Interesting Active Directory LDAP Filters


Hello,

Below are some interesting LDAP filters to run against your Active Directory to better understand some of its behaviours.


Partial Attribute Set

These attributes are replicated to every Global Catalog in the forest.

Get-ADObject -LDAPFilter '(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' -SearchBase (Get-ADRootDSE).SchemaNamingContext

Attributes not replicated between Domain Controllers

These attributes aren't replicated between Domain Controllers; each DC holds its own value for them.

Get-ADObject -LDAPFilter '(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))' -SearchBase (Get-ADRootDSE).SchemaNamingContext

Attributes preserved when object gets deleted

These attributes are the ones that aren't lost when an object gets deleted.

Get-ADObject -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=8)' -SearchBase (Get-ADRootDSE).SchemaNamingContext

Indexed Attributes

These attributes are the ones that get indexed by AD.

Get-ADObject -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=1)' -SearchBase (Get-ADRootDSE).SchemaNamingContext

Filtered Attribute Set

The filtered attribute set holds the attributes that don't get replicated to Read Only Domain Controllers.

Get-ADObject -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=512)' -SearchBase (Get-ADRootDSE).SchemaNamingContext

Unaudited Attributes

These attributes won't get audited by Active Directory auditing.

Get-ADObject -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=256)' -SearchBase (Get-ADRootDSE).SchemaNamingContext

Note: this should be empty.

Confidential Attributes

These attributes are confidential; they require special permissions to be read.

Get-ADObject -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' -SearchBase (Get-ADRootDSE).SchemaNamingContext

Copied Attributes

When you copy a user account in Active Directory Users and Computers, some attributes get copied.


Get-ADObject -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=16)' -SearchBase (Get-ADRootDSE).SchemaNamingContext
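As an added example (not from the original post), here is a small Python model of what these filters actually test: it builds the extensible-match filters above, applies the BIT_AND matching rule (OID 1.2.840.113556.1.4.803) the way a DC evaluates it, and decodes a searchFlags value into the behaviours listed. The schema entries and attribute names are constructed sample data, not real schema output.

```python
import re

# LDAP_MATCHING_RULE_BIT_AND, the OID every filter in the post uses.
BIT_AND_OID = "1.2.840.113556.1.4.803"

# searchFlags bits the post's filters test, mapped to the behaviour they enable.
SEARCH_FLAG_NAMES = {
    1: "indexed", 8: "preserved on delete", 16: "copied on duplicate",
    128: "confidential", 256: "never audited", 512: "RODC filtered",
}

# Constructed sample attributeSchema entries (hypothetical names/values, not
# real schema data): lDAPDisplayName -> {attribute: integer value}.
SAMPLE_SCHEMA = {
    "exampleIndexed": {"searchFlags": 1, "systemFlags": 0},
    "exampleSecret": {"searchFlags": 128 | 512, "systemFlags": 0},
    "exampleKeepOnDelete": {"searchFlags": 1 | 8, "systemFlags": 0},
    "exampleCopied": {"searchFlags": 16, "systemFlags": 0},
    "exampleUnaudited": {"searchFlags": 128 | 256, "systemFlags": 0},
    "exampleLocalOnly": {"searchFlags": 0, "systemFlags": 1},  # never replicated
}

_BIT_FILTER = re.compile(r"^\((\w+):([\d.]+):=(\d+)\)$")

def build_filter(bits: int, attribute: str = "searchFlags") -> str:
    """Build the extensible-match filter the post uses for one bit mask."""
    return f"({attribute}:{BIT_AND_OID}:={bits})"

def parse_filter(ldap_filter: str) -> tuple[str, int]:
    """Split '(attr:OID:=N)' into (attr, N); reject any other filter shape."""
    m = _BIT_FILTER.match(ldap_filter)
    if not m or m.group(2) != BIT_AND_OID:
        raise ValueError(f"not a BIT_AND filter: {ldap_filter}")
    return m.group(1), int(m.group(3))

def bit_and_match(value: int, mask: int) -> bool:
    """BIT_AND semantics: match only when every bit of mask is set in value."""
    return value & mask == mask

def evaluate(schema: dict, ldap_filter: str) -> list[str]:
    """Return the entries a DC would return for a single BIT_AND filter."""
    attribute, mask = parse_filter(ldap_filter)
    return sorted(n for n, a in schema.items() if bit_and_match(a.get(attribute, 0), mask))

def describe(search_flags: int) -> list[str]:
    """Decode one searchFlags value into the behaviours the post lists."""
    return [label for bit, label in sorted(SEARCH_FLAG_NAMES.items()) if search_flags & bit]
```

Running `evaluate(SAMPLE_SCHEMA, build_filter(256))` against a real export is the "should be empty" check from the Unaudited Attributes section; anything it returns is an attribute whose changes leave no audit trail.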

Conclusion

All of those LDAP filters will tell you how your AD will behave in certain circumstances.

You can change how AD behaves when you delete a user, add an RODC to the forest, and so on. These LDAP filters let you document and track such changes in your Active Directory domain.
