This article applies to BHCE and BHE

This article outlines the IssuancePolicy node in BloodHound, it describes what the node represents, the node's properties, and possible incoming/outgoing edges.


The IssuancePolicy node represents the Active Directory LDAP objects of the msPKI-Enterprise-Oid class located in the OID container in the Configuration Naming Context.

Node properties

The node supports the properties of the table. Three types of property names will be used, depending on where the property is found:

  • Entity Panel: Name shown in the BloodHound UI.
  • Database: Name stored in the BloodHound database and returned by the BloodHound API. This is to be used when running Cypher queries.
  • Directory: Name collected from the directory the node is stored in, for example, the LDAP name for an Active Directory property.
Entity Panel Database Directory Description
Object ID


objectGUID The object's unique identifier in the directory.
ACL Inheritance Denied


nTSecurityDescriptor Whether inherited permissions (ACEs) from containers are blocked on this object.
Certificate Template OID certtemplateoid msPKI-Cert-Template-OID The OID string used in certificate templates to reference this issuance policy.
Created whencreated whenCreated When the object was created in the directory.
Distinguished Name distinguishedname distinguishedName The name of the object and it's location in AD.
Domain FQDN domain - The fully qualified domain name (FQDN) of the domain the object belongs to.
Domain SID domainsid - The SID of the domain the object belongs to.
Last Collected by BloodHound lastseen - When the object was last collected and ingested in BloodHound.
- name name + domain name Name of the object + @ + the name of the domain. 


The following edge types may be linked to/from this node. See the edges documentation for more information on the edge types.

Incoming edges

Edge type Entity panel category
GenericAll Inbound Object Control
GenericWrite Inbound Object Control
Owns Inbound Object Control
WriteDacl Inbound Object Control
WriteOwner Inbound Object Control
ExtendedByPolicy Certificate Templates with Extension

Outgoing edges

Edge type Entity panel category
OIDGroupLink OID Group Link