Using Ldp.exe to Find Data in the Active Directory

Ldp.exe is a Windows 2000 Support Tools utility you can use to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given search criteria. This also allows administrators to query data that would otherwise not be visible through the Administrative tools included in the product. All data that is returned in LDP queries, however, is subject to security permissions.
If you have already determined the name of the attribute to be used in the search, refer to the section "Searching the Active Directory for Specific Information" below. Otherwise, you need to determine the name of the attribute that correlates to the data to be used as the search criteria. To determine this, first follow the procedures in the section "Determining the Name of the Attribute to be Used in the Search".

clip_image001Back to the top

MORE INFORMATION

Determining the Name of the Attribute to Be Used in the Search Insert the Window…

Determining the Name of the Attribute to Be Used in the Search

1. Insert the Windows 2000 CD-ROM and open the Windows 2000 Support Tools kit. From supporttools, run Setup.exe. This installs the Support Tools kit, which in turn installs LDP.

2. On the Connection menu, click Connect.

3. Type in the server name of a domain controller in the enterprise, verify that the port setting is set to 389, click to clear the Connectionless check box, and then click OK. Once the connection is complete, server-specific data is displayed in the right pane.

4. On the Connection menu, click Bind. Type the user name, password, and domain name (in DNS format) in the appropriate boxes (you may need to select the Domain check box), and then click OK. If the binding is successful, you should receive a message similar to "Authenticated as dn:’YourUserID’" in the right pane.

5. On the Browse menu, click Search.

6. The Base DN is the starting point in the Active Directory hierarchy at which your search will begin. In the Base DN box, type

CN=Schema,CN=Configuration,dc=mydomain,dc=com

replacing mydomain and com with the appropriate domain name. NOTE: the domain name for the Base DN when searching the Schema will always be for the root domain of the forest.

7. In the Filter box, type

(adminDescription=*yourtexthere*)

replacing yourtexthere with a keyword that might describe the attribute you are looking for.
Or, type

(adminDisplayName=*yourtexthere*)

replacing yourtexthere with a part of the name of the attribute as it is displayed in the administrative tools (e.g. entering "office" would return the attribute "physicalDeliveryOfficeName".)
Or, type

(ldapDisplayName=*yourtexthere*)

replacing yourtexthere with a part of the name of the attribute as used in LDAP queries, if you know it.

8. In the Scope frame, click Subtree.

9. Click Options. In the Attributes box, type ldapDisplayName.

10. Accept all other defaults, click OK and then click Run. After the query completes, the Distinguished Name (DN) of the object(s) found and the value of the ldapDisplayName attribute (now used in turn to search for data) of each are displayed in the right pane.
For example, doing a search on any attributes that have the text "office" in the "adminDisplayName" would yield the following output:

***Searching… ldap_search_s(ld, "cn=schema,cn=configuration,dc=mydomain,dc=com", 2, "(adminDisplayName=*office*)", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 3 entries:
>> Dn: CN=Phone-Office-Other,CN=Schema,CN=Configuration,DC=mydomain,DC=com

1> lDAPDisplayName: otherTelephone;

>> Dn: CN=Physical-Delivery-Office-Name,CN=Schema,CN=Configuration,DC=mydomain,DC=com

1> lDAPDisplayName: physicalDeliveryOfficeName;

>> Dn: CN=Post-Office-Box,CN=Schema,CN=Configuration,DC=mydomain,DC=com

1> lDAPDisplayName: postOfficeBox;

clip_image001[1]Back to the top

Searching the Active Directory for Specific Information

Once the attribute name has been determined, either specified in documentation or by using the procedure outlined above in the section "Determining the Name of the Attribute to be Used in the Search", you can use the following steps to find objects in the Active Directory that meet the criteria you are looking for.
The name of the attribute (ldapDisplayName) is used in queries to determine which objects should be returned based on meeting criteria supplied by the user.

1. Run Ldp.exe from the SupportReskitNetmgmtDstool folder on the retail Windows 2000 CD-ROM.

2. On the Connection menu, click Connect.

3. Type in the server name of a domain controller in the enterprise, verify that the port setting is set to 389, click to clear the Connectionless check box, and then click OK. Once the connection is complete, server-specific data is displayed in the right pane.

4. On the Connection menu, click Bind. Type the user name, password, and domain name (in DNS format) in the appropriate boxes (you may need to select the Domain check box), and then click OK. If the binding is successful, you should receive a message similar to "Authenticated as dn:’YourUserID’" in the right pane.

5. On the Browse menu, click Search.

6. The Base DN is the starting point in the Active Directory hierarchy at which your search will begin. In the Base DN box, type

dc=mydomain,dc=com

replacing mydomain and com with the appropriate domain name to search for objects such as users, computers, contacts, groups, file volumes, and printers.
Or, type

CN=Configuration,dc=mydomain,dc=com

replacing mydomain and com with the appropriate domain name to search the Configuration partition of the Active Directory which includes such objects such as Sites, Subnets, Site Links, Site Link Bridges, and Forest structure.
Or, type

CN=Schema,CN=Configuration,dc=mydomain,dc=com

replacing mydomain and com with the appropriate domain name to search the Schema partition of the Active Directory which includes the classes and attributes defined for the Forest of which the domain controller is a member.

7. In the Filter box, type

(AttributeName=*yourtexthere*)

replacing AttributeName with the name of the attribute (as defined by ldapDisplayName) and replacing yourtexthere with the search criteria such as in the following examples:

(physicalDeliveryOfficeName=*Seattle*)

Or,

(badPwdCount=1)

8. In the Scope frame, click Subtree.

9. Click Options. In the Attributes box, type the name of each of the attributes that should be displayed for each object found that meets the specified criteria separated by semicolons.
For example, by requesting that all objects (users intended in this example) whose "physicalDeliveryOfficename" contains "Seattle", display the User Profile Path and Logon Script path of each of the users (or other object types) found. The following would be entered in the Attributes box:

profilePath;scriptPath

10. Accept all other defaults, click OK and then click Run. After the query completes, the Distinguished Name (DN) of the object(s) found and the value of the each of the attributes specified are displayed in the right pane.
An example of the output would be as follows:

***Searching…
ldap_search_s(ld, "dc=mydomain,dc=com", 2, "(physicalDeliveryOfficeName=*Seattle*)", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 2 entries:
>> Dn: CN=user1,CN=Users,DC=mydomain,DC=com

1> profilePath: \w2k-dc-01profilesuser1;
1> scriptPath: users.vbs;

>> Dn: CN=user2,CN=Users,DC=mydomain,DC=com

1> profilePath: \w2k-dc-01profilesuser2;
1> scriptPath: users.vbs;

More information on LDAP query syntax can be found in the LDP documentation in the Windows 2000 Resource Kit, and in the following article in the Microsoft Knowledge Base:

221606 (http://support.microsoft.com/kb/221606/EN-US/ ) Common LDAP RFCs

clip_image001[2]Back to the top


APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Datacenter Server

 

Source: Using Ldp.exe to Find Data in the Active Directory

Leave a Reply

Your email address will not be published. Required fields are marked *