 

Is there any Primary Key (or) Unique Key is present in Active Directory?

I am running the below command from PowerShell:

Get-ADUser -Server ad.com -Filter '*' -Properties '*' | Export-Csv 'C:\Users\myFolder\file.csv' -NoTypeInformation -Delimiter '|'

Just trying to identify the Attribute which I can use as a 'Primary Key' such as EmployeeID or EmployeeNumber. AD Attributes List: [link] Does AD provide a Primary Key?

Pavan_Obj asked Nov 25 '25 23:11



2 Answers

If you need a unique value in user and group entries you can look at attribute objectSID. The LDAP string representation is an OctetString but you can find code to convert this into an ASCII-clean so-called SDDL representation.

Note that SIDs contain the domain's SID as prefix. So in case the domain gets migrated new SIDs are generated and old SIDs are placed in attribute sIDHistory until cleaned up by the AD admins.

However if you're looking for a primary key to sync data with an external data source I'd create the unique value in this external data source and place it in employeeID or employeeNumber.

While many other attributes have to be unique, some are not really stable or local and thus not suitable, e.g. for syncing data:

objectGUID is globally unique because it is a UUID (see RFC 4122) encoded as OctetString. But IIRC it is not stable across replicas.

samAccountName and userPrincipalName are often derived from person names. The entry's RDN in AD is also based on cn, which most of the time contains the person's name. Values derived from a person's name will likely be changed after marriage/divorce etc.

=>

  • The best attribute for syncing is a self-generated ID (e.g. a UUID).
  • The 2nd best attribute is objectSID used in combination with sIDHistory for locating the entry. Make sure to sync back current value of objectSID to your data source.
Michael Ströder answered Nov 28 '25 15:11

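The following is an added example, not code from Michael Ströder's answer or from the question. It shows the OctetString-to-SDDL conversion the answer refers to, the lookup "objectSID in combination with sIDHistory" it recommends, and the question's export limited to the candidate key attributes. The conversion functions run offline on a constructed SID; the two Get-ADUser functions assume the ActiveDirectory module, and the server name ad.com and the CSV path are taken from the question.

```powershell
# Added example (not from the answer). Conversion helpers run offline on a
# constructed SID; the Get-ADUser parts assume the ActiveDirectory module.

# LDAP hands objectSID back as an OctetString (byte[]); the string form the
# answer calls SDDL looks like S-1-5-21-...-1000. [SecurityIdentifier] does both.
function ConvertFrom-SidBytes {
    param([Parameter(Mandatory)][byte[]] $Bytes)
    # offset 0: the array holds nothing but the SID structure
    ([System.Security.Principal.SecurityIdentifier]::new($Bytes, 0)).Value
}

function ConvertTo-SidBytes {
    param([Parameter(Mandatory)][string] $Sddl)
    $sid   = [System.Security.Principal.SecurityIdentifier]::new($Sddl)
    $bytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($bytes, 0)
    return ,$bytes    # keep it one byte[] instead of unrolling into the pipeline
}

# Constructed sample: S-1-5-21-1-2-3-1000 as AD would return it over LDAP
# (revision 1, five sub-authorities, authority 5 big-endian, sub-authorities little-endian).
$sampleBytes = [byte[]](1,5, 0,0,0,0,0,5, 21,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0, 232,3,0,0)
$sddl = ConvertFrom-SidBytes $sampleBytes
if ($sddl -ne 'S-1-5-21-1-2-3-1000') { throw "unexpected SDDL: $sddl" }
if (((ConvertTo-SidBytes $sddl) -join ',') -ne ($sampleBytes -join ',')) { throw 'round trip failed' }

# Locate an entry by its current objectSID, or by a SID left in sIDHistory after a
# domain migration, and return the value the external data source should keep from now on.
function Find-ADUserBySid {
    param(
        [Parameter(Mandatory)][string] $Sddl,
        [string] $Server = 'ad.com'        # server name taken from the question
    )
    # The AD module accepts the SDDL string for both attributes in -Filter.
    $user = Get-ADUser -Server $Server -Properties objectSid, sIDHistory, employeeID `
                -Filter "objectSid -eq '$Sddl' -or sIDHistory -eq '$Sddl'" |
            Select-Object -First 1
    if ($null -eq $user) { return $null }
    [pscustomobject]@{
        DistinguishedName = $user.DistinguishedName
        CurrentSid        = $user.objectSid.Value     # sync this back to your data source
        MatchedViaHistory = ($user.objectSid.Value -ne $Sddl)
        SidHistory        = @($user.sIDHistory | ForEach-Object Value) -join ';'
        EmployeeID        = $user.employeeID
    }
}

# The question's export, limited to the key candidates. objectGUID and objectSid
# serialise as strings on their own; the multi-valued sIDHistory has to be joined
# or Export-Csv writes only its collection type name into the column.
function Export-ADUserKeys {
    param(
        [string] $Server = 'ad.com',                          # from the question
        [string] $Path   = 'C:\Users\myFolder\file.csv'       # from the question
    )
    Get-ADUser -Server $Server -Filter '*' `
        -Properties objectGUID, objectSid, sIDHistory, employeeID, employeeNumber |
        Select-Object DistinguishedName, SamAccountName, UserPrincipalName,
            @{ n = 'ObjectGUID'; e = { $_.ObjectGUID.Guid } },
            @{ n = 'ObjectSid';  e = { $_.objectSid.Value } },
            @{ n = 'SidHistory'; e = { @($_.sIDHistory | ForEach-Object Value) -join ';' } },
            employeeID, employeeNumber |
        Export-Csv -Path $Path -NoTypeInformation -Delimiter '|'
}
```

Usage: `Find-ADUserBySid -Sddl 'S-1-5-21-...-1000'` returns MatchedViaHistory = $true when the caller still holds a pre-migration SID, in which case CurrentSid is the value to write back; `Export-ADUserKeys` replaces the `-Properties '*'` export with one whose columns are usable as keys.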


It is pretty well documented if you look.

Distinguished name is the primary key. As a hierarchical database, the full path to the object with the canonical name must be unique in the forest.

samAccountName and userPrincipalName must also be unique across security principals in a domain.

objectSID is unique across the domain.

objectGUID is globally unique.

That said, I have seen oddball situations where the user principal name or samAccountName is duplicated, but that causes problems because the system assumes they must be unique.

EmployeeNumber is a user specified property. It's intended to be populated with the id from your user database or HR database to keep demographic and organizational data up to date. The attribute itself has no constraints.

Bacon Bits answered Nov 28 '25 15:11

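The following is an added example, not code from Bacon Bits's answer. It audits an exported row set against the constraints the answer lists: samAccountName and UPN are supposed to be unique (so any group with more than one member is the "oddball situation" mentioned), while employeeNumber has no constraint at all, so duplicates and blanks there are whatever HR sync left behind. The rows are constructed sample data with column names matching Get-ADUser output; replacing `$rows` with an imported CSV from the question's export runs the same checks against a real domain.

```powershell
# Added example (not from the answer). Runs offline over constructed rows.

# Group on each attribute and report values that occur more than once.
# Group-Object is case-insensitive by default, which matches how AD compares
# samAccountName and userPrincipalName.
function Find-DuplicateValues {
    param(
        [Parameter(Mandatory)][object[]] $Rows,
        [Parameter(Mandatory)][string[]] $Attributes
    )
    foreach ($attr in $Attributes) {
        $Rows |
            Where-Object { -not [string]::IsNullOrWhiteSpace($_.$attr) } |
            Group-Object -Property $attr |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                [pscustomobject]@{
                    Attribute = $attr
                    Value     = $_.Name
                    Count     = $_.Count
                    Entries   = ($_.Group.DistinguishedName -join '; ')
                }
            }
    }
}

# Unconstrained attributes such as employeeNumber can simply be empty; list those
# entries so the HR feed can be corrected before anyone treats the column as a key.
function Find-MissingValues {
    param(
        [Parameter(Mandatory)][object[]] $Rows,
        [Parameter(Mandatory)][string] $Attribute
    )
    $Rows |
        Where-Object { [string]::IsNullOrWhiteSpace($_.$Attribute) } |
        Select-Object DistinguishedName, @{ n = 'Missing'; e = { $Attribute } }
}

# Constructed sample rows (hypothetical users in the question's ad.com domain)
$rows = @(
    [pscustomobject]@{ DistinguishedName = 'CN=Alice Smith,OU=Users,DC=ad,DC=com';     SamAccountName = 'asmith'; UserPrincipalName = 'asmith@ad.com'; EmployeeNumber = '1001' }
    [pscustomobject]@{ DistinguishedName = 'CN=Alice Jones,OU=Users,DC=ad,DC=com';     SamAccountName = 'ajones'; UserPrincipalName = 'ajones@ad.com'; EmployeeNumber = '1001' }  # HR id reused
    [pscustomobject]@{ DistinguishedName = 'CN=Bob Lee,OU=Users,DC=ad,DC=com';         SamAccountName = 'blee';   UserPrincipalName = 'BLee@ad.com';   EmployeeNumber = '' }      # never populated
    [pscustomobject]@{ DistinguishedName = 'CN=Bob Lee,OU=Contractors,DC=ad,DC=com';   SamAccountName = 'blee2';  UserPrincipalName = 'blee@ad.com';   EmployeeNumber = '1002' }  # UPN clash, case only
)

# Expected: UserPrincipalName 'blee@ad.com' x2, EmployeeNumber '1001' x2,
# and one entry with an empty EmployeeNumber. SamAccountName is clean.
Find-DuplicateValues -Rows $rows -Attributes SamAccountName, UserPrincipalName, EmployeeNumber | Format-Table -AutoSize
Find-MissingValues   -Rows $rows -Attribute EmployeeNumber | Format-Table -AutoSize
```

Against a real export, feed `Import-Csv 'C:\Users\myFolder\file.csv' -Delimiter '|'` in as `$rows`; a non-empty result for samAccountName or UPN is worth raising with the AD admins, whereas hits on employeeNumber belong to whoever owns the HR feed.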