Build6000.com - Schema changes in Windows Server 2008 Active Directory

Schema changes in Windows Server 2008 Active Directory

Monday, 03 December 2007

Use this page as a quick reference guide to the new schema attributes and

classes that are found in Windows Server 2008 Active Directory. The following table contain the new attributes as compared to a Windows Server 2003 R2 Active Directory.
This list is compiled using the latest pre-release version of Windows Server 2008. Microsoft may change the server configuration prior to full retail release.
This information is provided for information purposes only and will be updated once the full retail product has been released.

Windows Server 2003 has 1070 attributes, Windows Server 2003 R2 has 1151 attributes. Windows Server 2008 now has 1269 attributes.
Click here for a list of the new attributes.

Windows Server 2003 has 191 classes, Windows Server 2003 R2 has 220 classes. Windows Server 2008 now has 226 classes.
Click here for a list of the new classes.

Windows Server 2003 and Windows Server 2003 R2 have 150 attributes listed in the Global Catalogue. Windows Server 2008 now has 160 attributes listed in the Global Catalogue.
Click here for a list of the new GC attributes.

New Attributes in Windows 2008

Attribute Name	Description	OID	Syntax
ms-DS-AuthenticatedAt-DC	Forward link for ms-DS-AuthenticatedTo-Accountlist; for a User, identifies which DC a user has authenticated to	1.2.840.113556.1.4.1958	2.5.5.1
ms-DS-AuthenticatedTo-Accountlist	Back link for ms-DS-AuthenticatedAt-DC; for a Computer, identifies which users have authenticated to this Computer	1.2.840.113556.1.4.1957	2.5.5.1
ms-DS-Az-Object-Guid	The unique and portable identifier of AzMan objects	1.2.840.113556.1.4.1949	2.5.5.10
ms-DS-Az-Generic-Data	AzMan specific generic data	1.2.840.113556.1.4.1950	2.5.5.12
ms-DS-isGC	For a Directory instance (DSA), Identifies the state of the Global Catalogue on the DSA	1.2.840.113556.1.4.1959	2.5.5.8
ms-DS-isRODC	For a Directory instance (DSA), Identifies whether the DSA is a Read-Only DSA	1.2.840.113556.1.4.1960	2.5.5.8
ms-DS-Maximum-Password-Age	Maximum password age for user accounts.	1.2.840.113556.1.4.2011	2.5.5.16
ms-DS-Minimum-Password-Age	Minimum password age for user accounts.	1.2.840.113556.1.4.2012	2.5.5.16
ms-DS-Minimum-Password-Length	Minimum password length for user accounts.	1.2.840.113556.1.4.2013	2.5.5.9
ms-DS-Password-History-Length	Password history length for user accounts.	1.2.840.113556.1.4.2014	2.5.5.9
ms-DS-Password-Complexity-Enabled	Password complexity status for user accounts.	1.2.840.113556.1.4.2015	2.5.5.8
ms-DS-Password-Reversible-Encryption-Enabled	Password reversible encryption status for user accounts.	1.2.840.113556.1.4.2016	2.5.5.8
ms-DS-Lockout-Observation-Window	Observation window for lockout of user accounts.	1.2.840.113556.1.4.2017	2.5.5.16
ms-DS-Lockout-Duration	Duration of lockout for locked out user accounts.	1.2.840.113556.1.4.2018	2.5.5.16
ms-DS-Lockout-Threshold	Lockout threshold for user accounts.	1.2.840.113556.1.4.2019	2.5.5.9
ms-DS-PSO-Applies-To	Links to objects that this password settings object applies to.	1.2.840.113556.1.4.2020	2.5.5.1
ms-DS-PSO-Applied	Password settings object applied to this object.	1.2.840.113556.1.4.2021	2.5.5.1
ms-DS-Resultant-PSO	Resultant password settings object applied to this object.	1.2.840.113556.1.4.2022	2.5.5.1
ms-DS-Password-Settings-Precedence	Password settings precedence.	1.2.840.113556.1.4.2023	2.5.5.9
ms-DS-NC-Type	A bit field that maintains information about aspects of a NC replica that is relevant to replication.	1.2.840.113556.1.4.2024	2.5.5.9
ms-DS-Phonetic-First-Name	Contains the phonetic given name or first name of the person.	1.2.840.113556.1.4.1942	2.5.5.12
ms-DS-Phonetic-Last-Name	Contains the phonetic last name of the person.	1.2.840.113556.1.4.1943	2.5.5.12
ms-DS-Phonetic-Department	Contains the phonetic department name where the person works.	1.2.840.113556.1.4.1944	2.5.5.12
