Digging Deep into the Active Directory with LDP - PowerPoint PPT Presentation

About This Presentation
Title: Digging Deep into the Active Directory with LDP
Description: ADM 493 Digging Deep into the Active Directory with LDP. Last modified by: CP1. Created Date: 4/28/2002 2:48:24 PM. Document presentation format: PowerPoint PPT presentation

Slides: 34
Provided by: besti62
Transcript and Presenter's Notes

1
Digging Deep into the Active Directory with LDP
2
Seminar Topics
  • Introduction
  • Setting The Search Base
  • Search Filters
  • Controls
  • Bitwise Operations
  • Modifying Attributes
  • Complex Investigations

3
Windows 2000 and 2003
  • The majority of topics apply equally well to
    Windows 2000 and 2003
  • All the demonstrations will be performed on
    Windows Server 2003

4
Health Warning!!
  • In this seminar we will show the use of tools
    that will allow direct access to AD objects and
    attributes
  • Always test any changes before implementing them
    in a production environment
  • You could always make mistakes!

5
The Directory
  • The directory is a container for objects
  • The objects are stored as rows within the
    database
  • Columns contain metadata and attributes
  • The on-the-wire protocol for accessing the
    database is LDAP
  • LDP allows you to create native LDAP queries for
    ultimate access
  • LDP is part of the support tools which can be
    installed from the distribution media

6
Using LDP
  • LDP provides a tree view and powerful search
    capabilities

7
Searching the Directory
  • To view/search the directory you must define a
    starting point
    • NC head
    • Subtree
    • Leaf object
      • Only returns information about that object

8
Naming Contexts
[Diagram: naming contexts example.com and child.example.com]
  • Windows Server 2003 allows the creation of
    additional NCs
  • These are called Application Directory Partitions

9
The Global Catalog
The GC is hosted on a DC in domainX
  • The Global catalog is not a NC
  • It contains a partial replica of all objects
    within the domain

10
Naming Objects
[Diagram: forest example.com with child domain child.example.com, OUs USA, UK, LN, ED, legal and sales, and the user John]
cn=john,ou=legal,ou=ed,ou=uk,dc=child,
dc=example,dc=com
  • Every object is identified by a unique
    Distinguished Name
  • In addition to a DN (which may change), the
    object is uniquely identified by a GUID
  • Security principals are identified by a SID

cn = common name, ou = organizational unit, dc =
domain component
11
RootDSE
  • All DCs maintain a node called RootDSE
  • RootDSE provides information on
    • Supported naming contexts
    • The Root NC
    • LDAP versions
    • Supported controls
      • Extends the capabilities of LDAP
    • Policies and security

RootDSE = Root DSA-Specific Entry, DSA = Directory
Service Agent
12
Using LDP
  • Connect and bind (authenticate)
  • The view/search base can be defined by
    • DN
      • CN=James Bond,OU=Oxford,DC=example,DC=com
    • GUID
      • <GUID=5d4d36b1-12ad-4c3b-b943-9f3db65310e8>
    • SID
      • <SID=S-1-5-21-1539329446-2123584859-1544097757-1605>

13
Searching
  • All searches are started from a base
  • The returned results are based on an LDAP filter
  • The filter tests the attributes of an object
  • When the filter evaluates TRUE, the DN of the
    object is returned
  • The attributes to be returned along with the
    object's DN can be defined

14
LDAP Filters
(cn=james)
(cn=jam*)
(description=*)
(!(description=*))
(&(objectCategory=user)(description=production))
(&(!(description=production))(|(objectCategory=user)(objectCategory=computer)))
(ANR=j*)
15
Query Processor
  • The query processor optimises the filter
  • The actual server-side filter can be viewed using
    an LDAP control
  • Controls extend the functionality of LDAP
  • The controls are identified by OIDs

Example Control Types:
  Show Deleted Objects        1.2.840.113556.1.4.417
  Do Not Generate Referrals   1.2.840.113556.1.4.1339
16
Using Controls
17
Returning Results
  • The maximum number of results that can be
    returned from the server is 1000
    • This is set via the LDAP policy MaxPageSize
  • To retrieve larger result sets either use the
    Paged option or Virtual List View
    • VLV is only available on Windows Server 2003
  • LDP has a default buffer size of 512 lines
    • Increase this for larger result sets

18
Returning Attribute Values
  • Select the attributes to be returned by their
    ldapDisplayName
  • Separate the names with a semicolon (no spaces)
  • * returns all attributes
  • 1.1 returns no attributes
  • Attributes that have null values are not displayed
  • Results to which you don't have access
    permissions are not displayed
19
Search Scopes
For efficient searching, always try to minimise
the search scope
  • Base searches the base object only
  • One Level searches the direct descendants of the
    base object, does not include the base object
  • Subtree searches the base object and all
    objects below
20
Bit Flags
  • Some configuration details are stored as
    individual bits within an attribute
  • For example both of the following attributes
    contain flags
    • searchFlags
    • groupType
  • You cannot test these flags with a simple
    numeric value

21
searchFlags (simplified)
[Diagram: searchFlags bits 0-4, values 1, 2, 4, 8, 16; labelled bits below]
  bit 2 (4)   Member of ANR set
  bit 3 (8)   Preserve this attribute on logical deletion
              (tombstoned)
  bit 4 (16)  Copy attribute when object is copied (user
              account copy)
  • enabled 1, disabled 0
  • The searchFlags are one of the properties of an
    attribute
  • These are defined in the schema

22
groupType
[Diagram: groupType bits 0-3 and bit 31, values 1, 2, 4, 8, 2147483648; labelled bits below]
  bit 1 (2)            Set for global groups
  bit 2 (4)            Set for domain local groups
  bit 3 (8)            Set for universal groups
  bit 31 (2147483648)  Set for security groups, clear for
                       distribution groups
23
BIT Wise Operations
  • Matching rules are used to test bits within an
    attribute
  • (attributename:ruleOID:=value)
  • No spaces, value in decimal

(searchFlags:1.2.840.113556.1.4.803:=5) Rule OID
provides an AND test, evaluates true if bits 0
AND 2 are set
(searchFlags:1.2.840.113556.1.4.804:=5) Rule OID
provides an OR test, evaluates true if bits 0 OR
2 are set
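As an added example (not from the original slides), the following Python builds the extensible-match filters described above and evaluates the 803 (AND) and 804 (OR) rule semantics locally against constructed groupType values, which also shows why the signed groupType value returned by AD must be masked before the bits are compared. The group names and values are constructed sample data.

```python
# Added example (not from the original slides): build the bitwise
# matching-rule filters the slide describes and evaluate them locally
# against constructed groupType values, to show why a plain numeric
# comparison cannot test individual flag bits.

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# groupType bits named on the slide (bit 0 is not described there)
GROUP_TYPE_FLAGS = {
    "global": 0x2,           # bit 1
    "domain_local": 0x4,     # bit 2
    "universal": 0x8,        # bit 3
    "security": 0x80000000,  # bit 31; clear means distribution group
}

def bitwise_filter(attribute, rule_oid, value):
    """Return an LDAP extensible-match filter: (attr:ruleOID:=decimal)."""
    # No spaces, value in decimal, exactly as the slide shows
    return f"({attribute}:{rule_oid}:={int(value)})"

def matches_bit_and(stored, mask):
    """Server-side semantics of rule 803: true if ALL mask bits are set."""
    return (stored & mask) == mask

def matches_bit_or(stored, mask):
    """Server-side semantics of rule 804: true if ANY mask bit is set."""
    return (stored & mask) != 0

def decode_group_type(value):
    """Name the groupType flags set in a (signed or unsigned) attribute value."""
    value &= 0xFFFFFFFF  # AD returns groupType as a signed 32-bit integer
    return sorted(name for name, bit in GROUP_TYPE_FLAGS.items() if value & bit)

def find_security_universal(groups):
    """Apply '(groupType:...803:=2147483656)' locally to constructed objects."""
    mask = GROUP_TYPE_FLAGS["security"] | GROUP_TYPE_FLAGS["universal"]
    return [cn for cn, gt in groups.items() if matches_bit_and(gt & 0xFFFFFFFF, mask)]

# Constructed sample groups with the signed values AD would return
SAMPLE_GROUPS = {
    "Domain Admins": -2147483646,   # 0x80000002 security + global
    "Exec Universal": -2147483640,  # 0x80000008 security + universal
    "Newsletter": 8,                # distribution + universal
}
```

Note that the decimal value written into the filter is the unsigned bit mask (2147483648 for bit 31, as on the slide), not the signed value LDP displays for the attribute.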
24
Operational Attributes
  • Operational attributes provide a mechanism for
    triggering actions on the server via LDAP
  • They are not defined in the schema
  • Writing to the attributes causes the server to
    perform a predefined action
  • Actions include (ntldap.h for details)
    • Updating the Schema
    • Transferring FSMO roles
    • Triggering the SD Propagator Thread

25
Operational Attributes
Updating the GC cache on 2003
26
Creating an Object
  • Objects can be created using LDP
  • Alternative methods are preferred if they are
    available
  • To create an object you must populate the
    mandatory attributes
  • Some mandatory attributes are automatically
    populated by the system

27
Creating a User Version 2
28
Example of Creating a User Object
  • Creates a user with default settings

29
Complex Investigations
30
Account Unknown
  • Set the SID as the search base
  • Enable the showing of deleted objects

31
Searching for GUIDs
  • GUIDs are stored in two different formats
    • String format
      • e48d0154-bcf8-11d1-8702-00c04fb96050
    • Binary format
      • 54018de4f8bcd111870200c04fb96050
  • To search for a binary GUID each byte must be
    escaped
    • \54\01\8d\e4\f8\bc\d1\11\87\02\00\c0\4f\b9\60\50

32
Converting Formats
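As an added example (not code from the original slides), the following Python converts an objectGUID between the string form LDP displays and the byte order the directory stores, and produces the escaped filter value the previous slide shows; the function names are my own.

```python
# Added example (not part of the original slides): convert an objectGUID
# between the string form shown in LDP and the binary form stored in the
# directory, and build the escaped filter needed to search for it.
import uuid

def guid_to_binary_hex(guid_string):
    """String GUID -> hex of the 16 stored bytes (first three fields byte-swapped)."""
    # bytes_le gives the little-endian layout AD stores for objectGUID
    return uuid.UUID(guid_string).bytes_le.hex()

def binary_hex_to_guid(hex_string):
    """Reverse conversion: stored byte order back to the display string."""
    return str(uuid.UUID(bytes_le=bytes.fromhex(hex_string)))

def escape_binary_for_filter(hex_string):
    """Escape every byte as \\xx, as required inside an LDAP filter value."""
    raw = bytes.fromhex(hex_string)
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return "".join(f"\\{b:02x}" for b in raw)

def guid_search_filter(guid_string):
    """Filter that finds the object by its GUID regardless of DN changes."""
    return f"(objectGUID={escape_binary_for_filter(guid_to_binary_hex(guid_string))})"
```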
33
Extended Rights
cn=personal-information
  • The objects to which extended rights apply are
    defined in the appliesTo attribute