
Microsoft Domain Service (DS) Active Directory Schema Classes Defined by Defender

Written by Quest Software, Inc.

© 2009 Quest Software, Inc. All rights reserved.

This guide contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Quest Software, Inc.

WARRANTY

The information contained in this document is subject to change without notice. Quest Software makes no warranty of any kind with respect to this information. QUEST SOFTWARE SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTY OF THE MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Quest Software shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

TRADEMARKS

Quest, Quest Software, the Quest Software logo, AccessManager, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BusinessInsight, ChangeAuditor, DataFactory, DeployDirector, DirectoryAnalyzer, DirectoryTroubleshooter, DNS Analyzer, DSExpert, ERDisk, Foglight, GPOAdmin, iToken, I/Watch, Imceda, InLook, IntelliProfile, InTrust, Invirtus, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL LiteSpeed, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer Pro, vPackager, vRanger, vRanger Pro, vSpotlight, vStream, vToad, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, Vizioncore vTraffic, Vizioncore vWorkflow, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.

World Headquarters
5 Polaris Way
Aliso Viejo, CA 92656
www.quest.com
e-mail: [email protected]
U.S. and Canada: 949.754.8000
Please refer to our Web site for regional and international office information.

July, 2009

Technical Brief

CLASSES DEFINED BY DEFENDER

The following is the list of Microsoft Domain Service (DS) Active Directory Schema Classes that are specifically defined by Defender. Each Class has been listed in accordance with the Active Directory Schema definitions format as used in the MSDN documentation (see …(VS.85).aspx for further details). Only Attributes that are specific to Defender have been listed; all other Attributes are as per the MSDN documentation provided for each respective Class.

Object-Category: Leaf
Possible Superiors: Organizational-Unit
Update Privilege: Domain or Defender administrator.
Update Frequency: Records of this type will be updated each time a Defender Token is created, deleted or modified.
Description: A record of this type is created for each Token defined to …

Object-Category: Leaf
Possible Superiors: Organizational-Unit
Update Privilege: Domain or Defender administrator.
Update Frequency: Records of this type will be updated each time a Defender Access Node (DAN) is created, deleted or modified.
Description: A record of this type is created for each Access Node (DAN) defined to …
Specific Attributes: defender-subnetMask (False), defender-userIdType (False)

Update Privilege: Domain or Defender administrator.
Update Frequency: Record of this type will be updated each time a Defender Security Server (DSS) is created, deleted or modified.
Description: A record of this type is created for each Security Server (DSS) defined to …

Possible Superiors: Organizational-Unit
Update Privilege: Domain or Defender administrator.
Update Frequency: Records of this type will be updated each time a Defender Policy is created, deleted or modified.
Description: A record of this type is created for each Policy defined in …
Specific Attributes: defender-policyPasswordFilter (False)

Object-Category: Leaf
Possible Superiors: Organizational-Unit
Update Privilege: Domain or Defender administrator.
Update Frequency: Records of this type will be updated each time a Defender License is created, deleted or modified.
Description: A record of this type is created for each License defined in …

Possible Superiors: Organizational-Unit
Update Privilege: Domain or Defender administrator.
Update Frequency: Record of this type will be updated each time a Defender RADIUS Payload is created, deleted or modified.
Description: A record of this type is created for each RADIUS Payload defined to …

Possible Superiors: Organizational-Unit
Update Privilege: Domain or Defender administrator.
Update Frequency: Record of this type will be updated each time a Defender Token License is created, deleted or modified.
Description: A record of this type is created for each Token License defined in …
Specific Attributes: defender-tokenType (False)

CLASSES EXTENDED BY DEFENDER

The following is the list of Microsoft Domain Service (DS) Active Directory Schema Classes that are extended by Defender. Each Class has been listed in accordance with the Active Directory Schema definitions format as used in the MSDN documentation (see …(VS.85).aspx for further details). Only Attributes that are specific to Defender have been listed; all other Attributes are as per the MSDN documentation provided for each extended Class.

