ADM 493 Digging Deep into the Active Directory LDP

Upload: oren-spence

Post on 03-Jan-2016


DESCRIPTION

ADM 493 Digging Deep into the Active Directory LDP. Windows 2000 and 2003. The majority of topics apply equally well to Windows 2000 and 2003. All the demonstrations will be performed on Windows Server 2003. Health Warning!! - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: ADM 493 Digging Deep into the  Active Directory  LDP

ADM 493

Digging Deep into the Active Directory LDP

Page 2: ADM 493 Digging Deep into the  Active Directory  LDP

Windows 2000 and 2003

The majority of topics apply equally well to Windows 2000 and 2003

All the demonstrations will be performed on Windows Server 2003

Page 3: ADM 493 Digging Deep into the  Active Directory  LDP

Health Warning!!

In this seminar we will show the use of tools that will allow direct access to AD objects and attributes

Always test any changes before implementing them in a production environment

You could always make mistakes!

Page 4: ADM 493 Digging Deep into the  Active Directory  LDP

The Directory

The directory is a container for objects

The objects are stored as rows within the database

Columns contain metadata and attributes

The on-the-wire protocol for accessing the database is LDAP

LDP allows you to create native LDAP queries for ultimate access

LDP is part of the support tools which can be installed from the distribution media

Page 5: ADM 493 Digging Deep into the  Active Directory  LDP

Using LDP

LDP provides a tree view and powerful search capabilities

Page 6: ADM 493 Digging Deep into the  Active Directory  LDP

Searching the Directory

To view/search the directory you must define a starting point

NC head

Subtree

Leaf object: only returns information about that object

Page 7: ADM 493 Digging Deep into the  Active Directory  LDP

Naming Contexts

Windows Server 2003 allows the creation of additional NCs

These are called Application Directory Partitions

Diagram: forest containing the domains example.com and child.example.com

Domain NC: dc=child,dc=example,dc=com

Configuration NC: cn=configuration,dc=example,dc=com

Schema NC: cn=schema,cn=configuration,dc=example,dc=com

Page 8: ADM 493 Digging Deep into the  Active Directory  LDP

The Global Catalog

The Global Catalog is not an NC. It contains a partial replica of all objects within the domain

Diagram: the GC is hosted on a DC in DomainX and holds the DomainX objects plus the Domain NC objects replicated from the other domains in the forest

The GC responds to LDAP queries on port 3268

• The GC stores only a partial set of attributes for each object

Page 9: ADM 493 Digging Deep into the  Active Directory  LDP

Naming Objects

Every object is identified by a unique Distinguished Name

In addition to a DN (which may change), the object is uniquely identified by a GUID

Security principals are identified by a SID

Diagram: OU tree for the domain child.example.com (under example.com), with ou=UK and ou=USA, ou=ED and ou=LN below UK, ou=legal and ou=sales below ED, and the user John in ou=legal

cn = common name, ou = organizational unit, dc = domain component

cn=john,ou=legal,ou=ed,ou=uk,dc=child,dc=example,dc=com

Page 10: ADM 493 Digging Deep into the  Active Directory  LDP

RootDSE

All DCs maintain a node called RootDSE

RootDSE provides information on:

Supported naming contexts

The Root NC

LDAP versions

Supported controls (controls extend the capabilities of LDAP)

Policies and security

RootDSE = Root DSA-Specific Entry, DSA=Directory Service Agent

Page 11: ADM 493 Digging Deep into the  Active Directory  LDP

Using LDP

Connect and bind (authenticate)

The view/search base can be defined by:

DN: CN=James Bond,OU=Oxford,DC=example,DC=com

GUID: <GUID=5d4d36b1-12ad-4c3b-b943-9f3db65310e8>

SID: <SID=S-1-5-21-1539329446-2123584859-1544097757-1605>

Page 12: ADM 493 Digging Deep into the  Active Directory  LDP

Searching

All searches are started from a base

The returned results are based on an LDAP filter

The filter tests the attributes of an object

When the filter evaluates TRUE, the DN of the object is returned

The attributes to be returned along with the object’s DN can be defined

Page 13: ADM 493 Digging Deep into the  Active Directory  LDP

LDAP Filters

Logical Operators: Description

= : Equal

~= : Approximately equal

<= : Less than or equal to

>= : Greater than or equal to

& : AND

| : OR

! : NOT

Example filters:

(cn=james)

(cn=jam*)

(description=*)

(!(description=*))

(&(objectCategory=user)(description=production*))

(&(!(description=production*))(|(objectCategory=user)(objectCategory=computer)))

(ANR=j)

Page 14: ADM 493 Digging Deep into the  Active Directory  LDP

Query Processor

The query processor optimises the filter

The actual server-side filter can be viewed using an LDAP control

Controls extend the functionality of LDAP

The controls are identified by OIDs

Example Control Types:

Show Deleted Objects: 1.2.840.113556.1.4.417

Do Not Generate Referrals: 1.2.840.113556.1.4.1339

Page 15: ADM 493 Digging Deep into the  Active Directory  LDP

Using Controls

Windows 2000 LDP requires you to manually enter the control and click Check in

Page 16: ADM 493 Digging Deep into the  Active Directory  LDP

Returning Results

The maximum number of results that can be returned from the server is 1000

This is set via the LDAP policy MaxPageSize

To retrieve larger results sets either use the Paged option or Virtual List View

VLV is only available on Windows Server 2003

LDP has a default buffer size of 512 lines; increase this for larger result sets

Page 17: ADM 493 Digging Deep into the  Active Directory  LDP

Returning Attribute Values

Select the attributes to be returned by their ldapDisplayName

Separate the names with a semicolon (no spaces)

* returns all attributes

1.1 returns no attributes

Attributes that have null values are not displayed

Results to which you don’t have access permissions are not displayed

Page 18: ADM 493 Digging Deep into the  Active Directory  LDP

Search Scopes

Base: searches the base object only

One Level: searches the direct descendants of the base object, does not include the base object

Subtree: searches the base object and all objects below

For efficient searching, always try to minimise the search scope

Page 19: ADM 493 Digging Deep into the  Active Directory  LDP

Bit Flags

Some configuration details are stored as individual bits within an attribute

For example, both of the following attributes contain flags:

searchFlags, groupType

You cannot test these flags with a simple numeric value

Page 20: ADM 493 Digging Deep into the  Active Directory  LDP

searchFlags (simplified)

enabled = 1, disabled = 0

The searchFlags are one of the properties of an attribute

These are defined in the schema

bit 0 (value 1): Index over attribute

bit 1 (value 2): Index over container and attribute

bit 2 (value 4): Member of ANR set

bit 3 (value 8): Preserve this attribute on logical deletion (tombstoned)

bit 4 (value 16): Copy attribute when object is copied (user account copy)

Page 21: ADM 493 Digging Deep into the  Active Directory  LDP

groupType

bit 0 (value 1): not described on the slide

bit 1 (value 2): Set for global groups

bit 2 (value 4): Set for domain local groups

bit 3 (value 8): Set for universal groups

bit 31 (value 2147483648): Set for security groups, clear for distribution groups

Page 22: ADM 493 Digging Deep into the  Active Directory  LDP

Bitwise Operations

Matching rules are used to test bits within an attribute

attributeName:ruleOID:=value (no spaces, value in decimal)

(searchFlags:1.2.840.113556.1.4.803:=5)

Rule OID 1.2.840.113556.1.4.803 provides an AND test: evaluates true if bits 0 AND 2 are set

(searchFlags:1.2.840.113556.1.4.804:=5)

Rule OID 1.2.840.113556.1.4.804 provides an OR test: evaluates true if bits 0 OR 2 are set
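As an added example (not from the deck), a small Python evaluator for the filter syntax on slides 13 and 22: it parses =, wildcards, presence tests, &, | and !, plus the two bitwise matching rules, and runs them against constructed sample objects. It assumes attribute names are stored lowercase and omits ANR (a server-side feature) and the ~=, <= and >= operators.

```python
import re
from fnmatch import fnmatchcase

# Bitwise matching-rule OIDs from slide 22; the value is a decimal bit mask.
BIT_AND = "1.2.840.113556.1.4.803"   # true only if every bit in the mask is set
BIT_OR = "1.2.840.113556.1.4.804"    # true if any bit in the mask is set
ITEM = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)")   # attr[:ruleOID:]=value

def parse(f, i=0):
    """Recursive-descent parser; returns (node, index just past the closing ')')."""
    c = f[i + 1]                           # character after the opening '('
    if c in "&|":                          # (&(...)(...)) and (|(...)(...))
        items, i = [], i + 2
        while f[i] == "(":
            node, i = parse(f, i)
            items.append(node)
        return (c, items), i + 1
    if c == "!":                           # (!(...))
        node, i = parse(f, i + 2)
        return ("!", node), i + 1
    end = f.index(")", i)                  # simple item, e.g. (cn=jam*)
    attr, rule, val = ITEM.fullmatch(f[i + 1:end]).groups()
    return ("=", attr.lower(), rule, val), end + 1

def evaluate(node, obj):
    """Evaluate a parsed filter against {attr_lowercase: [string values]}."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(evaluate(n, obj) for n in node[1])
    if node[0] == "!":
        return not evaluate(node[1], obj)
    _, attr, rule, val = node
    vals = obj.get(attr, [])
    if rule:                               # bit test, e.g. (searchFlags:...803:=5)
        mask = int(val)
        return any((int(v) & mask == mask) if rule == BIT_AND else (int(v) & mask != 0)
                   for v in vals)
    if val == "*":                         # presence test, e.g. (description=*)
        return bool(vals)
    return any(fnmatchcase(v.lower(), val.lower()) for v in vals)   # wildcard, case-insensitive

def matches(filter_str, obj):
    """True when the whole filter string evaluates TRUE for obj."""
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("unbalanced filter")
    return evaluate(node, obj)

# Constructed sample objects (not from the slides). Attribute names are stored lowercase.
USER = {"objectcategory": ["user"], "cn": ["James"], "description": ["Production web server"]}
GROUP = {"objectcategory": ["group"], "cn": ["Sales"], "grouptype": ["2147483656"]}  # universal + security
```

The GROUP value 2147483656 is bit 31 (security) plus bit 3 (universal) from slide 21, so an AND test for the security bit alone passes while one that also demands bit 1 (global) fails.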

Page 23: ADM 493 Digging Deep into the  Active Directory  LDP

Operational Attributes

Operational attributes provide a mechanism for triggering actions on the server via LDAP

They are not defined in the schema

Writing to the attributes causes the server to perform a predefined action

Actions include (see ntldap.h for details):

Updating the Schema

Transferring FSMO roles

Triggering the SD Propagator Thread

Page 24: ADM 493 Digging Deep into the  Active Directory  LDP

Operational Attributes

Updating the GC cache on 2003

Page 25: ADM 493 Digging Deep into the  Active Directory  LDP

Creating an Object

Objects can be created using LDP

Alternative methods are preferred if they are available

To create an object you must populate the mandatory attributes

Some mandatory attributes are automatically populated by the system

Page 26: ADM 493 Digging Deep into the  Active Directory  LDP

Creating a User Version 2

Page 27: ADM 493 Digging Deep into the  Active Directory  LDP

Example of Creating a User Object

Creates a user with default settings

Page 28: ADM 493 Digging Deep into the  Active Directory  LDP

Complex Investigations

Page 29: ADM 493 Digging Deep into the  Active Directory  LDP

Account Unknown

Set the SID as the search base

Enable the showing of deleted objects

Page 30: ADM 493 Digging Deep into the  Active Directory  LDP

Searching for GUIDs

GUIDs are stored in two different formats

String format: e48d0154-bcf8-11d1-8702-00c04fb96050

Binary format: 54018de4f8bcd111870200c04fb96050

To search for a binary GUID each byte must be escaped

\54\01\8d\e4\f8\bc\d1\11\87\02\00\c0\4f\b9\60\50

Page 31: ADM 493 Digging Deep into the  Active Directory  LDP

Converting Formats

Diagram: the first three groups of the string format are each byte-reversed (reverse, reverse, reverse) to produce the binary format; the remaining bytes are copied in order. Binary bytes shown on the slide: 47 71 9a 12 95 33 83 98 20 50 21 de a8 1f dd 4e
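An added example (not part of the deck) that performs the conversions on slides 30 and 31 in Python: string GUID to binary by reversing the first three groups, the byte-escaped form for an LDAP filter, and the decoding back to string form, cross-checked against the standard library's uuid module.

```python
import re
import uuid

def guid_string_to_binary(guid_str):
    """String (display) form -> the 16 bytes stored in objectGUID.
    Slide 31's rule: the first three groups are byte-reversed, the last two are copied."""
    g = guid_str.split("-")
    if [len(x) for x in g] != [8, 4, 4, 4, 12]:
        raise ValueError(f"not a string-format GUID: {guid_str}")
    swapped = [bytes.fromhex(x)[::-1] for x in g[:3]]       # reverse, reverse, reverse
    raw = b"".join(swapped + [bytes.fromhex(g[3]), bytes.fromhex(g[4])])
    assert raw == uuid.UUID(guid_str).bytes_le              # stdlib uses the same layout
    return raw

def binary_to_guid_string(raw):
    """The 16 objectGUID bytes -> string (display) form."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))

def guid_filter_value(guid_str):
    """Escape every byte as \\xx so the GUID can be used in a filter, e.g. (objectGUID=\\54\\01...)."""
    return "".join(f"\\{b:02x}" for b in guid_string_to_binary(guid_str))

def filter_value_to_guid_string(escaped):
    """Decode an escaped filter value (as typed into LDP or seen in a query log) to string form."""
    if not re.fullmatch(r"(\\[0-9a-fA-F]{2}){16}", escaped):
        raise ValueError(f"not a 16-byte escaped value: {escaped}")
    return binary_to_guid_string(bytes.fromhex(escaped.replace("\\", "")))
```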

Page 32: ADM 493 Digging Deep into the  Active Directory  LDP

Extended Rights

The objects to which extended rights apply are defined in the appliesTo attribute

Diagram: cn=personal-information, appliesTo: user, rightsGUID, ACL

Access to an extended right is controlled by adding the rightsGUID attribute value to the object’s ACL

The rightsGUID also identifies the attributes that are members of a property set

It is added to attributeSecurityGUID for all members of the property set

Page 33: ADM 493 Digging Deep into the  Active Directory  LDP

And There is More…

If you’ve enjoyed this session, tell your friends, and ask your local Microsoft subsidiary when we will be in your area next!

Hope to see you – soon

Don’t forget to buy the book!!