ms-DS-Phonetic-Company-Name	Contains the phonetic company name where the person works.	1.2.840.113556.1.4.1945	2.5.5.12
ms-DS-Phonetic-Display-Name	The phonetic display name of an object. In the absence of a phonetic display name the existing display name is used.	1.2.840.113556.1.4.1946	2.5.5.12
ms-DS-HAB-Seniority-Index	Contains the seniority index as applied by the organisation where the person works.	1.2.840.113556.1.4.1997	2.5.5.9
ms-DS-Promotion-Settings	For a Computer, contains a XML string to be used for delegated DSA promotion	1.2.840.113556.1.4.1962	2.5.5.12
ms-DS-SiteName	For a Directory instance (DSA), Identifies the site name that contains the DSA	1.2.840.113556.1.4.1961	2.5.5.12
ms-DS-Supported-Encryption-Types	The encryption algorithms supported by user, computer or trust accounts. The KDC uses this information while generating a service ticket for this account. Services/Computers may automatically update this attribute on their respective accounts in Active Directory, and therefore need write access to this attribute.	1.2.840.113556.1.4.1963	2.5.5.9
ms-DS-Principal-Name	Account name for the security principal (constructed).	1.2.840.113556.1.4.1865	2.5.5.12
ms-DS-NC-RO-Replica-Locations	A linked attribute on a cross ref object for a partition. This attribute lists the DSA instances which should host the partition in a read-only manner.	1.2.840.113556.1.4.1967	2.5.5.1
ms-DS-NC-RO-Replica-Locations-BL	Back link attribute for ms-DS-NC-RO-Replica-Locations.	1.2.840.113556.1.4.1968	2.5.5.1
ms-DS-User-Password-Expiry-Time-Computed	Contains the expiry time for the user's current password	1.2.840.113556.1.4.1996	2.5.5.16
ms-DS-KrbTgt-Link	For a computer, Identifies the user object (krbtgt), acting as the domain or secondary domain master secret. Depends on which domain or secondary domain the computer resides in.	1.2.840.113556.1.4.1923	2.5.5.1
ms-DS-Revealed-Users	For a Directory instance (DSA), Identifies the user objects whose secrets have been disclosed to that instance	1.2.840.113556.1.4.1924	2.5.5.7
ms-DS-Has-Full-Replica-NCs	For a Directory instance (DSA), identifies the partitions held as full replicas	1.2.840.113556.1.4.1925	2.5.5.1
ms-DS-Never-Reveal-Group	For a Directory instance (DSA), identifies the security group whose users will never have their secrets disclosed to that instance	1.2.840.113556.1.4.1926	2.5.5.1
ms-DS-Reveal-OnDemand-Group	For a Directory instance (DSA), identifies the security group whose users may have their secrets disclosed to that instance	1.2.840.113556.1.4.1928	2.5.5.1
ms-DS-Secondary-KrbTgt-Number	For a user object (krbtgt), acting as a secondary domain master secret, identifies the protocol identification number associated with the secondary domain.	1.2.840.113556.1.4.1929	2.5.5.9
ms-DS-Revealed-DSAs	Back link for ms-DS-Revealed-Users; for a user, identifies which Directory instances (DSA) hold that user's secret	1.2.840.113556.1.4.1930	2.5.5.1
ms-DS-KrbTgt-Link-BL	Back link for ms-DS-KrbTgt-Link; for a user object (krbtgt) acting as a domain or secondary domain master secret, identifies which computers are in that domain or secondary domain	1.2.840.113556.1.4.1931	2.5.5.1
ms-DS-Is-Full-Replica-For	Back link for ms-Ds-Has-Full-Replica-NCs; for a partition root object, identifies which Directory instances (DSA) hold that partition as a full replica	1.2.840.113556.1.4.1932	2.5.5.1
ms-DS-Is-Domain-For	Back link for ms-DS-Has-Domain-NCs; for a partition root object, identifies which Directory instances (DSA) hold that partition as their primary domain	1.2.840.113556.1.4.1933	2.5.5.1
ms-DS-Is-Partial-Replica-For	Back link for has-Partial-Replica-NCs; for a partition root object, identifies which Directory instances (DSA) hold that partition as a partial replica	1.2.840.113556.1.4.1934	2.5.5.1
ms-DS-Is-User-Cachable-At-Rodc	For a Read-only (RO) directory Instance (DSA) identifies whether the specified user's secrets are cacheable.	1.2.840.113556.1.4.2025	2.5.5.9
