TRANSCRIPT
ADM 493
Digging Deep into the Active Directory with LDP
John Craddock, Principal Consultant, [email protected], [email protected]
Sally Storey, Consultant, [email protected]
Kimberry Associates
www.kimberry.co.uk
Seminar Topics
Introduction
Setting The Search Base
Search Filters
Controls
Bitwise Operations
Modifying Attributes
Complex Investigations
Windows 2000 and 2003
The majority of topics apply equally well to Windows 2000 and 2003
All the demonstrations will be performed on Windows Server 2003
Health Warning!!
In this seminar we will show the use of tools that will allow direct access to AD objects and attributes
Always test any changes before implementing them in a production environment
You could always make mistakes!
The Directory
The directory is a container for objects
The objects are stored as rows within the database
Columns contain metadata and attributes
The on-the-wire protocol for accessing the database is LDAP
LDP allows you to create native LDAP queries for ultimate access
LDP (ldp.exe) is part of the Support Tools, which can be installed from the distribution media
Using LDP
LDP provides a tree view and powerful search capabilities
Searching the Directory
To view/search the directory you must define a starting point (the search base)
NC head
Subtree (any container or OU)
Leaf object: only returns information about that object
Naming Contexts
Windows Server 2003 allows the creation of additional NCs
These are called Application Directory Partitions
Example forest: example.com with the child domain child.example.com
Domain NC: dc=child,dc=example,dc=com
Configuration NC: cn=configuration,dc=example,dc=com
Schema NC: cn=schema,cn=configuration,dc=example,dc=com
Every DC holds its own domain NC plus the forest-wide Configuration and Schema NCs, which is why the latter two are named under the forest root domain
The Global Catalog
The Global Catalog is not a NC
It contains a partial replica of every object in the forest
The GC is hosted on a DC in domainX
It holds the full domainX NC plus domain NC objects replicated from the other domains in the forest
The GC responds to LDAP queries on port 3268 (3269 for LDAP over SSL)
The GC stores only a partial set of attributes for each object (the partial attribute set, marked in the schema by isMemberOfPartialAttributeSet)
Naming Objects
Every object is identified by a unique Distinguished Name
In addition to a DN (which may change when the object is renamed or moved), the object is uniquely identified by a GUID (objectGUID), which never changes
Security principals are additionally identified by a SID
cn = common name, ou = organizational unit, dc = domain component
(Diagram: forest example.com with child domain child.example.com; OUs UK and USA, each containing ED and LN, each containing legal and sales; the user John sits under UK, ED, legal)
cn=john,ou=legal,ou=ed,ou=uk,dc=child,dc=example,dc=com
RootDSE
All DCs maintain a node called RootDSE
RootDSE provides information on:
Supported naming contexts
The root NC (rootDomainNamingContext)
LDAP versions
Supported controls (controls extend the capabilities of LDAP)
Policies and security
RootDSE is readable without authentication, so it is the first thing to query when you know nothing about a forest
RootDSE = Root DSA-Specific Entry, DSA = Directory Service Agent
Using LDP
Connect and bind (authenticate)
The view/search base can be defined by:
DN: CN=James Bond,OU=Oxford,DC=example,DC=com
GUID: <GUID=5d4d36b1-12ad-4c3b-b943-9f3db65310e8>
SID: <SID=S-1-5-21-1539329446-2123584859-1544097757-1605>
Searching
All searches are started from a base
The returned results are based on an LDAP filter
The filter tests the attributes of an object
When the filter evaluates TRUE, the DN of the object is returned
The attributes to be returned along with the object's DN can be defined
LDAP Filters
Operator   Description
=          Equal (string matching is case-insensitive for most attributes)
~=         Approximately equal
<=         Less than or equal to
>=         Greater than or equal to
&          AND
|          OR
!          NOT
There are no strict < or > operators in LDAP; use the >= and <= forms
Examples:
(cn=james)                 cn is exactly james
(cn=jam*)                  cn starts with jam (wildcard)
(description=*)            description has a value (presence test)
(!(description=*))         description has no value
(&(objectCategory=user)(description=production*))
(&(!(description=production*))(|(objectCategory=user)(objectCategory=computer)))
(ANR=j)                    ambiguous name resolution: names starting with j across the ANR attribute set
Query Processor
The query processor optimises the filter (for example by choosing an indexed attribute to drive the search; see searchFlags)
The actual server-side filter can be viewed using an LDAP control (the search statistics control)
Controls extend the functionality of LDAP
The controls are identified by OIDs
Example control types:
Show Deleted Objects: 1.2.840.113556.1.4.417
Do Not Generate Referrals (domain scope): 1.2.840.113556.1.4.1339
The controls a DC accepts are listed in the RootDSE attribute supportedControl
Using Controls
Windows 2000 LDP requires you to manually enter the control and click Check in
Returning Results
By default a DC returns at most 1000 entries for a single search request
This limit is the LDAP policy MaxPageSize (changed with ntdsutil)
To retrieve larger result sets either use the Paged option (paged results control, 1.2.840.113556.1.4.319) or Virtual List View
VLV is only available on Windows Server 2003
LDP has a default buffer size of 512 lines; increase this for larger result sets or the output in the window will be truncated
Returning Attribute Values
Select the attributes to be returned by their lDAPDisplayName
Separate the names with a semicolon (no spaces)
* returns all attributes
1.1 returns no attributes (only the DNs)
Attributes that have no value are not displayed
Attributes or objects to which you do not have Read permission are silently omitted; the search does not fail, so an empty result does not prove the data is absent
Search Scopes
Base: searches the base object only
One Level: searches the direct descendants of the base object, does not include the base object
Subtree: searches the base object and all objects below
For efficient searching, always try to minimise the search scope
Bit Flags
Some configuration details are stored as individual bits within an attribute
For example, both of the following attributes contain flags:
searchFlags
groupType
You cannot test these flags with a simple numeric equality, because the stored value is the sum of all the bits that are set
searchFlags (simplified)
The searchFlags are one of the properties of an attribute; they are defined in the schema (on the attributeSchema object)
enabled = 1, disabled = 0
bit 0 (1): Index over attribute
bit 1 (2): Index over container and attribute
bit 2 (4): Member of ANR set
bit 3 (8): Preserve this attribute on logical deletion (tombstoned)
bit 4 (16): Copy attribute when object is copied (user account copy)
groupType
bit 0 (1): Set for built-in (system-created) local groups
bit 1 (2): Set for global groups
bit 2 (4): Set for domain local groups
bit 3 (8): Set for universal groups
bit 31 (2147483648): Set for security groups, clear for distribution groups
Because bit 31 is set, a security group's groupType is displayed as a negative number when shown as a signed 32-bit integer (for example -2147483646 for a global security group)
BIT Wise Operations
Matching rules are used to test bits within an attribute
Syntax: attributeName:ruleOID:=value (no spaces, value in decimal)
(searchFlags:1.2.840.113556.1.4.803:=5)
Rule OID 1.2.840.113556.1.4.803 provides an AND test: evaluates TRUE only if every bit in the value is set, here bits 0 AND 2
(searchFlags:1.2.840.113556.1.4.804:=5)
Rule OID 1.2.840.113556.1.4.804 provides an OR test: evaluates TRUE if any bit in the value is set, here bit 0 OR bit 2
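The filters from the LDAP Filters slide and the two bitwise rules above, evaluated in code. This is an added example and is not part of the seminar or of the LDP tool: a small Python evaluator for the filter syntax, run against a constructed in-memory directory, so the behaviour of wildcards, presence tests, negation, ANR and the AND/OR matching rules can be checked offline before a filter is typed into LDP. The sample entries, their DNs and the five-attribute ANR set are assumptions; the groupType and userAccountControl bit values are the ones quoted on the slides, and testing the 0x2 bit of userAccountControl is the usual way to list disabled accounts.

```python
"""Minimal in-memory evaluator for the AD LDAP filter forms shown on the slides (added example)."""
import re

AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: every bit in value must be set
OR_RULE = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR: any bit in value may be set
ANR_SET = ("cn", "displayName", "givenName", "sn", "sAMAccountName")  # assumed subset of the ANR set
GT_GLOBAL, GT_DOMAIN_LOCAL, GT_UNIVERSAL, GT_SECURITY = 2, 4, 8, 0x80000000  # groupType bits
UAC_ACCOUNTDISABLE = 2  # userAccountControl bit 1

# Constructed sample directory: DN -> {attribute: [values]}; numeric attributes hold ints.
DIRECTORY = {
    "cn=james,ou=legal,dc=example,dc=com": {"objectCategory": ["user"], "cn": ["james"],
                                            "description": ["production lead"], "userAccountControl": [512]},
    "cn=jane,ou=legal,dc=example,dc=com": {"objectCategory": ["user"], "cn": ["jane"],
                                           "userAccountControl": [512 | UAC_ACCOUNTDISABLE]},
    "cn=srv01,ou=servers,dc=example,dc=com": {"objectCategory": ["computer"], "cn": ["srv01"],
                                              "description": ["production web"]},
    "cn=legal-admins,ou=legal,dc=example,dc=com": {"objectCategory": ["group"], "cn": ["legal-admins"],
                                                   "groupType": [GT_GLOBAL | GT_SECURITY]},
    "cn=newsletter,ou=legal,dc=example,dc=com": {"objectCategory": ["group"], "cn": ["newsletter"],
                                                 "groupType": [GT_UNIVERSAL]},
}


def parse(filt):
    """Parse a filter string into nested tuples; raises ValueError on malformed input."""
    node, rest = _parse(filt.strip())
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s[:12])
    s = s[1:]
    if s[:1] in ("&", "|", "!"):                     # compound: (&...), (|...), (!...)
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")") or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %r expression" % op)
        return (op, kids), s[1:]
    end = s.index(")")                               # a simple item never contains ')'; raises if missing
    item, s = s[:end], s[end + 1:]
    for sym in (":=", "~=", "<=", ">=", "="):        # ':=' first so attr:OID:=v is not split on '='
        if sym in item:
            attr, value = item.split(sym, 1)
            return ("item", attr, sym, value), s
    raise ValueError("no operator in %r" % item)


def _values(entry, attr):
    # Attribute names are case-insensitive in LDAP; a missing attribute has no values.
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def _match(values, sym, pattern, rule):
    """Test one attribute's values against a single filter item."""
    if sym == ":=":                                  # extensible match with a bitwise rule
        mask = int(pattern)
        return any((rule == AND_RULE and int(v) & mask == mask) or
                   (rule == OR_RULE and int(v) & mask) for v in values)
    if sym == "=" and pattern == "*":                # presence test: attribute has any value
        return bool(values)
    sp = pattern.lower()
    for v in values:
        sv = str(v).lower()
        if sym in ("=", "~=") and "*" not in sp and sv == sp:   # '~=' treated as equality here
            return True
        if sym == "=" and "*" in sp and re.fullmatch(".*".join(map(re.escape, sp.split("*"))), sv):
            return True
        if sym in ("<=", ">=") and isinstance(v, int):
            if v <= int(pattern) if sym == "<=" else v >= int(pattern):
                return True
    return False


def evaluate(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(k, entry) for k in node[1])
    if kind == "|":
        return any(evaluate(k, entry) for k in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    _, attr, sym, value = node
    rule = None
    if ":" in attr:                                  # attr:ruleOID:=value
        attr, rule = attr.split(":", 1)
    if attr.lower() == "anr":                        # ANR: prefix match over the ANR attribute set
        return any(_match(_values(entry, a), "=", value + "*", None) for a in ANR_SET)
    return _match(_values(entry, attr), sym, value, rule)


def search(filt, directory=DIRECTORY):
    """Return the sorted DNs for which the filter evaluates TRUE (what LDP would list)."""
    node = parse(filt)
    return sorted(dn for dn, entry in directory.items() if evaluate(node, entry))
```

search("(!(description=*))") returns the two groups as well as jane, because NOT is true for every entry where the attribute is absent, and search("(groupType:1.2.840.113556.1.4.803:=2147483650)") returns only legal-admins, because the AND rule with a multi-bit value needs both bit 1 and bit 31 to be set; the OR rule with the same value would also return any global distribution group.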
Operational Attributes
Operational attributes provide a mechanism for triggering actions on the server via LDAP
They are not defined in the schema
Writing to the attributes (a modify operation against RootDSE) causes the server to perform a predefined action
Actions include (see ntldap.h for the full list):
Updating the schema cache (schemaUpdateNow)
Transferring FSMO roles (becomeSchemaMaster, becomeDomainMaster, becomeRidMaster, becomePdc, becomeInfrastructureMaster)
Triggering the SD Propagator thread (fixupInheritance)
Updating the GC (universal group membership) cache on 2003 (updateCachedMemberships)
These are privileged writes with domain- or forest-wide effect; do not run them casually against a production forest
Creating an Object
Objects can be created using LDP
Alternative methods are preferred if they are available (Active Directory Users and Computers, dsadd, scripts)
To create an object you must populate the mandatory attributes (mustContain and systemMustContain in the schema)
Some mandatory attributes are automatically populated by the system (for example instanceType, objectCategory, objectSid and nTSecurityDescriptor)
Creating a User Version 2
Example of Creating a User Object
Creates a user with default settings
Complex Investigations
Account Unknown
Set the SID as the search base (using the <SID=...> base syntax shown earlier)
Enable the showing of deleted objects (control 1.2.840.113556.1.4.417)
A SID displayed as Account Unknown in an ACL usually belongs to a deleted object; tombstones keep objectSid, so this search recovers the original object (isDeleted=TRUE, now under the Deleted Objects container) that a normal search would never return
Searching for GUIDs
GUIDs are stored in two different formats
String format: e48d0154-bcf8-11d1-8702-00c04fb96050
Binary format (the value stored in objectGUID): 54018de4f8bcd111870200c04fb96050
To search for a binary GUID each byte must be escaped:
(objectGUID=\54\01\8d\e4\f8\bc\d1\11\87\02\00\c0\4f\b9\60\50)
Converting Formats
String: 129a7147-3395-9883-2050-21dea81fdd4e
Binary: 47719a12 9533 8398 2050 21dea81fdd4e
Reverse the byte order within each of the first three groups (they are little-endian integers); the last two groups are unchanged
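The two GUID formats and the conversion rule above, in code. This is an added example, not part of the seminar: Python functions that convert between the string form, the 16-byte value stored in objectGUID and the escaped form needed in a filter, and that cross-check the reverse-the-first-three-groups rule against the standard library's little-endian layout (uuid.UUID.bytes_le). The function names are assumptions; the GUID values are the ones on the slides.

```python
"""GUID string <-> binary <-> escaped filter value, as used when searching objectGUID (added example)."""
import uuid


def guid_string_to_binary(guid_str):
    """'e48d0154-bcf8-11d1-8702-00c04fb96050' -> the 16 bytes stored in objectGUID."""
    groups = [bytes.fromhex(p) for p in guid_str.strip("{}").split("-")]
    if [len(g) for g in groups] != [4, 2, 2, 2, 6]:
        raise ValueError("not a GUID string: %r" % guid_str)
    g1, g2, g3, g4, g5 = groups
    # Data1, Data2 and Data3 are little-endian integers on the wire, so their bytes
    # reverse; Data4 (the last two groups) is a plain byte array and keeps its order.
    return g1[::-1] + g2[::-1] + g3[::-1] + g4 + g5


def guid_binary_to_string(raw):
    """Inverse conversion: 16 raw bytes (e.g. a value read via LDP) -> canonical string."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes, got %d" % len(raw))
    groups = (raw[0:4][::-1], raw[4:6][::-1], raw[6:8][::-1], raw[8:10], raw[10:16])
    return "-".join(g.hex() for g in groups)


def binary_to_filter_value(raw):
    """Escape every byte for an LDAP filter; works for objectGUID, objectSid or any octet string."""
    return "".join("\\%02x" % b for b in raw)


def guid_filter(guid_str, attr="objectGUID"):
    """Complete equality filter for a GUID given in string form."""
    return "(%s=%s)" % (attr, binary_to_filter_value(guid_string_to_binary(guid_str)))


def guid_search_base(guid_str):
    """The <GUID=...> search-base form accepted by LDP takes the string form, not the escaped bytes."""
    return "<GUID=%s>" % str(uuid.UUID(guid_str))


def agrees_with_stdlib(guid_str):
    """Cross-check the hand-rolled reversal against the standard library's little-endian layout."""
    return guid_string_to_binary(guid_str) == uuid.UUID(guid_str).bytes_le
```

The escaped form is only needed inside a filter; as a search base the string form inside <GUID=...> is what LDP expects, and mixing the two is the usual reason a GUID search returns nothing.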
Extended Rights
The objects to which an extended right applies are defined in the appliesTo attribute of its controlAccessRight object (under cn=Extended-Rights,cn=Configuration,...)
Example: cn=Personal-Information applies to user (appliesTo holds the schemaIDGUID of the user class)
Access to an extended right is controlled by adding the rightsGUID attribute value to the object's ACL (as the object type of an object-specific ACE)
The rightsGUID also identifies the attributes that are members of a property set
It is added to attributeSecurityGUID for all members of the property set
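How a rightsGUID shows up in an object's ACL, as an added example that is not part of the seminar: the Python below pulls the object-type GUIDs out of the object-specific ACEs of an SDDL string and resolves them against a small table of controlAccessRight objects. The SDDL string, the unlisted GUID 11111111-2222-3333-4444-555555555555 and the table itself are constructed for the example; the rightsGUID values given for Personal-Information and User-Force-Change-Password are the well-known ones from the Extended-Rights container, but verify them against your own forest with LDP before relying on them.

```python
"""Resolve the object-type GUIDs in an object's DACL to extended rights / property sets (added example)."""
import re
import uuid

# rightsGUID -> (cn of the controlAccessRight object, kind). Constructed table; the two
# GUIDs are the well-known values for these rights, which you should verify in your forest.
EXTENDED_RIGHTS = {
    "77b5b886-944a-11d1-aebd-0000f80367c1": ("Personal-Information", "property set"),
    "00299570-246d-11d0-a768-00aa006e0529": ("User-Force-Change-Password", "control access right"),
}
TRUSTEE = "S-1-5-21-1539329446-2123584859-1544097757-1605"   # the SID quoted on the slides

# Constructed SDDL: one plain ACE, two object ACEs carrying rightsGUIDs, one with an unlisted GUID.
SAMPLE_SDDL = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
               "(OA;;WP;77B5B886-944A-11D1-AEBD-0000F80367C1;;%s)"
               "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;%s)"
               "(OA;;RP;11111111-2222-3333-4444-555555555555;;%s)") % (TRUSTEE, TRUSTEE, TRUSTEE)

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl_aces(sddl):
    """Return one dict per ACE in the DACL of an SDDL string; the SACL, if present, is ignored."""
    if "D:" not in sddl:
        raise ValueError("SDDL string has no DACL")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for m in ACE_RE.finditer(dacl):
        f = m.group(1).split(";")
        if len(f) < 6:
            raise ValueError("malformed ACE %r" % m.group(0))
        aces.append({"type": f[0], "flags": f[1], "rights": f[2], "object_type": f[3],
                     "inherited_object_type": f[4], "trustee": f[5]})
    return aces


def resolve_object_aces(sddl, rights=EXTENDED_RIGHTS):
    """For each object ACE, map its object-type GUID to the right it grants (OA) or denies (OD)."""
    out = []
    for ace in parse_sddl_aces(sddl):
        if ace["type"] not in ("OA", "OD") or not ace["object_type"]:
            continue    # plain ACEs (A/D) cover the whole object, not a single right or property set
        guid = str(uuid.UUID(ace["object_type"]))    # normalise case and braces before the lookup
        name, kind = rights.get(guid, ("not a listed extended right (schema GUID or unlisted right)", "unknown"))
        out.append((ace["type"], ace["trustee"], ace["rights"], name, kind))
    return out
```

A WP ACE whose object type is a property-set rightsGUID grants write on every attribute whose attributeSecurityGUID carries that GUID, which is why one ACE on Personal-Information reaches many attributes; a CR ACE with a control-access rightsGUID grants the action itself, here resetting a password without knowing the old one. An object-type GUID that is not in the table may still be meaningful: it can be the schemaIDGUID of a single attribute or class, so check it against the schema before dismissing it.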
And There is More…
If you've enjoyed this session, tell your friends, ask your local Microsoft subsidiary when we will be in your area next!
Hope to see you – soon
Don’t forget to buy the book!!
Community Resources
Community Resources: http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
Suggested Reading & Resources
Investigating and Managing Objects and Attributes, Windows 2000 and Windows Server 2003
John Craddock and Sally Storey, ISBN 0-9544218-0-9
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.