Platform SDK: Active Directory, ADSI, and Directory Services

Enabling Rename-Safe Binding with the otherWellKnownObjects Property

Objects of the Container class have an otherWellKnownObjects attribute that you can use to associate a GUID with the distinguished name (DN) of a child object in the container. If the child object is moved or renamed, Active Directory automatically updates the DN in the otherWellKnownObjects value for that child object. This enables you to use the WKGUID binding feature to bind to the child object using the GUID and the DN of the container rather than the child object's DN.

The otherWellKnownObjects attribute is equivalent to the wellKnownObjects attribute except that applications and services can write an otherwellKnownObjects value but only the system can write wellKnownObjects.

Using otherWellKnownObjects property and WKGUID binding is beneficial in the following situation where rename-safe binding is required in relation to a specific container object:

You have a container object and it contains other important objects.
The important objects can be renamed or moved.
The important objects always exist for each instance of the container object. For example, the system uses the wellKnownObjects attribute of each domainDNS object to store a value for the Users container, which exists in every instance of a domainDNS object. This enables applications to bind to the Users container in a rename-safe way by specifying the well-known GUID and the DN of the domainDNS container. Applications can use a container's otherWellKnownObjects attribute in the same way.
You need rename-safe binding and/or search capability on the important objects.

To add rename-safe binding and search capabilities

Add a value to the otherWellKnownObjects property of the container object when the important object is created within that container. The value contains the GUID that represents the well-known object (note that this is not the objectGUID) and the distinguished name for that object.
Use the WKGUID binding feature to bind to or search the important object.

The otherWellKnownObjects attribute can have multiple values and contains the GUID/DN tuples of well-known objects within the containers on which they are set. The otherWellKnownObjects attribute has the DNWithBinary syntax in which values have the following form:

B:CharCount:WKOGUID:ObjectDN

In this example, CharCount is the count of hexadecimal digits in WKOGUID, which is 32 (number of hex digits in a GUID) for both otherWellKnownObjects and wellKnownObjects. WKOGUID is the hexadecimal digit representation of the well-known GUID. ObjectDN is the distinguished name of the object represented by this WKO value. Active Directory maintains the ObjectDN portion of each wellKnownObjects and otherWellKnownObjects value so that it contains the current distinguished name of the object originally specified when the value was created.

For example, if {df447b5e-aa5b-11d2-8d53-00c04f79ab81} is the well-known GUID of the MyObject object in the MyContainer container in the Microsoft.com domain, the otherWellKnownObjects value would specify the well-known GUID and the DN of MyObject:

B:32:df447b5eaa5b11d28d5300c04f79ab81:cn=MyObject,cn=MyContainer,dc=Microsoft,dc=com

To bind to this object, you would use the following WKGUID binding string that specifies the well-known GUID of the object and the DN of the container:

LDAP://<WKGUID=df447b5eaa5b11d28d5300c04f79ab81,cn=MyContainer,dc=Microsoft,dc=com>

After binding to this object, you can use the ADSI COM interfaces to search, read, modify, or delete the object.