Note that this property contains the public key certificates issued to this user by Microsoft Certificate Service.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String

User_Membership

This class is used to store information about an employee or contractor who works for an organization. It is also possible to apply this class to long term visitors. This view returns one row for each Group the User is a member of.

Columns
Name Type References Description
Id [KEY] String Combined index and DN. Multiple indices are only possible when a column is set to SplitDataByRow.
DN String The full distinguished name.
RDN String The relative distinguished name.
BaseDN String The base distinguished name.
InstanceType String A bitfield that dictates how the object is instantiated on a particular server. The value of this attribute can differ on different replicas even if the replicas are in sync.
NTSecurityDescriptor String The Windows�NT security descriptor for the schema object. A security descriptor is a data structure that contains security information about an object, such as the ownership and permissions of the object.
ObjectCategory String An object class name used to group objects of this or derived classes.
ObjectClass String The list of classes from which this class is derived.
SAMAccountName String The logon name used to support clients and servers running earlier versions of the operating system, such as Windows�NT�4.0, Windows�95, Windows�98, and LAN Manager.
AccountExpires String The date when the account expires. This value represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires.
AccountNameHistory String The length of time that the account has been active.
ACSPolicyName String String name of an ACS policy that applies to this user.
StreetAddress String The user's address.
HomePostalAddress String A user's home address.
AdminCount String Indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively).
AdminDescription String The description displayed on admin screens.
AdminDisplayName String The name to be displayed on admin screens.
AllowedAttributes String Attributes that will be permitted to be assigned to a class.
AllowedAttributesEffective String A list of attributes that can be modified on the object.
AllowedChildClasses String Classes that can be contained by a class.
AllowedChildClassesEffective String A list of classes that can be modified.
AltSecurityIdentities String Contains mappings for X.509 certificates or external Kerberos user accounts to this user for the purpose of authentication.
Assistant String The distinguished name of a user's administrative assistant.
BadPasswordTime String The last time and date that an attempt to log on to this account was made with a password that is not valid. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last time a incorrect password was used is unknown.
BadPwdCount String The number of times the user tried to log on to the account using an incorrect password. A value of 0 indicates that the value is unknown.
BridgeheadServerListBL String The list of servers that are bridgeheads for replication.
CanonicalName String The name of the object in canonical format. myserver2.fabrikam.com/users/jeffsmith is an example of a distinguished name in canonical format. This is a constructed attribute. The results returned are identical to those returned by the following Active Directory function: DsCrackNames(NULL, DS_NAME_FLAG_SYNTACTICAL_ONLY, DS_FQDN_1779_NAME, DS_CANONICAL_NAME, ...).
CodePage String Specifies the code page for the user's language of choice. This value is not used by Windows�2000.
Info String The user's comments. This string can be a null string.
Cn String The name that represents an object. Used to perform searches.
Company String The user's company name.
ControlAccessRights String Used by DS Security to determine which users can perform specific operations on the host object.
CountryCode String Specifies the country/region code for the user's language of choice. This value is not used by Windows�2000.
C String The country/region in the address of the user. The country/region is represented as a 2-character code based on ISO-3166.
CreateTimeStamp String The date when this object was created. This value is replicated.
DBCSPwd String The account's LAN Manager password.
DefaultClassStore String The default Class Store for a given user.
Department String Contains the name for the department in which the user works.
Description String Contains the description to display for an object. This value is restricted as single-valued for backward compatibility in some cases but is allowed to be multi-valued in others. See Remarks.
DesktopProfile String The location of the desktop profile for a user or group of users. Not used.
DestinationIndicator String This is part of the X.500 specification and not used by NTDS.
DisplayName String The display name for an object. This is usually the combination of the users first name, middle initial, and last name.
DisplayNamePrintable String The printable display name for an object. The printable display name is usually the combination of the user's first name, middle initial, and last name.
Division String The user's division.
DSASignature String The DSA-Signature of an object is the Invocation-ID of the last directory to modify the object.
DSCorePropagationData String The DS-Core-Propagation-Data attribute is for internal use only.
DynamicLDAPServer String DNS name of server handing dynamic properties for this account.
Mail String The list of email addresses for a contact.
EmployeeID String The ID of an employee.
EmployeeNumber String The number for an employee.
EmployeeType String The job category for an employee.
ExtensionName String The name of a property page used to extend the UI of a directory object.
FacsimileTelephoneNumber String Contains telephone number of the user's business fax machine.
Flags String To be used by the object to store bit information.
FromEntry String This is a constructed attribute that is TRUE if the object is writable and FALSE if it is read-only, for example, a GC replica instance.
FrsComputerReferenceBL String Reference to replica sets to which this computer belongs.
FRSMemberReferenceBL String Reference to subscriber objects for this member.
FSMORoleOwner String Flexible Single-Master Operation: The distinguished name of the DC where the schema can be modified.
GarbageCollPeriod String This attribute is located on the CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, ... object. It represents the time, in hours, between DS garbage collection runs.
GenerationQualifier String Indicates a person generation. For example, Jr. or II.
GivenName String Contains the given name (first name) of the user.
GroupMembershipSAM String Windows�NT Security. Down level Windows�NT support.
GroupPriority String The Group-Priority attribute is not currently used.
GroupsToIgnore String The Groups-to-Ignore attribute is not currently used.
HomeDirectory String The home directory for the account. If homeDrive is set and specifies a drive letter, homeDirectory must be a UNC path. Otherwise, homeDirectory is a fully qualified local path including the drive letter (for example, DriveLetter:\Directory\Folder). This value can be a null string.
HomeDrive String Specifies the drive letter to which to map the UNC path specified by homeDirectory. The drive letter must be specified in the form DriveLetter: where DriveLetter is the letter of the drive to map. The DriveLetter must be a single, uppercase letter and the colon (:) is required.
Initials String Contains the initials for parts of the user's full name. This may be used as the middle initial in the Windows Address Book.
InternationalISDNNumber String Specifies an International ISDN Number associated with an object.
IsCriticalSystemObject String If TRUE, the object hosting this attribute must be replicated during installation of a new replica.
IsDeleted String If TRUE, this object has been marked for deletion and cannot be instantiated. After the tombstone period has expired, it will be removed from the system.
MemberOf String The distinguished name of the groups to which this object belongs.
IsPrivilegeHolder String Backward link to privileges held by a given principal.
LastKnownParent String The Distinguished Name (DN) of the last known parent of an orphaned object.
LastLogoff String This attribute is not used.
LastLogon String The last time the user logged on. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the last logon time is unknown.
LegacyExchangeDN String The distinguished name previously used by Exchange.
LmPwdHistory String The password history of the user in LAN Manager (LM) one-way format (OWF). The LM OWF is used for compatibility with LAN Manager 2.x clients, Windows�95, and Windows�98.
LocaleID String This attribute contains a list of locale IDs supported by this application. A locale ID represents a geographic location, such as a country/region, city, county, and so on.
L String Represents the name of a locality, such as a town or city.
LockoutTime String The date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out.
ThumbnailLogo String BLOB that contains a logo for this object.
LogonCount String The number of times the account has successfully logged on. A value of 0 indicates that the value is unknown.
LogonHours String The hours that the user is allowed to logon to the domain.
LogonWorkstation String This attribute is not used. See the User-Workstations attribute.
ManagedObjects String Contains the list of objects that are managed by the user. The objects listed are those that have the property managedBy property set to this user. Each item in the list is a linked reference to the managed object.
Manager String Contains the distinguished name of the user who is the user's manager. The manager's user object contains a directReports property that contains references to all user objects that have their manager properties set to this distinguished name.
MasteredBy String Backward link for Has-Master-NCs attribute. The distinguished name for its NTDS Settings objects.
MaxStorage String The maximum amount of disk space the user can use. Use the value specified in USER_MAXSTORAGE_UNLIMITED to use all available disk space.
MhsORAddress String X.400 address.
ModifyTimeStamp String A computed attribute that represents the date when this object was last changed. This value is not replicated.
MS-DS-ConsistencyChildCount String This attribute is used to check consistency between the directory and another object, database, or application, by comparing a count of child objects.
MS-DS-ConsistencyGuid String This attribute is used to check consistency between the directory and another object, database, or application, by comparing GUIDs.
MS-DS-CreatorSID String The security ID of the creator of the object that contains this attribute.
MSMQDigests String An array of digests of the corresponding certificates in attribute mSMQ-Sign-Certificates. They are used for mapping a digest into a certificate.
MSMQDigestsMig String In MSMQ mixed-mode, contains the previous value of mSMQDigests.
MSMQSignCertificates String This attribute contains a number of certificates. A user can generate a certificate per computer. For each certificate we also keep a digest.
MSMQSignCertificatesMig String In MSMQ mixed-mode, the attribute contains the previous value of mSMQSignCertificates. MSMQ supports migration from the MSMQ 1.0 DS to the Windows�2000 DS, and mixed mode specifies a state in which some of the DS severs were not upgraded to Windows�2000.
MsNPAllowDialin String Indicates whether the account has permission to dial in to the RAS server. Do not modify this value directly. Use the appropriate RAS administration function to modify this value.
MsNPCallingStationID String The msNPCallingStationID attribute is used internally. Do not modify this value directly.
MsNPSavedCallingStationID String The msNPSavedCallingStationID attribute is used internally. Do not modify this value directly.
MsRADIUSCallbackNumber String The msRADIUSCallbackNumber attribute is used internally. Do not modify this value directly.
MsRADIUSFramedIPAddress String The msRADIUSFramedIPAddress attribute is used internally. Do not modify this value directly.
MsRADIUSFramedRoute String The msRADIUSFramedRoute attribute is used internally. Do not modify this value directly.
MsRADIUSServiceType String The msRADIUSServiceType attribute is used internally. Do not modify this value directly.
MsRASSavedCallbackNumber String The msRASSavedCallbackNumber attribute is used internally. Do not modify this value directly.
MsRASSavedFramedIPAddress String The msRASSavedFramedIPAddress attribute is used internally. Do not modify this value directly.
MsRASSavedFramedRoute String The msRASSavedFramedRoute attribute is used internally. Do not modify this value directly.
NetbootSCPBL String A list of service connection points that reference this NetBoot server.
NetworkAddress String The TCP/IP address for a network segment. Also called the subnet address.
NonSecurityMemberBL String List of nonsecurity-members for an Exchange distribution list.
NtPwdHistory String The password history of the user in Windows�NT one-way format (OWF). Windows�2000 uses the Windows�NT OWF.
DistinguishedName String Same as the Distinguished Name for an object. Used by Exchange.
ObjectGUID String The unique identifier for an object.
ObjectSid String A binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal.
ObjectVersion String This can be used to store a version number for the object.
OperatorCount String Operator count.
Ou String The name of the organizational unit.
O String The name of the company or organization.
OtherLoginWorkstations String Non-Windows�NT or LAN Manager workstations from which a user can log on.
OtherMailbox String Contains other additional mail addresses in a form such as CCMAIL: BruceKeever.
MiddleName String Additional names for a user. For example, middle name, patronymic, matronymic, or others.
OtherWellKnownObjects String Contains a list of containers by GUID and Distinguished Name. This permits retrieving an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name.
PartialAttributeDeletionList String Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Used when the GC is in the process of removing attributes from the objects in its partial replica NCs.
PartialAttributeSet String Tracks the internal replication state of partial replicas (that is, on GCs). Attribute of the partial replica NC object. Defines the set of attributes present on a particular partial replica NC.
PersonalTitle String The user's title.
OtherFacsimileTelephoneNumber String A list of alternate facsimile numbers.
OtherHomePhone String A list of alternate home phone numbers.
HomePhone String The user's main home phone number.
OtherIpPhone String The list of alternate TCP/IP addresses for the phone. Used by Telephony.
IpPhone String The TCP/IP address for the phone. Used by Telephony.
PrimaryInternationalISDNNumber String The primary ISDN.
OtherMobile String A list of alternate mobile phone numbers.
Mobile String The primary mobile phone number.
OtherTelephone String A list of alternate office phone numbers.
OtherPager String A list of alternate pager numbers.
Pager String The primary pager number.
PhysicalDeliveryOfficeName String Contains the office location in the user's place of business.
ThumbnailPhoto String An image of the user. A space-efficient format like JPEG or GIF is recommended.
PossibleInferiors String The list of objects that this object can contain.
PostalAddress String The mailing address for the object.
PostalCode String The postal or zip code for mail delivery.
PostOfficeBox String The post office box number for this object.
PreferredDeliveryMethod String The X.500-preferred way to deliver to addressee.
PreferredOU String The Organizational Unit to show by default on user' s desktop.
PrimaryGroupID String Contains the relative identifier (RID) for the primary group of the user. By default, this is the RID for the Domain Users group.
ProfilePath String Specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path.
ProxiedObjectName String This attribute is used internally by Active Directory to help track interdomain moves.
ProxyAddresses String A proxy address is the address by which a Microsoft Exchange Server recipient object is recognized in a foreign mail system. Proxy addresses are required for all recipient objects, such as custom recipients and distribution lists.
PwdLastSet String The date and time that the password for this account was last changed. This value is stored as a large integer that represents the number of 100 nanosecond intervals since January 1, 1601 (UTC). If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.
QueryPolicyBL String List of all objects holding references to a given Query-Policy.