ATTRIBUTES DEFINED BY DEFENDER

The following is the list of Microsoft Domain Service (DS) Active Directory Schema Attributes that are defined by Defender. Each Attribute has been listed in accordance with the Active Directory Schema definitions format as used in the MSDN documentation (see …(VS.85).aspx for further details). Only Attributes that are specific to Defender have been listed; all other Attributes are as per the MSDN documentation.

Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Token or a Token License is created.
Description: For a Token contains the major token type. For a Token License contains the license …

Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever Token Data is added or modified.
Description: For a Token contains the token seed and other information required for authentication. For licenses contains information on the license type and – in the case of a Token License – the counts of used and available …
Classes used in: …, defender-licenseClass

Is-Single-Valued: False
Is-Indexed: False
In Global Catalog: True
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Token is assigned to or removed from a User.
Description: Contains the User specific data associated with a Token, together with the tokens' …

Syntax: Object(DS-DN)
Is-Single-Valued: False
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000010
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Token is assigned to or removed from a User.
Description: For a Token, contains the distinguished names of Users assigned to the token. For a User, this attribute is set when the user is assigned a Defender Password or GrIDsure token.
Classes used in: defender-tokenClass, User

Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a date change occurs for a Token.
Description: Contains date information associated with the Token. This may be the manufacturing date of the token or the date of token import.
Classes used in: defender-tokenClass

Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Defender Access Node is added to or removed from a Defender Security Server.
Description: Contains the distinguished names of the DSS objects to which the DAN is …

Syntax: Object(DS-DN)
Is-Single-Valued: False
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000010
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Defender Access Node is added to or removed from a Defender Security Server.
Description: Contains the distinguished names of the DAN objects assigned to the DSS.
Classes used in: defender-dssClass

Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Defender Access Node is added or deleted.
Description: Contains the shared secret for the …

Search-Flags: 0x00000003
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a new object is created, or the Id of an existing object is modified.
Description: For a token, contains the type information for Defender Desktop Tokens only. For a User, contains the user's Defender ID.
Classes used in: defender-tokenClass, User

Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a User's violation occurs.
Description: Contains the number of unsuccessful authentication attempts since last …

Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a User's account is reset via Defender.
Description: Contains the number of violation count resets.
Classes used in: User

Attribute-Id: 1.2.840.113556.1.8000.1267.2.12
Size: 8 Bytes
Syntax: Interval
Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a User successfully logs on via Defender.
Description: Contains the time of the last successful …

Syntax: Boolean
Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Defender Security Server changes state (e.g. Active-to-Inactive or Inactive-to-Active).
Description: Flag to indicate whether or not the DSS has up-to-date configuration data.
Classes used in: defender-dssClass

Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Defender Security Server prompt is added, modified or deleted.
Description: Contains the list of authentication prompts used by the DSS during …

Syntax: String(Octet)
Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the Authentication Method associated with a Policy is modified.
Description: Data structure describing the types of authentication methods applicable to users associated with this Policy.
Classes used in: defender-PolicyClass

Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the Lockout Duration associated with a Policy is modified.
Description: Contains the number of unsuccessful authentication attempts before the account will be …

Syntax: Integer
Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the Lockout Duration associated with a Policy is modified.
Description: Contains the duration for which a User account (which has been locked by Defender) will remain locked. After this period has expired the account will be eligible for unlocking.
Classes used in: defender-Policy

Attribute-Id: 1.2.840.113556.1.8000.1267.2.18
Size: 8 Bytes
Syntax: Interval
Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a User's account is locked by Defender.
Description: Contains the time at which the user was locked …

Is-Indexed: False
In Global Catalog: True
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Defender Policy is assigned.
Description: Contains the distinguished name of the Defender Policy assigned to the …

Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000010
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Defender Policy is assigned.
Description: Contains the distinguished names of the objects to which this Policy is …

Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Defender Access Node is created.
Description: Contains the type of the Access Node.
Classes used in: defender-danClass

Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the UserId Type associated with the Defender Access Node changes.
Description: Contains the format of the user ID used for authentication through the Access …

Syntax: Integer
Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Policy Access Category changes.
Description: Contains the access categories required for Webthority.
Classes used in: defender-PolicyClass

Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the IP Subnet Mask of a Defender Access Node changes.
Description: Contains the IP Subnet Mask associated with a Defender Access …

Syntax: Object(DS-DN)
Is-Single-Valued: False
Is-Indexed: False
In Global Catalog: True
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a User is added to or removed from a Defender Access Node.
Description: Contains the distinguished names of groups and users allowed to authenticate through the Access Node.
Classes used in: defender-danClass

Search-Flags: 0x00000010
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a User is added to or removed from a Defender Access Node.
Description: Contains the list of Access Nodes of which the user is a direct …

Attribute-Id: 1.2.840.113556.1.8000.1267.2.27
Size: 8 Bytes
Syntax: Interval
Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Defender Security Server is defined.
Description: Contains the file version of the DSS.
Classes used in: defender-dssClass

Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: True
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Radius Payload is assigned.
Description: Contains the distinguished name of the assigned Defender RADIUS …

Syntax: Object(DS-DN)
Is-Single-Valued: False
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000010
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Radius Payload is assigned.
Description: Contains the distinguished names of objects to which the RADIUS Payload is assigned.
Classes used in: defender-radiusPayloadClass

Is-Single-Valued: False
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the data associated with a Radius Payload is modified.
Description: Contains RADIUS Payload …

Is-Single-Valued: False
Is-Indexed: False
In Global Catalog: True
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the data associated with a Group specific Radius Payload is modified.
Description: Contains the distinguished names of the Groups referenced in the RADIUS payload.
Classes used in: defender-radiusPayloadClass

Syntax: Object(DS-DN)
Is-Single-Valued: False
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000010
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the data associated with a group specific Radius Payload is modified.
Description: Contains the distinguished names of the RADIUS Payload objects in which this object is …

In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever a Radius Payload is to be inherited.
Description: Set if RADIUS payload information assigned to this object is to be inherited by other objects.
Classes used in: defender-danClass, Group, User

In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the Auto Unlock setting of a Policy is modified.
Description: Determines whether Defender accounts are automatically reset after a successful …

In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the Mobile Users setting associated with a Policy is modified.
Description: Contains the settings for the configuration of the SMS provider policy.
Classes used in: defender-policyClass

Ldap-Display-Name: …MaximumPasswordAge
Attribute-Id: 1.2.840.113556.1.8000.1267.2.36
Size: 8 Bytes
Syntax: Interval
Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the Maximum Password Age value associated with a Policy is modified.
Description: Contains the number of days after which a Defender Password will …

Attribute-Id: 1.2.840.113556.1.8000.1267.2.37
Size: 8 Bytes
Syntax: Interval
Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the Maximum PIN Age value associated with a Policy is modified.
Description: Contains the number of days after which a Defender PIN will expire.
Classes used in: defender-policyClass

Syntax: Integer
Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever Password Change Flags associated with a Policy are modified.
Description: Not currently used.

Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the Password Filter associated with a Policy is modified.
Description: Not currently used.
Classes used in: defender-policyClass

Is-Single-Valued: True
Is-Indexed: False
In Global Catalog: False
Search-Flags: 0x00000000
Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the GINA Options value associated with a Policy is modified.
Description: Not currently used.

Update Privilege: Domain or Defender administrator.
Update Frequency: Whenever the Login Time associated with a Policy is modified.
Description: Contains the times when a user is allowed to authenticate using Defender.
Classes used in: defender-policyClass

ABOUT QUEST SOFTWARE, INC.

Quest Software, Inc., a leading enterprise systems management vendor, delivers innovative products that help organizations get more performance and productivity from their applications, databases, Windows infrastructure and virtual environments. Through a deep expertise in IT operations and a continued focus on what works best, Quest helps more than
