objectcategory vs objectclass

  • Thread starter Thread starter inenewbl
  • Start date Start date
I

inenewbl

Guest
Hi all. I use the following to export names to my csv file.
"csvde -r objectclass=user, -l displayname, -f test.csv"
I found that computer objects are also exported even though i specifically
state objectclass=user. However if i use objectcategory=user instead of
objectclass=user, it will export only user objects and not computer objects.
Why is this so? Pls advise. Thks in advance.
 
Re: objectcategory vs objectclass

Because computer account is also a user account.
You can put them in groups
They are security principals (they have SID's).
You can include them in ACL's
They have passwords (and change them regularly).
etc

Dush

"inenewbl" <inenewbl@discussions.microsoft.com> wrote in message
news:4CE8076B-C74F-49FD-A617-411D09A6C092@microsoft.com...
> Hi all. I use the following to export names to my csv file.
> "csvde -r objectclass=user, -l displayname, -f test.csv"
> I found that computer objects are also exported even though i specifically
> state objectclass=user. However if i use objectcategory=user instead of
> objectclass=user, it will export only user objects and not computer
> objects.
> Why is this so? Pls advise. Thks in advance.
>
 
Re: objectcategory vs objectclass

Just to clarify, the objectClass attribute is multi-valued. Each object can
inherit from one or more classes. User objects have objectClass equal to
top, person, organizationalPerson, and user. Contact objects have
objectClass equal to top, person, organizationalPerson, and contact.
Computer objects have objectClass equal to top, person,
organizationalPerson, user, and computer. Thus, a computer object has all of
the attributes of a user object, plus some more inherited from the computer
class. Computer objects are security principals just like user objects. They
need to authenticate to the domain, have passwords (managed by the system),
and can be granted permissions.

The objectCategory attribute is single-valued. The value is a Distinguished
Name. For user objects objectCategory is
"cn=Person,cn=Schema,cn=configuration,dc=MyDomain,dc=com", where
MyDomain.com is the domain. For contact objects objectCategory is the same,
"cn=Person,cn=Schema,cn=configuration,dc=MyDomain,dc=com". For computer
objects objectCategory is
"cn=Computer,cn=Schema,cn=configuration,dc=MyDomain,dc=com".

When searching AD for objects it is more efficient to use objectCategory
because it is indexed (objectClass is not), but often a combination of
objectClass and objectCategory must be used. The standard search filters
are:

For user objects:
(&(objectCategory=person)(objectClass=user))

For contact objects:
(&(objectCategory=person)(objectClass=contact))

For user and contact objects:
(objectCategory=person)

For computer objects:
(objectCategory=computer)

For group objects:
(objectCategory=group)

The provider translates (objectCategory=person) into the correct DN
appropriate for the domain. Note that there is no such thing as
(objectCategory=user), but the provider translates this into
(objectCategory=person), so it includes contact objects. This may not be
what you want. Another filter for user objects is:

(sAMAccountType=805306368)

This is actually a bit more efficient (since it avoids objectClass), but is
harder to remember.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Dusko Savatovic" <nospam.savatovic@gmail.com> wrote in message
news:%23aRt0PFDJHA.4340@TK2MSFTNGP02.phx.gbl...
> Because computer account is also a user account.
> You can put them in groups
> They are security principals (they have SID's).
> You can include them in ACL's
> They have passwords (and change them regularly).
> etc
>
> Dush
>
> "inenewbl" <inenewbl@discussions.microsoft.com> wrote in message
> news:4CE8076B-C74F-49FD-A617-411D09A6C092@microsoft.com...
>> Hi all. I use the following to export names to my csv file.
>> "csvde -r objectclass=user, -l displayname, -f test.csv"
>> I found that computer objects are also exported even though i
>> specifically
>> state objectclass=user. However if i use objectcategory=user instead of
>> objectclass=user, it will export only user objects and not computer
>> objects.
>> Why is this so? Pls advise. Thks in advance.
>>
>
 
Re: objectcategory vs objectclass

Hi Richard,

Thk you for the detail explanation.
I believe i have to improve on my adsiedit foundation to better understand
this.
I have obtained an mcse but it did not seem to go very indept about adsiedit.
Can you advise any reading material/website so that i can brush up on this
area?
I am also looking at your website www.rlmueller.net for more info. Thks in
advance.

