Interesting Active Directory LDAP Filters
Hello,
Below are some interesting LDAP filters to run against your Active Directory to better understand some of its behaviors.
Partial Attribute Set
These attributes are replicated to every Global Catalog in the forest.
Get-ADObject -LDAPFilter '(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' -SearchBase (Get-ADRootDSE).SchemaNamingContext
Attributes not replicated between Domain Controllers
These attributes aren't replicated between Domain Controllers; each DC holds its own value for them.
Get-ADObject -LDAPFilter '(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))' -SearchBase (Get-ADRootDSE).SchemaNamingContext
Attributes preserved when object gets deleted
These attributes are the ones that aren't lost when an object gets deleted.
Get-ADObject -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=8)' -SearchBase (Get-ADRootDSE).SchemaNamingContext
Indexed Attributes
These attributes are the ones that AD indexes.
Get-ADObject -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=1)' -SearchBase (Get-ADRootDSE).SchemaNamingContext
Filtered Attribute Set
The Filtered Attribute Set contains the attributes that aren't replicated to Read-Only Domain Controllers.
Get-ADObject -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=512)' -SearchBase (Get-ADRootDSE).SchemaNamingContext
Unaudited Attributes
These attributes won't be audited by Active Directory auditing.
Get-ADObject -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=256)' -SearchBase (Get-ADRootDSE).SchemaNamingContext
Note: this result should be empty.
Confidential Attributes
These attributes are confidential; reading them requires special permissions.
Get-ADObject -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' -SearchBase (Get-ADRootDSE).SchemaNamingContext
Copied Attributes
When you copy a user account in Active Directory Users and Computers, these are the attributes that get copied.
Get-ADObject -LDAPFilter '(searchFlags:1.2.840.113556.1.4.803:=16)' -SearchBase (Get-ADRootDSE).SchemaNamingContext
Conclusion
All of these LDAP filters tell you how your AD will behave in certain circumstances.
You can change how AD behaves when you delete a user, add an RODC to the forest, etc. These LDAP filters let you document and track such changes in your Active Directory domain.
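To turn the individual filters above into something you can document and track, here is an added example (not from the original post) that decodes the searchFlags and systemFlags bits on every attributeSchema object, writes a baseline CSV, and reports differences against the previous baseline, so an attribute that is newly marked confidential, copied, or excluded from auditing stands out. Every filter in the post uses the matching rule OID 1.2.840.113556.1.4.803, which is a bitwise AND, and the script performs the same test client-side with -band. Assumptions: the ActiveDirectory RSAT module is installed, the flag names and bit values are taken from the MS-ADTS definitions of searchFlags and systemFlags, and the baseline path under $env:TEMP is a placeholder you would replace with a tracked location.

```powershell
# Added example, not part of the original post.
# Decode schema behaviour bits per attribute, keep a baseline, and diff against it.
Import-Module ActiveDirectory

# searchFlags bits tested by the post's filters (values per MS-ADTS searchFlags)
$SearchFlagBits = [ordered]@{
    Indexed          = 1     # fATTINDEX
    PreserveOnDelete = 8     # fPRESERVEONDELETE
    CopyOnDuplicate  = 16    # fCOPY
    Confidential     = 128   # fCONFIDENTIAL
    NeverValueAudit  = 256   # fNEVERVALUEAUDIT (should be set on nothing)
    RodcFiltered     = 512   # fRODCFilteredAttribute
}
$AttrNotReplicated = 1       # systemFlags FLAG_ATTR_NOT_REPLICATED

function Get-SchemaAttributeFlags {
    # One row per attribute, each behaviour bit decoded to $true/$false
    $schemaNC = (Get-ADRootDSE).SchemaNamingContext
    $props = 'lDAPDisplayName', 'searchFlags', 'systemFlags', 'isMemberOfPartialAttributeSet'
    Get-ADObject -LDAPFilter '(objectCategory=attributeSchema)' -SearchBase $schemaNC -Properties $props |
        ForEach-Object {
            $sf = [int]$_.searchFlags     # null becomes 0
            $sy = [int]$_.systemFlags
            $row = [ordered]@{
                Attribute     = $_.lDAPDisplayName
                SearchFlags   = $sf
                SystemFlags   = $sy
                InPartialSet  = [bool]$_.isMemberOfPartialAttributeSet
                NotReplicated = (($sy -band $AttrNotReplicated) -ne 0)
            }
            foreach ($name in $SearchFlagBits.Keys) {
                # Same test the LDAP filter runs server-side: (searchFlags AND bit) != 0
                $row[$name] = (($sf -band $SearchFlagBits[$name]) -ne 0)
            }
            [pscustomobject]$row
        }
}

function Compare-SchemaFlagBaseline {
    # Emits one row per attribute whose flags differ from the baseline CSV
    param(
        [Parameter(Mandatory)][string]$BaselinePath,   # CSV written by a previous run
        [Parameter(Mandatory)][object[]]$Current
    )
    $old = @{}
    foreach ($b in (Import-Csv -Path $BaselinePath)) { $old[$b.Attribute] = $b }

    foreach ($c in $Current) {
        $b = $old[$c.Attribute]
        if (-not $b) {
            [pscustomobject]@{ Attribute = $c.Attribute; Field = 'Attribute'; Old = '(absent)'; New = 'new in schema' }
            continue
        }
        # CSV values come back as strings, so normalise before comparing
        if ([int]$b.SearchFlags -ne $c.SearchFlags) {
            [pscustomobject]@{ Attribute = $c.Attribute; Field = 'searchFlags'; Old = [int]$b.SearchFlags; New = $c.SearchFlags }
        }
        if ([int]$b.SystemFlags -ne $c.SystemFlags) {
            [pscustomobject]@{ Attribute = $c.Attribute; Field = 'systemFlags'; Old = [int]$b.SystemFlags; New = $c.SystemFlags }
        }
        if ([System.Convert]::ToBoolean($b.InPartialSet) -ne $c.InPartialSet) {
            [pscustomobject]@{ Attribute = $c.Attribute; Field = 'isMemberOfPartialAttributeSet'; Old = $b.InPartialSet; New = $c.InPartialSet }
        }
    }
}

# Placeholder location; point this at a tracked file in practice
$baselinePath = Join-Path $env:TEMP 'ad-schema-flags-baseline.csv'
$current = Get-SchemaAttributeFlags

if (Test-Path $baselinePath) {
    Compare-SchemaFlagBaseline -BaselinePath $baselinePath -Current $current | Format-Table -AutoSize
}
$current | Export-Csv -Path $baselinePath -NoTypeInformation

# The post's expectation for Unaudited Attributes: nothing should carry this bit
$unaudited = $current | Where-Object NeverValueAudit
if ($unaudited) {
    Write-Warning "Attributes excluded from value auditing: $($unaudited.Attribute -join ', ')"
}
```

Run it once to create the baseline, then on a schedule or after schema changes; the Compare output gives you the per-attribute before/after values that the conclusion's "document and track" advice calls for, and the warning at the end encodes the "this should be empty" check from the Unaudited Attributes section.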
Thank you very much for the snippet for Attributes preserved when object gets deleted. I guessed it would be simple, but it was surprisingly hard to find 🙂