<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow" />
<link rel="shortcut icon" type="image/x-icon" href="/wiki/images/favicon.ico" />
<link rel="icon" type="image/x-icon" href="/wiki/images/favicon.ico" />

<pre>
%%information
[{$pagename}] has information that is is specific to [Microsoft Active Directory]!
%%

!!! Overview [1]
Each entry has a multi-valued [objectClass] property that identifies the class of which the object is an instance, as well as all structural or abstract superclasses from which that class is derived. Thus, the objectClass property of a user object would identify the top, person, organizationalPerson, and user classes. 

!! [objectClass] Property
The [objectClass] property (More LDAP people call these attributes) do not include [Statically Linked Auxiliary Classes] in the list. The system sets the objectClass value when the object instance is created and it cannot be changed.

Prior to Windows Server 2008, the objectClass attribute is not indexed. This is because it has multiple values and is highly non-unique; that is, every instance of the objectClass attribute includes the top class. This means an index would be very large and ineffective. To locate objects of a given class, use the objectCategory attribute, which is single-valued and indexed.

!! [objectCategory] Property
Each instance of an object class also has an [objectCategory] property, which is a single-valued property that contains the distinguished name of either the class of which the object is an instance or one of its superclasses. When an object is created, the system sets its objectCategory property to the value specified by the defaultObjectCategory property of its object class. An object's objectCategory property cannot be changed.


!! Creating a Custom Object
If you create a subclass from a structural class, the best practice is to set the [defaultObjectCategory] value of the new class to the same distinguished name of the superclass. This allows the standard UI to &quot;find&quot; the subclass.

%%warning
Prior to [Windows Server 2008], the [objectClass] attribute __is not indexed__. This is because it has multiple values and is highly non-unique; that is, every instance of the [objectClass] attribute includes the top class. This means an index would be very large and ineffective. To locate objects of a given class, use the [objectCategory] attribute, which is [SINGLE-VALUE] and indexed.
%%

!! [LDAP Filter Choices] on [objectCategory] and [objectClass]
When your filter clause includes the objectCategory attribute, LDAP does some magic to convert the values for your convenience. 

The objectCategory attribute is a [DN] attribute. A typical value for an object in Active Directory might be &quot;cn=person,cn=Schema,cn=Configuration,dc=MyDomain,dc=com&quot;. You coulld use a filter clause similar to the following:
{{{
(objectCategory=cn=person,cn=Schema,cn=Configuration,dc=MyDomain,dc=com)
}}}

However, Active Directory allows you to instead use the following shortcut:
{{{
(objectCategory=person)
}}}

The cobinations of the [{$pagename}] are a little complex and not intuitive, the following table documents the result of various combinations of clauses specifying values for objectCategory and objectClass:

%%zebra-table
%%sortable
%%table-filter
||TABLLE||HEADINGS
||objectCategory||objectClass||Result
|person|user|user objects
|person| |user and contact objects
|person|contact|contact objects
| |user|user and computer objects
|computer| |computer objects
|user| |user and contact objects
| |contact|contact objects
| |computer|computer objects
| |person|user, computer, and contact objects
|contact|user and contact objects
|group| |group objects
| group|group objects
|person|organizationalPerson|user and contact objects
| |organizationalPerson|user, computer, and contact objects
|organizationalPerson| |user and contact objects
/%
/%
/%

Use the filter that makes your intent most clear. Also, if you have a choice between using objectCategory and objectClass, usually is recommended that you use objectCategory. That is because objectCategory is both single valued and indexed, while objectClass is multi-valued and not indexed (except on Windows Server 2008 and above). A query using a filter with objectCategory will be more efficient than a similar filter with objectClass. Windows Server 2008 domain controllers (and above) have a special behavior that indexes the objectClass attribute. 

You can take advantage of this if all of your domain controllers are [Windows Server 2008], or if you specify a [Windows Server 2008] domain controller in your query.


!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]

----
* [#1] - [http://msdn.microsoft.com/en-us/library/windows/desktop/ms677612(v=vs.85).aspx] - Retrieved 2013-03-10
* [#2] - [Filter on objectCategory and objectClass|https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx|target='_blank'] - based on information obtained 2020-05-30 
</pre>