Name String The Relative Distinguished Name (RDN) of an object. An RDN is the relative portion of a distinguished name (DN), which uniquely identifies an LDAP object.
RegisteredAddress String Specifies a mnemonic for an address associated with an object at a particular city location. The mnemonic is registered in the country/region in which the city is located and is used in the provision of the Public Telegram Service.
ReplPropertyMetaData String Tracks internal replication state information for DS objects. Information here can be extracted in public form through the public API DsReplicaGetInfo(). Present on all DS objects.
ReplUpToDateVector String Tracks internal replication state information for an entire NC. Information here can be extracted in public form through the API DsReplicaGetInfo(). Present on all NC root objects.
DirectReports String Contains the list of users that directly report to the user. The users listed as reports are those that have the property manager property set to this user. Each item in the list is a linked reference to the object that represents the user.
RepsFrom String Lists the servers from which the directory will accept changes for the defined naming context.
RepsTo String Lists the servers that the directory will notify of changes and servers to which the directory will send changes on Request for the defined naming context.
Revision String The revision level for a security descriptor or other change. Only used in the sam-server and ds-ui-settings objects.
Rid String The relative Identifier of an object.
SAMAccountType String This attribute contains information about every account type object. You can enumerate a list of account types or you can use the Display Information API to create a list. Because computers, normal user accounts, and trust accounts can also be enumerated as user objects, the values for these accounts must be a contiguous range.
ScriptPath String This attribute specifies the path for the user's logon script. The string can be null.
SDRightsEffective String This constructed attribute returns a single DWORD value that can have up to three bits set:
SecurityIdentifier String A unique value of variable length used to identify a user account, group account, or logon session to which an ACE applies.
SeeAlso String List of distinguished names that are related to an object.
ServerReferenceBL String Found in the domain naming context. The distinguished name of a computer under the sites folder.
ServicePrincipalName String List of principal names used for mutual authentication with an instance of a service on this computer.
ShowInAddressBook String This attribute is used to indicate in which MAPI address books an object will appear. It is usually maintained by the Exchange Recipient Update Service.
ShowInAdvancedViewOnly String TRUE if this attribute is to be visible in the Advanced mode of the UI.
SIDHistory String Contains previous SIDs used for the object if the object was moved from another domain. Whenever an object is moved from one domain to another, a new SID is created and that new SID becomes the objectSID. The previous SID is added to the sIDHistory property.
SiteObjectBL String The list of distinguished names for subnets that belong to this site.
St String The name of a user's state or province.
Street String The street address.
SubRefs String List of subordinate references of a Naming Context.
SubSchemaSubEntry String The distinguished name for the location of the subschema object where a class or attribute is defined.
SupplementalCredentials String Stored credentials for use in authenticating. The encrypted version of the user's password. This attribute is neither readable nor writable.
Sn String This attribute contains the family or last name for a user.
SystemFlags String An integer value that contains flags that define additional properties of the class. See Remarks.
TelephoneNumber String The primary telephone number.
TeletexTerminalIdentifier String Specifies the Teletex terminal identifier and, optionally, parameters, for a teletex terminal associated with an object.
TelexNumber String A list of alternate telex numbers.
PrimaryTelexNumber String The primary telex number.
TerminalServer String Opaque data used by the Windows�NT terminal server.
Co String The country/region in which the user is located.
TextEncodedORAddress String This attribute is used to support X.400 addresses in a text format.
Title String Contains the user's job title. This property is commonly used to indicate the formal job title, such as Senior Programmer, rather than occupational class, such as programmer. It is not typically used for suffix titles such as Esq. or DDS.
UnicodePwd String The password of the user in Windows�NT one-way format (OWF). Windows�2000 uses the Windows�NT OWF. This property is used only by the operating system. Note that you cannot derive the clear password back from the OWF form of the password.
UserAccountControl String Flags that control the behavior of the user account.
UserCert String Nortel v1 or DMS certificates.
Comment String The user's comments.
UserParameters String Parameters of the user. Points to a Unicode string that is set aside for use by applications. This string can be a null string, or it can have any number of characters before the terminating null character. Microsoft products use this member to store user data specific to the individual program.
UserPassword String The user's password in UTF-8 format. This is a write-only attribute.
UserPrincipalName String This attribute contains the UPN that is an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user email name. The value set for this attribute is equal to the length of the user's ID and the domain name. For more information about this attribute, see User Naming Attributes.
UserSharedFolder String Specifies a UNC path to the user's shared documents folder. The path must be a network UNC path of the form \Server\Share\Directory. This value can be a null string.
UserSharedFolderOther String Specifies a UNC path to the user's additional shared documents folder. The path must be a network UNC path of the form \Server\Share\Directory. This value can be a null string.
UserSMIMECertificate String Certificate distribution object or tagged certificates.
UserWorkstations String Contains the NetBIOS or DNS names of the computers running Windows�NT Workstation or Windows�2000 Professional from which the user can log on. Each NetBIOS name is separated by a comma. Multiple names should be separated by commas.
USNChanged String The update sequence number (USN) assigned by the local directory for the latest change, including creation. See also , USN-Created.
USNCreated String The update sequence number (USN) assigned at object creation. See also, USN-Changed.
USNDSALastObjRemoved String Contains the update sequence number (USN) for the last system object that was removed from a server.
USNIntersite String The update sequence number (USN) for inter-site replication.
USNLastObjRem String Contains the update sequence number (USN) for the last non-system object that was removed from a server.
USNSource String Value of the USN-Changed attribute of the object from the remote directory that replicated the change to the local server.
WbemPath String References to objects in other ADSI namespaces.
WellKnownObjects String This attribute contains a list of well-known object containers by GUID and distinguished name. The well-known objects are system containers. This information is used to retrieve an object after it has been moved by using just the GUID and the domain name. Whenever the object is moved, the system automatically updates the Distinguished Name portion of the Well-Known-Objects values that referred to the object. The file Ntdsapi.h contains the following definitions, which can be used to retrieve an object (the GUIDs that are associated to these objects are contained in Ntdsapi.h):
WhenChanged String The date when this object was last changed. This value is not replicated and exists in the global catalog.
WhenCreated String The date when this object was created. This value is replicated and is in the global catalog.
WWWHomePage String A web page that is the primary landing page of a website.
Url String A list of alternate webpages.
X121Address String The X.121 address for an object.
UserCertificate String Contains the DER-encoded X.509v3 certificates issued to the user. Note that this property contains the public key certificates issued to this user by Microsoft Certificate Service.
Pseudo-Columns

