The following terms are commonly used to refer to the Active Directory schema.
- Attribute
Data items used to describe the objects that are represented by the classes that are defined in the schema. Attributes are defined in the schema separately from the classes; this allows a single attribute definition to be applied to many classes. For example, Description is an attribute that can be applied to any class in the schema. The Description attribute is defined once in the schema, assuring consistency, rather than having a different definition for Description of a user and Description of a printer.
Note: The term property is frequently used interchangeably with the term attribute.
- Attribute Instance
An occurrence of an attribute that is defined in the schema. This term is used to distinguish between the definition of an attribute and a discrete occurrence of the attribute. For example, storing a User object for "Jeff Smith" with the Common-Name attribute set to "Jeff Smith" creates an instance of Common-Name.
- Class
A formal description of a discrete, identifiable type of object stored in the directory service. For example, User, Print-Queue, and Group are all classes. Furthermore, there are three distinct categories of classes: Structural Classes, Abstract Classes, and Auxiliary Classes.
- Class Instance
An occurrence of a class that is defined in the schema. This term is used to distinguish between the definition of a class and a discrete occurrence of the class. For example, storing a User object for "Jeff Smith" in the directory service creates an instance of User.
- Content Rules
The definition of the possible contents of the class instances that are stored in the directory service. In NT Directory Services (NTDS), upon which Active Directory is based, the content rules are completely expressed by the Must-Contain and May-Contain attributes of the schema definitions for each class.
- Derivation
See Inheritance.
- Directory Information Tree
The directory itself, represented as a tree structure in which the vertices are the directory entries (class instances) and the connecting lines are the parent-child relationships between the entries.
- DIT
See Directory Information Tree.
- Control Access Rights
A class that describes an access right tied to an action rather than to a resource. For example, a user can be granted the right to create relative ID values.
- Inheritance
The ability to build new object classes from existing object classes. The new object is defined as a subclass of the parent object, and the parent object becomes a superclass of the new object. A subclass inherits the attributes of the parent, including structure rules and content rules.
- LDAP
See Lightweight Directory Access Protocol.
- Lightweight Directory Access Protocol
A standard Internet communications protocol used to communicate with the NTDS. LDAP version 2 and version 3 are supported.
- NT Security Descriptor
See the entry for Security Descriptor.
- Object
A unit of data storage in the directory service. Directory service objects are not to be confused with COM objects or other object-oriented system objects, which have an executable component and run-time behavior. Directory service objects consist only of data. A directory service object is defined by a Class-Schema object and a group of Attribute-Schema objects referenced by the Class-Schema object. Class-Schema and Attribute-Schema objects are themselves directory service objects, and have definitions in the schema like any other objects. See Class.
- Object Identifier
Unique numeric values, issued by various issuing authorities, to uniquely identify data elements, syntaxes, and various other parts of distributed applications. Object Identifiers (OIDs) are found in OSI applications, X.500 Directories, SNMP, and other applications where uniqueness is important. OIDs are based on a tree structure, in which a superior issuing authority, such as the ISO, allocates a branch of the tree to a sub-authority, which in turn can allocate sub-branches.
OIDs in the NTDS include some issued by the ISO for X.500 classes and attributes, and some issued by Microsoft. OID notation is a dotted string of numbers, for example "1.2.840.113556.1.5.4", which translates as listed in the following table.

| Value | Description |
|---|---|
| 1 | ISO, the "root authority", issued "1.2" to ANSI, which in turn... |
| 2 | ANSI ...issued "1.2.840" to USA, which in turn... |
| 840 | USA ...issued "1.2.840.113556" to Microsoft... |
| 113556 | Microsoft ...where Microsoft internally manages several OID branches under "1.2.840.113556". |
| 1 | Microsoft DS |
| 5 | NTDS Classes |
| 4 | Builtin-Domain |
- OID
See Object Identifier.
- Schema
A formal definition of the directory service contents and structure. The schema defines all attributes and classes. For each class, the Poss-Superiors, Must-Contain, and May-Contain attributes are defined. Poss-Superiors defines the possible tree structures for the directory service by specifying what classes can be the parent for any given class. Must-Contain and May-Contain list the attributes for a class that must be present to store the class and what additional attributes may optionally be present.
- Security Descriptor
Information about the ownership of an object and the permissions that other users have on that object. The NT-Security-Descriptor property of a schema entry contains a string that represents the security descriptor of the object. For more information about the format of the information in this field, see Security Descriptor String Format.
- Structure Rules
The definition of the possible tree structure or structures. In the NTDS, the structure rules are completely expressed by the Poss-Superiors attribute present on each Class-Schema object. See Schema.
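The following is an added example, not part of the original glossary, showing how the content rules (Must-Contain, May-Contain), structure rules (Poss-Superiors) and inheritance described above combine when a class instance is checked against a schema. The mini-schema (Top, Person, User, Organizational-Unit and their attribute lists) is constructed for illustration and is not the real Active Directory schema.

```python
# Added example (not from the original page): a toy validator for the schema
# concepts defined in the glossary. Class and attribute names are constructed
# and simplified; they are not the real Active Directory schema definitions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ClassSchema:
    name: str
    must_contain: set = field(default_factory=set)    # content rule: mandatory
    may_contain: set = field(default_factory=set)     # content rule: optional
    poss_superiors: set = field(default_factory=set)  # structure rule: allowed parents
    superclass: Optional[str] = None                  # inheritance: subclass -> superclass

# Constructed mini-schema: Person is the superclass of User (a subclass).
SCHEMA = {
    "Top": ClassSchema("Top", must_contain={"Object-Class"}),
    "Person": ClassSchema("Person", must_contain={"Common-Name"},
                          may_contain={"Description"}, superclass="Top"),
    "User": ClassSchema("User", may_contain={"Account-Name"},
                        poss_superiors={"Organizational-Unit"}, superclass="Person"),
    "Organizational-Unit": ClassSchema("Organizational-Unit", must_contain={"OU"},
                                       poss_superiors={"Domain-DNS"}, superclass="Top"),
}

def effective_rules(class_name):
    """Walk the inheritance chain: a subclass inherits its superclass' content rules."""
    must, may = set(), set()
    cls = SCHEMA[class_name]
    while cls is not None:
        must |= cls.must_contain
        may |= cls.may_contain
        cls = SCHEMA[cls.superclass] if cls.superclass else None
    return must, may

def validate_instance(class_name, attributes, parent_class):
    """Return the rule violations for a proposed class instance (empty list = valid)."""
    must, may = effective_rules(class_name)
    present = set(attributes)
    errors = []
    for a in sorted(must - present):
        errors.append(f"missing mandatory attribute {a}")
    for a in sorted(present - must - may):
        errors.append(f"attribute {a} not permitted by content rules")
    if parent_class not in SCHEMA[class_name].poss_superiors:
        errors.append(f"{class_name} may not be created under {parent_class}")
    return errors

if __name__ == "__main__":
    jeff = {"Object-Class": "user", "Common-Name": "Jeff Smith"}
    print(validate_instance("User", jeff, "Organizational-Unit"))  # []
```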
- Subclass
A Class-Schema object that inherits from another Class-Schema object. See Inheritance.
- Superclass
A Class-Schema object from which one or more other Class-Schema objects inherit. See Inheritance.
- Tree
See Directory Information Tree.
- X.500
A family of standards developed jointly by the ISO and ITU, formerly known as the CCITT, that specify the naming, data representation, and communications protocols for a directory service.