Overview [1]#

The LDAP_SERVER_EXTENDED_DN_OID SupportedControl is used with an extended LDAP search function to request an extended form of an Microsoft Active Directory object distinguished name DN.

The extended form includes a string representation of the object ObjectGUID property. For security principal objects such as:

  • users
  • groups
  • computers
the extended form also includes a string representation of the object objectSID property.


To use this control, set the members of the LDAPControl structure as follows:
  • PWCHAR ldctl_oid = LDAP_SERVER_EXTENDED_DN_OID = 1.2.840.113556.1.4.529
  • struct berval ldctl_value
  • BOOLEAN ldctl_iscritical;




Specifies the BER-encoded sequence of parameters that enables the application to specify the string format of the returned GUID and objectSID. In the berval structure, set bv_val to a pointer to the sequence that contains the flag data and set bv_len to the length of the sequence. For more information, see the Remarks section.


ldctl_iscritical Can be TRUE or FALSE depending on whether the search is critical to your application.


The Extended DN Control enables the client to request that the results returned by an LDAP search that uses this control return the GUID and objectSID data of an object along with the object distinguishedName, which is returned as follows.
  • xxxxxxxx is a string that contains the ObjectGUID
  • yyyyyyyy is a string that contains the objectSID
  • distinguishedName is the DN, as in "cn=users,dc=fabrikam,dc=com".
The GUID and DN are always present; the objectSID is present only for security principals.

The ldctl_value field specifies the string format of the returned GUID and objectSID values, and is set to the following Ber-encoded sequence:

Sequence {
  Flag    INTEGER

A ldctl_value value 0 specifies that the ObjectGUID and objectSID values be returned in hexadecimal string format such as "<GUID=3BC72D2DEC5A704BBDC21F4EF97B7870>" and "<SID=0105000000000005150000005951B81766725D2564633B0B9B602C00>".

A ldctl_value value of 1 will return the ObjectGUID and objectSID values in standard string format such as "<GUID=098f2470-bae0-11cd-b579-08002b30bfeb>" and "<SID=S-1-5-21-397955417-626881126-188441444-2908315>".

When sending this control to a Windows 2000 operating system DC, the ldctl_value field is omitted.

When sending this control to any of:

  • Windows Server 2003 DC
  • Windows Server 2008 DC
  • Windows Server 2008 R2 DC
  • Windows Server 2012 DC
  • Windows Server 2012 R2 DC
the ldctl_value field is either omitted or is set to one of the following:
  • 0 - the DC returns the values of the objectGUID and objectSid attributes as a hexadecimal representation of their binary format.
  • 1 - the DC returns the GUID in dashed-string format (RFC 4122 section 3) and the objectSID in SDDL objectSID string format (MS-DTYP section The returned SDDL SID string begins with "S-".
  • neither 0 nor 1 - then it does not conform with the specification of this control. (Whatever that means)

Examples [2]#

For example, setting ldctl_value to 0 (or omitting the controlValue field) might return the following extended DN:
<GUID=b3d4bfbd3c45ee4298e27b4a698a61b8>;<SID=01050000000000051500000061eb5b8c50ef705befda808bf4010000>;CN=Administrator, CN=Users,DC=Fabrikam,DC=com

While setting ldctl_value to 1 would return the same object's extended DN in the following form:

<GUID=bdbfd4b3-453c-42ee-98e2-7b4a698a61b8>;<SID=S-1-5-21-2354834273-1534127952-2340477679-500>;CN=Administrator, CN=Users,DC=Fabrikam,DC=com

More Information#

There might be more information for this subject on one of the following: