[cifs-protocol] RE: Answer: SRX080609601575 : [MS-ADA3]: 2.43 2.44 string forms of AD attributes

Bill Wesse billwe at microsoft.com
Mon Jul 14 20:43:44 GMT 2008

Good afternoon Andrew. I have included a modified response, containing the sections in [MS-ADA3] and [MS-ADTS] covering the objectCategory and objectSID attributes (I omitted the objectGUID notes, since there are no special semantics for this).

The decision has been made to not change the document by adding additional cross references, in order to keep the inter-document maintenance complexity in check. Please let me know if you this answers your question satisfactorily; if so, I will consider your question resolved.


[MS-ADTS] Searches Using the objectCategory Attribute
When an LDAP search filter F contains a clause C of the form "(objectCategory=V)", if V is not a DN but there exists an object O such that O!objectClass = classSchema and O!lDAPDisplayName = V, then the server treats the search filter as if clause C was replaced in F with the clause "(objectCategory=V')", where V' is O!defaultObjectCategory.

2.38 Attribute objectCategory
                This attribute specifies an object class name that is used to group objects of this or derived classes. Every object in Active Directory has this attribute. See [MS-ADTS] for more information about how Active Directory uses this attribute.


The alternative form for attributes of syntax type String(SID), including objectSID, is documented in [MS-ADTS] as shown below:

[MS-ADTS] Alternative Form of SIDs
Attributes of String(SID) syntax contain a SID in binary form. However, a client may instead specify a value for such an attribute as a UTF-8 string that is a valid SDDL SID string beginning with "S-" (see [MS-DTYP] sections 2.4.2 and 2.5.1). The server will convert such a string to the binary form of the SID  and use that binary form as the value of the attribute.

2.44 Attribute objectSid
This attribute specifies a binary value that specifies the security identifier (SID) of the user. The SID is a unique value used to identify the user as a security principal. For more information on the SID data type, refer to [MS-DTYP] section 2.4.2. SID usage is also discussed in [MS-ADTS], in particular in section

Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  980-776-8200
CELL: 704-661-5438
FAX:  704-665-9606

More information about the cifs-protocol mailing list