ms-DS-Revealed-List	For a Directory instance (DSA), Identifies the user objects whose secrets have been disclosed to that instance	1.2.840.113556.1.4.1940	2.5.5.14
ms-DS-Revealed-List-BL	Back link attribute for ms-DS-Revealed-List.	1.2.840.113556.1.4.1975	2.5.5.1
ms-DS-Last-Successful-Interactive-Logon-Time	The time that the correct password was presented during a C-A-D logon.	1.2.840.113556.1.4.1970	2.5.5.16
ms-DS-Last-Failed-Interactive-Logon-Time	The time that an incorrect password was presented during a C-A-D logon.	1.2.840.113556.1.4.1971	2.5.5.16
ms-DS-Failed-Interactive-Logon-Count	The total number of failed interactive logons since this feature was turned on.	1.2.840.113556.1.4.1972	2.5.5.9
ms-DS-Failed-Interactive-Logon-Count-At-Last-Successful-Logon	The total number of failed interactive logons up until the last successful C-A-D logon.	1.2.840.113556.1.4.1973	2.5.5.9
ms-DFSR-Priority	Priority level	1.2.840.113556.1.6.13.3.25	2.5.5.9
ms-DFSR-DeletedPath	Full path of the Deleted directory	1.2.840.113556.1.6.13.3.26	2.5.5.12
ms-DFSR-DeletedSizeInMb	Size of the Deleted directory in MB	1.2.840.113556.1.6.13.3.27	2.5.5.16
ms-DFSR-ReadOnly	Specify whether the content is read-only or read-write	1.2.840.113556.1.6.13.3.28	2.5.5.8
ms-DFSR-CachePolicy	On-demand cache policy options	1.2.840.113556.1.6.13.3.29	2.5.5.9
ms-DFSR-MinDurationCacheInMin	Minimum time in minutes before truncating files	1.2.840.113556.1.6.13.3.30	2.5.5.9
ms-DFSR-MaxAgeInCacheInMin	Maximum time in minutes to keep files in full form	1.2.840.113556.1.6.13.3.31	2.5.5.9
ms-FVE-RecoveryPassword	This attribute contains the password required to recover a Full Volume Encryption (FVE) volume.	1.2.840.113556.1.4.1964	2.5.5.12
ms-FVE-VolumeGuid	This attribute contains the GUID that is associated with the Bit locker-supported volume.	1.2.840.113556.1.4.1998	2.5.5.10
ms-FVE-KeyPackage	This attribute contains a volume's Bit locker encryption key, secured by the corresponding password.	1.2.840.113556.1.4.1999	2.5.5.10
ms-FVE-RecoveryGuid	This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.	1.2.840.113556.1.4.1965	2.5.5.10
ms-TPM-OwnerInformation	This attribute contains the owner information for a particular TPM.	1.2.840.113556.1.4.1966	2.5.5.12
ms-net-ieee-80211-GP-PolicyGUID	This attribute contains a GUID which identifies a specific 802.11 group policy object on the domain.	1.2.840.113556.1.4.1951	2.5.5.12
ms-net-ieee-80211-GP-PolicyData	This attribute contains all of the settings and data which comprise a group policy configuration for 802.11 wireless networks.	1.2.840.113556.1.4.1952	2.5.5.12
ms-net-ieee-80211-GP-PolicyReserved	Reserved for future use	1.2.840.113556.1.4.1953	2.5.5.10
ms-net-ieee-8023-GP-PolicyGUID	This attribute contains a GUID which identifies a specific 802.3 group policy object on the domain.	1.2.840.113556.1.4.1954	2.5.5.12
ms-net-ieee-8023-GP-PolicyData	This attribute contains all of the settings and data which comprise a group policy configuration for 802.3 wired networks.	1.2.840.113556.1.4.1955	2.5.5.12
ms-net-ieee-8023-GP-PolicyReserved	Reserved for future use	1.2.840.113556.1.4.1956	2.5.5.10
ms-PKI-RoamingTimeStamp	Time stamp for last change to roaming tokens	1.2.840.113556.1.4.1892	2.5.5.10
ms-PKI-DPAPIMasterKeys	Storage of encrypted DPAPI Master Keys for user	1.2.840.113556.1.4.1893	2.5.5.7
ms-PKI-AccountCredentials	Storage of encrypted user credential token blobs for roaming	1.2.840.113556.1.4.1894	2.5.5.7
ms-RADIUS-FramedInterfaceId	This Attribute indicates the IPv6 interface identifier to be configured for the user.	1.2.840.113556.1.4.1913	2.5.5.5
ms-RADIUS-SavedFramedInterfaceId	This Attribute indicates the IPv6 interface identifier to be configured for the user.	1.2.840.113556.1.4.1914	2.5.5.5
ms-RADIUS-FramedIpv6Prefix	This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user.	1.2.840.113556.1.4.1915	2.5.5.5
