Microsoft Active Directory account form attributes

The following table lists the mapping of the user account form attributes on IBM® Security Identity Manager to the attributes on the Active Directory.

Table 1. Mapping of attributes on IBM Security Identity Manager to the attributes on the Active Directory

| Adapter Attribute | Active Directory Attribute | Description | Syntax |
|---|---|---|---|
| cn, erADFullName (Note: erADFullName is used only if cn is not specified) | cn | Specifies the full name of the user (given name and surname). | String |
| description | description | Specifies the description for the user. | String |
| erAccountStatus | userAccountControl | | |
| erADAllowDialin | msNPAllowDialin | Specifies whether the user can dial in to the network. | Boolean |
| erADAllowEncryptedPassword | userAccountControl | Specifies whether encrypted passwords are allowed. | Boolean |
| erADBadLoginCount | badPwdCount | Specifies the number of invalid login attempts that are allowed since the last reset. | Long |
| erADCallbackNumber | msRADIUSCallbackNumber | Specifies the callback number for remote access services that is used when DialinCallBack is set to fixed. | String |
| erADCannotBeDelegated | userAccountControl | Specifies that this account cannot be assigned for delegation by another account. | Boolean |
| erADContainer | DN of container | Specifies the Relative Distinguished Name (RDN) of a container object in which to create the user account. The container is relative to the basepoint. | RDN string |
| erADCountryCode | countryCode | Specifies the country where the user resides. | Integer |
| erADDialinCallback | msRADIUSServiceType | Sets the dial-in callback for the user: 1 - No callback; 2 - Fixed callback using erADCallbackNumber; 3 - This option is not used; 4 - User-supplied callback. | Integer |
| erADDisplayName | displayName | Specifies the Active Directory displayName attribute. | String |
| erADDistinguishedName | distinguishedName | Specifies the distinguished name of the account on the Active Directory. | String |
| erADEActiveSyncEnabled | msExchOmaAdminWirelessEnable | Specifies the distinguished name of the account on the Active Directory. | Boolean |
| erADEAddressBookPolicy | msExchAddressBookPolicyLink | Specifies the DN of the Address Book Policy. From supporting data erADEAddrBookPlcy. | String |
| erADEAlias | mailNickname | Specifies the alias for the Exchange mailbox. | String |
| erADEAllowedAddressList | authOrig | Specifies a list of email IDs that the user accepts mail from. | String |
| erADEAllowPermTo1Level | msExchMailboxSecurityDescriptor | Specifies whether permission is inherited. | Boolean |
| erADEApplyOntoAllow | msExchMailboxSecurityDescriptor | Specifies an Allow permission. | Boolean |
| erADEApplyOntoDeny | msExchMailboxSecurityDescriptor | Specifies a Deny permission. | Boolean |
| erADEAssociatedExtAcc | msExchMailboxSecurityDescriptor | Specifies whether the user has associated external account permission. | Boolean |
| erADEAutoGenEmailAddrs | msExchPoliciesExcluded | Specifies whether the Recipient Update Service updates the email address. | Boolean |
| erADEChgPermissions | msExchMailboxSecurityDescriptor | Specifies whether to change the user's mailbox permission. | Integer |
| erADEConnectToMailbox | Not mapped (write only) | Specifies the DN of a disconnected mailbox to connect to the user. From supporting data erADEConnectToMailbox. | String |
| erADEDaysBeforeGarbage | garbageCollPeriod | Specifies the number of days that deleted mail is retained before it is permanently deleted. | Integer |
| erADEDelegates | publicDelegates | Specifies the list of all users that have access to the Exchange mailbox. | String |
| erADEDelMailboxStorage | msExchMailboxSecurityDescriptor | Specifies whether the user has delete mailbox storage permission. | Integer |
| erADEDenyPermTo1Level | msExchMailboxSecurityDescriptor | Specifies whether deny permission is inherited. | Boolean |
| erADEEnableRetentionHold | msExchELCMailboxFlags | Specifies whether retention hold is enabled. | Boolean |
| erADEEnableStoreDeflts | mDBUseDefaults | Specifies whether to use only default store values for storage limits, or to use other properties that pertain to the mailbox. | Boolean |
| erADEEndRetentionHold | msExchELCExpirySuspensionEnd | Specifies whether to enable or disable retention hold. | Boolean |
| erADEExtension1 | extensionAttribute1 | Specifies a user-defined extension attribute. | String |
| erADEExtension10 | extensionAttribute10 | Specifies a user-defined extension attribute. | String |
| erADEExtension11 | extensionAttribute11 | Specifies a user-defined extension attribute. | String |
| erADEExtension12 | extensionAttribute12 | Specifies a user-defined extension attribute. | String |
| erADEExtension13 | extensionAttribute13 | Specifies a user-defined extension attribute. | String |
| erADEExtension14 | extensionAttribute14 | Specifies a user-defined extension attribute. | String |
| erADEExtension15 | extensionAttribute15 | Specifies a user-defined extension attribute. | String |
| erADEExtension2 | extensionAttribute2 | Specifies a user-defined extension attribute. | String |
| erADEExtension3 | extensionAttribute3 | Specifies a user-defined extension attribute. | String |
| erADEExtension4 | extensionAttribute4 | Specifies a user-defined extension attribute. | String |
| erADEExtension5 | extensionAttribute5 | Specifies a user-defined extension attribute. | String |
| erADEExtension6 | extensionAttribute6 | Specifies a user-defined extension attribute. | String |
| erADEExtension7 | extensionAttribute7 | Specifies a user-defined extension attribute. | String |
| erADEExtension8 | extensionAttribute8 | Specifies a user-defined extension attribute. | String |
| erADEExtension9 | extensionAttribute9 | Specifies a user-defined extension attribute. | String |
| erADEForwardingStyle | deliverAndRedirect | Specifies whether email is also delivered to an alternate email address. | String |
| erADEForwardTo | altRecipient | Specifies the URL where email is to be forwarded. | String |
| erADEFullMailboxAccess | msExchMailboxSecurityDescriptor | Specifies whether the user has full mailbox access permission: 1=Allow; 2=Deny; 0 or no value=None. | Integer |
| erADEGarbageAfterBckp | deletedItemFlags | Specifies whether deleted messages can be permanently deleted after the mailbox is backed up. | Boolean |
| erADEHardLimit | mDBOverHardQuotaLimit | Specifies the mailbox size in KB at which sending and receiving email is disabled. | Integer |
| erADEHideFromAddrsBk | msExchHideFromAddressLists | Specifies whether the address is displayed in the address book. | Boolean |
| erADEHomeMDB | homeMDB | Specifies the URL of the store for the recipient. | String |
| erADEIMAP4Enabled | protocolSettings | Specifies whether to enable or disable MAPI support. | Boolean |
| erADEIMAP4Format | protocolSettings | Specifies the IMAP4 format: 0=Text; 1=HTML; 2=HTML and alternative text; 3=Enriched Text; 4=Enriched Text and alternative text; 5=Best body format; 6=TNEF. | Integer |
| erADEIMAP4FormatUseDefault | protocolSettings | Specifies whether to use the default IMAP4 format. | Boolean |
| erADEIncomingLimit | delivContLength | Specifies the maximum incoming message size. | Integer |
| erADELanguages | language | Specifies languages. | String |
| erADEMailboxFolderPolicy | msExchMailboxTemplateLink | Specifies the DN of the mailbox folder policy. From supporting data erADMBFldPolicy objects. | String |
| erADEMailboxStore | homeMDB | Specifies the DN of the mailbox store of the mailbox. | |
| erADEMailboxUMExtensions | null | Specifies a list of Unified Messaging extension numbers. | String |
| erADEMailboxUMPolicy | msExchUMTemplateLink | Specifies the Unified Messaging policy. From supporting data erADMBUMPolicy objects. | String |
| erADEMAPIBlockOutlookRpcHttp | protocolSettings | Specifies whether to block Outlook RPC. | Boolean |
| erADEMAPIEnabled | protocolSettings | Specifies whether MAPI is enabled. | Boolean |
| erADEmployeeID | employeeID | Specifies the user's employee identifier. | String |
| erADEmployeeNumber | employeeNumber | Specifies the employee number. | String |
| erADEMsOwaPolicy | msExchOWAPolicy | Specifies the OWA policy. | String |
| erADEOutgoingLimit | submissionContLength | Specifies the maximum size in KB of a message that is sent from the recipient. | Integer |
| erADEOutlookWebAccessEnabled | protocolSettings | Specifies whether to enable or disable Outlook Web Access. | Boolean |
| erADEOverQuotaLimit | mDBOverQuotaLimit | Specifies the maximum size of a mailbox in KB before sending messages is suspended. | Integer |
| erADEOverrideGarbage | deletedItemFlags | Specifies whether the store is prevented from permanently deleting messages. | Boolean |
| erADEPOP3Enabled | protocolSettings | Specifies whether POP3 is enabled. | Boolean |
| erADEPOP3FormatUseDefault | protocolSettings | Specifies whether the default POP3 format is used. | Boolean |
| erADEPOP3Format | protocolSettings | Specifies the POP3 format: 0=Text; 1=HTML; 2=HTML and alternative text; 3=Enriched Text; 4=Enriched Text and alternative text; 5=Best body format; 6=TNEF. | Integer |
| erADEProxyAddresses | proxyAddresses | Specifies a list of proxy addresses for the recipient. | String |
| erADEReadPermissions | msExchMailboxSecurityDescriptor | Specifies whether the user has read mailbox permission: 1=Allow; 2=Deny; 0 or no value=None. | Integer |
| erADERecipientLimit | msExchRecipLimit | Specifies the maximum number of people to whom the recipient can send email. | Integer |
| erADERemoteAddress | targetAddress | Specifies the target address for a mail-enabled user (Enable-MailUser). | String |
| erADERstrctAdrsFg | No longer used | | |
| erADERstrctAdrsLs | authOrig/unauthOrig | Specifies a list of email addresses to reject mail from. | String |
| erADEServerName | Null | Specifies the name of the Microsoft Exchange Server. | String |
| erADEShowInAddrBook | showInAddressBook | Specifies the list of address books that the user is a member of. | String |
| erADESMTPEmail | mail | Specifies the primary SMTP address that is used for the recipient. | String |
| erADEStartRetentionHold | msExchELCExpirySuspensionStart | Specifies the date to start retention hold. | Date |
| erADEStoreQuota | mDBStorageQuota | Specifies the limit at which the recipient receives a warning for exceeding their mail file storage allocation. | Integer |
| erADETakeOwnership | msExchMailboxSecurityDescriptor | Specifies whether the user has take mailbox ownership permission. | Integer |
| erADETargetAddress | targetAddress | Specifies the external email address to be used by the user. | String |
| erADEX400Email | textEncodedORAddress | Specifies the primary X.400 address that is used for the recipient. | String |
| erADExDialin | msNPAllowDialin | Specifies whether to allow dial-in. | Boolean |
| erADExpirationDate | accountExpires | Specifies the date and time after which the user cannot log in. | Date |
| erADFailIntrLgonCnt | msDS-FailedInteractiveLogonCount | Specifies the failed interactive logon count. Read only. | Integer |
| erADfax | facsimileTelephoneNumber | Specifies the fax numbers of the user. | String |
| erADFlIntrLgonCntAtLastSucLgon | msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon | Specifies the failed interactive logon count at the last successful logon. | Integer |
| erADHomeDir | homeDirectory | Specifies a null-terminated string that contains the path of the user's home directory. This string can specify a local path or a UNC path, for example `\\machine\share\path`. | String |
| erADHomeDirAccessShare | File system | Specifies the user access level on the share. | String |
| erADHomeDirDrive | homeDrive | Specifies the drive letter to assign to a UNC-based home directory. | String |
| erADHomeDirNtfsAccess | File system | Specifies the NTFS security level for the home directory of the user. | String |
| erADHomeDirShare | File system | Specifies the name of the share to create for the home directory. Append a dollar sign ($) to create a hidden share. | String |
| erADHomePage | wWWHomePage | Specifies the URL for the home page of the user. | String |
| erADInitial | initials | Specifies the middle initials of the name of the user. | String |
| erADIsAccountLocked | lockoutTime | Specifies whether the account is locked because of intruder detection. | Boolean |
| erADLastFailedLogin | badPasswordTime | Specifies the date and time of the last failed network login. | Date |
| erADLastFailIntrLgonTime | msDS-LastFailedInteractiveLogonTime | | |
| erADLastLogoff | lastLogoff | Specifies the date and time of the last network logoff. | Date |
| erADLastLogon | lastLogon | Specifies the date and time of the last successful network login. | Date |
| erADLastLogonTimeStamp | lastLogonTimestamp | Specifies the timestamp of the last logon. | Date |
| erADLastSuccIntrLgonTime | msDS-LastSuccessfulInteractiveLogonTime | Specifies the time of the last successful interactive logon. | Date |
| erADLoginScript | scriptPath | Specifies the login script path. | String |
| erADLoginWorkstations | userWorkstations | Specifies a comma-separated list of addresses or names of workstations from which the user can log in. | String |
| erADManager | manager | Specifies the DN of the manager's Active Directory account. | String |
| erADLyncArchPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Archive Policy. From supporting data erADLyncArchivingPolicy. | String |
| erADLyncCVPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Client Version Policy. From supporting data erADLyncClntVerPolicy. | String |
| erADLyncClntPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Client Policy. From supporting data erADLyncClntVerPolicy. | String |
| erADLyncConfPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Conferencing Policy. From supporting data erADLyncClntVerPolicy. | String |
| erADLyncDialPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Dial Plan Policy. From supporting data erADLyncDialPlanPolicy. | String |
| erADLyncExAcPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync External Access Policy. From supporting data erADLyncExtAccPolicy. | String |
| erADLyncLocPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Location Policy. From supporting data erADLyncLocationPolicy. | String |
| erADLyncMobilityPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Mobility Policy. From supporting data erADLyncCMobilityPolicy. | String |
| erADLyncPersistentChatPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Persistent Chat Policy. From supporting data erADCLyncPersistentChatPolicy. | String |
| erADLyncPnPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync PIN Policy. From supporting data erADLyncPinPolicy. | String |
| erADLyncRegPool | | Specifies the Lync Registrar Pool. From supporting data erADLyncPool. | String |
| erADLyncSipAdr | msRTCSIP-PrimaryUserAddress | Specifies the primary SIP address. | String |
| erADLyncTelephony | Managed via Get-CSUser and Set-CSUser | Specifies the Lync telephony setting: 0=PC to PC only; 1=Audio/video disabled; 2=Enterprise Voice; 3=Remote call control; 4=Remote call control only. | Integer |
| erADLyncVoicePolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Voice Pool. From supporting data erADLyncVoicPolicy. | String |
| erADLyncEnable | msRTCSIP-UserEnabled | Specifies whether the Lync account is enabled. | Boolean |
| erADLyncLineURI | msRTCSIP-Line | Specifies the Lync Line URI. | String |
| erADLyncLineSerURI | msRTCSIP-LineServer | Specifies the Lync Line Server URI. | String |
| erADNamePrefix | personalTitle | Specifies the title of the user, for example Ms. or Mr. | String |
| erADNameSuffix | generationQualifier | Specifies the name suffix of the user, for example Jr. or III. | String |
| erADNoChangePassword | Security descriptor on user object in AD | Specifies whether the user can change their password. | String |
| erADOfficeLocations | physicalDeliveryOfficeName | Specifies the office location. | String |
| erADOtherName | middleName | Specifies an additional name for the user, for example the middle name. | String |
| erADPasswordForceChange | pwdLastSet | Specifies whether to force a password change on next login. | Boolean |
| erADPasswordLastChange | pwdLastSet | Specifies the last time that the password was changed. | Date |
| erADPasswordMinimumLength | Null | Specifies the minimum length of the password. | Integer |
| erADPasswordNeverExpires | userAccountControl | Specifies whether a password can never expire. | Boolean |
| erADPasswordRequired | userAccountControl | Specifies whether the password is required. | Boolean |
| erADPrimaryGroup | primaryGroupID | Specifies the primary group ID. | String |
| erADRadiusFramedIPv4Addr | msRASSavedFramedIPAddress | | |
| erADRequireUniquePassword | Null | Specifies whether a new password must be different from the passwords in the password history. | Boolean |
| erADSmartCardRequired | userAccountControl | Specifies whether a smart card is required for login. | Boolean |
| erADTrustedForDelegation | userAccountControl | Specifies that the user can assign responsibility for management and administration of a portion of the domain namespace to another user, group, or organization. | Boolean |
| erADUPN | userPrincipalName | Specifies the principal name for the user account. | String |
| erADWTSAllowLogon | | Specifies whether the user account is allowed to log on to a terminal server. | Boolean |
| erADWTSBrokenTimeout | | Specifies what happens when the connection or idle timers expire or when a connection is lost due to a connection error. | Long |
| erADWTSCallbackNumber | | Citrix ICA clients must specify a null-terminated string that contains the phone number to use for callback connections. | String |
| erADWTSCallbackSettings | | Citrix ICA clients must specify a value that indicates the configuration for dialup connections in which the terminal server hangs up and then calls back the client to establish the connection. Valid values: 1 - The server prompts the user to enter a phone number, and calls the user back at that phone number. You can use the WtsCallbackNumber value to specify a default phone number. 2 - The server automatically calls the user back at the phone number that is specified by the WtsCallbackNumber value. | Integer |
| erADWTSClientDefaultPrinter | | RDP 5.0 clients and Citrix ICA clients must specify whether the client printer is the default printer. | Boolean |
| erADWTSClientDrives | | Citrix ICA clients must specify whether the terminal server automatically establishes client drive mappings at login. | Boolean |
| erADWTSClientPrinters | | RDP 5.0 clients and Citrix ICA clients must specify whether the terminal server automatically establishes client printer mappings at login. | Boolean |
| erADWTSHomeDir | | Specifies a null-terminated string for the path of the home directory of the user for terminal server login. This string can specify a local path or a UNC path (`\\machine\share\path`). | String |
| erADWTSHomeDirAccessShare | | Specifies the user access level to the share on the WTS home directory. | Integer |
| erADWTSHomeDirDrive | | Specifies a null-terminated string for the drive letter to which the UNC path specified in the WtsHomeDir string is mapped. | String |
| erADWTSHomeDirNtfsAccess | | Specifies the NTFS access to the home directory. | String |
| erADWTSHomeDirShare | | Specifies the name of a share to create for the WTS home directory. Append a dollar sign ($) to create a hidden share. | String |
| erADWTSInheritInitialProg | | Specifies whether the client can specify the initial program. If not set, WtsInitialProgram is the only program that the user can run. The terminal server logs off the user when the user exits that program. | Boolean |
| erADWTSInitialProgram | | Specifies a null-terminated string for the path of the initial program that Terminal Services runs when the user logs in. If the WtsInheritInitialProgram value is 1, the initial program can be any program that is specified by the client. | String |
| erADWTSProfilePath | | Specifies a null-terminated string for the path of the profile of the user for terminal server login. | String |
| erADWTSReconnectSettings | | Specifies a value that indicates how a disconnected session for a user can be reconnected. Valid values: 0 - The user can log in to any client computer to reconnect to a disconnected session. Sessions started at clients other than the system console cannot be connected to the system console. Sessions started at the system console cannot be disconnected. 1 - The user can reconnect to a disconnected session by logging on to the client computer used to establish the disconnected session. If the user logs on from a different client computer, the user gets a new login session. | Integer |
| erADWTSRemoteHomeDir | | Specifies the home directory of the user on the Windows Server. | String |
| erADWTSServerName | | | |
| erADWTSShadowSettings | | RDP 5.0 clients and Citrix ICA clients must specify a value that indicates whether the user session can be shadowed. Shadowing allows a user to remotely monitor the on-screen operations of another user. | String |
| erADWTSTimeoutConnections | | Specifies the maximum connection duration, in milliseconds. One minute before the connection timeout interval expires, the user is notified of the pending disconnection. The user session is disconnected or terminated depending on the WtsBrokenTimeout value. Every time the user logs on, the timer is reset. A value of zero indicates that the connection timer is disabled. | String |
| erADWTSTimeoutDisconnections | | Specifies the maximum duration, in milliseconds, that a WTS retains a disconnected session before the login is terminated. A value of zero indicates that the disconnection timer is disabled. | Integer |
| erADWTSTimeoutIdle | | Specifies the maximum idle time, in milliseconds. If there is no keyboard or mouse activity for the specified interval, the user's session is disconnected or terminated depending on the WtsBrokenTimeout value. A value of zero indicates that the idle timer is disabled. | Integer |
| erADWTSWorkingDir | | Specifies a null-terminated string for the path of the working directory for the initial program. | String |
| erCompany | company | Specifies the name of the company that the user works for. | String |
| erDepartment | department | Specifies the department within the company to which the user belongs. | String |
| erDivision | division | Specifies the division within a company (organization) that the employee belongs to. | String |
| erGroup | memberOf | Specifies names of groups. | String |
| erLogonTimes | logonHours | Specifies the time periods for each day of the week during which logins are allowed for the user. Represented as a table of Boolean values for the week, each indicating whether that time slot is a valid login time. | Byte array (Login time, LT) |
| erMaxStorage | maxStorage | Specifies the maximum amount of disk space, in KB, that the user can have. | Long |
| erPassword | Null | Specifies the password for the user account. | String |
| erProfile | profilePath | Specifies the path to the profile of the user. | String |
| eruid | sAMAccountName | Specifies the user ID. | String |
| givenName | givenName | Specifies the given name of the user. | String |
| homePhone | homePhone | Specifies the home telephone number of the user. | String |
| l | l | Specifies the user's city or location (the attribute name is the lowercase letter 'l'). | String |
| mail | mail | Specifies the email address of the user. | String |
| mobile | mobile | Specifies the mobile telephone number of the user. | String |
| pager | pager | Specifies the pager number of the user. | String |
| postalCode | postalCode | Specifies the user's postal code for their address. | String |
| postOfficeBox | postOfficeBox | Specifies the user's post office box. | String |
| sn | sn | Specifies the surname of the user. | String |
| st | st | Specifies the state where the user resides. | String |
| street | streetAddress | Specifies the street address where the user resides. | String |
| telephoneNumber | telephoneNumber | Specifies the work telephone number of the user. | String |
| title | title | Specifies the title of the user. | String |
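Several adapter attributes in the table (erADAllowEncryptedPassword, erADCannotBeDelegated, erADPasswordNeverExpires, erADPasswordRequired, erADSmartCardRequired, erADTrustedForDelegation, erAccountStatus) are all derived from the single userAccountControl bit field, and erADPasswordForceChange/erADPasswordLastChange, erADIsAccountLocked and erADExpirationDate come from pwdLastSet, lockoutTime and accountExpires. The following added example (not the IBM adapter's code) shows how a reconciliation or audit script can derive those form attributes from a raw AD entry and flag the values that weaken the account; the bit values and the FILETIME epoch are Microsoft-documented constants, the sample entry is constructed, and the erAccountStatus encoding is an assumption because the page does not state it.

```python
"""Derive Table 1's userAccountControl-based adapter attributes from an AD entry."""
from datetime import datetime, timezone

# userAccountControl bit flags (Microsoft-documented values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_SMARTCARD_REQUIRED = 0x40000
UAC_TRUSTED_FOR_DELEGATION = 0x80000
UAC_NOT_DELEGATED = 0x100000

NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # accountExpires sentinels for "never"
FILETIME_EPOCH_DIFF = 116444736000000000  # 100 ns ticks between 1601 and 1970

# Adapter values that weaken the account's posture and deserve a review finding.
RISKY = {
    "erADPasswordNeverExpires": True,
    "erADPasswordRequired": False,
    "erADTrustedForDelegation": True,
    "erADAllowEncryptedPassword": True,   # reversible (cleartext-recoverable) storage
}


def filetime_to_datetime(ticks):
    """Convert an AD Integer8 timestamp (100 ns ticks since 1601-01-01 UTC)."""
    return datetime.fromtimestamp((ticks - FILETIME_EPOCH_DIFF) / 10_000_000,
                                  tz=timezone.utc)


def adapter_view(entry):
    """Map raw AD attribute values to the adapter attribute names in Table 1."""
    uac = int(entry.get("userAccountControl", 0))
    pwd_last_set = int(entry.get("pwdLastSet", 0))
    lockout = int(entry.get("lockoutTime", 0))
    expires = int(entry.get("accountExpires", 0))
    return {
        # Assumed encoding: the page does not state how erAccountStatus is coded.
        "erAccountStatus": "disabled" if uac & UAC_ACCOUNTDISABLE else "enabled",
        "erADAllowEncryptedPassword": bool(uac & UAC_ENCRYPTED_TEXT_PWD_ALLOWED),
        "erADCannotBeDelegated": bool(uac & UAC_NOT_DELEGATED),
        "erADPasswordNeverExpires": bool(uac & UAC_DONT_EXPIRE_PASSWORD),
        "erADPasswordRequired": not (uac & UAC_PASSWD_NOTREQD),
        "erADSmartCardRequired": bool(uac & UAC_SMARTCARD_REQUIRED),
        "erADTrustedForDelegation": bool(uac & UAC_TRUSTED_FOR_DELEGATION),
        # pwdLastSet of 0 means "user must change password at next logon".
        "erADPasswordForceChange": pwd_last_set == 0,
        "erADPasswordLastChange": None if pwd_last_set == 0
        else filetime_to_datetime(pwd_last_set),
        "erADIsAccountLocked": lockout != 0,
        "erADExpirationDate": None if expires in NEVER_EXPIRES
        else filetime_to_datetime(expires),
    }


def review_findings(view):
    """Return the adapter attributes whose current value matches a RISKY setting."""
    return sorted(name for name, bad in RISKY.items() if view[name] == bad)


# Constructed sample entry: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | TRUSTED_FOR_DELEGATION,
# password must be changed at next logon, not locked, never expires.
SAMPLE_ENTRY = {
    "userAccountControl": 0x0200 | UAC_DONT_EXPIRE_PASSWORD | UAC_TRUSTED_FOR_DELEGATION,
    "pwdLastSet": 0,
    "lockoutTime": 0,
    "accountExpires": 0x7FFFFFFFFFFFFFFF,
}

if __name__ == "__main__":
    view = adapter_view(SAMPLE_ENTRY)
    for name, value in view.items():
        print(f"{name}: {value}")
    print("findings:", review_findings(view))
```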