Object in Active Directory

Definition of object in Active Directory in Network Encyclopedia.

What is Object (in Active Directory)?

An object is the basic element of Active Directory in the Microsoft Windows Server family. It represents something on the network, such as a user, a group, a computer, an application, a printer, or a shared folder.

How It Works

Objects have attributes that define and describe them. For example, the attributes of a user object might include the user’s name, e-mail address, and phone number. All objects of the same type or class have the same set of attributes, but they are distinguished from each other by having different values for at least one of these attributes. Some attributes are required to have values (such as the First Name attribute of a user object), while other attributes can be optional (such as Telephone Number).

Figure: Creating new objects in Active Directory

You can group objects by placing them into container objects (containers) such as the following:

  • Domains: The fundamental units of Active Directory that share common administration, security, and replication requirements. Domains can also be grouped into domain trees and forests to reflect the administrative structure of an enterprise. 
  • Organizational units (OUs): Container objects that are used to organize other directory objects. OUs make possible the hierarchical structure of Active Directory, in which objects are grouped according to common functions and purposes to simplify network administration. The hierarchical grouping of objects and OUs also simplifies the process of searching Active Directory for information about network resources. 

Access to an object in Active Directory is based on the object’s discretionary access control lists (DACLs), which list the users and groups authorized to access the object and their access levels. You can group objects with similar security requirements into OUs to simplify assignment of permissions to the objects and to facilitate administration and control of network resources.
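The following Python model illustrates the two points above: how a DACL is walked when a principal requests access, and why placing objects with similar security requirements into one OU simplifies permission assignment (the OU's inheritable entries propagate to every child object). This is an added example, not code from the encyclopedia entry or from Windows; the group names, permission names and DACLs are constructed for the demonstration, and the evaluation order (explicit deny, explicit allow, inherited deny, inherited allow) follows the canonical ACE ordering Windows uses.

```python
"""Toy model of DACL evaluation on an Active Directory object.

Added example, not part of the original entry. ACE rights are named after
real AD permissions, but every trustee name and DACL below is constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Ace:
    kind: str                  # "allow" or "deny"
    trustee: str               # user or group the entry applies to (constructed names)
    rights: frozenset          # permission names, e.g. {"ReadProperty"}
    inherited: bool = False    # True once propagated from the containing OU
    inheritable: bool = False  # on an OU: propagate this entry to child objects


def canonical_order(dacl):
    """Windows keeps ACEs in canonical order: explicit deny, explicit allow,
    inherited deny, inherited allow. sorted() is stable, so ties keep list order."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))


def effective_dacl(ou_dacl, object_dacl):
    """The DACL an object ends up with: its own explicit entries plus the
    inheritable entries of the OU that contains it, flagged as inherited."""
    propagated = [replace(a, inherited=True, inheritable=False)
                  for a in ou_dacl if a.inheritable]
    return canonical_order(list(object_dacl) + propagated)


def access_check(dacl, principal_ids, requested):
    """Walk the DACL in canonical order. A matching deny that covers any
    requested right still outstanding refuses access; matching allows remove
    rights from the outstanding set until nothing is left. An empty DACL
    grants nothing."""
    outstanding = set(requested)
    for ace in canonical_order(dacl):
        if ace.trustee not in principal_ids:
            continue
        if ace.kind == "deny" and ace.rights & outstanding:
            return False
        if ace.kind == "allow":
            outstanding -= ace.rights
        if not outstanding:
            return True
    return not outstanding


# Constructed scenario: one OU holds all help-desk-managed user objects, so the
# reset-password right is granted once on the OU instead of on every user.
HELPDESK_OU_DACL = [
    Ace("allow", "HelpDesk Staff", frozenset({"ReadProperty", "ResetPassword"}), inheritable=True),
    Ace("allow", "Authenticated Users", frozenset({"ReadProperty"}), inheritable=True),
]

# One user object in that OU carries an explicit deny for a contractor group.
CONTRACTOR_USER_DACL = [
    Ace("deny", "Contractors", frozenset({"ResetPassword"})),
]


def demo():
    """Evaluate a few constructed principals against the contractor user object."""
    dacl = effective_dacl(HELPDESK_OU_DACL, CONTRACTOR_USER_DACL)
    return {
        # inherited allow from the OU is enough
        "helpdesk_can_reset": access_check(dacl, {"HelpDesk Staff", "Authenticated Users"}, {"ResetPassword"}),
        # explicit deny on the object is evaluated before the inherited allow
        "contractor_helpdesk_can_reset": access_check(
            dacl, {"HelpDesk Staff", "Contractors", "Authenticated Users"}, {"ResetPassword"}),
        "authenticated_can_read": access_check(dacl, {"Authenticated Users"}, {"ReadProperty"}),
        # no allow entry covers this right, so it stays outstanding
        "authenticated_can_reset": access_check(dacl, {"Authenticated Users"}, {"ResetPassword"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model deliberately stops at the first matching deny and at the point where every requested right has been granted, which is why an explicit allow on the object can still win over a deny inherited from its OU: the inherited entries sort after the explicit ones.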

You can assign permissions to objects by using Active Directory Users and Computers, a snap-in for Microsoft Management Console (MMC).

Objects can be referenced by name using either of the following:

  • Distinguished names: Analogous to absolute paths of objects within a file system. The distinguished name of an object specifies complete information about the object’s location within Active Directory and includes the domain name, names of OUs that it belongs to, and the name of the object itself. Each object in Active Directory must have a unique distinguished name. 
  • Relative distinguished names: Analogous to relative paths of objects in the current directory of a file system. The relative distinguished name of an object is the portion of the distinguished name that is unique to the object. Any two objects in the same OU must have different relative distinguished names. 
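As an added example (not code from the encyclopedia entry or from Microsoft), the Python below parses distinguished names into their relative distinguished names, recovers the containing OU from a DN, and checks the rule that two objects in the same container may not share a relative distinguished name. It assumes the LDAP DN escaping rules of RFC 4514 (a backslash escapes a comma, and a backslash followed by two hex digits encodes one UTF-8 byte) and that, as in Active Directory, name comparison is case-insensitive; the sample DNs are constructed.

```python
"""Parse Active Directory distinguished names (LDAP DN syntax, RFC 4514).

Added example; the DNs below are constructed for the demonstration.
"""
from __future__ import annotations

HEX = set("0123456789abcdefABCDEF")


def split_rdns(dn: str) -> list[str]:
    """Split a DN at unescaped commas. A backslash escapes the next character
    (or introduces a two-digit hex byte), so 'CN=Smith\\, John' stays one RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair intact for unescape()
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return rdns


def unescape(value: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2c' -> ',' (hex pairs are UTF-8 bytes)."""
    out, i = bytearray(), 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:
                out.append(int(pair, 16))
                i += 3
            else:
                out.extend(value[i + 1].encode("utf-8"))
                i += 2
            continue
        out.extend(ch.encode("utf-8"))
        i += 1
    return out.decode("utf-8")


def parse_rdn(rdn: str) -> tuple[str, str]:
    """'CN=Smith\\, John' -> ('cn', 'Smith, John'). Attribute types are case-insensitive."""
    attr, sep, value = rdn.partition("=")
    if not sep:
        raise ValueError(f"RDN without '=': {rdn!r}")
    value = value.lstrip(" ")
    while value.endswith(" ") and not value.endswith("\\ "):  # unescaped trailing spaces are insignificant
        value = value[:-1]
    return attr.strip().lower(), unescape(value)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Leftmost RDN first (the object itself), then its containers up to the domain."""
    return [parse_rdn(r) for r in split_rdns(dn)]


def normalize(dn: str) -> tuple[tuple[str, str], ...]:
    """Comparison form: AD name matching is case-insensitive for types and values."""
    return tuple((attr, value.casefold()) for attr, value in parse_dn(dn))


def rdn_of(dn: str) -> tuple[str, str]:
    """The relative distinguished name: the part unique to the object within its container."""
    return parse_dn(dn)[0]


def parent_of(dn: str) -> str:
    """DN of the container holding the object (the DN minus its first RDN)."""
    return ",".join(split_rdns(dn)[1:])


def find_rdn_collisions(dns: list[str]) -> list[tuple[str, str]]:
    """Two objects in the same container may not share an RDN. Two DNs that
    normalize to the same value have the same RDN under the same parent."""
    seen: dict[tuple, str] = {}
    collisions = []
    for dn in dns:
        key = normalize(dn)
        if key in seen:
            collisions.append((seen[key], dn))
        else:
            seen[key] = dn
    return collisions


# Constructed sample: the first two name the same object (different escaping and
# case); the third has the same RDN but lives in a different OU, which is allowed.
SAMPLE_DNS = [
    "CN=Smith\\, John,OU=Sales,DC=example,DC=com",
    "cn=smith\\2c john,ou=sales,dc=example,dc=com",
    "CN=Smith\\, John,OU=Marketing,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(rdn_of(dn), "in", parent_of(dn))
    print("collisions:", find_rdn_collisions(SAMPLE_DNS))
```

Multi-valued RDNs (joined with `+`) are not handled here; a practitioner validating names fed to a provisioning tool would add that case, but the escaping and case-folding above are where most hand-written DN comparisons go wrong.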

The most common types of objects in Active Directory are as follows:

  • User account objects: Required for users to log on to the network. 
  • Group objects: Collections of user accounts, computers, or other groups created for organizational purposes or for assigning permissions to shared resources. 
  • Computers: Represent machines that belong to the domain. 
  • Shared folders: Pointers to shared folders on a server on the network. If you create a shared folder on a computer running Windows 2000, an associated shared folder object is automatically created in Active Directory. 
  • Printers: Pointers to printers on the network. If you create a network printer on a machine running Windows 2000, an associated printer object is automatically created in Active Directory. 
  • OUs: Containers for organizing other objects in a hierarchical fashion.


  • When you use Active Directory Users and Computers to view the property sheet for an object, the Security tab, which displays the Active Directory permissions assigned to that object, is usually not visible. Choose Advanced Features from the View menu to make this tab visible.
  • If you have resources such as shared folders or printers on computers that are not running Windows 2000, you must manually publish information about these resources in Active Directory if you want users to be able to locate and access them through Active Directory. You do this by adding the appropriate type of object for that resource to Active Directory and having it point to where the resource is located on the network.
  • When you create a new Active Directory object, you usually use a wizard to specify values for the important attributes of the object. You can specify other attributes after the object is created by opening the property sheet for that object.