A list of all the user attributes with maximum data sizes, including Microsoft Exchange Extensions.
| Description | LDAP provider property | Alias | WinNT provider property |
LDAP Max Length |
Multi- Valued ? |
LDAP Property Method |
|---|---|---|---|---|---|---|
| Account expires end of (date) | accountExpires | Date | AccountExpirationdate | |||
| Country/region (ISO 4217) | c | co, countryCode | Predefined values (3 digit int returns String) |
|||
| Common Name (givenName + SN) | cn | String(64) | ||||
| Company | company | String(64) | ||||
| Department | department | String(64) | ||||
| Description | description | description | String(1024) | |||
| Display name | displayName | FullName | fullName | String(256) | FullName | |
| Fax | facsimileTelephoneNumber | String(64) | FaxNumber | |||
| Given name. In western countries this is often the first name. In Eastern countries this is often the last name. |
givenName | FirstName | String(64) | FirstName | ||
| Home Folder, Connect to Path | homeDirectory | homeDirectory | String | |||
| Home Drive, Connect to Drive | homeDrive | homeDirDrive | Predefined values (String) |
|||
| Home | homePhone | String(64) | TelephoneHome | |||
| Notes | info | String(1024) | ||||
| Initials | initials | String(6) | ||||
| IP phone | ipPhone | String(64) | ||||
| City | l | City | String(128) | |||
| Logon Hours… | logonHours | Binary | LoginHours | |||
| EmailAddress | String(256) | EmailAddress | ||||
| Manager | manager | Distinguished Name | ||||
| Mobile | mobile | String(64) | TelephoneMobile | |||
| Other Fax numbers | otherFacsimileTelephoneNumber | String(64) | Yes | |||
| Other Home phone numbers | otherHomePhone | String(64) | Yes | |||
| Other IP phone numbers | otherIpPhone | String | Yes | |||
| Other Mobile numbers | otherMobile | String(64) | Yes | |||
| Other Pager numbers | otherPager | String(64) | Yes | |||
| Other Telephone numbers | otherTelephone | String(64) | Yes | |||
| Pager | pager | String(64) | TelephonePager | |||
| Office | physicalDeliveryOfficeName | String(128) | OfficeLocations | |||
| Zip/Postal Code | postalCode | String(40) | ||||
| P.O. Box | postOfficeBox | String(40) | ||||
| User Profile path | profilePath | profile | String | |||
| User must change password at next logon | pwdLastSet | Boolean | ||||
| pre-Windows 2000 logon name | sAMAccountName | name | String(256) | |||
| Logon script | scriptPath | loginScript | String | LoginScript | ||
| Surname. In western countries this is often the last name. In Eastern countries this is often the first name. |
sn | LastName | String(64) | LastName | ||
| State/province | st | String(128) | ||||
| Street | streetAddress | String(1024) | ||||
| Telephone number | telephoneNumber | String(64) | ||||
| Title (Job Title) | title | String(128) | ||||
| Other Web pages | url | Multi-String(2048) | Yes | |||
| Account is Disabled | UserAccountControl flag (AccountDisabled/0x0002) |
Boolean | AccountDisabled | |||
| User cannot change password | UserAccountControl flag To set this: Modify the ACE |
Boolean | ||||
| Password never expires | UserAccountControl flag (DONT_EXPIRE_PASSWORD/0x10000) |
Boolean | ||||
| Store password using reversible encryption | UserAccountControl flag | Boolean | ||||
| User logon name | userPrincipalName | String(1024) | ||||
| Logon On To… (Logon Workstations) | userWorkstations | String(1024) | Yes | LoginWorkstations | ||
| Web page | wWWHomePage | String(2048) | HomePage | |||
| MS Exchange extensions | ExtensionAttribute1 | String(1024) | ||||
| MS Exchange extensions | ExtensionAttribute2 | String(1024) | ||||
| MS Exchange extensions | ExtensionAttribute... | String(1024) | ||||
| MS Exchange extensions | ExtensionAttribute14 | String(1024) | ||||
| MS Exchange extensions | ExtensionAttribute15 | String(1024) | ||||
| MS Exchange extensions 2010 | ExtensionCustomAttribute1 | Yes | ||||
| MS Exchange extensions 2010 | ExtensionCustomAttribute2 | Yes | ||||
| MS Exchange extensions 2010 | ExtensionCustomAttribute3 | Yes | ||||
| MS Exchange extensions 2010 | ExtensionCustomAttribute4 | Yes | ||||
| MS Exchange extensions 2010 | ExtensionCustomAttribute5 | Yes |
The Microsoft Exchange attributes aren’t used by any Exchange components.
They can be used to store additional data in Active Directory without having to extend the Active Directory schema.
LDAP query options with examples. Each entire LDAP statement must be encompassed in a set of parentheses( ).
Operator Description Examples = (EQUAL TO, The attribute must be equal to a certain value to be true.) Find all objects that have the first name of Alice:
(givenName=Alice)& (logical AND, More than one condition must be true.) Find all of the people that have the first name of Alice and live in Venice:
(&(givenName=Alice)(l=Venice))! (logical NOT, Exclude objects with a certain attribute.) Find all objects except those with the first name of Alice:
(!givenName=Alice)* (Wildcard, match anything) Find all objects that have a value (any value) for title
(title=*)
Find a given name that starts with Al:
(givenName=Al*)| (Logical OR, either condition must be true) Find all objects that are in Venice or in Milan:
(|(l=Venice)(l=Milan))LDAP filters also have a special matching rule Object IDentifiers (OIDs)
Many attributes in Active Directory are composed of bit flags. A bit flag is often used to encode properties about an object into a single attribute.
OID Description Example 1.2.840.113556.1.4.803 Bitwise AND Return all disabled accounts.
normal user account (flag 512) AND disabled account (flag 2):
(userAccountControl:1.2.840.113556.1.4.803:=514)1.2.840.113556.1.4.804 Bitwise OR Return all user accounts.
normal user account (flag 512) OR disabled account (flag 2):
(useraccountcontrol:1.2.840.113556.1.4.804:=514)1.2.840.113556.1.4.1941 Chain matching (for distinguished name attributes) Comparison operators:
Operator Meaning = Equality >= Greater than or equal to (lexicographical) <= Less than or equal to (lexicographical) Note that the operators "<" and ">" are not supported.
This LDAP query syntax can be combined for more complex questions
Find all objects that are in Venice or Milan, and that have the first name of Alice:(&(givenName=Alice)(|(l=Venice)(l=Milan)))The ! operator in conjunction with the wildcard operator will look for objects where that attribute is not set to anything.
“We learn more by looking for the answer to a question and not finding it than we do from learning the answer itself” ~ Lloyd Alexander
Get-adGroup - Get one or more AD groups.
Get-adUser - Get one or more AD users.
ComputerInfo / UserInfo - Active Directory Users and Computers - custom search.
CSVDE / LDIFDE - Create, modify or delete directory objects.
TechNet wiki - LDAP Syntax Filters.
GitHub - LDAP Search Filter Cheatsheet.
Microsoft: Full list of Active Directory attributes.