Published bySophia Rose Modified over 11 years ago
1
ADM 493 Digging Deep into the Active Directory LDP
2
Windows 2000 and 2003
- The majority of topics apply equally well to Windows 2000 and 2003
- All the demonstrations will be performed on Windows Server 2003
3
Health Warning!!
- In this seminar we will show the use of tools that allow direct access to AD objects and attributes
- Always test any changes before implementing them in a production environment
- You could always make mistakes!
4
The Directory
- The directory is a container for objects
- The objects are stored as rows within the database; columns contain metadata and attributes
- The on-the-wire protocol for accessing the database is LDAP
- LDP allows you to create native LDAP queries for ultimate access
- LDP is part of the Support Tools, which can be installed from the distribution media
5
Using LDP
- LDP provides a tree view and powerful search capabilities
6
Searching the Directory
- To view/search the directory you must define a starting point:
  - NC head
  - Subtree
  - Leaf object (only returns information about that object)
7
Naming Contexts
- Windows Server 2003 allows the creation of additional NCs; these are called Application Directory Partitions
- Diagram: forest root example.com with child domain child.example.com
- Domain NC: dc=child,dc=example,dc=com
- Configuration NC: cn=configuration,dc=example,dc=com
- Schema NC: cn=schema,cn=configuration,dc=example,dc=com
8
The Global Catalog
- The Global Catalog is not a NC
- It contains a partial replica of all objects within the domain
- The GC is hosted on a DC in domainX (diagram: DomainX objects, plus Domain NC objects replicated from the other domains in the forest)
- The GC responds to LDAP queries on port 3268
- The GC stores only a partial set of attributes for each object
9
Naming Objects
- Every object is identified by a unique Distinguished Name
- In addition to a DN (which may change), the object is uniquely identified by a GUID
- Security principals are identified by a SID
- cn = common name, ou = organizational unit, dc = domain component
- Diagram: forest example.com with child domain child.example.com; OUs UK and USA, with ED and LN under UK, legal and sales under ED, and the user John in legal
- Example DN: cn=john,ou=legal,ou=ed,ou=uk,dc=child,dc=example,dc=com
10
RootDSE
- All DCs maintain a node called RootDSE
- RootDSE provides information on:
  - Supported naming contexts
  - The Root NC
  - LDAP versions
  - Supported controls (controls extend the capabilities of LDAP)
  - Policies and security
- RootDSE = Root DSA-Specific Entry, DSA = Directory Service Agent
11
Using LDP
- Connect and bind (authenticate)
- The view/search base can be defined by:
  - DN, e.g. CN=James Bond,OU=Oxford,DC=example,DC=com
  - GUID
  - SID
12
Searching
- All searches are started from a base
- The returned results are based on an LDAP filter
- The filter tests the attributes of an object
- When the filter evaluates TRUE, the DN of the object is returned
- The attributes to be returned along with the object's DN can be defined
13
LDAP Filters
- (cn=james)
- (cn=jam*)
- (description=*)
- (!(description=*))
- (&(objectCategory=user)(description=production*))
- (&(!(description=production*))(|(objectCategory=user)(objectCategory=computer)))
- (ANR=j)
14
Query Processor
- The query processor optimises the filter
- The actual server-side filter can be viewed using an LDAP control
- Controls extend the functionality of LDAP; the controls are identified by OIDs
- Example control types:
  - Show Deleted Objects: 1.2.840.113556.1.4.417
  - Do Not Generate Referrals: 1.2.840.113556.1.4.1339
15
Using Controls
- Windows 2000 LDP requires you to manually enter the control and click Check in
16
Returning Results
- The maximum number of results that can be returned from the server is 1000; this is set via the LDAP policy MaxPageSize
- To retrieve larger result sets, either use the Paged option or Virtual List View (VLV)
- VLV is only available on Windows Server 2003
- LDP has a default buffer size of 512 lines; increase this for larger result sets
17
Returning Attribute Values
- Select the attributes to be returned by their ldapDisplayName
- Separate the names with a semicolon (no spaces)
- * returns all attributes
- 1.1 returns no attributes
- Attributes that have null values are not displayed
- Results to which you don't have access permissions are not displayed
18
Search Scopes
- Base: searches the base object only
- One Level: searches the direct descendants of the base object; does not include the base object
- Subtree: searches the base object and all objects below
- For efficient searching, always try to minimise the search scope
19
Bit Flags
- Some configuration details are stored as individual bits within an attribute
- For example, both of the following attributes contain flags:
  - searchFlags
  - groupType
- You cannot test these flags with a simple numeric value
20
searchFlags (simplified)
- The searchFlags are one of the properties of an attribute; these are defined in the schema
- Each flag is a single bit: enabled = 1, disabled = 0
- bit 0 (1): Index over attribute
- bit 1 (2): Index over container and attribute
- bit 2 (4): Member of ANR set
- bit 3 (8): Preserve this attribute on logical deletion (tombstoned)
- bit 4 (16): Copy attribute when object is copied (user account copy)
21
groupType
- bit 0 (1): not labelled on the slide
- bit 1 (2): Set for global groups
- bit 2 (4): Set for domain local groups
- bit 3 (8): Set for universal groups
- bit 31 (2147483648): Set for security groups, clear for distribution groups
22
BIT Wise Operations
- Matching rules are used to test bits within an attribute
- Syntax: attributeName:ruleOID:=value (no spaces, value in decimal)
- (searchFlags:1.2.840.113556.1.4.803:=5): this rule OID provides an AND test; evaluates TRUE if bits 0 AND 2 are set
- (searchFlags:1.2.840.113556.1.4.804:=5): this rule OID provides an OR test; evaluates TRUE if bits 0 OR 2 are set
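The pieces of a search described on the Searching, LDAP Filters, Search Scopes and BIT Wise Operations slides can be exercised without a domain controller. The following is an added example, not code from the presentation: a small in-memory model of base + scope + filter that implements every filter form on the LDAP Filters slide and the two bitwise matching-rule OIDs above. ANR is a simplified stand-in (a prefix match over a fixed attribute list, whereas the real ANR set is whatever attributes have searchFlags bit 2 set); the sample objects are constructed for the demonstration and are not from the deck.

```python
"""In-memory model of an LDAP search: base + scope + filter.

Added example, not code from the presentation. ANR is simplified to a
prefix match over ANR_ATTRIBUTES; the sample directory is constructed.
"""
from fnmatch import fnmatchcase

BIT_AND = "1.2.840.113556.1.4.803"   # every bit in the value must be set
BIT_OR = "1.2.840.113556.1.4.804"    # at least one bit in the value is set
ANR_ATTRIBUTES = ("cn", "givenName", "sn", "displayName", "sAMAccountName")  # simplified

def parse_filter(text):
    """Parse an RFC 4515 style filter string into a nested tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":                # compound: (&...), (|...), (!...)
            op, pos = text[pos], pos + 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        lhs, _, value = text[pos:end].partition("=")
        pos = end + 1
        if ":" in lhs:                        # extensible match: attr:ruleOID:=value
            attr, rule, _ = lhs.split(":")
            return ("bits", attr, rule, int(value))
        if value == "*":
            return ("present", lhs)
        return ("substring" if "*" in value else "equal", lhs, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def _values(obj, attr):
    """Attribute names are case-insensitive; always return a list of values."""
    for key, val in obj.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []

def matches(node, obj):
    """Evaluate a parsed filter against one object (a dict of attributes)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, obj) for c in node[1])
    if kind == "|":
        return any(matches(c, obj) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], obj)
    if kind == "present":
        return bool(_values(obj, node[1]))
    if kind in ("equal", "substring"):
        attr, pattern = node[1], node[2].lower()
        if attr.lower() == "anr":             # simplified ANR: prefix over the ANR set
            return any(str(v).lower().startswith(pattern)
                       for a in ANR_ATTRIBUTES for v in _values(obj, a))
        vals = [str(v).lower() for v in _values(obj, attr)]
        return pattern in vals if kind == "equal" else any(fnmatchcase(v, pattern) for v in vals)
    if kind == "bits":
        attr, rule, mask = node[1], node[2], node[3]
        ints = [int(v) for v in _values(obj, attr)]
        if rule == BIT_AND:
            return any(v & mask == mask for v in ints)
        if rule == BIT_OR:
            return any(v & mask != 0 for v in ints)
        raise ValueError("unsupported matching rule " + rule)
    raise ValueError("unknown node " + kind)

def in_scope(dn, base, scope):
    """base: the base object only; onelevel: direct children; subtree: base and below."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "subtree")
    if scope == "base" or not dn.endswith("," + base):
        return False
    below = dn[: -len(base) - 1]              # RDNs between the object and the base
    return scope == "subtree" or "," not in below

def search(objects, base, scope, filter_text):
    """Return the DNs of in-scope objects for which the filter evaluates TRUE."""
    tree = parse_filter(filter_text)
    return [o["dn"] for o in objects if in_scope(o["dn"], base, scope) and matches(tree, o)]

# Constructed sample directory (not from the presentation)
SAMPLE_OBJECTS = [
    {"dn": "cn=james,ou=legal,dc=example,dc=com", "objectCategory": "user",
     "cn": "james", "givenName": "James", "description": "production support"},
    {"dn": "cn=jamal,ou=sales,dc=example,dc=com", "objectCategory": "user",
     "cn": "jamal", "givenName": "Jamal"},
    {"dn": "cn=ws01,ou=sales,dc=example,dc=com", "objectCategory": "computer",
     "cn": "ws01", "description": "production workstation"},
    {"dn": "cn=staff,dc=example,dc=com", "objectCategory": "group",
     "cn": "staff", "groupType": 2147483650},  # bit 31 (security-enabled) plus bit 1
    {"dn": "cn=description,cn=schema,cn=configuration,dc=example,dc=com",
     "objectCategory": "attributeSchema", "cn": "description", "searchFlags": 5},
]
```

Running `search(SAMPLE_OBJECTS, "dc=example,dc=com", "subtree", "(searchFlags:1.2.840.113556.1.4.803:=5)")` returns only the schema entry whose searchFlags has bits 0 and 2 set, while the same value with the OR rule would also match an attribute that had only one of those bits; narrowing the base and scope trims the candidate set before the filter is even applied, which is the point of the Search Scopes slide.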
23
Operational Attributes
- Operational attributes provide a mechanism for triggering actions on the server via LDAP
- They are not defined in the schema
- Writing to the attributes causes the server to perform a predefined action
- Actions include (see ntldap.h for details):
  - Updating the Schema
  - Transferring FSMO roles
  - Triggering the SD Propagator Thread
24
Operational Attributes (continued)
- Updating the GC cache on 2003
25
Creating an Object
- Objects can be created using LDP
- Alternative methods are preferred if they are available
- To create an object you must populate the mandatory attributes
- Some mandatory attributes are automatically populated by the system
26
Creating a User Version 2
27
Example of Creating a User Object
- Creates a user with default settings
28
Complex Investigations
29
Account Unknown
- Set the SID as the search base
- Enable the showing of deleted objects
30
Searching for GUIDs
- GUIDs are stored in two different formats
- String format: e48d0154-bcf8-11d1-8702-00c04fb96050
- Binary format: 54018de4f8bcd111870200c04fb96050
- To search for a binary GUID each byte must be escaped: \54\01\8d\e4\f8\bc\d1\11\87\02\00\c0\4f\b9\60\50
31
Converting Formats
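The conversion between the string and binary GUID formats on the Searching for GUIDs slide, and the byte escaping a filter needs, can be done with the standard library. This is an added example, not code from the presentation: the first three GUID fields are stored little-endian, which is why the byte order in the binary form differs from the string form, and `uuid.UUID(...).bytes_le` produces exactly that layout. The `<GUID=...>` search-base form is the AD-specific DN syntax the Using LDP slide refers to when it says a base can be given by GUID; the sample GUID is the one on the slide.

```python
"""Convert between the GUID formats on the Searching for GUIDs slide.

Added example, not code from the presentation. The dashed string is the
textual UUID; the binary form is the 16 bytes stored in objectGUID, with
the first three fields little-endian; a filter on a binary value escapes
each byte as a backslash followed by two hex digits (RFC 4515).
"""
import uuid

def guid_string_to_binary_hex(guid_text):
    """Dashed string -> hex of the stored bytes (bytes_le applies the field byte order)."""
    return uuid.UUID(guid_text).bytes_le.hex()

def guid_binary_hex_to_string(binary_hex):
    """Inverse: hex of the stored 16 bytes -> dashed string form."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(binary_hex)))

def escape_binary(raw):
    """Escape every byte as backslash-hh so the value can appear inside a filter."""
    return "".join("\\%02x" % b for b in raw)

def objectguid_filter(guid_text):
    """Build an equality filter on objectGUID from the dashed string form."""
    return "(objectGUID=%s)" % escape_binary(uuid.UUID(guid_text).bytes_le)

def guid_search_base(guid_text):
    """<GUID=...> search-base form, the AD-specific DN syntax for addressing by GUID."""
    return "<GUID=%s>" % guid_text

def roundtrip_ok(guid_text):
    """Self-check that string -> binary -> string is lossless."""
    return guid_binary_hex_to_string(guid_string_to_binary_hex(guid_text)) == guid_text.lower()

if __name__ == "__main__":
    g = "e48d0154-bcf8-11d1-8702-00c04fb96050"   # the GUID from the slide
    print(guid_string_to_binary_hex(g))
    print(objectguid_filter(g))
    print(guid_search_base(g))
```

The escaped form is what goes into the LDP filter box; the `<GUID=...>` form goes into the base DN box instead, which is the quicker route when you already have the GUID and only want that one object.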
32
Extended Rights
- The objects to which extended rights apply are defined in the appliesTo attribute
- Diagram: cn=personal-information, with appliesTo = user, and its rightsGUID placed in the object's ACL
- Access to an extended right is controlled by adding the rightsGUID attribute value to the object's ACL
- The rightsGUID also identifies the attributes that are members of a property set: it is added to attributeSecurityGUID for all members of the property set
33
And There is More…
- If you've enjoyed this session, tell your friends, and ask your local Microsoft subsidiary when we will be in your area next!
- Hope to see you – soon
- Don't forget to buy the book!!