Tuesday, November 18, 2014

Active Directory Schema

The Active Directory schema defines what the different types of objects look like within Active Directory. What is a user? What properties does a group have? Active Directory comes with a prepopulated base schema, and it can be modified or extended to meet the needs of custom applications.

Every resource in Active Directory is represented as an object, and each object has a set of attributes associated with it. Each object is defined within the Active Directory schema. The schema is a master database that contains definitions of all objects in Active Directory--in a way it defines what Active Directory is. The schema has two components: object classes and attributes. Each object that is represented in Active Directory--for example, the user smith and the printer Laserprinter--is an instance of the user and printer object classes, respectively.

Each object class in the schema is further defined according to a list of attributes that make the object class unique within the database. The list of attributes is defined only once in the schema, but the same attribute can be associated with more than one object class. Some attributes are required attributes that are necessary for the object to be created, such as a user account logon name. Other optional attributes, such as street address and phone number, provide additional details that can be published for user and administrative purposes.

When Active Directory is installed, a number of object classes are created automatically. Some of these object classes include users, groups, computers, domain controllers and printers.

All object classes have a common set of attributes that help to uniquely identify each object within the database. Some of these common attributes are as follows:

Unique Name: This name identifies the object in the database. A unique name is given to the object upon its creation and includes references to its location within the directory database.
Globally Unique Identifier (GUID): This GUID is a 128-bit hexadecimal number that is assigned to every object in the Active Directory forest upon its creation. This number does not change, even when the object itself is renamed. The number is not used again, even if an object is deleted and recreated with the same display name.
Required object attributes: These attributes are required for the object to function. For example, a user account must have a unique name and a password entered upon creation.
Optional object attributes: These attributes add information that is not critical to the object in terms of functionality. This type of information is "nice to know" as opposed to "need to know". An example of an optional object attribute would be a phone number or street address for a user account.
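To make the ideas above concrete (object classes, required versus optional attributes, one attribute shared by several classes, and a GUID that survives a rename but is never reused), here is an added worked example in Python. It is not code from the original post and does not talk to a real directory: the schema excerpt is constructed and deliberately simplified, using the real AD property names subClassOf, mustContain and mayContain but with made-up attribute lists, and it goes slightly beyond the text by showing how a class inherits attributes from its parent classes (user from organizationalPerson, person and top).

```python
"""Toy model of Active Directory schema classes and directory objects.

Added example, not code from the original post. SCHEMA is a constructed,
simplified excerpt: real AD classes carry many more attributes and extra
schema properties (governsID, objectClassCategory, ...), and a real
objectGUID is assigned by the domain controller, not by uuid4().
"""
import uuid

# Constructed schema excerpt. subClassOf gives the inheritance chain AD
# uses (user -> organizationalPerson -> person -> top); a class's effective
# attribute lists are the union of its own lists and its parents' lists.
# Note that "description" is defined once but reachable from every class,
# and "sAMAccountName" is required by both user and group.
SCHEMA = {
    "top": {"subClassOf": None,
            "mustContain": ["objectClass", "instanceType"],
            "mayContain": ["description", "displayName"]},
    "person": {"subClassOf": "top",
               "mustContain": ["cn"],
               "mayContain": ["telephoneNumber"]},
    "organizationalPerson": {"subClassOf": "person",
                             "mustContain": [],
                             "mayContain": ["streetAddress", "title"]},
    "user": {"subClassOf": "organizationalPerson",
             "mustContain": ["sAMAccountName"],
             "mayContain": ["userPrincipalName", "memberOf"]},
    "group": {"subClassOf": "top",
              "mustContain": ["groupType", "sAMAccountName"],
              "mayContain": ["member"]},
}


def effective_attributes(class_name, schema=SCHEMA):
    """Return (required, optional) attribute sets, walking the subClassOf chain."""
    required, optional = set(), set()
    current = class_name
    while current is not None:
        entry = schema[current]
        required.update(entry["mustContain"])
        optional.update(entry["mayContain"])
        current = entry["subClassOf"]
    return required, optional


def validate_object(class_name, attrs, schema=SCHEMA):
    """Return a list of problems; an empty list means the object is schema-valid."""
    required, optional = effective_attributes(class_name, schema)
    given = set(attrs)
    problems = []
    for name in sorted(required - given):
        problems.append(f"missing required attribute {name}")
    for name in sorted(given - required - optional):
        problems.append(f"attribute {name} is not defined for class {class_name}")
    return problems


class Directory:
    """Objects keyed by GUID; the distinguished name encodes location and may change."""

    def __init__(self):
        self.by_guid = {}

    def create(self, dn, class_name, attrs, schema=SCHEMA):
        """Create an object only if it satisfies the schema; return its new GUID."""
        problems = validate_object(class_name, attrs, schema)
        if problems:
            raise ValueError("; ".join(problems))
        guid = str(uuid.uuid4())  # fresh every time: never reused after delete + recreate
        self.by_guid[guid] = {"dn": dn, **attrs}
        return guid

    def rename(self, guid, new_dn):
        """Move or rename the object: the DN changes, the GUID does not."""
        self.by_guid[guid]["dn"] = new_dn

    def delete(self, guid):
        del self.by_guid[guid]


if __name__ == "__main__":
    d = Directory()
    smith = {"objectClass": "user", "instanceType": 4, "cn": "smith",
             "sAMAccountName": "smith", "telephoneNumber": "555-0100"}
    guid = d.create("CN=smith,CN=Users,DC=example,DC=com", "user", smith)
    d.rename(guid, "CN=smith,OU=Sales,DC=example,DC=com")
    print(guid, d.by_guid[guid]["dn"])
    print(validate_object("user", {"objectClass": "user", "instanceType": 4, "cn": "smith"}))
```

The validator mirrors what a domain controller does on an LDAP add: an object missing a mustContain attribute of its class (or of any parent class) is rejected, and so is an object carrying an attribute that no class in its chain defines. The Directory class keeps objects keyed by GUID precisely so that a rename is a DN update and nothing else, which is why audit and incident-response tooling should track objects by objectGUID rather than by name.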

As I said, the schema can be modified to include additional objects and attributes when necessary. Each object in the schema is protected by access control lists (ACLs), so that only authorized administrators can access and modify the schema. ACLs are implemented by the administrator and used by the directory to keep track of which users and groups have permission to access specific objects and to what degree they can use or modify them.

The Active Directory schema plays a very important role in AD, particularly when object attributes need to be extended. Administrators must make any modification to the AD schema very carefully.
