[cifs-protocol] Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

Bill Wesse billwe at microsoft.com
Wed Jul 2 20:35:12 GMT 2008

Good afternoon Pascal. We have completed our research concerning your questions about AD attribute string forms. The below information is the complete list of special syntaxes. Please let me know if this answers your question satisfactorily; if so, I will consider your question resolved.


1] objectGUID

There is no special syntax for using this attribute in a search filter. You search as for any other binary-valued attribute.

       An example of the hexadecimal string representation of the binary format of the GUID is "FD221F0A-5B5D-484A-99FE-DEB4B3F90C32"

       LDAP filter form:   (objectGUID=\0A\1F\22\FD\5D\5B\4A\48\99\FE\DE\B4\B3\F9\0C\32)

However, there is a special DN syntax which allows you to specify the objectGUID (or objectSID) in the DN instead of a 'conventional' LDAP DN.  This is documented in Section of the [MS-ADTS] document.

If your question about the use of this attribute in search filters has not been addressed by the above, please provide us with a specific example of the search so that we may investigate further.

2] objectSID

The alternative form for attributes of syntax type String(SID), including objectSID, is documented in [MS-ADTS] as shown below:

[MS-ADTS]        Alternative Form of SIDs
                Attributes of String(SID) syntax contain a SID in binary form. However, a client may instead specify a value for such an attribute as a UTF-8 string that is a valid SDDL SID string beginning with "S-" (see [MS-DTYP] sections 2.4.2 and 2.5.1). The server will convert such a string to the binary form of the SID and use that binary form as the value of the attribute.

3] objectCategory

[MS-ADTS]        Searches Using the objectCategory Attribute
                When an LDAP search filter F contains a clause C of the form "(objectCategory=V)", if V is not a DN but there exists an object O such that O!objectClass = classSchema and O!lDAPDisplayName = V, then the server treats the search filter as if clause C was replaced in F with the clause "(objectCategory=V')", where V' is O!defaultObjectCategory.
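The following Python helpers are an added illustration of points 1] and 2] above; they are not part of Bill's reply or of any Microsoft code. They build the escaped-binary objectGUID filter shown in 1] (the little-endian byte order of the first three GUID fields is what turns "FD221F0A-..." into \0A\1F\22\FD...), and convert an SDDL "S-" SID string to and from the binary SID layout of [MS-DTYP] 2.4.2.2, which is the conversion the server performs for String(SID) attributes in 2]. Only the Python standard library is used; the SID values in the usage block are constructed samples (S-1-5-32-544 is the well-known BUILTIN\Administrators SID).

```python
"""Client-side helpers for the objectGUID / objectSID string forms discussed above."""
import struct
import uuid


def ldap_escape_binary(raw: bytes) -> str:
    """Escape a raw byte string as an LDAP filter assertion value.

    RFC 4515 writes each octet of a binary value as a backslash followed by
    two hex digits; this is the form used for any binary-valued attribute,
    objectGUID included.
    """
    return "".join("\\%02X" % b for b in raw)


def objectguid_filter(guid_text: str) -> str:
    """Build "(objectGUID=...)" from the usual hyphenated GUID string.

    The first three GUID fields are stored little-endian on the wire, so
    "FD221F0A-5B5D-484A-..." becomes \\0A\\1F\\22\\FD\\5D\\5B\\4A\\48... in the filter.
    """
    return "(objectGUID=%s)" % ldap_escape_binary(uuid.UUID(guid_text).bytes_le)


def sid_string_to_binary(sid_text: str) -> bytes:
    """Convert an SDDL SID string ("S-1-5-...") to the binary SID layout of
    [MS-DTYP] 2.4.2.2: revision, sub-authority count, 6-byte big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    parts = sid_text.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not an SDDL SID string: %r" % sid_text)
    revision = int(parts[1])
    # SDDL writes identifier authorities >= 2**32 in hexadecimal ("0x...").
    authority = int(parts[2], 0)
    sub_auths = [int(p) for p in parts[3:]]
    if revision != 1 or len(sub_auths) > 15 or authority >= 1 << 48:
        raise ValueError("malformed SID: %r" % sid_text)
    out = struct.pack("<BB", revision, len(sub_auths))
    out += authority.to_bytes(6, "big")
    out += b"".join(struct.pack("<I", s) for s in sub_auths)
    return out


def binary_to_sid_string(raw: bytes) -> str:
    """Inverse of sid_string_to_binary, e.g. for printing an objectSID value
    returned by the server in a search result."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    sub_auths = struct.unpack_from("<%dI" % count, raw, 8)
    auth_text = str(authority) if authority < 1 << 32 else "0x%X" % authority
    return "-".join(["S", str(revision), auth_text] + [str(s) for s in sub_auths])


def objectsid_filters(sid_text: str) -> tuple:
    """Both ways to search on objectSID: the "S-" string form the server
    converts itself (String(SID) alternative form), and the escaped binary
    form that works for any binary-valued attribute."""
    return (
        "(objectSID=%s)" % sid_text,
        "(objectSID=%s)" % ldap_escape_binary(sid_string_to_binary(sid_text)),
    )


if __name__ == "__main__":
    # Constructed sample values for demonstration only.
    print(objectguid_filter("FD221F0A-5B5D-484A-99FE-DEB4B3F90C32"))
    for f in objectsid_filters("S-1-5-32-544"):
        print(f)
    print(binary_to_sid_string(sid_string_to_binary("S-1-5-21-1004336348-1177238915-682003330-512")))
```

Note that the "S-" string form is accepted only for attributes of String(SID) syntax; for objectGUID and other plain binary attributes the escaped form from ldap_escape_binary is the only option, which is why the helper keeps both paths separate.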
