Object of type "Account" in AD 2008R2: What is it?

    Question

  • In reviewing our AD users OU, we found an object of type "Account" with a DN of CN=LDAP Bind,OU=Domain Users,DC=mydomain,DC=local, and an object category of CN=account,CN=Schema,CN=Configuration,DC=mydomain,DC=local. (This requires advanced features to be enabled in ADUC to view the object.)

    A get-adobject with a filter of objectclass=account will return this object.

    When you view the object in ADUC, it shows no icon next to the object.

    Short version: Users are of type user & have an object type of "user", and this has an object type of "account" - which no one in my office has heard of, nor can I find it from a short Bing search (nor can I find evidence that this object category exists in any Microsoft documentation).

    (Possibly created by Quest Domain Migration Tools?) If this is a computer account per http://hackipedia.org/Protocols/Microsoft%20Windows/Active%20Directory/MS-ADSC%20Active%20Directory%20Schema%20Classes%20(v20080207).pdf p9, then the information on that sheet is incorrect that it ended in AD-2008 (and other computer objects are of class "computer").

    any pointers to determining what this

    Friday, January 13, 2017 5:46 PM

All replies

  • The object also has no SID or SID history and is the only object in the domain that represents itself as objectclass Account.

    get-adobject -filter {objectclass -eq "account"} -properties *

    Returns the object itself and all attributes associated with it.


    Friday, January 13, 2017 6:02 PM
  • Standard AD has never had objectClass Account that I know of. Computer objects have class computer (and user). Sounds like someone, or something, extended the Schema to add this class.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, January 13, 2017 6:14 PM
  • That was our theory as well. We figured we'd shoot it out there in the event that it was something that was normally part of AD that we'd never seen before. I've done some research on some of the technologies we've used here that would have required schema extension, but I'm not finding much in the way of details as to what some of those extensions actually did when they were executed...
    Friday, February 10, 2017 1:15 PM
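
One way to check where a class such as "account" came from is to read its definition in the schema partition and see which other schema objects were created on the same day. The script below is an added example, not part of the original thread; it assumes the ActiveDirectory RSAT module and read access to the schema naming context, and the variable names are illustrative.

```powershell
Import-Module ActiveDirectory

$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$className = 'account'   # lDAPDisplayName of the class seen in the thread

# 1. Find the class definition (a classSchema object) in the schema partition.
$class = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$className))" `
    -Properties whenCreated, whenChanged, governsID, schemaIDGUID, subClassOf, adminDescription

if (-not $class) {
    Write-Warning "No classSchema object named '$className' found in $schemaNC"
    return
}

# governsID is the class OID; its prefix usually identifies who defined the class.
$class | Format-List DistinguishedName, governsID, subClassOf, adminDescription,
    whenCreated, whenChanged,
    @{ Name = 'schemaIDGUID'; Expression = { [guid]$_.schemaIDGUID } }

# 2. List schema objects created on the same day as the class. A schema
#    extension normally adds its classes and attributes in one batch, so the
#    neighbours hint at which product (or the original forest build) added it.
$dayStart = $class.whenCreated.Date
$dayEnd   = $dayStart.AddDays(1)
Get-ADObject -SearchBase $schemaNC `
    -Filter { whenCreated -ge $dayStart -and whenCreated -lt $dayEnd } `
    -Properties whenCreated, lDAPDisplayName, objectClass |
    Sort-Object whenCreated |
    Select-Object whenCreated, lDAPDisplayName,
        @{ Name = 'Type'; Expression = { $_.objectClass[-1] } }

# 3. List every directory object that carries the class, with creation time,
#    to line the instance up against migration or application install dates.
Get-ADObject -LDAPFilter "(objectClass=$className)" `
    -Properties whenCreated, whenChanged, objectClass |
    Select-Object DistinguishedName, whenCreated, whenChanged,
        @{ Name = 'objectClass'; Expression = { $_.objectClass -join ',' } }
```

If the class's whenCreated matches the creation date of the schema container's built-in objects, it arrived with the forest or an adprep schema update rather than with a third-party extension.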