Platform SDK: Active Directory, ADSI, and Directory Services

Reading User Object Properties

For general information about reading properties, see Accessing and Manipulating Data with ADSI.

All objects have properties; however, the user object has three types of properties that are stored differently:

Domain-replicated, stored properties
Some properties are stored in the directory (such as cn, nTSecurityDescriptor, objectGUID, and so on) and replicated to all domain controllers within the domain. A subset of these properties, the partial attribute set, is also replicated to the global catalog. If you enumerate the properties of a user object from the global catalog, only the properties that are replicated to the global catalog are returned; a check that relies on an attribute outside that subset must bind to a domain controller of the user's own domain instead. Some properties are also indexed; using an indexed property in a query filter improves the performance of the query.

These properties can be retrieved using the IADs::Get method, the IADsProperty* methods, the IDirectoryObject::GetObjectAttributes method, and the IDirectorySearch methods.

Non-replicated, locally stored properties
Non-replicated properties are stored on each domain controller but are not replicated anywhere else, including the global catalog (such as badPwdCount, lastLogon, lastLogoff, and so on). The non-replicated properties pertain to a particular domain controller. For example, lastLogon is the last date/time at which the user's network logon was validated by the particular domain controller that is returning the property. These properties can be retrieved in the same way as the domain-wide properties described previously. However, each domain controller stores only the values that pertain to that domain controller, so a value read from a single domain controller is at best a lower bound. For example, if you want to get the last time a user logged on to the domain, you have to read the lastLogon property for the user at every domain controller in the domain and take the latest time.

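The procedure described above, as an added example that is not code from the original page: it queries every domain controller for one user's lastLogon and badPwdCount through System.DirectoryServices (the .NET wrapper over ADSI) and takes the latest logon. It assumes a domain-joined host whose caller can reach every DC over LDAP; the $SamAccountName parameter and the helper ConvertTo-LdapFilterValue are illustrative names chosen for this example.

```powershell
# Added example (not from the original page): read non-replicated attributes
# from every domain controller and combine them. Assumes a domain-joined host
# and LDAP reachability to each DC; $SamAccountName is an illustrative parameter.
param([Parameter(Mandatory)][string]$SamAccountName)

Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value embedded in a search filter. Without it an
    # input such as "*)(objectClass=*" rewrites the filter instead of matching
    # one account. Backslash must be escaped first.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

$filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"

# Each writable DC holds its own copy of these attributes, so the query goes to
# every DC by name rather than to LDAP://<domain>, which lands on whichever DC
# the locator happens to pick.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$perDc = foreach ($dc in $domain.DomainControllers) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$($dc.Name)", $filter, [string[]]@('lastLogon', 'badPwdCount', 'distinguishedName'))
    try { $hit = $searcher.FindOne() }
    catch { Write-Warning "$($dc.Name): $($_.Exception.Message)"; continue }
    finally { $searcher.Dispose() }
    if (-not $hit) { continue }

    # lastLogon is a FILETIME (100 ns intervals since 1601-01-01 UTC) returned as
    # Int64; 0 or absent means this DC has never validated a logon for the account.
    $ticks = if ($hit.Properties['lastlogon'].Count) { [int64]$hit.Properties['lastlogon'][0] } else { 0 }
    [pscustomobject]@{
        DomainController = $dc.Name
        LastLogon        = if ($ticks -gt 0) { [DateTime]::FromFileTimeUtc($ticks) } else { $null }
        BadPwdCount      = if ($hit.Properties['badpwdcount'].Count) { [int]$hit.Properties['badpwdcount'][0] } else { 0 }
    }
}

# Per-DC view: useful when investigating which DC saw the failed attempts.
# badPwdCount is not summed, because other DCs forward bad-password attempts to
# the PDC emulator, whose count therefore already covers most of the domain.
$perDc | Sort-Object LastLogon -Descending | Format-Table -AutoSize

# The domain-wide answer is the maximum over all DCs, never a single DC's value.
$latest = ($perDc | Where-Object LastLogon | Measure-Object -Property LastLogon -Maximum).Maximum
"Latest logon validated by any DC: $latest"
```

Run it as `.\Get-UserLogonPerDc.ps1 -SamAccountName alice`. A DC that is unreachable produces a warning and is skipped, which means the result is still only a lower bound for the domain; an audit that must be complete should treat a skipped DC as a failure rather than silently accept the partial maximum.
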
Non-stored, constructed properties
A user object also has constructed properties that are not stored in the directory but are calculated by the domain controller when they are read (such as canonicalName, distinguishedName, allowedAttributes, ADsPath, and so on). Note that ADsPath is a property supplied by the ADSI provider rather than a schema attribute, and distinguishedName is defined in the schema only as a constructed attribute. All the constructed properties can be retrieved by the IDirectoryObject and IDirectorySearch methods. Most are automatically retrieved and cached by an IADs::GetInfo call on the user object (IADs::Get makes an implicit IADs::GetInfo call if the cache is empty). However, some constructed properties are not automatically retrieved and cached and therefore require an IADs::GetInfoEx call to retrieve them explicitly. For example, canonicalName is not retrieved by an IADs::GetInfo call, so IADs::Get returns an E_ADS_PROPERTY_NOT_FOUND error unless IADs::GetInfoEx has first been called for that property. Enumeration of all properties using IADsPropertyList likewise does not include the canonicalName property.
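The GetInfo versus GetInfoEx behavior described above, as an added example that is not code from the original page: it uses the .NET DirectoryEntry class, whose RefreshCache(string[]) method is the wrapper for IADs::GetInfoEx, to show that canonicalName is absent after the implicit GetInfo and present after an explicit request. It also pulls two other constructed attributes that matter in a security review. The $DistinguishedName parameter is an illustrative name; any reachable user DN will do.

```powershell
# Added example (not from the original page): constructed attributes that the
# implicit GetInfo does not load must be requested with GetInfoEx, which
# DirectoryEntry exposes as RefreshCache(string[]). $DistinguishedName is an
# illustrative parameter name.
param([Parameter(Mandatory)][string]$DistinguishedName)

Add-Type -AssemblyName System.DirectoryServices
$user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")

# The first access to the property cache triggers the implicit GetInfo. Stored
# attributes and most constructed ones (distinguishedName, allowedAttributes, ...)
# are loaded; canonicalName is not, so Contains is expected to report false here.
$cachedBefore = $user.Properties.Contains('canonicalName')

# Explicit GetInfoEx for exactly the attributes needed. It overwrites the cached
# values of the named attributes, so call it before, not between, a Put and a
# CommitChanges on those attributes.
$user.RefreshCache([string[]]@('canonicalName', 'allowedAttributesEffective', 'tokenGroups'))
$cachedAfter = $user.Properties.Contains('canonicalName')

[pscustomobject]@{
    DistinguishedName      = $user.Properties['distinguishedName'].Value
    CanonicalName          = $user.Properties['canonicalName'].Value
    CachedBeforeGetInfoEx  = $cachedBefore
    CachedAfterGetInfoEx   = $cachedAfter
    # allowedAttributesEffective lists the attributes the calling security context
    # may write on this object, which is a direct test of what a delegated account
    # could change on the user.
    WritableAttributes     = @($user.Properties['allowedAttributesEffective']) -join ', '
    # tokenGroups is the expanded (nested) group membership as SIDs, also constructed
    # and also absent until requested explicitly.
    ResolvedGroupSids      = @($user.Properties['tokenGroups'] | ForEach-Object {
                                 (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value })
}
```

Run it as `.\Get-UserConstructedAttributes.ps1 -DistinguishedName 'CN=Alice,OU=Users,DC=example,DC=com'`. The two boolean fields make the point of the text visible: CachedBeforeGetInfoEx is false and CachedAfterGetInfoEx is true for the same object, without any round trip other than the explicit GetInfoEx.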