Pseudo column fields are used in the WHERE clause of SELECT statements and offer a more granular control over the tuples that are returned from the data source.

Name Type Description
Filter String

Stored Procedures

Stored procedures* are available to complement the data available from the Data Model. It may be necessary to update data available from a view using a stored procedure* because the data does not provide for direct, table-like, two-way updates. In these situations, the retrieval of the data is done using the appropriate view or table, while the update is done by calling a stored procedure. Stored procedures* take a list of parameters and return back a dataset that contains the collection of tuples that constitute the response.

Active Directory Connector Stored Procedures

Name Description
ChangePassword Changes the password of the current user, provided the current password is known. To set the password without a current password (requires an administrator), use ResetPassword. Note that the User set in the connection settings must be a valid DN. Additionally, you must be connected to the server using SSL.
CreateTableFromSchema Converts an LDAP RFC 2242 compliant schema into a table.
GetAttributes Returns all the attribute names and values of the specified DN.
MoveToDN Moves objects from one DN to another one.
ResetPassword Resets the password of a specific user specified by DN. Use ChangePassword instead if the current password is to be authenticated first. Note that the User set in the connection settings or the AdminUser, if set when calling this procedure, must be a valid DN. Additionally, you must be connected to the server using SSL.

ChangePassword

Changes the password of the current user, provided the current password is known. To set the password without a current password (requires an administrator), use ResetPassword. Note that the User set in the connection settings must be a valid DN. Additionally, you must be connected to the server using SSL.

Input
Name Type Description
NewPassword String The new password for the user specified by DN.
Result Set Columns
Name Type Description
Success String Indicates whether the attributes were modified successfully or not.

CreateTableFromSchema

Converts an LDAP RFC 2242 compliant schema into a table.

Input
Name Type Description
Schema String RFC 2252 compliant schema.
Result Set Columns
Name Type Description
Script String The output .rsd script. You will need to set the Location connection property to the folder containing your schema files.

GetAttributes

Returns all the attribute names and values of the specified DN.

Input
Name Type Description
DN String Distinguished name of the desired LDAP object. If unspecified, the BaseDN from the connection string will be used.
Result Set Columns
Name Type Description
AttributeName String Attribute names of the DN.
AttributeValue String Corresponding attribute value of the DN.

MoveToDN

Moves objects from one DN to another one.

Input
Name Type Description
DN String The current DN of the object to be moved on the server (for example, cn=Bob F, ou=Employees, dc=Domain).
NewParentDN String The new parent DN of the object(for example ou=Test Org, dc=Domain).
Result Set Columns
Name Type Description
Success String Indicates whether movement was successfull or not.

ResetPassword

Resets the password of a specific user specified by DN. Use ChangePassword instead if the current password is to be authenticated first. Note that the User set in the connection settings or the AdminUser, if set when calling this procedure, must be a valid DN. Additionally, you must be connected to the server using SSL.

Input
Name Type Description
AdminUser String An administrator account or DN with which to bind to the server (for example, Domain\BobF or cn=Bob F, ou=Employees, dc=Domain).
AdminPassword String An administrator account password used to authenticate to the LDAP server.
User String The DN of the account to be modified on the server (for example, Domain\BobF or cn=Bob F, ou=Employees, dc=Domain).
NewPassword String The new password for the user specified by DN.
Result Set Columns
Name Type Description
Success String Indicates whether the attributes were modified successfully or not.

System Tables

You can query the system tables described in this section to access schema information, information on data source functionality, and batch operation statistics.

Schema Tables

The following tables return database metadata for Active Directory:

Data Source Tables

The following tables return information about how to connect to and query the data source:

  • sys_connection_props: Returns information on the available connection properties.
  • sys_sqlinfo: Describes the SELECT queries that the connector can offload to the data source.

Query Information Tables

The following table returns query statistics for data modification queries:

  • sys_identity: Returns information about batch operations or single updates.

sys_catalogs

Lists the available databases.

The following query retrieves all databases determined by the connection string:

SELECT * FROM sys_catalogs
Columns
Name Type Description
CatalogName String The database name.

sys_schemas

Lists the available schemas.

The following query retrieves all available schemas:

SELECT * FROM sys_schemas
Columns
Name Type Description
CatalogName String The database name.
SchemaName String The schema name.

sys_tables

Lists the available tables.

The following query retrieves the available tables and views:

SELECT * FROM sys_tables
Columns
Name Type Description
CatalogName String The database containing the table or view.
SchemaName String The schema containing the table or view.
TableName String The name of the table or view.
TableType String The table type (table or view).
Description String A description of the table or view.
IsUpdateable Boolean Whether the table can be updated.

sys_tablecolumns

Describes the columns of the available tables and views.

The following query returns the columns and data types for the User table:

SELECT ColumnName, DataTypeName FROM sys_tablecolumns WHERE TableName='User'
Columns
Name Type Description
CatalogName String The name of the database containing the table or view.
SchemaName String The schema containing the table or view.
TableName String The name of the table or view containing the column.
ColumnName String The column name.
DataTypeName String The data type name.
DataType Int32 An integer indicating the data type. This value is determined at run time based on the environment.
Length Int32 The storage size of the column.
DisplaySize Int32 The designated column's normal maximum width in characters.
NumericPrecision Int32 The maximum number of digits in numeric data. The column length in characters for character and date-time data.
NumericScale Int32 The column scale or number of digits to the right of the decimal point.
IsNullable Boolean Whether the column can contain null.
Description String A brief description of the column.
Ordinal Int32 The sequence number of the column.
IsAutoIncrement String Whether the column value is assigned in fixed increments.
IsGeneratedColumn String Whether the column is generated.
IsHidden Boolean Whether the column is hidden.
IsArray Boolean Whether the column is an array.

sys_procedures

Lists the available stored procedures.

