# User

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Node properties

The User node supports the properties listed in the table below.

<Note>
  Properties that are blank/null are not shown in the Entity Panel.
</Note>

| **Entity Panel name**             | **Description**                                                                                                                                                                                                                                                                                                                        |
| --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Tier Zero / High Value            | BloodHound Enterprise: Whether the object is part of Tier Zero of Microsoft's Active Directory Tier Model, or the Control Plane of Microsoft's Enterprise Access Model. <br /> <br />BloodHound CE: Whether the object is currently marked as High Value. By default, any object that belongs to Tier Zero is marked as High Value. |
| Display Name                      | The display name for the object.                                                                                                                                                                                                                                                                                                       |
| Object ID                         | The object's security identifier (SID), a unique identifier in the directory.                                                                                                                                                                                                                                                          |
| ACL Inheritance Denied            | Identifies whether an object allows DACL inheritance to itself. Corresponds to the DACL\_Protected security descriptor flag. |
| Admin Count                       | Whether the object currently belongs, or possibly has ever belonged, to a certain set of highly privileged groups. For Active Directory nodes this is related to the AdminSDHolder object and the ProtectAdminGroups background task. Read more about that [here](https://specterops.io/resources/adminsdholder). |
| AdminSDHolder Protected           | The authoritative security descriptor of this object matches that of the AdminSDHolder container and is therefore protected by it. AdminSDHolder is a security descriptor template that the ProtectAdminGroups background task stamps on protected objects.                                                                            |
| Admin Rights Count                | The number of computers that the object has been added to the local administrators group on.                                                                                                                                                                                                                                           |
| Allows Unconstrained Delegation   | Whether the object is allowed to perform unconstrained Kerberos delegation. See more info about that [here](https://blog.harmj0y.net/redteaming/another-word-on-delegation/). |
| Created                           | The time when the object was created in the directory.                                                                                                                                                                                                                                                                                 |
| Description                       | The contents of the description field for the object.                                                                                                                                                                                                                                                                                  |
| Do Not Require Pre-Authentication | Whether the object is not required to perform Kerberos pre-authentication. Pre-authentication is also known as Kerberos ticket-granting-ticket (TGT). |
| Email                             | The contents of the email field for the object.                                                                                                                                                                                                                                                                                        |
| Enabled                           | Whether the computer object is enabled.                                                                                                                                                                                                                                                                                                |
| Last Logon                        | The last time the domain controller you got this data from handled a logon request for the object. Attribute 'lastlogon'.                                                                                                                                                                                                              |
| Last Logon (Replicated)           | The last time any domain controller handled a logon for this object.<br /><br />By default, the value is only updated if the latest logon is 14 days or more later than the previous value. Attribute 'lastlogontimestamp'. |
| Logonscript                       | The path for the user's logon script.                                                                                                                                                                                                                                                                                                  |
| Profilepath                       | The path to the user's profile.                                                                                                                                                                                                                                                                                                        |
| Sidhistory                        | Whether the principal has a SID History used for domain migration.                                                                                                                                                                                                                                                                     |
| Owned                             | BloodHound Enterprise: Not applicable. <br /> <br />BloodHound CE: Whether the object is marked as Owned, used to mark that the object has been compromised.                                                                                                                                                                           |
| Password Last Set                 | The human-readable date for when the user's password last changed. This is stored internally in Unix epoch format. |
| Passwordnotreqd                   | Whether the UAC flag is set on the object to not require the object to have a password. Note that this does not necessarily mean the object does not have a password, just that the object is allowed to not have one.                                                                                                                 |
| Pwdneverexpires                   | Whether the UAC flag is set to not require the object to update its password.                                                                                                                                                                                                                                                          |
| Sensitive                         | Whether the UAC flag is set to disallow Kerberos delegation for this object. If this is “True”, then the object cannot be abused as part of a Kerberos delegation attack. |
| Serviceprincipalnames             | The list of SPNs on the object. Very useful for determining any non-default services that may be running on the computer, such as MSSQL. |
| SIDHistory                        | Previous SID(s) for the object. Used if the object was moved from another domain.                                                                                                                                                                                                                                                      |
| Title                             | The contents of the title field for the object.                                                                                                                                                                                                                                                                                        |
| Trustedtoauth                     | Whether the object is allowed to perform constrained Kerberos delegation. See more info about that [here](https://blog.harmj0y.net/redteaming/another-word-on-delegation/). |
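
Several rows above refer to "the UAC flag", that is, a bit of the `userAccountControl` attribute. The following added example (not BloodHound's own code) decodes a raw UAC value into those Entity Panel names, lists the settings worth reviewing on enabled accounts, and converts an AD FILETIME such as `pwdLastSet` to Unix epoch seconds. The bit values are Microsoft's documented flags; pairing them with the table rows, the `REVIEW` selection, the function names and the sample values are assumptions of this example.

```python
# Microsoft-documented userAccountControl bits. Pairing each bit with an
# Entity Panel name from the table above is this example's assumption.
UAC_FLAGS = {
    "Passwordnotreqd": 0x00000020,                    # PASSWD_NOTREQD
    "Pwdneverexpires": 0x00010000,                    # DONT_EXPIRE_PASSWORD
    "Allows Unconstrained Delegation": 0x00080000,    # TRUSTED_FOR_DELEGATION
    "Sensitive": 0x00100000,                          # NOT_DELEGATED
    "Do Not Require Pre-Authentication": 0x00400000,  # DONT_REQ_PREAUTH
    "Trustedtoauth": 0x01000000,                      # TRUSTED_TO_AUTH_FOR_DELEGATION
}
ACCOUNTDISABLE = 0x00000002
FILETIME_EPOCH_OFFSET = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01

# Settings an auditor would typically want justified (hypothetical selection).
REVIEW = (
    "Passwordnotreqd", "Pwdneverexpires", "Allows Unconstrained Delegation",
    "Do Not Require Pre-Authentication", "Trustedtoauth",
)


def decode_uac(uac: int) -> dict:
    """Map a raw userAccountControl integer to boolean properties."""
    props = {name: bool(uac & bit) for name, bit in UAC_FLAGS.items()}
    props["Enabled"] = not (uac & ACCOUNTDISABLE)
    return props


def audit_findings(uac: int) -> list:
    """Return the REVIEW settings that are set, ignoring disabled accounts."""
    props = decode_uac(uac)
    if not props["Enabled"]:
        return []
    return [name for name in REVIEW if props[name]]


def filetime_to_epoch(filetime: int):
    """Convert a 100-ns FILETIME to Unix epoch seconds; None if unset."""
    if filetime <= 0:
        return None
    return filetime // 10_000_000 - FILETIME_EPOCH_OFFSET


if __name__ == "__main__":
    # Constructed sample accounts: (name, userAccountControl, pwdLastSet)
    samples = [("svc-a", 4260352, 116445600000000000), ("old-b", 4194818, 0)]
    for name, uac, pwd_last_set in samples:
        print(name, audit_findings(uac), filetime_to_epoch(pwd_last_set))
```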

## References

* [https://learn.microsoft.com/en-us/windows/win32/adschema/c-user](https://learn.microsoft.com/en-us/windows/win32/adschema/c-user)
