3.1.4.2.2 ActiveDirectoryObject

The DistinguishedName element is populated from the directory object's distinguishedName attribute. If the distinguishedName attribute is not present on the directory object or cannot be read due to the client lacking access rights to read the attribute, then the server MUST return a SOAP fault corresponding to the custom action that was requested as described in sections 3.4.4.2.8.1, 3.4.4.3.8.1, and 3.4.4.4.8.1. For the GetADDomain custom action (section 3.4.4.2), however, if the distinguishedName attribute is not present on the directory object or cannot be read due to the client lacking access rights to read the attribute, then the server returns a null ActiveDirectoryObject/DistinguishedName element. Therefore, the DistinguishedName element MUST NOT be null in the response to any custom action other than GetADDomain.

The Name element is populated from the group!name, user!name, or computer!name attribute on the group object, user object, or computer object depending on which type of directory object a response encapsulates. If the attribute is not present on the directory object or cannot be read due to the client lacking access rights to read the attribute, then the server returns a null ActiveDirectoryObject/Name element.

The ObjectClass element is populated from the directory object's objectClass attribute. This element contains the most specific structural object class ([MS-ADTS] section 3.1.1.4) among the set of classes in the multivalued objectClass attribute's values. If the objectClass attribute is not present on the directory object or cannot be read due to the client lacking access rights to read the attribute, and:

The ObjectClass element MUST NOT be null in any custom action response.

The ObjectGuid element is populated from the directory object's objectGUID attribute, converted to UUID string form ([RFC4122] section 3). If the objectGUID attribute is not present on the directory object or cannot be read due to the client lacking access rights to read the attribute, then the server MUST return a SOAP fault corresponding to the custom action that was requested as described in sections 3.3.4.2.8.1, 3.3.4.3.8.1, and 3.3.4.4.8.5. For the GetADDomain custom action defined in section 3.4.4.2, however, if the objectGUID attribute is not present on the directory object or cannot be read due to the client lacking access rights to read the attribute, then the server populates the ActiveDirectoryObject/ObjectGuid element with a value of 00000000-0000-0000-0000-000000000000. The ObjectGuid element MUST NOT be null in any custom action response.

The ObjectTypes element is populated from the directory object's objectClass multivalued attribute. The values in the array are ordered in the same sequence as values in the objectClass attribute ([MS-ADTS] section 3.1.1.2.4.3). If the objectClass multivalued attribute is not present on the directory object or cannot be read due to the client lacking access rights to read the attribute, and:

  • The custom action is GetADDomain or GetADPrincipalAuthorizationGroup, then the server MUST return a SOAP fault corresponding to the custom action that was requested as described in sections 3.3.4.3.8.5 and 3.4.4.2.8.1.

  • The custom action is GetADGroupMember or GetADPrincipalGroupMembership, then the server omits the object when constructing the response (sections 3.3.4.2.2.6 and 3.3.4.4.2.7).

The ObjectTypes element MUST NOT be null in any custom action response.

The ReferenceServer element is populated as follows:

  • If the directory instance is AD DS and:

    • The custom action is not GetADDomain (section 3.4.4.2), then the element is populated by converting from the rootDSE!defaultNamingContext attribute (fully qualified domain name (FQDN) (1)) to a canonical name following the syntactic transformation described in [MS-ADTS] section 3.1.1.1.7, but with any trailing "/" omitted. If the rootDSE!defaultNamingContext attribute is not present or cannot be read due to the client lacking access rights to read the attribute, then the server MUST return a SOAP fault corresponding to the custom action that was requested as described in sections 3.3.4.2.8.5, 3.3.4.3.8.5, and 3.3.4.4.8.6.

    • The custom action is GetADDomain, then the element is populated with the value of the ActiveDirectoryPartition/DNSRoot (section 3.4.4.2.3.2.3) element of the response.

  • If the directory instance is AD LDS, the element is populated from the server name, concatenated with a colon (:) followed by the base 10 representation of the TCP port number that AD LDS is using. Note that the port number string is equal to the Server element port number that was received in the message header. The server name is populated from the Active Directory instance's computer!dNSHostName attribute, for the computer object representing this DC. If the dNSHostName attribute is not present on the computer object or cannot be read due to the client lacking access rights to read the attribute, then the server MUST return a SOAP fault corresponding to the custom action that was requested as described in sections 3.3.4.2.8.5, 3.3.4.3.8.5, 3.3.4.4.8.6, and 3.4.4.2.8.2.
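The population rules for the five ActiveDirectoryObject elements, including the per-action fault, null and omit cases and the ReferenceServer branches for AD DS and AD LDS, as an added worked example that is not part of this specification or of any Microsoft implementation. It assumes the directory object, the rootDSE and the DC's computer object have already been read into plain dictionaries keyed by attribute name (a missing key stands for "not present or not readable"), that objectClass values are ordered least-specific-first as AD stores them (so the last value is the most specific structural class), and that a SoapFault exception stands in for the per-action SOAP fault. The DN-to-canonical-name conversion is a simplified rendering of the [MS-ADTS] 3.1.1.1.7 transformation (RFC 4514 escapes are dropped, "/" inside values is not escaped). All sample entries are constructed.

```python
"""Build the ActiveDirectoryObject elements from a directory entry (added example)."""
import uuid
from typing import Optional

NULL_GUID = "00000000-0000-0000-0000-000000000000"
# Actions for which an unreadable objectClass is a fault vs. an omitted object (ObjectTypes rule).
FAULT_ON_MISSING_OBJECTCLASS = {"GetADDomain", "GetADPrincipalAuthorizationGroup"}
OMIT_ON_MISSING_OBJECTCLASS = {"GetADGroupMember", "GetADPrincipalGroupMembership"}


class SoapFault(Exception):
    """Stand-in (assumed) for the per-action SOAP fault the server would return."""


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings at unescaped commas (backslash escapes kept in place)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # escaped char: keep both bytes, skip
            cur.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            rdns.append("".join(cur)); cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns


def dn_to_canonical(dn: str) -> str:
    """Simplified [MS-ADTS] 3.1.1.1.7 transformation: DC values joined with '.',
    then the remaining RDN values, root first, joined with '/'.
    A naming-context DN such as DC=contoso,DC=com yields 'contoso.com/'."""
    dcs, others = [], []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        value = value.replace("\\", "").strip()   # drop RFC 4514 escapes (simplified)
        (dcs if attr.strip().lower() == "dc" else others).append(value)
    return ".".join(dcs) + "/" + "/".join(reversed(others))


def guid_to_string(raw: bytes) -> str:
    """objectGUID is a 16-byte little-endian GUID; render it in RFC 4122 string form."""
    return str(uuid.UUID(bytes_le=raw))


def build_ad_object(entry: dict, action: str, instance: str = "AD DS", port: Optional[int] = None,
                    rootdse: Optional[dict] = None, dc_computer: Optional[dict] = None,
                    dns_root: Optional[str] = None) -> Optional[dict]:
    """Return the element values as a dict, raise SoapFault, or return None when the
    object is to be omitted from the response."""
    obj = {}
    dn = entry.get("distinguishedName")
    if dn is None and action != "GetADDomain":      # null DN allowed only for GetADDomain
        raise SoapFault(f"{action}: distinguishedName not readable")
    obj["DistinguishedName"] = dn
    obj["Name"] = entry.get("name")                  # null when absent or unreadable

    classes = entry.get("objectClass")
    if not classes:
        if action in OMIT_ON_MISSING_OBJECTCLASS:
            return None                              # object dropped from the response
        raise SoapFault(f"{action}: objectClass not readable")
    obj["ObjectTypes"] = list(classes)               # same order as the attribute values
    obj["ObjectClass"] = classes[-1]                 # assumes least-specific-first ordering

    raw_guid = entry.get("objectGUID")
    if raw_guid is None:
        if action != "GetADDomain":
            raise SoapFault(f"{action}: objectGUID not readable")
        obj["ObjectGuid"] = NULL_GUID                # GetADDomain substitutes the null GUID
    else:
        obj["ObjectGuid"] = guid_to_string(raw_guid)

    if instance == "AD LDS":                         # <dNSHostName>:<port from the Server header>
        host = (dc_computer or {}).get("dNSHostName")
        if host is None:
            raise SoapFault(f"{action}: dNSHostName not readable")
        obj["ReferenceServer"] = f"{host}:{port}"
    elif action == "GetADDomain":                    # copied from ActiveDirectoryPartition/DNSRoot
        obj["ReferenceServer"] = dns_root
    else:                                            # canonical defaultNamingContext, no trailing "/"
        nc = (rootdse or {}).get("defaultNamingContext")
        if nc is None:
            raise SoapFault(f"{action}: defaultNamingContext not readable")
        obj["ReferenceServer"] = dn_to_canonical(nc).rstrip("/")
    return obj


# Constructed sample data (not captured from a real directory).
SAMPLE_ROOTDSE = {"defaultNamingContext": "DC=contoso,DC=com"}
SAMPLE_USER = {
    "distinguishedName": "CN=Smith\\, John,OU=Sales,DC=contoso,DC=com",
    "name": "Smith, John",
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "objectGUID": bytes(range(1, 17)),
}

if __name__ == "__main__":
    print(build_ad_object(SAMPLE_USER, "GetADGroupMember", rootdse=SAMPLE_ROOTDSE))
```

The functions return the element values rather than SOAP XML so the fault/null/omit decisions can be checked on their own; wrapping them in the response envelope is the caller's job.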