The following query retrieves the available stored procedures:

SELECT * FROM sys_procedures
Columns
Name Type Description
CatalogName String The database containing the stored procedure.
SchemaName String The schema containing the stored procedure.
ProcedureName String The name of the stored procedure.
Description String A description of the stored procedure.
ProcedureType String The type of the procedure, such as PROCEDURE or FUNCTION.

sys_procedureparameters

Describes stored procedure* parameters.

The following query returns information about all of the input parameters for the ChangePassword stored procedure:

SELECT * FROM sys_procedureparameters WHERE ProcedureName='ChangePassword' AND Direction=1 OR Direction=2
Columns
Name Type Description
CatalogName String The name of the database containing the stored procedure.
SchemaName String The name of the schema containing the stored procedure.
ProcedureName String The name of the stored procedure* containing the parameter.
ColumnName String The name of the stored procedure* parameter.
Direction Int32 An integer corresponding to the type of the parameter: input (1), input/output (2), or output(4). input/output type parameters can be both input and output parameters.
DataTypeName String The name of the data type.
DataType Int32 An integer indicating the data type. This value is determined at run time based on the environment.
Length Int32 The number of characters allowed for character data. The number of digits allowed for numeric data.
NumericPrecision Int32 The maximum precision for numeric data. The column length in characters for character and date-time data.
NumericScale Int32 The number of digits to the right of the decimal point in numeric data.
IsNullable Boolean Whether the parameter can contain null.
IsRequired Boolean Whether the parameter is required for execution of the procedure.
IsArray Boolean Whether the parameter is an array.
Description String The description of the parameter.
Ordinal Int32 The index of the parameter.

sys_keycolumns

Describes the primary and foreign keys.

The following query retrieves the primary key for the User table:

SELECT * FROM sys_keycolumns WHERE IsKey='True' AND TableName='User'
Columns
Name Type Description
CatalogName String The name of the database containing the key.
SchemaName String The name of the schema containing the key.
TableName String The name of the table containing the key.
ColumnName String The name of the key column.
IsKey Boolean Whether the column is a primary key in the table referenced in the TableName field.
IsForeignKey Boolean Whether the column is a foreign key referenced in the TableName field.
PrimaryKeyName String The name of the primary key.
ForeignKeyName String The name of the foreign key.
ReferencedCatalogName String The database containing the primary key.
ReferencedSchemaName String The schema containing the primary key.
ReferencedTableName String The table containing the primary key.
ReferencedColumnName String The column name of the primary key.

sys_foreignkeys

Describes the foreign keys.

The following query retrieves all foreign keys which refer to other tables:

SELECT * FROM sys_foreignkeys WHERE ForeignKeyType = 'FOREIGNKEY_TYPE_IMPORT'
Columns
Name Type Description
CatalogName String The name of the database containing the key.
SchemaName String The name of the schema containing the key.
TableName String The name of the table containing the key.
ColumnName String The name of the key column.
PrimaryKeyName String The name of the primary key.
ForeignKeyName String The name of the foreign key.
ReferencedCatalogName String The database containing the primary key.
ReferencedSchemaName String The schema containing the primary key.
ReferencedTableName String The table containing the primary key.
ReferencedColumnName String The column name of the primary key.
ForeignKeyType String Designates whether the foreign key is an import (points to other tables) or export (referenced from other tables) key.

sys_indexes

Describes the available indexes. By filtering on indexes, you can write more selective queries with faster query response times.

The following query retrieves all indexes that are not primary keys:

SELECT * FROM sys_indexes WHERE IsPrimary='false'
Columns
Name Type Description
CatalogName String The name of the database containing the index.
SchemaName String The name of the schema containing the index.
TableName String The name of the table containing the index.
IndexName String The index name.
ColumnName String The name of the column associated with the index.
IsUnique Boolean True if the index is unique. False otherwise.
IsPrimary Boolean True if the index is a primary key. False otherwise.
Type Int16 An integer value corresponding to the index type: statistic (0), clustered (1), hashed (2), or other (3).
SortOrder String The sort order: A for ascending or D for descending.
OrdinalPosition Int16 The sequence number of the column in the index.

sys_connection_props

Returns information on the available connection properties and those set in the connection string.

When querying this table, the config connection string should be used:

jdbc:cdata:activedirectory:config:

This connection string enables you to query this table without a valid connection.

The following query retrieves all connection properties that have been set in the connection string or set through a default value:

SELECT * FROM sys_connection_props WHERE Value <> ''
Columns
Name Type Description
Name String The name of the connection property.
ShortDescription String A brief description.
Type String The data type of the connection property.
Default String The default value if one is not explicitly set.
Values String A comma-separated list of possible values. A validation error is thrown if another value is specified.
Value String The value you set or a preconfigured default.
Required Boolean Whether the property is required to connect.
Category String The category of the connection property.
IsSessionProperty String Whether the property is a session property, used to save information about the current connection.
Sensitivity String The sensitivity level of the property. This informs whether the property is obfuscated in logging and authentication forms.
PropertyName String A camel-cased truncated form of the connection property name.
Ordinal Int32 The index of the parameter.
CatOrdinal Int32 The index of the parameter category.
Hierarchy String Shows dependent properties associated that need to be set alongside this one.
Visible Boolean Informs whether the property is visible in the connection UI.
ETC String Various miscellaneous information about the property.

sys_sqlinfo

Describes the SELECT query processing that the connector can offload to the data source.

Collaborative Query Processing

When working with data sources that do not support SQL-92, you can query the sys_sqlinfo view to determine the query capabilities of the underlying APIs, expressed in SQL syntax. The connector offloads as much of the SELECT statement processing as possible to the server and then processes the rest of the query in memory.

Discovering the Data Source's SELECT Capabilities

Below is an example data set of SQL capabilities. The following result set indicates the SELECT functionality that the connector can offload to the data source or process client side. Your data source may support additional SQL syntax. Some aspects of SELECT functionality are returned in a comma-separated list if supported; otherwise, the column contains NO.

