Platform SDK: Active Directory, ADSI, and Directory Services

Binding to Well-Known Objects Using WKGUID

The containers can have one or more sub-objects that are important but can be renamed or moved. It can be cumbersome to keep track of these sub-objects and build correct binding strings for them, especially if they are renamed or moved.

To support rename-safe binding to these objects within these containers, the Active Directory has two properties: wellKnownObjects and otherWellKnownObjects. These properties have an attribute syntax of SYNTAX_DISTNAME_BINARY. They allow multiple values and contain the GUID/DN tuples of well-known objects within the containers on which they are set. The Active Directory maintains the distinguished name portion of each wellKnownObjects and otherWellKnownObjects entry so that it contains the current distinguished name of the object originally specified when the entry was created.

The otherWellKnownObjects property can be set and used on any object.

The wellKnownObjects property is used on the domainDNS and configuration containers. The wellKnownObjects property is a system-only property and can only be modified by the operating system.

The domainDNS container has the following well-known objects:

The configuration container has the following well-known object:

These objects are always in every domainDNS and configuration container in the Active Directory.

You can bind to a well-known object using the WKGUID binding format. Binding with WKGUID is only supported in Active Directory (that is, the LDAP provider).

Important  Always use the WKGUID binding format to bind to the well-known objects (listed above) in the domain and configuration containers. This ensures that you are able to bind to those containers even if they are moved or renamed.

The WKGUID binding string format is the following:

LDAP://servername/<WKGUID=XXXXX,ContainerDN>

In this example, servername is the name of the directory server. The servername is optional.

XXXXX is the string representation of the hexadecimal value of the GUID that represents the well-known object. Note that 1) XXXXX is not the string produced by the StringFromGUID2function in the COM library and 2) XXXXX is not the object's objectGUID.

To bind to an object specified in otherWellKnownObjects in an object, specify XXXXX as the bindable string form of the well-known object GUID of the object. See Reading an Object's objectGUID and Creating a String Representation of the GUID. For more information on setting the otherWellKnownObjects property on objects, see Enabling Rename-Safe Binding with the otherWellKnownObjects Property.

To bind to an object specified in wellKnownObjects in domainDNS or configuration containers, specify XXXXX as one of the constants defined in ntdsapi.h:

GUID_USERS_CONTAINER_W

GUID_COMPUTRS_CONTAINER_W

GUID_SYSTEMS_CONTAINER_W

GUID_DOMAIN_CONTROLLERS_CONTAINER_W

GUID_INFRASTRUCTURE_CONTAINER_W

GUID_DELETED_OBJECTS_CONTAINER_W

GUID_LOSTANDFOUND_CONTAINER_W

For example, if you wanted to bind to the users container in a domain, you would specify GUID_USERS_CONTAINER_W as XXXXX.

ContainerDN is the distinguished name of the container object that has this object represented as a value in its wellKnownObjects property. For example, if you wanted to bind to the users container in a domain, you would specify the domain's distinguished name as the ContainerDN.

For example, you would use the following binding to bind to the users container of the domain Microsoft.com:

LDAP://<WKGUID=a9d1ca15768811d1aded00c04fd8d5cd,dc=Microsoft,dc=com>