ms-RADIUS-SavedFramedIpv6Prefix	This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user.	1.2.840.113556.1.4.1916	2.5.5.5
ms-RADIUS-FramedIpv6Route	This Attribute provides routing information to be configured for the user on the NAS.	1.2.840.113556.1.4.1917	2.5.5.5
ms-RADIUS-SavedFramedIpv6Route	This Attribute provides routing information to be configured for the user on the NAS.	1.2.840.113556.1.4.1918	2.5.5.5
SAM-Domain-Updates	Contains a bitmask of performed SAM operations on active directory	1.2.840.113556.1.4.1969	2.5.5.10
ms-TS-Profile-Path	Terminal Services Profile Path specifies a roaming or mandatory profile path to use when the user logs on to the Terminal Server. The profile path is in the following network path format: \\servername\profiles folder name\username	1.2.840.113556.1.4.1976	2.5.5.12
ms-TS-Home-Directory	Terminal Services Home Directory specifies the Home directory for the user. Each user on a Terminal Server has a unique home directory. This ensures that application information is stored separately for each user in a multi-user environment. To set a home directory on the local computer, specify a local path; for example, C:\Path. To set a home directory in a network environment, you must first set the TerminalServicesHomeDrive property, and then set this property to a UNC path.	1.2.840.113556.1.4.1977	2.5.5.12
ms-TS-Home-Drive	Terminal Services Home Drive specifies a Home drive for the user. In a network environment, this property is a string containing a drive specification (a drive letter followed by a colon) to which the UNC path specified in the TerminalServicesHomeDirectory property is mapped. To set a home directory in a network environment, you must first set this property and then set the TerminalServicesHomeDirectory property.	1.2.840.113556.1.4.1978	2.5.5.12
ms-TS-Allow-Logon	Terminal Services Allow Logon specifies whether the user is allowed to log on to the Terminal Server. The value is 1 if logon is allowed and 0 if logon is not allowed.	1.2.840.113556.1.4.1979	2.5.5.8
ms-TS-Remote-Control	Terminal Services Remote Control specifies the whether to allow remote observation or remote control of the user's Terminal Services session. For a description of these values, see the RemoteControl method of the Win32_TSRemoteControlSetting WMI class. 0 – Disable 1 – EnableInputNotify 2 – EnableInputNoNotify 3 - EnableNoInputNotify 4 - EnableNoInputNoNotify	1.2.840.113556.1.4.1980	2.5.5.9
ms-TS-Max-Disconnection-Time	Terminal Services Session Maximum Disconnection Time is maximum amount of time, in minutes, that a disconnected Terminal Services session remains active on the Terminal Server. After the specified number of minutes has elapsed, the session is terminated.	1.2.840.113556.1.4.1981	2.5.5.9
ms-TS-Max-Connection-Time	Terminal Services Session maximum Connection Time is Maximum duration, in minutes, of the Terminal Services session. After the specified number of minutes has elapsed, the session can be disconnected or terminated.	1.2.840.113556.1.4.1982	2.5.5.9
ms-TS-Max-Idle-Time	Terminal Services Session Maximum Idle Time is maximum amount of time, in minutes, that the Terminal Services session can remain idle. After the specified number of minutes has elapsed, the session can be disconnected or terminated.	1.2.840.113556.1.4.1983	2.5.5.9
ms-TS-Reconnection-Action	Terminal Services Session Reconnection Action specifies whether to allow reconnection to a disconnected Terminal Services session from any client computer. The value is 1 if reconnection is allowed from the original client computer only and 0 if reconnection from any client computer is allowed.	1.2.840.113556.1.4.1984	2.5.5.8
ms-TS-Broken-Connection-Action	Terminal Services Session Broken Connection Action specifies the action to take when a Terminal Services session limit is reached. The value is 1 if the client session should be terminated and 0 if the client session should be disconnected.	1.2.840.113556.1.4.1985	2.5.5.8
