ADSI Search---objectclass and objectcategory
Object-Class: The list of classes from which this class is derived.
Object-Category: An object class name used to group objects of this or derived classes.
Excerpted from the web: a general introduction to objectclass and objectcategory.
Just to clarify, the objectClass attribute is multi-valued. Each object can inherit from one or more classes. User objects have objectClass equal to top, person, organizationalPerson, and user. Contact objects have objectClass equal to top, person, organizationalPerson, and contact. Computer objects have objectClass equal to top, person, organizationalPerson, user, and computer. Thus, a computer object has all of the attributes of a user object, plus some more inherited from the computer class. Computer objects are security principals just like user objects. They need to authenticate to the domain, have passwords (managed by the system), and can be granted permissions.

The objectCategory attribute is single-valued. The value is a Distinguished Name. For user objects objectCategory is MyDomain.com is the domain. For contact objects objectCategory is the same, objects objectCategory is

When searching AD for objects it is more efficient to use objectCategory because it is indexed (objectClass is not), but often a combination of objectClass and objectCategory must be used. The standard search filters are:

For user objects: (&(objectCategory=person)(objectClass=user))
For contact objects: (&(objectCategory=person)(objectClass=contact))
For user and contact objects: (objectCategory=person)
For computer objects: (objectCategory=computer)
For group objects: (objectCategory=group)

The provider translates (objectCategory=person) into the correct DN appropriate for the domain. Note that there is no such thing as (objectCategory=user), but the provider translates this into (objectCategory=person), so it includes contact objects. This may not be what you want. Another filter for user objects is: (sAMAccountType=80530636
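After reading the explanation above, I have a better idea of why objectclass is not recommended for ADSI queries and objectcategory is recommended instead: a user's objectclass is inherited from many classes and is not unique. For example, my account's objectclass in the domain is top, person, organizationalPerson, user, while my objectcategory is CN=Person,CN=Schema,CN=Configuration,DC=ads-telekom,DC=de, so the search scope is much narrower.

It really is very, very well written. I have always wanted to find this original wording on Microsoft's website but could not find it, haha; it is probably in the OS documentation.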
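
The standard filters quoted above, evaluated against a small constructed directory. This is an added example, not part of the original post or the quoted text: a simplified in-memory model of LDAP equality filters, not ADSI itself. The DC=example,DC=com domain, the entry names and the function names are assumptions. It shows why (objectClass=user) on its own also returns computer accounts, which matters when a filter is used to enumerate accounts for an audit.

```python
SCHEMA = "CN=Schema,CN=Configuration,DC=example,DC=com"  # constructed domain
BASE = ["top", "person", "organizationalPerson"]

def entry(name, classes, category):
    # objectClass is multi-valued; objectCategory is a single DN.
    return {"cn": [name], "objectclass": classes,
            "objectcategory": [f"CN={category},{SCHEMA}"]}

# Constructed sample entries; class lists follow the quoted text.
DIRECTORY = [
    entry("alice", BASE + ["user"], "Person"),
    entry("vendor", BASE + ["contact"], "Person"),
    entry("WS01$", BASE + ["user", "computer"], "Computer"),
    entry("admins", ["top", "group"], "Group"),
]

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ')'
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, e):
    if node[0] == "&":
        return all(matches(k, e) for k in node[1])
    if node[0] == "|":
        return any(matches(k, e) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], e)
    _, attr, value = node
    if attr == "objectcategory" and "=" not in value:
        # Modelled provider shorthand: "user" means "person"; expand to the schema DN.
        value = "person" if value.lower() == "user" else value
        value = f"CN={value},{SCHEMA}"
    return value.lower() in (v.lower() for v in e.get(attr, []))

def search(ldap_filter):
    node, _ = parse(ldap_filter)
    return [e["cn"][0] for e in DIRECTORY if matches(node, e)]
```

Calling search("(objectClass=user)") returns both alice and WS01$, while search("(&(objectCategory=person)(objectClass=user))") returns only alice.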