1

AD is at 2003 functional level, some of our DCs are running Windows Server 2003, some are 2008, some are 2008 R2.

When using the following query:

(objectCategory=user)

I do not expect to see any result where the objectCategory attribute is equal to 'CN=Person,CN=Schema,CN=Configuration,DC=Contoso'

I expect only objects where the objectCategory attribute is equal to 'CN=User,CN=Schema,CN=Configuration,DC=Contoso'

However, the query does indeed return all objects with the objectCategory attribute equal to 'CN=Person,CN=Schema,CN=Configuration,DC=Contoso'

My question then is this: Why do I see the search results that I do? Does AD actively translate queries that include (objectCategory=user) to (objectCategory=Person)? I have looked at the schema definitions for both the Person and the User class, but I cannot see any reason for the query results as I am experiencing them. I know that the User class is a subclass of the organizationalPerson class, which is a subclass of Person, but I can't see an attribute value that would explain this translation.

Joseph Alcorn
  • Can you clarify what objects you're expecting to see, and what you are seeing instead? Having that `objectCategory` is not unexpected for a user account object. – Shane Madden Mar 30 '12 at 16:38
  • This is not an answer to your question (hence the comment) but please stop using Windows Server 2003. Microsoft no longer offers security patches for it and as a result it is unsafe. – user5870571 Jul 18 '19 at 12:35
  • @user5870571, this was an over 7 year old question... Are you going through all ancient questions that mention EOL'd systems and telling people that their systems are insecure? – Joseph Alcorn Jul 19 '19 at 15:21
  • @joseph alcorn I just respond to questions at the top of the list. – user5870571 Jul 19 '19 at 23:42

2 Answers

0

The reason you get the person objects is because there is no such category as User. User is a class. By strict definition objectCategory takes a DN attribute. In order to avoid forcing coders to look up the schema DN, the query engine in AD allows you to provide a class and provides the defaultObjectCategory as the expansion. So if you were to look up the schema of User you get this as the defaultObjectCategory:

CN=Person,CN=Schema,CN=Configuration,DC=jimbdom,DC=com

The proper expression to search for users is: "(&(objectClass=user)(objectCategory=person))".

Jim B
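The expansion Jim B describes can be simulated offline. The following script is an added example, not code from the answer or from Microsoft: it holds a constructed schema excerpt (class name to defaultObjectCategory DN, using the DC=Contoso suffix quoted in the question; the Person/Computer/Group defaults match the stock AD schema) and four constructed directory entries, then evaluates a minimal LDAP filter against them. A bare class name given as objectCategory is replaced by that class's defaultObjectCategory before matching, which is why (objectCategory=user) also returns a contact, while (objectClass=user) also returns a computer account (computer is a subclass of user). The conjunction from the answer returns only the real user account, which is the result a script that grants access based on the search should be relying on.

```python
"""Simulate how AD expands a class name in objectCategory and why
(objectCategory=user) matches more than user accounts.  All data is constructed."""

PERSON_DN = "CN=Person,CN=Schema,CN=Configuration,DC=Contoso"
COMPUTER_DN = "CN=Computer,CN=Schema,CN=Configuration,DC=Contoso"
GROUP_DN = "CN=Group,CN=Schema,CN=Configuration,DC=Contoso"

# Constructed schema excerpt: class name -> defaultObjectCategory DN.
SCHEMA_DEFAULT_CATEGORY = {
    "user": PERSON_DN,      # user's defaultObjectCategory is Person, not User
    "person": PERSON_DN,
    "contact": PERSON_DN,   # contacts share the Person category with users
    "computer": COMPUTER_DN,
    "group": GROUP_DN,
}

# Constructed entries; attribute names stored lowercase, values as lists.
DIRECTORY = {
    "alice": {"objectclass": ["top", "person", "organizationalPerson", "user"],
              "objectcategory": [PERSON_DN]},
    "bob-contact": {"objectclass": ["top", "person", "organizationalPerson", "contact"],
                    "objectcategory": [PERSON_DN]},
    "ws01$": {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
              "objectcategory": [COMPUTER_DN]},
    "admins": {"objectclass": ["top", "group"], "objectcategory": [GROUP_DN]},
}


def expand_object_category(value):
    """Mimic the AD convenience rule: a bare class name given as objectCategory is
    replaced by that class's defaultObjectCategory DN; a DN is used unchanged."""
    if "=" in value:
        return value
    try:
        return SCHEMA_DEFAULT_CATEGORY[value.lower()]
    except KeyError:
        raise ValueError(f"unknown class {value!r}: no defaultObjectCategory") from None


def parse_filter(text):
    """Parse a minimal RFC 4515 filter: (attr=value), (&...), (|...), (!...)."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")   # first '=' splits attr from a DN value
    if not attr or not value:
        raise ValueError("only equality matches are supported")
    return ("=", attr, value), end + 1


def matches(entry, node):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "=":
        _, attr, value = node
        if attr.lower() == "objectcategory":
            value = expand_object_category(value)
        return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))
    op, children = node
    if op == "&":
        return all(matches(entry, c) for c in children)
    if op == "|":
        return any(matches(entry, c) for c in children)
    return not matches(entry, children[0])          # "!"


def search(filter_text):
    """Return the sorted names of constructed entries matching the filter."""
    node = parse_filter(filter_text)
    return sorted(name for name, entry in DIRECTORY.items() if matches(entry, node))


if __name__ == "__main__":
    for f in ["(objectCategory=user)", "(objectClass=user)",
              "(&(objectClass=user)(objectCategory=person))"]:
        print(f"{f:50} -> {search(f)}")
```

Running the script shows the three result sets side by side: the question's filter returns alice and bob-contact, objectClass=user alone returns alice and ws01$, and only the conjunction narrows to alice.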
-1

User inherits from Person. In other words, users are Persons. The opposite is not true.

So if you search for user, you can also see persons.

From Technet:

[Technet diagram not reproduced]

Pang
uSlackr
  • I was also hoping that by pointing out the documentation you might read through it to discover the issue in your answer. The OP query is for a CATEGORY not a CLASS. – Jim B Mar 30 '12 at 19:40