Attributes for AD Users : objectClass
The Active Directory attribute objectClass represents the classification of user objects in the Active Directory schema hierarchy. Besides the class 'user', all higher-ranking classes from which the user class is derived are listed here.
| Property | Value |
|---|---|
| In Global Catalog? | Yes |
| AD DB attribute name | Object-Class |
| ADSI datatype | 3 - String(Object Identifier) |
| LDAP syntax | 1.3.6.1.4.1.1466.115.121.1.38 - OID |
| Used in ... | > W2K |
| Schema Info | Microsoft - MSDN |
The object class of a user object is always the following array:
The schema class organizationalPerson here represents the actual object class of the mailbox; this is the class you must provide when you want to create a user object. This main class (also called the structural class) is always the last array member in Active Directory environments (this differs from Exchange 5.5 object classes). If you want to make sure that the object you are dealing with actually is a user, you have to use the following script code:
Even easier is to use the ADSI interface attribute Class, because it returns the actual object class 'user' as a single value rather than an array. The check for the object class would then look like this:
Note: If you use the LDAP filter "(objectClass=user)" to search the directory for user objects, the result contains user AND computer objects. This is because computer objects also carry (amongst others) the object class "user". The filter for the "real" users should look like this: "(&(objectClass=user)(objectCategory=Person))". You can find more information about this point in the SelfADSI tutorial under the topic "Searching Objects".
The other classes "organizationalPerson", "person" and "Top" are the superior classes from which user is derived hierarchically. Once a user object has been created, the attribute objectClass can't be changed afterwards.
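The note on LDAP filters above, as an added example (not code from the original page): a small Python evaluator for the filter subset used here (`&`, `|`, `!` and equality), run over three constructed entries, returning each selected object together with the last value of its objectClass array. The entry names and the helper functions `parse`, `matches` and `search` are assumptions made for illustration.

```python
import re

# Constructed sample entries (not from a real directory). Class lists follow the default
# AD schema; objectCategory is stored as a DN in AD and shortened to its name here.
ENTRIES = [
    {"cn": ["Alice Example"], "objectCategory": ["Person"],
     "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"cn": ["WKSTN01"], "objectCategory": ["Computer"],
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"]},
    {"cn": ["Bob Contact"], "objectCategory": ["Person"],
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},
]

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group near position {i}")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the filter is unterminated
    item = re.fullmatch(r"([A-Za-z][A-Za-z0-9-]*)=([^()*]+)", f[i:end])
    if not item:
        raise ValueError(f"malformed equality test near position {i}")
    return ("=", item.group(1).lower(), item.group(2).lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, case-insensitively."""
    if node[0] in "&|":
        results = [matches(k, entry) for k in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = {k.lower(): v for k, v in entry.items()}.get(node[1], [])
    return node[2] in (v.lower() for v in values)

def search(filter_text, entries=ENTRIES):
    """Return (cn, last objectClass value) for every entry the filter selects."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("unexpected text after the filter")
    return [(e["cn"][0], e["objectClass"][-1]) for e in entries if matches(node, e)]
```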