Ldap – ActiveDirectory – LDAP query for objectCategory unexpected results

active-directory, ldap

AD is at 2003 functional level, some of our DC's are running Windows Server 2003, some are 2008, some are 2008 R2.

When using the following query:

(objectCategory=user)

I do not expect to see any result where the objectCategory attribute is equal to
'CN=Person,CN=Schema,CN=Configuration,DC=Contoso'

I expect only objects where the objectCategory attribute is equal to
'CN=User,CN=Schema,CN=Configuration,DC=Contoso'

However, the query does indeed return all objects with the objectCategory attribute equal to
'CN=Person,CN=Schema,CN=Configuration,DC=Contoso'

My question then is this: Why do I see the search results that I do? Does AD actively translate queries that include (objectCategory=user) to (objectCategory=Person)? I have looked at the schema definitions for both the Person and the User class, but I cannot see any reason for the query results as I am experiencing them. I know that the User class is a subclass of the organizationalPerson class, which is a subclass of Person, but I can't see an attribute value that would explain this translation.

Best Answer

The reason you get the person objects is because there is no such category as User. User is a class. By strict definition objectCategory takes a DN attribute. In order to avoid forcing coders to look up the schema DN, the query engine in AD allows you to provide a class and provides the defaultObjectCategory as the expansion. So if you were to look up the schema of User you get this as the defaultObjectCategory:

CN=Person,CN=Schema,CN=Configuration,DC=jimbdom,DC=com

The proper expression to search for users is: "(&(objectClass=user)(objectCategory=person))".
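To make the expansion rule in the answer concrete, here is an added example (not code from the original question or answer) that simulates what the AD query engine does: a class name given as the value of objectCategory is replaced by that class's defaultObjectCategory DN before the comparison. The directory entries, the domain `contoso.com` and the DNs are constructed for the example; the defaultObjectCategory values follow the default AD schema (user, inetOrgPerson and contact all default to Person, computer to Computer, group to Group). Running it shows why `(objectCategory=user)` also returns contacts, why `(objectClass=user)` alone also returns computers, and why the combined filter from the answer returns only user accounts.

```python
"""Simulate AD's expansion of objectCategory=<class> to defaultObjectCategory.

Added example; the directory contents and the domain name are constructed.
"""

SCHEMA_ROOT = "CN=Schema,CN=Configuration,DC=contoso,DC=com"  # assumed forest

# defaultObjectCategory of common structural classes in the default AD schema.
DEFAULT_OBJECT_CATEGORY = {
    "person": f"CN=Person,{SCHEMA_ROOT}",
    "user": f"CN=Person,{SCHEMA_ROOT}",
    "inetorgperson": f"CN=Person,{SCHEMA_ROOT}",
    "contact": f"CN=Person,{SCHEMA_ROOT}",
    "computer": f"CN=Computer,{SCHEMA_ROOT}",
    "group": f"CN=Group,{SCHEMA_ROOT}",
}

# Constructed directory: objectClass holds the full inheritance chain, as AD stores it.
DIRECTORY = [
    {"dn": "CN=alice,OU=Staff,DC=contoso,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": DEFAULT_OBJECT_CATEGORY["user"]},
    {"dn": "CN=bob,OU=Staff,DC=contoso,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "inetOrgPerson"],
     "objectCategory": DEFAULT_OBJECT_CATEGORY["inetorgperson"]},
    {"dn": "CN=vendor,OU=Contacts,DC=contoso,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "contact"],
     "objectCategory": DEFAULT_OBJECT_CATEGORY["contact"]},
    {"dn": "CN=WS01,CN=Computers,DC=contoso,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": DEFAULT_OBJECT_CATEGORY["computer"]},
    {"dn": "CN=Domain Admins,CN=Users,DC=contoso,DC=com",
     "objectClass": ["top", "group"],
     "objectCategory": DEFAULT_OBJECT_CATEGORY["group"]},
]


def expand_object_category(value):
    """A DN is used as-is; a bare class name becomes that class's defaultObjectCategory."""
    if "=" in value:
        return value
    try:
        return DEFAULT_OBJECT_CATEGORY[value.lower()]
    except KeyError:
        raise ValueError(f"no class named {value!r} in the schema") from None


def matches(obj, attr, value):
    """Equality test for one (attr=value) assertion; AD compares these case-insensitively."""
    attr = attr.lower()
    if attr == "objectcategory":
        return obj["objectCategory"].lower() == expand_object_category(value).lower()
    if attr == "objectclass":
        return value.lower() in (c.lower() for c in obj["objectClass"])
    stored = obj.get(attr)
    return stored is not None and str(stored).lower() == value.lower()


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (attr=value), (&...), (|...), (!...)."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1


def evaluate(node, obj):
    op = node[0]
    if op == "=":
        return matches(obj, node[1], node[2])
    if op == "&":
        return all(evaluate(c, obj) for c in node[1])
    if op == "|":
        return any(evaluate(c, obj) for c in node[1])
    return not evaluate(node[1][0], obj)  # "!"


def search(filter_text, directory=DIRECTORY):
    """Return the DNs in the directory that match the filter, after expansion."""
    node = parse_filter(filter_text)
    return [o["dn"] for o in directory if evaluate(node, o)]


if __name__ == "__main__":
    for f in ("(objectCategory=user)", "(objectClass=user)",
              "(&(objectClass=user)(objectCategory=person))"):
        print(f, "->", search(f))
```

The three runs illustrate the trade-off: `(objectCategory=user)` is indexed and fast but, after expansion to `CN=Person,...`, sweeps in contacts and inetOrgPerson entries; `(objectClass=user)` also matches computer accounts because computer inherits from user; only the combined filter isolates user accounts, which matters when the query feeds an audit, an access review or a detection rule that should not count machines or mail contacts as people.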