
Object Attributes of category 'Constructed'


On this web page we take a look at the so-called Constructed Attributes in Active Directory Services environments. These attributes do not really exist in the directory database; rather, the directory server creates them at the moment an LDAP client requests such an attribute. A few limitations apply to Constructed Attributes:

The following operational attributes are contained in a Windows 2003 AD whose schema has been extended by an Exchange 2003 setup:



allowedAttributes
allowedAttributesEffective
allowedChildClasses
allowedChildClassesEffective
aNR
attributeTypes
canonicalName
createTimeStamp
dITContentRules
entryTTL
extendedAttributeInfo
extendedClassInfo
fromEntry
modifyTimeStamp
ms-DS-Approx-Immed-Subordinates
ms-DS-Auxiliary-Classes
ms-DS-KeyVersionNumber
ms-DS-NC-Repl-Cursors
ms-DS-NC-Repl-Inbound-Neighbors
ms-DS-NC-Repl-Outbound-Neighbors
ms-DS-Principal-Name
ms-DS-Quota-Effective
ms-DS-Quota-Used
ms-DS-Repl-Attribute-Meta-Data
ms-DS-Repl-Value-Meta-Data
ms-DS-Resultant-PSO
ms-DS-Revealed-List
ms-DS-Revealed-List-BL
ms-DS-SiteName
ms-DS-Top-Quota-Usage
ms-DS-User-Account-Control-Computed
ms-DS-User-Password-Expiry-Time-Computed
objectClasses
parentGUID
possibleInferiors
sDRightsEffective
structuralObjectClass
subSchemaSubEntry
tokenGroups
tokenGroupsGlobalAndUniversal
tokenGroupsNoGCAcceptable

Other directory services, for example Sun's Directory Server or Novell's eDirectory, don't have such Constructed Attributes. But in these LDAP services there are other special attribute types (also known in Active Directory) which have to be taken care of as well: the so-called Operational Attributes.


To see whether an attribute is constructed or not, the System-Flags in the schema definition of this attribute have to be analyzed. This is a bit field stored as systemFlags in the schema entry; for constructed attributes, the third bit in this field is set to 1.


You can detect all the Constructed Attributes in your Active Directory environment with the following script:


Set ado = CreateObject("ADODB.Connection")        'prepare ADO search
ado.Provider = "ADSDSOObject"
ado.Properties("User ID") = "administrator"       'pass credentials - omit these 2 lines to use your current credentials!
ado.Properties("Password") = "geheim"
ado.Properties("Encrypt Password") = True
ado.Open "AD-Search"                              'use any name for the connection

serverName = "dc1.cerrotorre.de"

'detect search context for the schema container
Set root = GetObject("LDAP://" & serverName & "/RootDSE")
baseStr = "<LDAP://" & serverName & "/" & root.Get("SchemaNamingContext") & ">"

'third bit has to be set =>
'search for attributes with flag 0x00000004
filterStr = "(&(objectcategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.804:=4))"

'perform search
Set objectList = ado.Execute(baseStr & ";" & filterStr & ";cn;SubTree")

'show results
While Not objectList.EOF
    WScript.Echo objectList.Fields("cn")
    objectList.MoveNext
Wend
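
The filter in the script above tests systemFlags with the bitwise OR matching rule (OID ending in .804) and the value 4. The following Python code is an added example, not part of the original page: it applies that rule and its AND counterpart (.803) client-side and decodes the attribute-related flag bits. The flag names follow Microsoft's systemFlags documentation; the function names and the sample systemFlags values are made up for illustration.

```python
# Added example: evaluates the bitwise LDAP matching rules client-side.
BIT_AND = "1.2.840.113556.1.4.803"  # matches when ALL mask bits are set
BIT_OR = "1.2.840.113556.1.4.804"   # matches when ANY mask bit is set (used in the script)

# systemFlags bits that apply to attributeSchema objects
ATTR_FLAGS = {
    0x01: "NOT_REPLICATED",
    0x02: "REQ_PARTIAL_SET_MEMBER",
    0x04: "IS_CONSTRUCTED",
    0x08: "IS_OPERATIONAL",
    0x10: "SCHEMA_BASE_OBJECT",
    0x20: "IS_RDN",
}
CONSTRUCTED = 0x04

def to_unsigned(value):
    """systemFlags arrives as a signed 32-bit decimal string; normalise it."""
    return int(value) & 0xFFFFFFFF

def bit_match(rule_oid, value, mask):
    """Apply one of the two bitwise matching rules to an attribute value."""
    if value is None:  # attribute not set on the entry: the filter cannot match
        return False
    v = to_unsigned(value)
    if rule_oid == BIT_AND:
        return v & mask == mask
    if rule_oid == BIT_OR:
        return v & mask != 0
    raise ValueError("unsupported matching rule: " + rule_oid)

def decode_flags(value):
    """Names of the known attribute flags set in a systemFlags value."""
    v = to_unsigned(value)
    return [name for bit, name in ATTR_FLAGS.items() if v & bit]

def constructed_attributes(entries):
    """Names of all entries whose systemFlags has the constructed bit set."""
    return sorted(name for name, flags in entries
                  if bit_match(BIT_OR, flags, CONSTRUCTED))

# Constructed sample (name, systemFlags) pairs; the values are illustrative,
# not read from a real schema.
SAMPLE = [
    ("canonicalName", "20"),            # 0x14
    ("tokenGroups", "-2147483628"),     # 0x80000014 as signed 32-bit
    ("sampleStoredAttribute", "16"),    # 0x10, constructed bit clear
    ("sampleNoFlags", None),            # systemFlags not set at all
]

if __name__ == "__main__":
    for name in constructed_attributes(SAMPLE):
        print(name, decode_flags(dict(SAMPLE)[name]))
```

With a single-bit mask such as 4 both matching rules give the same result; they differ only when the mask contains more than one bit.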