Name Description Possible Values
AGGREGATE_FUNCTIONS Supported aggregation functions. AVG, COUNT, MAX, MIN, SUM, DISTINCT
COUNT Whether COUNT function is supported. YES, NO
IDENTIFIER_QUOTE_OPEN_CHAR The opening character used to escape an identifier. [
IDENTIFIER_QUOTE_CLOSE_CHAR The closing character used to escape an identifier. ]
SUPPORTED_OPERATORS A list of supported SQL operators. =, >, <, >=, <=, <>, !=, LIKE, NOT LIKE, IN, NOT IN, IS NULL, IS NOT NULL, AND, OR
GROUP_BY Whether GROUP BY is supported, and, if so, the degree of support. NO, NO_RELATION, EQUALS_SELECT, SQL_GB_COLLATE
STRING_FUNCTIONS Supported string functions. LENGTH, CHAR, LOCATE, REPLACE, SUBSTRING, RTRIM, LTRIM, RIGHT, LEFT, UCASE, SPACE, SOUNDEX, LCASE, CONCAT, ASCII, REPEAT, OCTET, BIT, POSITION, INSERT, TRIM, UPPER, REGEXP, LOWER, DIFFERENCE, CHARACTER, SUBSTR, STR, REVERSE, PLAN, UUIDTOSTR, TRANSLATE, TRAILING, TO, STUFF, STRTOUUID, STRING, SPLIT, SORTKEY, SIMILAR, REPLICATE, PATINDEX, LPAD, LEN, LEADING, KEY, INSTR, INSERTSTR, HTML, GRAPHICAL, CONVERT, COLLATION, CHARINDEX, BYTE
NUMERIC_FUNCTIONS Supported numeric functions. ABS, ACOS, ASIN, ATAN, ATAN2, CEILING, COS, COT, EXP, FLOOR, LOG, MOD, SIGN, SIN, SQRT, TAN, PI, RAND, DEGREES, LOG10, POWER, RADIANS, ROUND, TRUNCATE
TIMEDATE_FUNCTIONS Supported date/time functions. NOW, CURDATE, DAYOFMONTH, DAYOFWEEK, DAYOFYEAR, MONTH, QUARTER, WEEK, YEAR, CURTIME, HOUR, MINUTE, SECOND, TIMESTAMPADD, TIMESTAMPDIFF, DAYNAME, MONTHNAME, CURRENT_DATE, CURRENT_TIME, CURRENT_TIMESTAMP, EXTRACT
REPLICATION_SKIP_TABLES Indicates tables skipped during replication.
REPLICATION_TIMECHECK_COLUMNS A string array containing a list of columns which will be used to check for (in the given order) to use as a modified column during replication.
IDENTIFIER_PATTERN String value indicating what string is valid for an identifier.
SUPPORT_TRANSACTION Indicates if the provider supports transactions such as commit and rollback. YES, NO
DIALECT Indicates the SQL dialect to use.
KEY_PROPERTIES Indicates the properties which identify the uniform database.
SUPPORTS_MULTIPLE_SCHEMAS Indicates if multiple schemas may exist for the provider. YES, NO
SUPPORTS_MULTIPLE_CATALOGS Indicates if multiple catalogs may exist for the provider. YES, NO
DATASYNCVERSION The Data Sync version needed to access this driver. Standard, Starter, Professional, Enterprise
DATASYNCCATEGORY The Data Sync category of this driver. Source, Destination, Cloud Destination
SUPPORTSENHANCEDSQL Whether enhanced SQL functionality beyond what is offered by the API is supported. TRUE, FALSE
SUPPORTS_BATCH_OPERATIONS Whether batch operations are supported. YES, NO
SQL_CAP All supported SQL capabilities for this driver. SELECT, INSERT, DELETE, UPDATE, TRANSACTIONS, ORDERBY, OAUTH, ASSIGNEDID, LIMIT, LIKE, BULKINSERT, COUNT, BULKDELETE, BULKUPDATE, GROUPBY, HAVING, AGGS, OFFSET, REPLICATE, COUNTDISTINCT, JOINS, DROP, CREATE, DISTINCT, INNERJOINS, SUBQUERIES, ALTER, MULTIPLESCHEMAS, GROUPBYNORELATION, OUTERJOINS, UNIONALL, UNION, UPSERT, GETDELETED, CROSSJOINS, GROUPBYCOLLATE, MULTIPLECATS, FULLOUTERJOIN, MERGE, JSONEXTRACT, BULKUPSERT, SUM, SUBQUERIESFULL, MIN, MAX, JOINSFULL, XMLEXTRACT, AVG, MULTISTATEMENTS, FOREIGNKEYS, CASE, LEFTJOINS, COMMAJOINS, WITH, LITERALS, RENAME, NESTEDTABLES, EXECUTE, BATCH, BASIC, INDEX
PREFERRED_CACHE_OPTIONS A string value specifies the preferred cacheOptions.
ENABLE_EF_ADVANCED_QUERY Indicates if the driver directly supports advanced queries coming from Entity Framework. If not, queries will be handled client side. YES, NO
PSEUDO_COLUMNS A string array indicating the available pseudo columns.
MERGE_ALWAYS If the value is true, The Merge Mode is forcibly executed in Data Sync. TRUE, FALSE
REPLICATION_MIN_DATE_QUERY A select query to return the replicate start datetime.
REPLICATION_MIN_FUNCTION Allows a provider to specify the formula name to use for executing a server side min.
REPLICATION_START_DATE Allows a provider to specify a replicate startdate.
REPLICATION_MAX_DATE_QUERY A select query to return the replicate end datetime.
REPLICATION_MAX_FUNCTION Allows a provider to specify the formula name to use for executing a server side max.
IGNORE_INTERVALS_ON_INITIAL_REPLICATE A list of tables which will skip dividing the replicate into chunks on the initial replicate.
CHECKCACHE_USE_PARENTID Indicates whether the CheckCache statement should be done against the parent key column. TRUE, FALSE
CREATE_SCHEMA_PROCEDURES Indicates stored procedures* that can be used for generating schema files.

The following query retrieves the operators that can be used in the WHERE clause:

SELECT * FROM sys_sqlinfo WHERE Name='SUPPORTED_OPERATORS'

Note that individual tables may have different limitations or requirements on the WHERE clause; refer to the Data Model section for more information.

Columns
Name Type Description
NAME String A component of SQL syntax, or a capability that can be processed on the server.
VALUE String Detail on the supported SQL or SQL syntax.

sys_identity

Returns information about attempted modifications.

The following query retrieves the Ids of the modified rows in a batch operation:

SELECT * FROM sys_identity
Columns
Name Type Description
Id String The database-generated ID returned from a data modification operation.
Batch String An identifier for the batch. 1 for a single operation.
Operation String The result of the operation in the batch: INSERTED, UPDATED, or DELETED.
Message String SUCCESS or an error message if the update in the batch failed.

