Which object attributes are included in the global catalog?
The global catalog stores only a subset of the attributes for each object in the Active Directory forest. Storing every attribute would create too much data-handling overhead for the GC servers; a global catalog is meant to serve only as a kind of yellow pages for the environment.
Whether an attribute is included in the global catalog is determined by the systemFlags property of the attribute's schema object. If the second bit is set there (flag FLAG_ATTR_REQ_PARTIAL_SET_MEMBER), the attribute is contained in the global catalog. An even easier check is the attribute isMemberOfPartialAttributeSet: for global catalog attributes, its value is set to TRUE.
Here is a list of the attributes that are part of the global catalog by default in a Windows 2008 R2 Active Directory:
| altSecurityIdentities | cn | c (country) | dc |
| dSCorePropagationData | frsComputerReference | fRSMemberReference | groupType |
| instanceType | isDeleted | isRecycled | l (location) |
| member | mSMQUserSid | nTSecurityDescriptor | distinguishedName |
| objectCategory | objectClass | objectGUID | objectSid |
| ou | o | partialAttributeDeletionList | partialAttributeSet |
| primaryGroupID | proxiedObjectName | name | replPropertyMetaData |
| replUpToDateVector | repsFrom | repsTo | sAMAccountName |
| sAMAccountType | servicePrincipalName | sIDHistory | st |
| street | subRefs | systemPossSuperiors | userAccountControl |
| userPrincipalName | uSNChanged | uSNCreated | uSNLastObjRem |
| wellKnownObjects | whenChanged | whenCreated |
You can also evaluate the current set of attributes in the global catalog easily with this script:
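```vbscript
' Select every attribute schema object that is marked as a global catalog attribute
ldapFilter = "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))"

' Read the DN of the schema partition from the rootDSE
Set rootDSE = GetObject("LDAP://rootDSE")
schemaDN = rootDSE.Get("schemaNamingContext")

' A SortedList keeps the attribute names in alphabetical order
Set attrList = CreateObject("System.Collections.SortedList")

' Search the schema partition through the ADSI OLE DB provider
Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Open "ADSearch"
Set objectList = ado.Execute("<LDAP://" & schemaDN & ">;" & ldapFilter & ";lDAPDisplayName;subtree")

While Not objectList.EOF
    attrName = objectList.Fields("lDAPDisplayName").Value
    attrList.Add attrName, 0
    objectList.MoveNext
Wend

' Print the collected names in sorted order
For i = 0 To attrList.Count - 1
    WScript.Echo attrList.GetKey(i)
Next
```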
Without the alphabetical sort of the attribute names, the script becomes simpler:
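```vbscript
' Select every attribute schema object that is marked as a global catalog attribute
ldapFilter = "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))"

' Read the DN of the schema partition from the rootDSE
Set rootDSE = GetObject("LDAP://rootDSE")
schemaDN = rootDSE.Get("schemaNamingContext")

' Search the schema partition through the ADSI OLE DB provider
Set ado = CreateObject("ADODB.Connection")
ado.Provider = "ADSDSOObject"
ado.Open "ADSearch"
Set objectList = ado.Execute("<LDAP://" & schemaDN & ">;" & ldapFilter & ";lDAPDisplayName;subtree")

' Print each attribute name in the order the search returns it
While Not objectList.EOF
    attrName = objectList.Fields("lDAPDisplayName").Value
    WScript.Echo attrName
    objectList.MoveNext
Wend
```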
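The two checks described above, applied offline to an LDIF export of the schema partition, as an added example that is not part of the original page. It reports the attributes marked for the global catalog by either signal and, going beyond the page, which of them are missing from the default list above; those replicate to every global catalog server and are worth reviewing. `parse_ldif`, `audit`, `PAGE_DEFAULTS` and `SAMPLE` are names chosen here, and the sample records are constructed.

```python
import re

FLAG_ATTR_REQ_PARTIAL_SET_MEMBER = 0x2  # second bit of systemFlags, flag name from the page
# Default global catalog attributes exactly as listed on the page (Windows 2008 R2).
PAGE_DEFAULTS = {n.lower() for n in """
altSecurityIdentities cn c dc dSCorePropagationData frsComputerReference fRSMemberReference groupType
instanceType isDeleted isRecycled l member mSMQUserSid nTSecurityDescriptor distinguishedName objectCategory
objectClass objectGUID objectSid ou o partialAttributeDeletionList partialAttributeSet primaryGroupID
proxiedObjectName name replPropertyMetaData replUpToDateVector repsFrom repsTo sAMAccountName sAMAccountType
servicePrincipalName sIDHistory st street subRefs systemPossSuperiors userAccountControl userPrincipalName
uSNChanged uSNCreated uSNLastObjRem wellKnownObjects whenChanged whenCreated
""".split()}
# Constructed sample records; the example* attributes and the DNs are hypothetical.
SAMPLE = """\
dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: sAMAccountName
systemFlags: 18

dn: CN=example-Badge-Number,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: exampleBadgeNumber
isMemberOfPartialAttributeSet: TRUE

dn: CN=example-Notes,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: exampleNotes
systemFlags: 16
"""

def parse_ldif(text):  # yields one dict per record: lower-cased name -> list of values
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                rec.setdefault(key.lower(), []).append(value.strip())
        yield rec

def audit(ldif_text):
    """Return (global catalog attributes, those not on the page's default list)."""
    in_gc = []
    for rec in parse_ldif(ldif_text):
        flagged = int(rec.get("systemflags", ["0"])[0]) & FLAG_ATTR_REQ_PARTIAL_SET_MEMBER
        member = rec.get("ismemberofpartialattributeset", [""])[0].upper() == "TRUE"
        if "attributeSchema" in rec.get("objectclass", []) and (flagged or member):
            in_gc.append(rec["ldapdisplayname"][0])
    in_gc.sort(key=str.lower)
    return in_gc, [n for n in in_gc if n.lower() not in PAGE_DEFAULTS]
```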

