Microsoft Active Directory account form attributes
The following table lists the mapping of the user account form attributes on IBM®® Security Identity Manager to the attributes on the Active Directory.
Adapter Attribute | Active Directory Attribute | Description | Syntax |
---|---|---|---|
cn erADFullName Note: erADFullName is used only if cn is not specified
|
cn |
Specifies the full name of the user (given name and surname). |
String |
description | description | Specifies the description for the user. | String |
erAccountStatus | userAccountControl | ||
erADAllowDialin | msNPAllowDialin | Specifies whether the user can Dial in to the network | Boolean |
erADAllowEncryptedPassword | userAccountControl | Specifies whether encrypted passwords are allowed. | Boolean |
erADBadLoginCount | badPwdCount |
Specifies the number of invalid login attempts that are allowed since the last reset. |
Long |
erADCallbackNumber | msRADIUSCallbackNumber |
Specifies the callback number for remote access services that is used when DialinCallBack is set to fixed. |
String |
erADCannotBeDelegated | userAccountControl |
Specifies that this account cannot be assigned for delegation by another account. |
Boolean |
erADContainer | DN of container |
Specifies the Relative Distinguished Name (RDN) of a container object in which to create the user account. The container is relative to the basepoint. |
RN string |
erADCountryCode | countryCode | Specifies the country where the user resides. | Integer |
erADDialinCallback | msRADIUSServiceType |
Sets the Dial-in Callback for the user. 1 - No Callback 2 - Fixed callback using erADCallbackNumber 3 - This option is not used 4 - User supplied callback |
Integer |
erADDisplayName | displayName | Specifies the Active Directory displayName attribute. | String |
erADDistinguishedName | distinguishedName |
Specifies the distinguished name of the account on the Active Directory. |
String |
erADEActiveSyncEnabled | msExchOmaAdminWirelessEnable |
Specifies the distinguished name of the account on the Active Directory. |
Boolean |
erADEAddressBookPolicy | msExchAddressBookPolicyLink | Specified the DN of the Address Book Policy. From supporting data erADEAddrBookPlcy | String |
erADEAlias | mailNickname | Specifies the alias for the Exchange Mailbox. | String |
erADEAllowedAddressList | authOrig | Specifies a list of email IDs that the user accepts mail from. | String |
erADEAllowPermTo1Level | msExchMailboxSecurityDescriptor | Specifies if permission is inherited | Boolean |
erADEApplyOntoAllow | msExchMailboxSecurityDescriptor |
Specifies a Allow permission |
Boolean |
erADEApplyOntoDeny | msExchMailboxSecurityDescriptor | Specifies Deny permission | Boolean |
erADEAssociatedExtAcc | msExchMailboxSecurityDescriptor |
Specifies whether the user has associated external account permission. |
Boolean |
erADEAutoGenEmailAddrs | msExchPoliciesExcluded |
Specifies whether the recipient update services updates the email address. |
Boolean |
erADEChgPermissions | msExchMailboxSecurityDescriptor | Specifies whether to change the user's Mailbox permission. | Integer |
erADEConnectToMailbox | Not mapped – write only | Specify DN of disconnected mailbox to connect to user. From supporting data erADEConnectToMailbox | String |
erADEDaysBeforeGarbage | garbageCollPeriod |
Specifies the number of days that deleted mail is retained before it is permanently deleted. |
Integer |
erADEDelegates | publicDelegates |
Specifies the list of all users that have access to the Exchange Mailbox. |
String |
erADEDelMailboxStorage | msExchMailboxSecurityDescriptor |
Specifies whether the user has delete Mailbox storage permission. |
Integer |
erADEDenyPermTo1Level | msExchMailboxSecurityDescriptor | Specifiis whether deny permission is inherited | Boolean |
erADEEnableRetentionHold | msExchELCMailboxFlags | Specifies whether retention hold is enabled | Boolean |
erADEEnableStoreDeflts | mDBUseDefaults |
Specifies whether to use only default store values for storage limits, or to use other properties that pertain to the Mailbox. |
Boolean |
erADEEndRetentionHold | msExchELCExpirySuspensionEnd | Specifies whether to enable or disable Retention Hold. | Boolean |
erADEExtension1 | extensionAttribute1 | Specifies a user-defined extension attribute. | String |
erADEExtension10 | extensionAttribute10 | Specifies a user-defined extension attribute. | String |
erADEExtension11 | extensionAttribute11 | Specifies a user-defined extension attribute. | String |
erADEExtension12 | extensionAttribute12 | Specifies a user-defined extension attribute. | String |
erADEExtension13 | extensionAttribute13 | Specifies a user-defined extension attribute. | String |
erADEExtension14 | extensionAttribute14 | Specifies a user-defined extension attribute. | String |
