objectClass vs. objectCategory

Everyone knows (or should) that, in general, searching by objectClass alone, e.g. (objectClass=user), is a "bad thing". Why? Because objectClass is not indexed, and otherwise unqualified searches will touch every single object in the search scope. Fine for NetPro's AD, but not fine for NIH's, or the Korean Government's.

The better answer is to search by objectCategory, which is single-valued and IS indexed. It can make for an astounding improvement in search times.

But a question I've had for a while is "what is the relationship between objectClass and objectCategory?" Most of the time, the value for objectCategory is simply the most specific value of the objectClass attribute. For instance, a computer object has a multi-valued objectClass of "top;person;organizationalPerson;user;computer" and its objectCategory is "computer". But a user object has an objectClass value of "top;person;organizationalPerson;user", and its objectCategory is "person". What's up with that?

It turns out the AD schema contains the mapping of objectClass to objectCategory. Each classSchema object contains an attribute named "defaultObjectCategory". This is the value that is inserted into an object at creation time if no value for objectCategory is specified. It is possible that some particular piece of code will assign a different value for objectCategory, possibly unrelated to its objectClass, but this doesn't seem to be the case in practice.
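To make the mapping concrete, here is an added example (not code from the original post) that reads defaultObjectCategory from a few classSchema entries and builds a search filter that leads with the indexed objectCategory, adding objectClass only when several classes share that category. The LDIF is constructed, DC=example,DC=com is a placeholder, the function names are hypothetical, and the contact entry goes beyond the classes named in the post.

```python
# Constructed sample: trimmed classSchema entries in LDIF form (no folded or
# base64 lines). DC=example,DC=com is a placeholder naming context.
SCHEMA_LDIF = """\
dn: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: person
defaultObjectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: user
defaultObjectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=Contact,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: contact
defaultObjectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com

dn: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: computer
defaultObjectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com
"""

def parse_schema(ldif):
    """Return {class lDAPDisplayName: category lDAPDisplayName}."""
    entries = [dict(line.split(": ", 1) for line in block.splitlines())
               for block in ldif.strip().split("\n\n")]
    # defaultObjectCategory stores a DN; resolve it to that class's display
    # name, which is the short form AD accepts in a filter.
    name_by_dn = {e["dn"].lower(): e["lDAPDisplayName"] for e in entries}
    return {e["lDAPDisplayName"]: name_by_dn[e["defaultObjectCategory"].lower()]
            for e in entries}

def build_filter(cls, class_to_cat):
    """Lead with objectCategory; narrow by objectClass only if needed."""
    cat = class_to_cat[cls]
    sharers = [c for c, k in class_to_cat.items() if k == cat]
    if sharers == [cls]:
        return f"(objectCategory={cat})"
    # Several classes share this category, so the category alone over-matches.
    return f"(&(objectCategory={cat})(objectClass={cls}))"

if __name__ == "__main__":
    mapping = parse_schema(SCHEMA_LDIF)
    for cls in mapping:
        print(f"{cls:9} -> {build_filter(cls, mapping)}")
```

Because user and contact both default to the person category, (objectCategory=person) alone returns both; the combined filter keeps the indexed term while still excluding contacts.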

See Search Filters on MSDN.