User accounts are one of the most frequently used types of objects in
Active Directory. Because Windows 2000 and Windows 2003 systems
manage users through Active Directory, many key issues that system
administrators have to deal with are covered in this chapter. In
particular, Active Directory manages all the information regarding
passwords, group membership, the disabling or expiration of accounts,
and when users have logged in.

Table 6-1. Attributes of user objects

| Attribute | Description |
|---|---|
| accountExpires | Large integer representing when the user's account is going to expire. See Recipe 6.25 for more information. |
| cn | Relative distinguished name of user objects. This is commonly the username of the user. |
| displayName | Typically the full name of a user. This attribute is used in administrative tools to display a user's descriptive "name." |
| givenName | First name of the user. |
| homeDirectory | Local or UNC path of the user's home directory. See Recipe 6.29 for more information. |
| homeDrive | Defines the drive letter to map the user's home directory to. See Recipe 6.29 for more information. |
| lastLogon | Last logon timestamp, which is not replicated among domain controllers. |
| lastLogonTimestamp | Approximate last logon timestamp, which is replicated among domain controllers. This attribute is new in Windows Server 2003. See Recipe 6.27 for more information. |
| managedObjects | Multivalued linked attribute (with managedBy) that contains a list of DNs of objects the user manages. |
| lockoutTime | Large integer representation of the timestamp for when a user was locked out. See Recipe 6.9 for more information. |
| memberOf | List of DNs of the groups the user is a member of. See Recipe 6.14 for more information. |
| objectSID | Octet string representing the SID of the user. |
| primaryGroupID | ID of the primary group for the user. See Recipe 6.15 for more information. |
| profilePath | UNC path to the profile directory. See Recipe 6.29 for more information. |
| pwdLastSet | Large integer that can be translated into the last time the user's password was set. See Recipe 6.23 for more information. |
| sAMAccountName | NetBIOS-style name of the user. |
| sidHistory | Multivalued attribute that contains a list of SIDs that are associated with the user. |
| scriptPath | Path to the logon script. See Recipe 6.29 for more information. |
| sn | Last name of the user. |
| tokenGroups | List of SIDs for the groups in the domain the user is a member of (both directly and via nesting). |
| unicodePwd | Octet string that contains the password for the user. This attribute cannot be directly queried. |
| userAccountControl | Account flags that define such things as account status and password change status. |
| userPrincipalName | Email-style account name for the user, which a user can use to log on to a computer. |
| userWorkstations | Multivalued list of computers a user can log on to. |
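
Several attributes in Table 6-1 come back from a directory export as raw large integers, octet strings, or bit masks. The following added example (not code from the book) decodes them using the documented Windows encodings, which the table itself does not spell out; the function names and the sample record are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never"
UAC_FLAGS = {  # subset of the documented userAccountControl bits
    0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD", 0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x400000: "DONT_REQ_PREAUTH",
}

def filetime_to_datetime(value):
    """Large integer = 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    ticks = int(value)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def account_expires(value):
    """Expiry time, or None when the account never expires."""
    return None if int(value) in NEVER_EXPIRES else filetime_to_datetime(value)

def sid_to_string(raw):
    """Decode an objectSID octet string into its S-1-5-21-... text form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def uac_flag_names(value):
    """Names of the known flags set in userAccountControl."""
    return [name for bit, name in UAC_FLAGS.items() if int(value) & bit]

# Constructed sample record holding raw values as a directory export shows them.
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1001, 2002, 3003, 1105)
SAMPLE = {
    "accountExpires": "9223372036854775807",
    "pwdLastSet": "127490112000000000",
    "lockoutTime": "0",
    "userAccountControl": "66048",
    "objectSID": SAMPLE_SID,
}

def decode_user(rec):
    return {
        "expires": account_expires(rec["accountExpires"]),
        "pwd_last_set": filetime_to_datetime(rec["pwdLastSet"]),
        "locked_out_at": filetime_to_datetime(rec["lockoutTime"]),
        "flags": uac_flag_names(rec["userAccountControl"]),
        "sid": sid_to_string(rec["objectSID"]),
    }
```

Calling `decode_user(SAMPLE)` shows the two cases that most often trip up audits: the "never expires" sentinel, which overflows a naive date conversion, and a zero `lockoutTime`, which means the account is not locked out.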