erADEExtension15 | extensionAttribute15 | Specifies a user-defined extension attribute. | String |
erADEExtension2 | extensionAttribute2 | Specifies a user-defined extension attribute. | String |
erADEExtension3 | extensionAttribute3 | Specifies a user-defined extension attribute. | String |
erADEExtension4 | extensionAttribute4 | Specifies a user-defined extension attribute. | String |
erADEExtension5 | extensionAttribute5 | Specifies a user-defined extension attribute. | String |
erADEExtension6 | extensionAttribute6 | Specifies a user-defined extension attribute. | String |
erADEExtension7 | extensionAttribute7 | Specifies a user-defined extension attribute. | String |
erADEExtension8 | extensionAttribute8 | Specifies a user-defined extension attribute. | String |
erADEExtension9 | extensionAttribute9 | Specifies a user-defined extension attribute. | String |
erADEForwardingStyle | deliverAndRedirect |
Specifies whether email is also delivered to an alternate email address. |
String |
erADEForwardTo | altRecipient | Specifies the URL where email is to be forwarded. | String |
erADEFullMailboxAccess | msExchMailboxSecurityDescriptor |
Specifies whether the user has full Mailbox access permission. 1=Allow 2=Deny 0 or no value=None |
Integer |
erADEGarbageAfterBckp | deletedItemFlags |
Specifies whether deleted messages can be permanently deleted after the Mailbox is backed up. |
Boolean |
erADEHardLimit | mDBOverHardQuotaLimit |
Specifies the maximum Mailbox size in KB when sending and receiving email is disabled. |
Integer |
erADEHideFromAddrsBk | msExchHideFromAddressLists |
Specifies whether the address is displayed in the address book. |
Boolean |
erADEHomeMDB | homeMDB | Specifies the URL of the store for the recipient. | String |
erADEIMAP4Enabled | protocolSettings | Specifies whether to enable or disable MAPI support. | Boolean |
erADEIMAP4Format | protocolSettings |
Specifies the IMAP4 format. 0=Text 1=HTML 2=HTML and alternative text 3=Enriched Text 4=Enriched Text and alterative text 5=Best body format 6=TNEF |
Integer |
erADEIMAP4FormatUseDefault | protocolSettings | Specifies whether to use the default IMAP4 format | Boolean |
erADEIncomingLimit | delivContLength | Specifies the max incoming message size | Integer |
erADELanguages | language | Specifies languages | String |
erADEMailboxFolderPolicy | msExchMailboxTemplateLink | Specifies DN of Mailbox folder policy. From supporting data erADMBFldPolicy objects | String |
erADEMailboxStore | homeMDB | Specifies DN of mailbox store of the mailbox | |
erADEMailboxUMExtensions | null | Specifies a list of Unified Messaging extension numbers | String |
erADEMailboxUMPolicy | msExchUMTemplateLink | Specifies the Unified Messaging policy. From supporting data erADMBUMPolicy objects | String |
erADEMAPIBlockOutlookRpcHttp | protocolSettings | Specifies whether to block Outlook Rpc | Boolean |
erADEMAPIEnabled | protocolSettings | Specifies whether MAPI is enabled | Boolean |
erADEmployeeID | employeeID | Specifies the user's employee identifier. | String |
erADEmployeeNumber | employeeNumber | Specifies the employee number | String |
erADEMsOwaPolicy | msExchOWAPolicy | Specfies the OWA Policy | String |
erADEOutgoingLimit | submissionContLength |
Specifies the maximum size in KB of a message that is sent from the recipient. |
Integer |
erADEOutlookWebAccessEnabled | protocolSettings | Specifies whether to enable or disable Outlook Web Access. | Boolean |
erADEOverQuotaLimit | mDBOverQuotaLimit |
Specifies the maximum size of a Mailbox in KB before sending messages is suspended. |
Integer |
erADEOverrideGarbage | deletedItemFlags |
Specifies whether the store is prevented from permanently deleting messages. |
Boolean |
erADEPOP3Enabled | protocolSettings | Specifies whether POP3 is enabled | Boolean |
erADEPOP3FormatUseDefault | protocolSettings | Specifies whether the default POP3 format is used | Boolean |
erADEPOP3Format | protocolSettings |
Specifies the POP3 format 0=Text 1=HTML 2=HTML and alternative text 3=Enriched Text 4=Enriched Text and alterative text 5=Best body format 6=TNEF |
Integer |
erADEProxyAddresses | proxyAddresses | Specifies a list of proxy addresses for the recipient. | String |
erADEReadPermissions | msExchMailboxSecurityDescriptor |
Specifies whether the user has read Mailbox permission. 1=Allow 2=Deny 0 or no value=None |
Integer |
erADERecipientLimit | msExchRecipLimit |
Specifies the maximum number of people to whom the recipient can send email. |
Integer |
erADERemoteAddress | targetAddress | Specifies the target address for a Mail enabled user. (Enable-MailUser) | String |
erADERstrctAdrsFg | No longer used | ||
erADERstrctAdrsLs | authOrig/unauthOrig | Specifies a list of email addresses to reject mail from. | String |
