
ADM 493 Digging Deep into the Active Directory LDP


oren-spence

Presentation Transcript


  1. ADM 493 Digging Deep into the Active Directory LDP

  2. Windows 2000 and 2003 • The majority of topics apply equally well to Windows 2000 and 2003 • All the demonstrations will be performed on Windows Server 2003

  3. Health Warning!! • In this seminar we will show the use of tools that will allow direct access to AD objects and attributes • Always test any changes before implementing them in a production environment • You could always make mistakes!

  4. The Directory • The directory is a container for objects • The objects are stored as rows within the database • Columns contain metadata and attributes • The on-the-wire protocol for accessing the database is LDAP • LDP allows you to create native LDAP queries for ultimate access • LDP is part of the support tools which can be installed from the distribution media

  5. Using LDP • LDP provides a tree view and powerful search capabilities

  6. Searching the Directory • To view/search the directory you must define a starting point • NC head • Subtree • Leaf object • Only returns information about that object

  7. Naming Contexts • Domain NC: dc=child,dc=example,dc=com • Configuration NC: cn=configuration,dc=example,dc=com • Schema NC: cn=schema,cn=configuration,dc=example,dc=com (figure: forest with the domains example.com and child.example.com) • Windows Server 2003 allows the creation of additional NCs • These are called Application Directory Partitions

  8. The Global Catalog • The GC is hosted on a DC in domainX • The Global Catalog is not a NC • It contains a partial replica of all objects within the domain, plus Domain NC objects replicated from the other domains in the forest • The GC stores only a partial set of attributes for each object • The GC responds to LDAP queries on port 3268 (figure: domainX objects alongside the objects replicated from the other domains)

  9. Naming Objects • Every object is identified by a unique Distinguished Name • In addition to a DN (which may change), the object is uniquely identified by a GUID • Security principals are identified by a SID • Example from the figure (forest example.com with child domain child.example.com and the OUs UK, USA, LN, ED, legal and sales): the user John has the DN cn=john,ou=legal,ou=ed,ou=uk,dc=child,dc=example,dc=com • cn = common name, ou = organizational unit, dc = domain component

  10. RootDSE • All DCs maintain a node called RootDSE • RootDSE provides information on: • Supported naming contexts • The Root NC • LDAP versions • Supported controls • Extends the capabilities of LDAP • Policies and security RootDSE = Root DSA-Specific Entry, DSA=Directory Service Agent

  11. Using LDP • Connect and bind (authenticate) • The view/search base can be defined by • DN • CN=James Bond,OU=Oxford,DC=example,DC=com • GUID • <GUID=5d4d36b1-12ad-4c3b-b943-9f3db65310e8> • SID • <SID=S-1-5-21-1539329446-2123584859-1544097757-1605>

  12. Searching • All searches are started from a base • The returned results are based on an LDAP filter • The filter tests the attributes of an object • When the filter evaluates TRUE, the DN of the object is returned • The attributes to be returned along with the object’s DN can be defined

  13. LDAP Filters (cn=james) (cn=jam*) (description=*) (!(description=*)) (&(objectCategory=user)(description=production*)) (&(!(description=production*))(|(objectCategory=user)(objectCategory=computer))) (ANR=j)

  14. Query Processor • The query processor optimises the filter • The actual server-side filter can be viewed using an LDAP control • Controls extend the functionality of LDAP • The controls are identified by OIDs • Example control types: Show Deleted Objects: 1.2.840.113556.1.4.417; Do Not Generate Referrals: 1.2.840.113556.1.4.1339

  15. Using Controls • Windows 2000 LDP requires you to manually enter the control and click Check in

  16. Returning Results • The maximum number of results that can be returned from the server is 1000 • This is set via the LDAP policy MaxPageSize • To retrieve larger result sets either use the Paged option or Virtual List View • VLV is only available on Windows Server 2003 • LDP has a default buffer size of 512 lines • Increase this for larger result sets

  17. Returning Attribute Values • Select the attributes to be returned by their ldapDisplayName • Separate the names with a semicolon (no spaces) • * returns all attributes • 1.1 returns no attributes • Attributes that have null values are not displayed • Results to which you don’t have access permissions are not displayed

  18. Search Scopes • For efficient searching, always try to minimise the search scope • Base: searches the base object only • One Level: searches the direct descendants of the base object, does not include the base object • Subtree: searches the base object and all objects below

  19. Bit Flags • Some configuration details are stored as individual bits within an attribute • For example, both of the following attributes contain flags • searchFlags • groupType • You cannot test these flags with a simple numeric value

  20. searchFlags (simplified) • The searchFlags are one of the properties of an attribute • These are defined in the schema • enabled = 1, disabled = 0 • bit 0 (1): index over attribute • bit 1 (2): index over container and attribute • bit 2 (4): member of ANR set • bit 3 (8): preserve this attribute on logical deletion (tombstoned) • bit 4 (16): copy attribute when object is copied (user account copy)

  21. groupType • bit 0 (1): not labelled on the slide • bit 1 (2): set for global groups • bit 2 (4): set for domain local groups • bit 3 (8): set for universal groups • bit 31 (2147483648): set for security groups, clear for distribution groups

  22. Bitwise Operations • Matching rules are used to test bits within an attribute • Syntax: Attributename:ruleOID:=value • No spaces, value in decimal • (searchFlags:1.2.840.113556.1.4.803:=5): this rule OID provides an AND test, evaluates true if bits 0 AND 2 are set • (searchFlags:1.2.840.113556.1.4.804:=5): this rule OID provides an OR test, evaluates true if bits 0 OR 2 are set
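As an added illustration that is not part of the presentation: a small Python evaluator for the filter forms on slide 13 (equality, prefix wildcard, presence, &, |, !) and the bitwise matching rules of slide 22, run over a constructed in-memory directory. The objects, their DNs and the groupType value are sample data of mine, ANR is not implemented, and the point it makes is the one on slides 19 to 21: a plain equality test on groupType cannot check a single flag, while the 803/804 rule OIDs can.

```python
# Constructed sample directory (not from the slides): DN -> attributes, with
# attribute names lower-cased so matching is case-insensitive as in AD.
OBJECTS = {
    "cn=james,ou=legal,dc=example,dc=com": {"objectcategory": "user", "cn": "james",
                                           "description": "production server admin"},
    "cn=srv01,ou=legal,dc=example,dc=com": {"objectcategory": "computer", "cn": "srv01"},
    "cn=admins,dc=example,dc=com": {"objectcategory": "group", "cn": "admins",
                                    "grouptype": "-2147483646"},  # bits 31 and 1 set
}
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: all bits of value set
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR: any bit of value set

def parse(s, i=0):
    # Recursive-descent parser for the filter forms on the slides; returns (node, next_index)
    i += 1                                         # skip the opening '('
    if s[i] in "&|":                               # (&(...)(...)) and (|(...)(...))
        op, items, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            items.append(node)
        return (op, items), i + 1                  # skip the closing ')'
    if s[i] == "!":                                # (!(...))
        node, i = parse(s, i + 1)
        return ("!", node), i + 1
    end = s.index(")", i)                          # attr=value, attr=*, attr=prefix*, attr:OID:=n
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, attrs):
    # Evaluate a parsed filter against one object's attribute dictionary
    if node[0] == "&": return all(matches(n, attrs) for n in node[1])
    if node[0] == "|": return any(matches(n, attrs) for n in node[1])
    if node[0] == "!": return not matches(node[1], attrs)
    _, attr, value = node
    if ":" in attr:                                # extensible match: attr:ruleOID:=decimal
        attr, rule, _ = attr.split(":")
        if attr not in attrs: return False
        bits, mask = int(attrs[attr]) & 0xFFFFFFFF, int(value)   # groupType is stored signed
        if rule == BIT_AND: return bits & mask == mask
        if rule == BIT_OR: return bits & mask != 0
        raise ValueError("unsupported matching rule " + rule)
    if attr not in attrs: return False             # an absent attribute never matches
    if value == "*": return True                   # presence test
    if value.endswith("*"): return attrs[attr].lower().startswith(value[:-1].lower())
    return attrs[attr].lower() == value.lower()

def search(filter_str, objects=OBJECTS):
    node, _ = parse(filter_str)                    # the DN is returned when the filter is TRUE
    return sorted(dn for dn, a in objects.items() if matches(node, a))
```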

  23. Operational Attributes • Operational attributes provide a mechanism for triggering actions on the server via LDAP • They are not defined in the schema • Writing to the attributes causes the server to perform a predefined action • Actions include (ntldap.h for details) • Updating the Schema • Transferring FSMO roles • Triggering the SD Propagator Thread

  24. Operational Attributes Updating the GC cache on 2003

  25. Creating an Object • Objects can be created using LDP • Alternative methods are preferred if they are available • To create an object you must populate the mandatory attributes • Some mandatory attributes are automatically populated by the system

  26. Creating a User Version 2

  27. Example of Creating a User Object • Creates a user with default settings

  28. Complex Investigations

  29. Account Unknown • Set the SID as the search base • Enable the showing of deleted objects

  30. Searching for GUIDs • GUIDS are stored in two different formats • String format: • e48d0154-bcf8-11d1-8702-00c04fb96050 • Binary format: • 54018de4f8bcd111870200c04fb96050 • To search for a binary GUID each byte must be escaped • \54\01\8d\e4\f8\bc\d1\11\87\02\00\c0\4f\b9\60\50

  31. Converting Formats
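The conversion from slides 30 and 31, as an added example in Python rather than the tool shown in the presentation: the standard uuid module's bytes_le property yields exactly the byte-swapped binary form that AD stores, and the filter builder escapes every byte as the slide requires. The sample GUID is the one on slide 30; the attribute name objectGUID is my assumption for the search filter.

```python
import uuid

def guid_to_binary_hex(guid_str):
    # AD stores the GUID little-endian: the first three fields are byte-swapped,
    # which is what uuid's bytes_le produces.
    return uuid.UUID(guid_str).bytes_le.hex()

def binary_hex_to_guid(hex_str):
    # Reverse direction: the 32 hex characters as displayed by LDP back to string form
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex_str)))

def guid_filter(guid_str, attribute="objectGUID"):
    # Each byte of the binary GUID must be escaped as \xx inside the LDAP filter
    # (attribute name is an assumption; the slide does not name it).
    raw = uuid.UUID(guid_str).bytes_le
    return "(%s=%s)" % (attribute, "".join("\\%02x" % b for b in raw))
```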

  32. Extended Rights • Access to an extended right is controlled by adding the rightsGUID attribute value to the object’s ACL • The rightsGUID also identifies the attributes that are members of a property set: it is added to attributeSecurityGUID for all members of the property set • The objects to which extended rights apply are defined in the appliesTo attribute (figure: cn=personal-information, whose appliesTo names user and whose rightsGUID appears in the user’s ACL)

  33. And There is More… • If you’ve enjoyed this session • Tell your friends, ask your local Microsoft subsidiary when we will be in your area next! • Hope to see you – soon • Don’t forget to buy the book!!
