Browse All Articles > Using Ldp.exe to search for data in the Active Directory
This is my first article in EE and english is not my mother tongue so any comments you have or any corrections you would like to make, please feel free to speak up :)
For those of you working with AD, you already are very familiar with the classical MMC snap-in which makes you everyday tasks possible, ADUC (Active Directory Users & Computers). Unfortunately, ADUC still lacks features; especially prior to 2008. I have noticed recently that few System Administrartors are familiar with LDP despite being as useful as ADSIEdit. Both offer additional access to data that is difficult to see in ADUC.
As Microsoft describes: “Ldp.exe is a Windows 2000 Support Tools utility you can use to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given search criteria. This also allows administrators to query data that would otherwise not be visible through the Administrative tools included in the product. All data that is returned in LDP queries, however, is subject to security permissions.”
So basically you can use this to search for specific attributes and specify search criteria in order to find out what you need regarding certain objects. LDP.exe doesn’t take much time to learn and it will help you analyze AD issues. I use it a lot during migrations to locate AD objects. You can also use LDP.exe to view other LDAP catalogs that are not Active Directory.
As I mentioned, I use this in migrations and in environments I am not familiar with; for example where certain objects are located to to find objects that use extended attributes for 3rd party applications. ADUC can help however what if you want to search for something more specific?
I often use this to search for users as well as computer objects as ldp.exe displays the OU path for the object you search for. And if you are not familiar with an AD structure or not using Windows 2008 then this tool is excellent.
To use ldpRemote in to a DC or a machine which has Support Tools installed.
1. Start-> Run, type ldp.exe. The first thing you will see is blank frames.
2. Click on Connect and then Bind.
3. Connection -> Connect -> Fill in desired information and press OK.
Once you are connected you need to Bind to LDAP, otherwise you will not see any data. A bit obvious, but worth reminding :)
Once you have input the correct details you will see something like the folloing in the main frame of ldap:
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='DomainAdmininistrator'; Pwd= password; domain = 'DomainName'.}
Authenticated as dn:' DomainAdmininistrator''.
View > Tree will display AD BaseDN Tree for your DC or configuration view, etc, just as in ADSIEdit.msc. But even without displaying the Tree view you can go ahead and search for data.
5. Browse –> Search
Obviously you can change the filter using ANY attribute name you want to look for. Run the search:
***Searching...
ldap_search_s(ld, "DC=companyname,DC=net", 2, "(samaccountname=nipponsoul*)", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=Nippon Soul,OU=SUBOUUsers,OU=Users,DC=compa
ny,DC=net
4> objectClass: top; person; organizationalPerson; user;
1> cn Nippon Soul;
1> distinguishedName: CN=Nippon Soul,OU= SUBOUUsers,OU=Users,DC=Company,DC=ne
t;
1> name: Nippon Soul;
1> canonicalName: company.com/Users/ SUBOUUsers / Nippon Soul;
-----------
This is a straight forward easy search. Have a go with it and you won’t be disappointed! I have attached some photos as well :)
Thank you for taking the time to read this and I hope this might help some people and make daily tasks faster and easier.
ldp1.JPG
ldp2.JPG
ldp3.JPG
ldp4.JPG
ldp5.JPG
For those of you working with AD, you already are very familiar with the classical MMC snap-in which makes you everyday tasks possible, ADUC (Active Directory Users & Computers). Unfortunately, ADUC still lacks features; especially prior to 2008. I have noticed recently that few System Administrartors are familiar with LDP despite being as useful as ADSIEdit. Both offer additional access to data that is difficult to see in ADUC.
As Microsoft describes: “Ldp.exe is a Windows 2000 Support Tools utility you can use to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given search criteria. This also allows administrators to query data that would otherwise not be visible through the Administrative tools included in the product. All data that is returned in LDP queries, however, is subject to security permissions.”
So basically you can use this to search for specific attributes and specify search criteria in order to find out what you need regarding certain objects. LDP.exe doesn’t take much time to learn and it will help you analyze AD issues. I use it a lot during migrations to locate AD objects. You can also use LDP.exe to view other LDAP catalogs that are not Active Directory.
As I mentioned, I use this in migrations and in environments I am not familiar with; for example where certain objects are located to to find objects that use extended attributes for 3rd party applications. ADUC can help however what if you want to search for something more specific?
I often use this to search for users as well as computer objects as ldp.exe displays the OU path for the object you search for. And if you are not familiar with an AD structure or not using Windows 2008 then this tool is excellent.
To use ldpRemote in to a DC or a machine which has Support Tools installed.
1. Start-> Run, type ldp.exe. The first thing you will see is blank frames.
2. Click on Connect and then Bind.
3. Connection -> Connect -> Fill in desired information and press OK.
Once you are connected you need to Bind to LDAP, otherwise you will not see any data. A bit obvious, but worth reminding :)
Once you have input the correct details you will see something like the folloing in the main frame of ldap:
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='DomainAdmininistrato
Authenticated as dn:' DomainAdmininistrator''.
View > Tree will display AD BaseDN Tree for your DC or configuration view, etc, just as in ADSIEdit.msc. But even without displaying the Tree view you can go ahead and search for data.
5. Browse –> Search
Obviously you can change the filter using ANY attribute name you want to look for. Run the search:
***Searching...
ldap_search_s(ld, "DC=companyname,DC=net", 2, "(samaccountname=nipponsou
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=Nippon Soul,OU=SUBOUUsers,OU=User
4> objectClass: top; person; organizationalPerson; user;
1> cn Nippon Soul;
1> distinguishedName: CN=Nippon Soul,OU= SUBOUUsers,OU=Users,DC=Com
1> name: Nippon Soul;
1> canonicalName: company.com/Users/ SUBOUUsers / Nippon Soul;
-----------
This is a straight forward easy search. Have a go with it and you won’t be disappointed! I have attached some photos as well :)
Thank you for taking the time to read this and I hope this might help some people and make daily tasks faster and easier.
ldp1.JPG
ldp2.JPG
ldp3.JPG
ldp4.JPG
ldp5.JPG
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (0)