ms-TS-Connect-Client-Drives	Terminal Services Session Connect Client Drives At Logon specifies whether to reconnect to mapped client drives at logon. The value is 1 if reconnection is enabled and 0 if reconnection is disabled.	1.2.840.113556.1.4.1986	2.5.5.8
ms-TS-Connect-Printer-Drives	Terminal Services Session Connect Printer Drives At Logon specifies whether to reconnect to mapped client printers at logon. The value is 1 if reconnection is enabled and 0 if reconnection is disabled.	1.2.840.113556.1.4.1987	2.5.5.8
ms-TS-Default-To-Main-Printer	Terminal Services Default To Main Printer specifies whether to print automatically to the client's default printer. The value is 1 if printing to the client's default printer is enabled and 0 if it is disabled.	1.2.840.113556.1.4.1988	2.5.5.8
ms-TS-Work-Directory	Terminal Services Session Work Directory specifies the working directory path for the user. To set an initial application to start when the user logs on to the Terminal Server, you must first set the TerminalServicesInitialProgram property, and then set this property.	1.2.840.113556.1.4.1989	2.5.5.12
ms-TS-Initial-Program	Terminal Services Session Initial Program specifies the Path and file name of the application that the user wants to start automatically when the user logs on to the Terminal Server. To set an initial application to start when the user logs on, you must first set this property and then set the TerminalServicesWorkDirectory property. If you set only the TerminalServicesInitialProgram property, the application starts in the user's session in the default user directory.	1.2.840.113556.1.4.1990	2.5.5.12
MS-TS-Property01	Placeholder Terminal Server Property 01	1.2.840.113556.1.4.1991	2.5.5.12
MS-TS-Property02	Placeholder Terminal Server Property 02	1.2.840.113556.1.4.1992	2.5.5.12
MS-TS-ExpireDate	TS Expiration Date	1.2.840.113556.1.4.1993	2.5.5.11
MS-TS-ExpireDate2	Expiration date of the second TS per user CAL.	1.2.840.113556.1.4.2000	2.5.5.11
MS-TS-ExpireDate3	Expiration date of the third TS per user CAL.	1.2.840.113556.1.4.2003	2.5.5.11
MS-TS-ExpireDate4	Expiration date of the fourth TS per user CAL.	1.2.840.113556.1.4.2006	2.5.5.11
MS-TS-LicenseVersion	TS License Version	1.2.840.113556.1.4.1994	2.5.5.12
MS-TS-LicenseVersion2	Version of the second TS per user CAL.	1.2.840.113556.1.4.2001	2.5.5.12
MS-TS-LicenseVersion3	Version of the third TS per user CAL.	1.2.840.113556.1.4.2004	2.5.5.12
MS-TS-LicenseVersion4	Version of the fourth TS per user CAL.	1.2.840.113556.1.4.2007	2.5.5.12
MS-TS-ManagingLS	TS Managing License Server	1.2.840.113556.1.4.1995	2.5.5.12
MS-TS-ManagingLS2	Issuer name of the second TS per user CAL.	1.2.840.113556.1.4.2002	2.5.5.12
MS-TS-ManagingLS3	Issuer name of the third TS per user CAL.	1.2.840.113556.1.4.2005	2.5.5.12
MS-TS-ManagingLS4	Issuer name of the fourth TS per user CAL.	1.2.840.113556.1.4.2008	2.5.5.12
MS-TSLS-Property01	Placeholder Terminal Server Property 01	1.2.840.113556.1.4.2009	2.5.5.12
MS-TSLS-Property02	Placeholder Terminal Server Property 02	1.2.840.113556.1.4.2010	2.5.5.12
ms-DFSR-DisablePacketPrivacy	Disable packet privacy on a connection	1.2.840.113556.1.6.13.3.32	2.5.5.8
ms-DFSR-DefaultCompressionExclusionFilter	Filter string containing extensions of file types not to be compressed	1.2.840.113556.1.6.13.3.34	2.5.5.12
ms-DFSR-OnDemandExclusionFileFilter	Filter string applied to on demand replication files	1.2.840.113556.1.6.13.3.35	2.5.5.12
ms-DFSR-OnDemandExclusionDirectoryFilter	Filter string applied to on demand replication directories	1.2.840.113556.1.6.13.3.36	2.5.5.12
ms-DFSR-Options2	Object Options2	1.2.840.113556.1.6.13.3.37	2.5.5.9
ms-DFSR-CommonStagingPath	Full path of the common staging directory	1.2.840.113556.1.6.13.3.38	2.5.5.12
ms-DFSR-CommonStagingSizeInMb	Size of the common staging directory in MB	1.2.840.113556.1.6.13.3.39	2.5.5.16
ms-DFSR-StagingCleanupTriggerInPercent	Staging cleanup trigger in percent of free disk space	1.2.840.113556.1.6.13.3.40	2.5.5.9