"Richard Mueller [MVP]" wrote:

> Just to clarify, the objectClass attribute is multi-valued. Each object can
> inherit from one or more classes. User objects have objectClass equal to
> top, person, organizationalPerson, and user. Contact objects have
> objectClass equal to top, person, organizationalPerson, and contact.
> Computer objects have objectClass equal to top, person,
> organizationalPerson, user, and computer. Thus, a computer object has all of
> the attributes of a user object, plus some more inherited from the computer
> class. Computer objects are security principals just like user objects. They
> need to authenticate to the domain, have passwords (managed by the system),
> and can be granted permissions.
>
> The objectCategory attribute is single-valued. The value is a Distinguished
> Name. For user objects objectCategory is
> "cn=Person,cn=Schema,cn=configuration,dc=MyDomain,dc=com", where
> MyDomain.com is the domain. For contact objects objectCategory is the same,
> "cn=Person,cn=Schema,cn=configuration,dc=MyDomain,dc=com". For computer
> objects objectCategory is
> "cn=Computer,cn=Schema,cn=configuration,dc=MyDomain,dc=com".
>
> When searching AD for objects it is more efficient to use objectCategory
> because it is indexed (objectClass is not), but often a combination of
> objectClass and objectCategory must be used. The standard search filters
> are:
>
> For user objects:
> (&(objectCategory=person)(objectClass=user))
>
> For contact objects:
> (&(objectCategory=person)(objectClass=contact))
>
> For user and contact objects:
> (objectCategory=person)
>
> For computer objects:
> (objectCategory=computer)
>
> For group objects:
> (objectCategory=group)
>
> The provider translates (objectCategory=person) into the correct DN
> appropriate for the domain. Note that there is no such thing as
> (objectCategory=user), but the provider translates this into
> (objectCategory=person), so it includes contact objects. This may not be
> what you want. Another filter for user objects is:
>
> (sAMAccountType=805306368)
>
> This is actually a bit more efficient (since it avoids objectClass), but is
> harder to remember.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
> "Dusko Savatovic" <nospam.savatovic@gmail.com> wrote in message
> news:%23aRt0PFDJHA.4340@TK2MSFTNGP02.phx.gbl...
> > Because computer account is also a user account.
> > You can put them in groups
> > They are security principals (they have SID's).
> > You can include them in ACL's
> > They have passwords (and change them regularly).
> > etc
> >
> > Dush
> >
> > "inenewbl" <inenewbl@discussions.microsoft.com> wrote in message
> > news:4CE8076B-C74F-49FD-A617-411D09A6C092@microsoft.com...
> >> Hi all. I use the following to export names to my csv file.
> >> "csvde -r objectclass=user, -l displayname, -f test.csv"
> >> I found that computer objects are also exported even though i
> >> specifically
> >> state objectclass=user. However if i use objectcategory=user instead of
> >> objectclass=user, it will export only user objects and not computer
> >> objects.
> >> Why is this so? Pls advise. Thks in advance.
> >>
> >
>
>
>
 