erADEServerName | Null | Specifies the name of the Microsoft Exchange Server. | String |
erADEShowInAddrBook | showInAddressBook |
Specifies the list of address books that the user is a member of. |
String |
erADESMTPEmail |
Specifies the primary SMTP address that is used for the recipient. |
String | |
erADEStartRetentionHold | msExchELCExpirySuspensionStart | Specifies the date to start retention hold. | Date |
erADEStoreQuota | mDBStorageQuota |
Specifies a limit when the recipient receives a warning for exceeding their mail file storage allocation. |
Integer |
erADETakeOwnership | msExchMailboxSecurityDescriptor |
Specifies whether the user has take Mailbox ownership permission. |
Integer |
erADETargetAddress | targetAddress | Specifies the external email address to be used by the user. | String |
erADEX400Email | textEncodedORAddress |
Specifies the primary X.400 address that is used for the recipient. |
String |
erADExDialin | msNPAllowDialin | Specifies whether to allow dialin | Boolean |
erADExpirationDate | accountExpires |
Specifies the date and time after which the user cannot log in. |
Date |
erADFailIntrLgonCnt | msDS-FailedInteractiveLogonCount | Specifies the failed interactive logon count. Read only | Integer |
erADfax | facsimileTelephoneNumber | Specifies the fax numbers of the user. | String |
erADFlIntrLgonCntAtLastSucLgon | msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon | Specifies the failed interactive logon count at the last successful logon | Integer |
erADHomeDir | homeDirectory |
Specifies a null-terminated string that contains the path of the user's home directory. This string can specify a local path or a UNC path. For example: \\machine\share\path |
String |
erADHomeDirAccessShare | File system | Specifies the user access level on the share. | String |
erADHomeDirDrive | homeDrive |
Specifies the drive letter to assign to a UNC-based home directory. |
String |
erADHomeDirNtfsAccess | File system |
Specifies the NTFS security level for the home directory of the user. |
String |
erADHomeDirShare | File system |
Specifies the name of the share to create for home directory. Append a dollar sign ($) to create a hidden share. |
String |
erADHomePage | wWWHomePage | Specifies the URL for the home page of the user. | String |
erADInitial | initials | Specifies the middle initials of the name of the user. | String |
erADIsAccountLocked | lockoutTime |
Specifies whether the account is locked because of intruder detection. |
Boolean |
erADLastFailedLogin | badPasswordTime | Specifies the date and time of the last failed network login. | Date |
erADLastFailIntrLgonTime | msDS-LastFailedInteractiveLogonTime | ||
erADLastLogoff | lastLogoff | Specifies the date and time of the last network logoff. | Date |
erADLastLogon | lastLogon |
Specifies the date and time of the last successful network login. |
Date |
erADLastLogonTimeStamp | lastLogonTimestamp | Specifies the timestamp of the last logon | Date |
erADLastSuccIntrLgonTime | msDS-LastSuccessfulInteractiveLogonTime | Specifies the time of the last successful interactive logon | Date |
erADLoginScript | scriptPath | Specifies the login script path. | String |
erADLoginWorkstations | userWorkstations |
Specifies a comma-separated list of addresses or names of workstations from which the user can log in to. |
String |
erADManager | manager | Specifies the DN of the manager's Active Directory account. | String |
erADLyncArchPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Archive Policy. From supporting data erADLyncArchivingPolicy | String |
erADLyncCVPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Client Version Policy. From supporting data erADLyncClntVerPolicy | String |
erADLyncClntPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Client Policy. From supporting data erADLyncClntVerPolicy | String |
erADLyncConfPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Conferencing Policy. From supporting data erADLyncClntVerPolicy | String |
erADLyncDialPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Dial Plan Policy. From supporting data erADLyncDialPlanPolicy | String |
erADLyncExAcPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync External Access Policy. From supporting data erADLyncExtAccPolicy | String |
erADLyncLocPolicy | Managed via Get-CSUser and Set-CSUser | Specifies the Lync Location Policy. From supporting data erADLyncLocationPolicy | String |
erADLyncMobilityPolicy | Managed via Get-CSUser and Set-CSUser |
Specifies the Lync Mobility Policy. From supporting data erADLyncCMobilityPolicy |
String |
erADLyncPersistentChatPolicy | Managed via Get-CSUser and Set-CSUser |
Specifies the Lync Persistent Chat Policy. From supporting data erADCLyncPersistentChatPolicy |
String |
erADLyncPnPolicy | Managed via Get-CSUser and Set-CSUser |