New Classes in Windows 2008

Attribute Name	OID
ms-DS-Password-Settings	1.2.840.113556.1.5.255
ms-DS-Password-Settings-Container	1.2.840.113556.1.5.256
NTDS-DSA-RO	1.2.840.113556.1.5.254
ms-net-ieee-80211-GroupPolicy	1.2.840.113556.1.5.251
ms-net-ieee-8023-GroupPolicy	1.2.840.113556.1.5.252
ms-FVE-RecoveryInformation	1.2.840.113556.1.5.253

New Inclusions in the GC for Windows 2008

Attribute	Description
Last-Logon-Timestamp	This is the time that the user last logged into the domain. Whenever a user logs on, the value of this attribute is read from the DC. If the value is older [current_time - msDS-LogonTimeSyncInterval], the value is updated. The initial update after the raise of the domain functional level is calculated as 14 days minus random percentage of 5 days.
MS-DRM-Identity-Certificate	The XrML digital rights management certificates for this user.
ms-DS-Phonetic-First-Name	Contains the phonetic given name or first name of the person.
ms-DS-Phonetic-Last-Name	Contains the phonetic last name of the person.
ms-DS-Phonetic-Department	Contains the phonetic department name where the person works.
ms-DS-Phonetic-Company-Name	Contains the phonetic company name where the person works.
ms-DS-Phonetic-Display-Name	The phonetic display name of an object. In the absence of a phonetic display name the existing display name is used.
ms-DS-HAB-Seniority-Index	Contains the seniority index as applied by the organisation where the person works.
ms-FVE-VolumeGuid	This attribute contains the GUID that is associated with the Bit locker-supported volume.
ms-FVE-RecoveryGuid	This attribute contains the GUID associated with a Full Volume Encryption (FVE) recovery password.

Marcus Walshe
		About the author:
		This is a test entry, full details following shortly.

Articles by this Author:

View all articles by this author

Last Updated ( Monday, 03 December 2007 )

Next >

[ Back ]

New Attributes in Windows 2008

New Classes in Windows 2008

New Inclusions in the GC for Windows 2008

Who's Online