3.1.1.2.5.1.2 Safety Checks
The following checks reduce the possibility of schema updates by one application breaking another application.
These checks apply to all schema objects:
A Modify adds no attributes to the mustContain or systemMustContain of an existing class.
A Modify does not add an auxiliary class to the auxiliaryClass or systemAuxiliaryClass of an existing class, if doing so would effectively add either mustContain or systemMustContain attributes to the class.
A Modify does not change the objectClassCategory of an existing class.
A Modify does not change a constructed attribute (an attribute with FLAG_ATTR_IS_CONSTRUCTED in systemFlags).
A Modify does not change class top, except to add back link attributes as may-contains, either by adding back link attributes to mayContain of top, or by adding auxiliary classes to auxiliaryClass of top whose only effect on top is adding back link attributes as may-contains.
A Modify does not change the fRODCFilteredAttribute bit of the searchFlags attribute of an attributeSchema object, if the DC functional level is DS_BEHAVIOR_WIN2008 or higher, and the attributeSchema object cannot be a member of the filtered attribute set (see section 3.1.1.2.3.5).
These checks apply to schema objects that include FLAG_SCHEMA_BASE_OBJECT in the systemFlags attribute:
A Modify does not change the lDAPDisplayName or cn of an attributeSchema or classSchema object, or the defaultObjectCategory of a classSchema object.
A Modify does not change the classSchema objects attributeSchema, classSchema, subSchema and dMD.
A Modify does not change the fCONFIDENTIAL bit of the searchFlags attribute of an attributeSchema object.
A Modify does not change the attributeSecurityGUID on the following fixed list of attributeSchema objects: accountExpires, badPwdCount, codePage, countryCode, description, displayName, domainReplica, forceLogoff, homeDirectory, homeDrive, memberOf, lastLogoff, lastLogon, lockOutObservationWindow, lockoutDuration, lockoutThreshold, logonCount, logonHours, logonWorkstation, maxPwdAge, member, minPwdAge, minPwdLength, modifiedCount, objectSid, oEMInformation, profilePath, primaryGroupID, pwdHistoryLength, pwdProperties, sAMAccountName, scriptPath, serverState, serverRole, uASCompat, comment, pwdLastSet, userAccountControl, userParameters.