{"id":72557,"date":"2022-11-29T12:00:00","date_gmt":"2022-11-29T17:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=72557"},"modified":"2024-11-05T18:32:13","modified_gmt":"2024-11-05T23:32:13","slug":"active-directory-attributes","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/active-directory-attributes","title":{"rendered":"Active Directory Attributes"},"content":{"rendered":"\n

Active Directory (AD) is a directory service/identity provider (IdP) that administrators use to connect users to resources on Windows-based networks. It’s built into Windows Server and works through Active Directory Domain Services (AD DS) to secure PCs, file shares, and applications. AD DS stores information about network objects (e.g., users, groups, systems, etc.) and their relationships to one another. Your organization may still be using AD because it can provide user-based policies for access control and you feel that it’s necessary.

Attributes determine user permissions and make it possible for admins to query AD and produce compliance reports. Understanding how AD stores this user information makes it easier to manage multiple domains, configure single sign-on (SSO) when it’s necessary to access external resources, or create information barriers between departments.

SSO breaks down identity silos and makes it possible to centralize your policies and controls with groups. However, that’s not possible if users aren’t decorated with the right attributes, or if those attributes aren’t mapped to a cloud directory that modernizes AD. This article focuses on users and on how AD stores information that can be used for group management and can flow into identity and access management (IAM) systems to make access decisions in your network and beyond. The goal is to increase IT efficiency and establish stronger security for users and devices.


Object Classes Defined

First, let’s cover some core terminology:

User objects: User objects represent individuals within your organization who are part of the domain. The user object resides within the higher-level user class, and attributes determine what information each class can hold. This concept is called a Directory Information Tree (DIT). These concepts are outlined in more detail below.

Directory Service Tree: The DIT consists of the Distinguished Names (DNs) of directory service entries; a DN is a unique identifier that’s familiar to AD administrators and PowerShell users. For example, a DN makes it possible to execute a command against a specific object, such as a user account. Microsoft uses “tree” as the term for multiple domains grouped together; multiple trees form a forest, which can encapsulate multiple locations and IT teams. Organizational units (OUs) organize groups, users, and devices at all levels of the AD forest.

\"Microsoft
Image credit: Microsoft TechNet Wiki<\/em><\/figcaption><\/figure>\n\n\n\n

Object attributes: Object attributes define the basic properties of an object, such as a first or last name. Attributes are essential to how the directory functions. Think of them as key-value pairs in a database with predefined names, so that Lightweight Directory Access Protocol (LDAP) can function as an open protocol in an IdP. A collection of attributes is an entry, such as an individual user in AD.

Entries are differentiated from one another by their DN. Attributes can belong to multiple classes in AD because the classSchema and attributeSchema objects are defined separately. Windows admins who have the schema master role can use the Schema Management Microsoft Management Console (MMC) snap-in to introduce custom attributes by registering schemas.

ObjectClasses: ObjectClasses are essentially collections of attributes (containers). The LDAP standard uses directory schemas to define ObjectClasses and a class hierarchy for storing and retrieving data. The attributes associated with an ObjectClass describe something, such as a person, so a person falls within the user class type. ObjectClass can also be used as an attribute in directory search operations and reporting. ObjectClasses are defined by the LDAP standard, which AD was built on, and fall into three categories: