Guest inenewbl
Posted September 1, 2008

Hi all. I use the following to export names to my csv file.
"csvde -r objectclass=user, -l displayname, -f test.csv"
I found that computer objects are also exported even though I specifically state objectclass=user. However if I use objectcategory=user instead of objectclass=user, it will export only user objects and not computer objects.
Why is this so? Pls advise. Thks in advance.

Guest Dusko Savatovic
Posted September 1, 2008

Re: objectcategory vs objectclass

Because computer account is also a user account.
You can put them in groups
They are security principals (they have SID's).
You can include them in ACL's
They have passwords (and change them regularly).
etc

Dush

Guest Richard Mueller [MVP]
Posted September 1, 2008

Re: objectcategory vs objectclass

Just to clarify, the objectClass attribute is multi-valued. Each object can inherit from one or more classes. User objects have objectClass equal to top, person, organizationalPerson, and user. Contact objects have objectClass equal to top, person, organizationalPerson, and contact. Computer objects have objectClass equal to top, person, organizationalPerson, user, and computer. Thus, a computer object has all of the attributes of a user object, plus some more inherited from the computer class. Computer objects are security principals just like user objects. They need to authenticate to the domain, have passwords (managed by the system), and can be granted permissions.

The objectCategory attribute is single-valued. The value is a Distinguished Name. For user objects objectCategory is "cn=Person,cn=Schema,cn=configuration,dc=MyDomain,dc=com", where MyDomain.com is the domain. For contact objects objectCategory is the same, "cn=Person,cn=Schema,cn=configuration,dc=MyDomain,dc=com". For computer objects objectCategory is "cn=Computer,cn=Schema,cn=configuration,dc=MyDomain,dc=com".

When searching AD for objects it is more efficient to use objectCategory because it is indexed (objectClass is not), but often a combination of objectClass and objectCategory must be used. The standard search filters are:

For user objects:
(&(objectCategory=person)(objectClass=user))

For contact objects:
(&(objectCategory=person)(objectClass=contact))

For user and contact objects:
(objectCategory=person)

For computer objects:
(objectCategory=computer)

For group objects:
(objectCategory=group)

The provider translates (objectCategory=person) into the correct DN appropriate for the domain. Note that there is no such thing as (objectCategory=user), but the provider translates this into (objectCategory=person), so it includes contact objects. This may not be what you want. Another filter for user objects is:

(sAMAccountType=805306368)

This is actually a bit more efficient (since it avoids objectClass), but is harder to remember.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

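The filters from the answer above, evaluated against three constructed directory entries, as an added example that is not part of the original thread. The entry names (jsmith, vendor1, WKS01$), the machine-account sAMAccountType value 805306369, and the `DEFAULT_CATEGORY` map that models the shorthand translation are assumptions made for illustration; the evaluator handles only `&`, `|`, `!` and equality.

```python
SCHEMA = "cn=Schema,cn=configuration,dc=MyDomain,dc=com"
PERSON = ["top", "person", "organizationalPerson"]
ENTRIES = {  # names are constructed; 805306369 (machine account) is not from the thread
    "jsmith":  {"objectClass": PERSON + ["user"],
                "objectCategory": ["cn=Person," + SCHEMA],
                "sAMAccountType": ["805306368"]},
    "vendor1": {"objectClass": PERSON + ["contact"],
                "objectCategory": ["cn=Person," + SCHEMA]},
    "WKS01$":  {"objectClass": PERSON + ["user", "computer"],
                "objectCategory": ["cn=Computer," + SCHEMA],
                "sAMAccountType": ["805306369"]},
}
# Shorthand translation the post describes: objectCategory=user resolves to Person.
DEFAULT_CATEGORY = {"person": "Person", "user": "Person", "contact": "Person",
                    "computer": "Computer", "group": "Group"}

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1              # step over the closing ")"
    j = f.index(")", i)
    attr, value = f[i:j].split("=", 1)
    return ("=", attr.strip(), value.strip()), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (all attributes multi-valued)."""
    if node[0] == "=":
        _, attr, want = node
        if attr.lower() == "objectcategory" and "=" not in want:
            want = f"cn={DEFAULT_CATEGORY.get(want.lower(), want)},{SCHEMA}"
        have = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        return any(want.lower() == h.lower() for h in have)
    op, kids = node
    results = [matches(k, entry) for k in kids]
    if op == "!":
        return not results[0]
    return all(results) if op == "&" else any(results)

def search(ldap_filter):
    tree, _ = parse(ldap_filter)
    return [name for name, e in ENTRIES.items() if matches(tree, e)]
```

`search("(objectClass=user)")` returns both the user and the computer account, which is the behaviour the original question ran into, while the combined and sAMAccountType filters return the user alone.
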
Guest inenewbl
Posted September 2, 2008

Re: objectcategory vs objectclass

Hi Richard,

Thank you for the detailed explanation.
I believe I have to improve on my adsiedit foundation to better understand this.
I have obtained an MCSE but it did not seem to go very in depth about adsiedit.
Can you advise any reading material/website so that I can brush up on this area?
I am also looking at your website http://www.rlmueller.net for more info. Thks in advance.

Guest Richard Mueller [MVP]
Posted September 2, 2008

Re: objectcategory vs objectclass

ADSI Edit is part of the Support Tools included on the Windows Server 2003 CD (also Windows 2000 Server). On the CD navigate to the \Support\Tools folder and click SupTools.msi to install.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--