Advanced Configurations Properties

The advanced configurations properties are the various options that can be used to establish a connection. This section provides a complete list of the options you can configure. Click the links for further details.

Authentication

Property Description
Server The domain name or IP of the Active Directory server.
Port The port the Active Directory server is running on.
User The distinguished name of a user.
Password The password for the distinguished name of the specified user.
UseSSL Whether or not to use SSL to connect to the server.
BaseDN The base portion of the distinguished name, used for limiting results to specific subtrees.
AuthMechanism The authentication mechanism to be used when connecting to the Active Directory server.
Scope Whether to limit the scope of the search to the whole subtree (BaseDN and all of its descendants), a single level (BaseDN and its direct descendants), or the base object (BaseDN only).
LDAPVersion The LDAP version used to connect to and communicate with the server.

SSL

Property Description
SSLServerCert The certificate to be accepted from the server when connecting using TLS/SSL.

Schema

Property Description
Location A path to the directory that contains the schema files defining tables, views, and stored procedures.
BrowsableSchemas This property restricts the schemas reported to a subset of the available schemas. For example, BrowsableSchemas=SchemaA, SchemaB, SchemaC.
Tables This property restricts the tables reported to a subset of the available tables. For example, Tables=TableA, TableB, TableC.
Views Restricts the views reported to a subset of the available tables. For example, Views=ViewA, ViewB, ViewC.

Miscellaneous

Property Description
FollowReferrals Whether or not to follow referrals returned by the Active Directory server.
FriendlyGUID Whether to return GUID attribute values in a human readable format.
FriendlySID Whether to return SID attribute values in a human readable format.
MaxRows Limits the number of rows returned rows when no aggregation or group by is used in the query. This helps avoid performance issues at design time.
Other These hidden properties are used only in specific use cases.
PseudoColumns This property indicates whether or not to include pseudo columns as columns to the table.
Timeout The value in seconds until the timeout error is thrown, canceling the operation.

Authentication

This section provides a complete list of authentication properties you can configure.

Property Description
Server The domain name or IP of the Active Directory server.
Port The port the Active Directory server is running on.
User The distinguished name of a user.
Password The password for the distinguished name of the specified user.
UseSSL Whether or not to use SSL to connect to the server.
BaseDN The base portion of the distinguished name, used for limiting results to specific subtrees.
AuthMechanism The authentication mechanism to be used when connecting to the Active Directory server.
Scope Whether to limit the scope of the search to the whole subtree (BaseDN and all of its descendants), a single level (BaseDN and its direct descendants), or the base object (BaseDN only).
LDAPVersion The LDAP version used to connect to and communicate with the server.

Server

The domain name or IP of the Active Directory server.

Data Type

string

Default Value

""

Remarks

Note: This does not need to include the LDAP:\ portion, only the server domain name or IP.

Port

The port the Active Directory server is running on.

Data Type

string

Default Value

389

Remarks

The port the Active Directory server is running on. Together with Server, this property is used to specify the Active Directory server.

User

The distinguished name of a user.

Data Type

string

Default Value

""

Remarks

Together with Password, this field is used to authenticate against the Active Directory server.

Password

The password for the distinguished name of the specified user.

Data Type

string

Default Value

""

Remarks

Together with User, this field is used to authenticate against the Active Directory server.

UseSSL

Whether or not to use SSL to connect to the server.

Data Type

bool

Default Value

false

Remarks

Whether or not to use SSL to connect to the server. Note that a port of 636 will always use SSL.

BaseDN

The base portion of the distinguished name, used for limiting results to specific subtrees.

Data Type

string

Default Value

""

Remarks

Specifying a base DN may greatly improve performance when returning entries for large servers by limiting the number of entries that need to be examined.

AuthMechanism

The authentication mechanism to be used when connecting to the Active Directory server.

Possible Values

SIMPLE, DIGESTMD5, NEGOTIATE

Data Type

string

Default Value

SIMPLE

Remarks

By default, AuthMechanism is SIMPLE, and default plaintext authentication is used to log in to the server. If AuthMechanism is set to DIGESTMD5, the more secure DIGEST-MD5 authentication is used. If AuthMechanism is set to NEGOTIATE, NTLM/Negotiate authentication will be used.

  • SIMPLE
  • DIGESTMD5
  • NEGOTIATE

Scope

Whether to limit the scope of the search to the whole subtree (BaseDN and all of its descendants), a single level (BaseDN and its direct descendants), or the base object (BaseDN only).

Possible Values

WHOLESUBTREE, SINGLELEVEL, BASEOBJECT

Data Type

string

Default Value

WHOLESUBTREE

Remarks

Whether to limit the scope of the search to the whole subtree (BaseDN and all of its descendants), a single level (BaseDN and its direct descendants), or the base object (BaseDN only). Limiting scope can greatly improve the search performance.

  • WholeSubtree
  • SingleLevel
  • BaseObject

LDAPVersion

The LDAP version used to connect to and communicate with the server.

Possible Values

2, 3

Data Type

string

Default Value

2

Remarks

Valid options are 2 and 3 for LDAP versions 2 and 3.

SSL

This section provides a complete list of SSL properties you can configure.

Property Description
SSLServerCert The certificate to be accepted from the server when connecting using TLS/SSL.

SSLServerCert

The certificate to be accepted from the server when connecting using TLS/SSL.

Data Type

string

Default Value

""

Remarks

If using a TLS/SSL connection, this property can be used to specify the TLS/SSL certificate to be accepted from the server. Any other certificate that is not trusted by the machine is rejected.

This property can take the following forms:

Description Example
A full PEM Certificate (example shortened for brevity) -----BEGIN CERTIFICATE----- MIIChTCCAe4CAQAwDQYJKoZIhv......Qw== -----END CERTIFICATE-----
A path to a local file containing the certificate C:\cert.cer
The public key (example shortened for brevity) -----BEGIN RSA PUBLIC KEY----- MIGfMA0GCSq......AQAB -----END RSA PUBLIC KEY-----
The MD5 Thumbprint (hex values can also be either space or colon separated) ecadbdda5a1529c58a1e9e09828d70e4
The SHA1 Thumbprint (hex values can also be either space or colon separated) 34a929226ae0819f2ec14b4a3d904f801cbb150d

If not specified, any certificate trusted by the machine is accepted.

Certificates are validated as trusted by the machine based on the System's trust store. The trust store used is the 'javax.net.ssl.trustStore' value specified for the system. If no value is specified for this property, Java's default trust store is used (for example, JAVA_HOME\lib\security\cacerts).

Use '*' to signify to accept all certificates. Note that this is not recommended due to security concerns.

Schema

This section provides a complete list of schema properties you can configure.

Property Description
Location A path to the directory that contains the schema files defining tables, views, and stored procedures.
BrowsableSchemas This property restricts the schemas reported to a subset of the available schemas. For example, BrowsableSchemas=SchemaA, SchemaB, SchemaC.
Tables This property restricts the tables reported to a subset of the available tables. For example, Tables=TableA, TableB, TableC.
Views Restricts the views reported to a subset of the available tables. For example, Views=ViewA, ViewB, ViewC.

Location

A path to the directory that contains the schema files defining tables, views, and stored procedures.

Data Type

string

Default Value

%APPDATA%\ActiveDirectory Data Provider\Schema

Remarks

The path to a directory which contains the schema files for the connector (.rsd files for tables and views, .rsb files for stored procedures). The folder location can be a relative path from the location of the executable. The Location property is only needed if you want to customize definitions (for example, change a column name, ignore a column, and so on) or extend the data model with new tables, views, or stored procedures.

If left unspecified, the default location is "%APPDATA%\ActiveDirectory Data Provider\Schema" with %APPDATA% being set to the user's configuration directory:

Platform %APPDATA%
Windows The value of the APPDATA environment variable
Mac ~/Library/Application Support
Linux ~/.config

BrowsableSchemas

This property restricts the schemas reported to a subset of the available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC.

Data Type

string

Default Value

""

Remarks

Listing the schemas from databases can be expensive. Providing a list of schemas in the connection string improves the performance.

Tables

This property restricts the tables reported to a subset of the available tables. For example, Tables=TableA,TableB,TableC.

Data Type

string

Default Value

""

Remarks

Listing the tables from some databases can be expensive. Providing a list of tables in the connection string improves the performance of the connector.

This property can also be used as an alternative to automatically listing views if you already know which ones you want to work with and there would otherwise be too many to work with.

Specify the tables you want in a comma-separated list. Each table should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Tables=TableA,[TableB/WithSlash],WithCatalog.WithSchema.`TableC With Space`.

Note that when connecting to a data source with multiple schemas or catalogs, you will need to provide the fully qualified name of the table in this property, as in the last example here, to avoid ambiguity between tables that exist in multiple catalogs or schemas.

Views

Restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC.

Data Type

string

Default Value

""

Remarks

Listing the views from some databases can be expensive. Providing a list of views in the connection string improves the performance of the connector.

This property can also be used as an alternative to automatically listing views if you already know which ones you want to work with and there would otherwise be too many to work with.

Specify the views you want in a comma-separated list. Each view should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Views=ViewA,[ViewB/WithSlash],WithCatalog.WithSchema.`ViewC With Space`.

Note that when connecting to a data source with multiple schemas or catalogs, you will need to provide the fully qualified name of the table in this property, as in the last example here, to avoid ambiguity between tables that exist in multiple catalogs or schemas.

Miscellaneous

This section provides a complete list of miscellaneous properties you can configure.

Property Description
FollowReferrals Whether or not to follow referrals returned by the Active Directory server.
FriendlyGUID Whether to return GUID attribute values in a human readable format.
FriendlySID Whether to return SID attribute values in a human readable format.
MaxRows Limits the number of rows returned rows when no aggregation or group by is used in the query. This helps avoid performance issues at design time.
Other These hidden properties are used only in specific use cases.
PseudoColumns This property indicates whether or not to include pseudo columns as columns to the table.
Timeout The value in seconds until the timeout error is thrown, canceling the operation.

FollowReferrals

Whether or not to follow referrals returned by the Active Directory server.

Data Type

bool

Default Value

false

Remarks

When following referrals, you will only be able to return data from the referral servers. INSERT/UPDATE/DELETE will not be available without updating the connection string to connect directly to that server.

FriendlyGUID

Whether to return GUID attribute values in a human readable format.

Data Type

bool

Default Value

false

Remarks

When inspecting object attributes this setting determines whether GUID attributes such as "objectGUID" are returned as binary objects or converted into a human readable string such as "708d9374-d64a-49b2-97ea-489ddc717703". When set to True a friendly string value is returned. When set to False (default) a base 64 encoded string of the binary object is returned.

FriendlySID

Whether to return SID attribute values in a human readable format.

Data Type

bool

Default Value

false

Remarks

When inspecting object attributes this setting determines whether SID attributes such as "objectSid" are returned as binary objects or converted into a human readable string such as "S-1-5-21-4272240814-246508344-1325542772-12464". When set to True a friendly string value is returned. When set to False (default) a base 64 encoded string of the binary object is returned.

MaxRows

Limits the number of rows returned rows when no aggregation or group by is used in the query. This helps avoid performance issues at design time.

Data Type

int

Default Value

-1

Remarks

Limits the number of rows returned rows when no aggregation or group by is used in the query. This helps avoid performance issues at design time.

Other

These hidden properties are used only in specific use cases.

Data Type

string

Default Value

""

Remarks

The properties listed below are available for specific use cases. Normal driver use cases and functionality should not require these properties.

Specify multiple properties in a semicolon-separated list.

Integration and Formatting
Property Description
DefaultColumnSize Sets the default length of string fields when the data source does not provide column length in the metadata. The default value is 2000.
ConvertDateTimeToGMT Determines whether to convert date-time values to GMT, instead of the local time of the machine.
RecordToFile=filename Records the underlying socket data transfer to the specified file.

PseudoColumns

This property indicates whether or not to include pseudo columns as columns to the table.

Data Type

string

Default Value

""

Remarks

This setting is particularly helpful in Entity Framework, which does not allow you to set a value for a pseudo column unless it is a table column. The value of this connection setting is of the format "Table1=Column1, Table1=Column2, Table2=Column3". You can use the "*" character to include all tables and all columns; for example, "*=*".

Timeout

The value in seconds until the timeout error is thrown, canceling the operation.

Data Type

int

Default Value

60

Remarks

If Timeout = 0, operations do not time out. The operations run until they complete successfully or until they encounter an error condition.

If Timeout expires and the operation is not yet complete, the connector throws an exception.