Re: objectcategory vs objectclass

ADSI Edit is part of the Support Tools included on the Windows Server 2003
CD (also Windows 2000 Server). On the CD navigate to the \Support\Tools
folder and click SupTools.msi to install.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"inenewbl" <inenewbl@discussions.microsoft.com> wrote in message
news:EFF4EFAF-B89F-40D4-A34A-51023CC01D6F@microsoft.com...
> Hi Richard,
>
> Thk you for the detail explanation.
> I believe i have to improve on my adsiedit foundation to better understand
> this.
> I have obtained an mcse but it did not seem to go very indept about
> adsiedit.
> Can you advise any reading material/website so that i can brush up on this
> area?
> I am also looking at your website www.rlmueller.net for more info. Thks in
> advance.
>
> "Richard Mueller [MVP]" wrote:
>
>> Just to clarify, the objectClass attribute is multi-valued. Each object
>> can
>> inherit from one or more classes. User objects have objectClass equal to
>> top, person, organizationalPerson, and user. Contact objects have
>> objectClass equal to top, person, organizationalPerson, and contact.
>> Computer objects have objectClass equal to top, person,
>> organizationalPerson, user, and computer. Thus, a computer object has all
>> of
>> the attributes of a user object, plus some more inherited from the
>> computer
>> class. Computer objects are security principals just like user objects.
>> They
>> need to authenticate to the domain, have passwords (managed by the
>> system),
>> and can be granted permissions.
>>
>> The objectCategory attribute is single-valued. The value is a
>> Distinguished
>> Name. For user objects objectCategory is
>> "cn=Person,cn=Schema,cn=configuration,dc=MyDomain,dc=com", where
>> MyDomain.com is the domain. For contact objects objectCategory is the
>> same,
>> "cn=Person,cn=Schema,cn=configuration,dc=MyDomain,dc=com". For computer
>> objects objectCategory is
>> "cn=Computer,cn=Schema,cn=configuration,dc=MyDomain,dc=com".
>>
>> When searching AD for objects it is more efficient to use objectCategory
>> because it is indexed (objectClass is not), but often a combination of
>> objectClass and objectCategory must be used. The standard search filters
>> are:
>>
>> For user objects:
>> (&(objectCategory=person)(objectClass=user))
>>
>> For contact objects:
>> (&(objectCategory=person)(objectClass=contact))
>>
>> For user and contact objects:
>> (objectCategory=person)
>>
>> For computer objects:
>> (objectCategory=computer)
>>
>> For group objects:
>> (objectCategory=group)
>>
>> The provider translates (objectCategory=person) into the correct DN
>> appropriate for the domain. Note that there is no such thing as
>> (objectCategory=user), but the provider translates this into
>> (objectCategory=person), so it includes contact objects. This may not be
>> what you want. Another filter for user objects is:
>>
>> (sAMAccountType=805306368)
>>
>> This is actually a bit more efficient (since it avoids objectClass), but
>> is
>> harder to remember.
>>
>> --
>> Richard Mueller
>> MVP Directory Services
>> Hilltop Lab - http://www.rlmueller.net
>> --
>>
>> "Dusko Savatovic" <nospam.savatovic@gmail.com> wrote in message
>> news:%23aRt0PFDJHA.4340@TK2MSFTNGP02.phx.gbl...
>> > Because computer account is also a user account.
>> > You can put them in groups
>> > They are security principals (they have SID's).
>> > You can include them in ACL's
>> > They have passwords (and change them regularly).
>> > etc
>> >
>> > Dush
>> >
>> > "inenewbl" <inenewbl@discussions.microsoft.com> wrote in message
>> > news:4CE8076B-C74F-49FD-A617-411D09A6C092@microsoft.com...
>> >> Hi all. I use the following to export names to my csv file.
>> >> "csvde -r objectclass=user, -l displayname, -f test.csv"
>> >> I found that computer objects are also exported even though i
>> >> specifically
>> >> state objectclass=user. However if i use objectcategory=user instead
>> >> of
>> >> objectclass=user, it will export only user objects and not computer
>> >> objects.
>> >> Why is this so? Pls advise. Thks in advance.
>> >>
>> >
>>
>>
>>
 

Similar threads

C
Google Pixel 6 vs Pixel 6 Pro: Is it worth spending more for the Pro?
Replies
0
Views
129
Christian de Looper
C
A
Here’s why I use Facebook Messenger over iMessage almost every time
Replies
0
Views
98
Andy Meek
A
N
VS Extension - Creation
Replies
0
Views
170
NachoShaw
N
W
Xamarin - iOS - VS 2019 - cant connect to mac/ios
Replies
0
Views
435
wil70
W
N
VS Community Edition says 'Your evaluation period has ended.'
Replies
0
Views
166
Naomi N
N
Back
Top