Specifies the Lync PIN® Policy. From supporting data erADLyncPinPolicy |
String |
erADLyncRegPool |
Specifies the Lync Registrar Pool. From supporting data erADLyncPool |
String | |
erADLyncSipAdr | msRTCSIP-PrimaryUserAddress | Specfies the primary SIP address | String |
erADLyncTelephony | Managed via Get-CSUser and Set-CSUser |
Specifies the Lync Telephony setting 0=PC to PC only 1=Audio/video disabled 2=Enterprise Voice 3=Remote call control 4=Remote call control only |
Integer |
erADLyncVoicePolicy | Managed via Get-CSUser and Set-CSUser |
Specifies the Lync Voice Pool. From supporting data erADLyncVoicPolicy |
String |
erADLyncEnable | msRTCSIP-UserEnabled | Specifies whether the Lync account is enabled | Boolean |
erADLyncLineURI | msRTCSIP-Line | Specifies Lync Line URI | String |
erADLyncLineSerURI | msRTCSIP-LineServer | Specifies the Lync Line Server URI | String |
erADManager | Specifies the DN of the manager's Active Directory account. | String | |
erADNamePrefix | personalTitle | Specifies the title of the user, for example Ms. or Mr. | String |
erADNameSuffix | generationQualifier | Specifies the name suffix of the user, for example Jr., or III. | String |
erADNoChangePassword | Security descriptor on user object in AD | Specifies whether the user can change their password. | String |
erADOfficeLocations | physicalDeliveryOfficeName | Specifies the office location. | String |
erADOtherName | middleName |
Specifies an additional name, for example, the middle name, for the user. |
String |
erADPasswordForceChange | pwdLastSet | Specifies whether to force a password change on next login. | Boolean |
erADPasswordLastChange | pwdLastSet | Specifies the last time that the password was changed. | Date |
erADPasswordMinimumLength | Null | Specifies the minimum length of the password. | Integer |
erADPasswordNeverExpires | userAccountControl | Specifies whether a password can never expire. | Boolean |
erADPasswordRequired | userAccountControl | Specifies whether the password is required. | Boolean |
erADPrimaryGroup | primaryGroupID | Specifies the primary group ID. | String |
erADRadiusFramedIPv4Addr | msRASSavedFramedIPAddress | ||
erADRequireUniquePassword | Null |
Specifies whether a new password must be different from those passwords in the password history. |
Boolean |
erADSmartCardRequired | userAccountControl | Specifies whether a smart card is required for login. | Boolean |
erADTrustedForDelegation | userAccountControl |
Specifies that the user can assign responsibility for management and administration of a portion of the domain namespace to another user, group, or organization. |
Boolean |
erADUPN | userPrincipalName | Specifies the principal name for the user account. | String |
erADWTSAllowLogon |
Specifies whether the user account is allowed to log on to a terminal server. |
Boolean | |
erADWTSBrokenTimeout |
Specifies what happens when the connection or idle timers expire or when a connection is lost due to a connection error. |
Long | |
erADWTSCallbackNumber |
Citrix ICA clients must specify a null-terminated string that contains the phone number to use for callback connections. |
String | |
erADWTSCallbackSettings |
Citrix ICA clients must specify a value that indicates the configuration for dialup connections in which the terminal server hangs up and then calls back the client to establish the connection. Valid values indicate: 1 - The server prompts the user to enter a phone number, and calls the user back at that phone number. You can use the WtsCallbackNumber value to specify a default phone number. 2 - The server automatically calls the user back at the phone number that is specified by the WtsCallbackNumber value. |
Integer | |
erADWTSClientDefaultPrinter |
RDP 5.0 clients and Citrix ICA clients must specify whether the client printer is the default printer. |
Boolean | |
erADWTSClientDrives |
Citrix ICA clients must specify whether the terminal server automatically establishes client drive mappings at login. |
Boolean | |
erADWTSClientPrinters |
RDP 5.0 clients and Citrix ICA clients must specify whether the terminal server automatically establishes client printer mappings at login. |
Boolean | |
erADWTSHomeDir |
Specifies a null-terminated string for the path of the home directory of the user for terminal server login. This string can specify a local path or a UNC path (\\machine\share\path). |
String | |
erADWTSHomeDirAccessShare |
Specifies the user access level to the share on the WTS home directory. |
Integer | |
erADWTSHomeDirDrive |
Specifies a null-terminated string for a drive letter to which the UNC path specified in the WtsHomeDir string is mapped |
String | |
erADWTSHomeDirNtfsAccess | Specifies the NTFS access to the home directory. | String | |
erADWTSHomeDirShare |
Specifies the name of a share to create the WTS home directory. Append a dollar sign ($) to create a hidden share. |
String | |
erADWTSInheritInitialProg |
Specifies whether the client can specify the initial program. If not set, WtsInitialProgram is the only program that the user can run. The terminal server logs off the user when the user exits that program. |
Boolean | |
erADWTSInitialProgram |
Specifies a null-terminated string for the path of the initial program that Terminal Services runs when the user logs in. If the WtsInheritInitialProgram value is 1, the initial program can be any program that is specified by the client. |
String | |
erADWTSProfilePath |
Specifies a null-terminated string for the path of the profile of the user for terminal server login. |
String | |
erADWTSReconnectSettings |
Specifies a value that indicates how a disconnected session for a user can be reconnected. Valid values indicate: 0 - The user can log in to any client computer to reconnect to a disconnected session. Sessions started at clients other than the system console cannot be connected to the system console. Sessions started at the system console cannot be disconnected. 1 - The user can reconnect to a disconnected session by logging on to the client computer used to establish the disconnected session. If the user logs on from a different client computer, the user gets a new login session. |
Integer | |
erADWTSRemoteHomeDir |
Specifies the home directory of the user on the Windows Server. |
String | |
erADWTSServerName | |||
erADWTSShadowSettings |
RDP 5.0 clients and Citrix ICA clients must specify a value that indicates whether the user session can be shadowed. Shadowing allows a user to remotely monitor the on-screen operations of another user. |
String | |
erADWTSTimeoutConnections |
Specifies a value that specifies the maximum connection duration, in milliseconds. One minute before the connection timeout interval expires, the user is notified of the pending disconnection. The user session is disconnected or terminated depending on the WtsBrokenTimeout value. Every time the user logs on, the timer is reset. A value of zero indicates that the connection timer is disabled. |
String | |
erADWTSTimeoutDisconnections |
Specifies the maximum duration, in milliseconds, that a WTS retains a disconnected session before the login is terminated. A value of zero indicates that the disconnection timer is disabled. |
Integer | |
erADWTSTimeoutIdle |
Specifies the maximum idle time, in milliseconds. If there is no keyboard or mouse activity for the specified interval, the user's session is disconnected or terminated depending on the WtsBrokenTimeout value. A value of zero indicates that the idle timer is disabled. |
Integer | |
erADWTSWorkingDir |
Specifies a null-terminated string for the path of the working directory for the initial program |
String | |
erCompany | company | Specifies the name of the company that the user works for. | String |
erDepartment | department |
Specifies the department within the company to which the user belongs. |
String |
erDivision | division |
Specifies the division within a company (organization) that the employee belongs to. |
String |
erGroup | memberOf | Specifies names of groups. | String |
erLogonTimes | logonHours |
Specifies the time periods for each day of the week during which logins are allowed for the user. Represented as a table of Boolean values for the week, each indicating whether that time slot is a valid login time. |
Byte array Login time (LT) |
erMaxStorage | maxStorage |
Specifies the maximum amount of disk space, in KB, that the user can have. |
Long |
erPassword | Null | Specifies the password for the user account. | String |
erProfile | profilePath | Specifies the path to the profile of the user. | String |
eruid | sAMAccountName | Specifies the user ID. | String |
givenName | givenName | Specifies the given name of the user. | String |
homePhone | homePhone | Specifies the home telephone number of the user. | String |
l | l |
Specifies the user's city or location (shown as the lowercase letter 'l'). |
String |
Specifies the email address of the user. | String | ||
mobile | mobile | Specifies the mobile telephone number of the user. | String |
pager | pager | Specifies the pager number of the user. | String |
postalCode | postalCode | Specifies the user's postal code for their address | String |
postOfficeBox | postOfficeBox | Specifies the user's Post Office Box | String |
sn | sn | Specifies the surname of the user. | String |
st | st | Specifies the state where the user resides. | String |
street | streetAddress | Specifies the street address where the user resides. | String |
telephoneNumber | telephoneNumber | Specifies the work telephone number of the user. | String |
title | title | Specifies the title of the user. | String |