Active Directory Schema Related LDAP Searches

Overview#

Active Directory Schema Related LDAP Searches are example LDAP SearchFilters that reveal properties of the Microsoft Active Directory LDAP Schema for your AD Forest. Each search is given both as an LDAP URL and as an equivalent ldapsearch command line; the bitwise filters use the LDAP_MATCHING_RULE_BIT_AND matching rule (OID 1.2.840.113556.1.4.803) against the searchFlags or systemFlags attribute of the attributeSchema objects.

LDAP Schema: Operational Constructed Attributes#

Constructed Attributes have the FLAG_ATTR_IS_CONSTRUCTED bit set in systemFlags.
# LDAP URL     : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?cn,lDAPDisplayName,linkID,objectClass?sub?(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))
# command line : ldapsearch -H ldaps://example-dcdc.example.com:636 -x -D "administrator@example.com" -W -b "CN=Schema,CN=Configuration,DC=root-example,DC=com" -s sub -a always -z 1000 "(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))" "cn" "lDAPDisplayName" "linkID" "objectClass"

LDAP Schema: NOT Replicated Attributes#

Attributes returned by this query have the FLAG_ATTR_NOT_REPLICATED bit set in systemFlags.
# LDAP URL     : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?lDAPDisplayName,cn,objectClass?sub?(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))
# command line : ldapsearch -H ldaps://example-dcdc.example.com:636 -x -D "administrator@example.com" -W -b "CN=Schema,CN=Configuration,DC=root-example,DC=com" -s sub -a always -z 1000 "(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))" "lDAPDisplayName" "cn" "objectClass"

LDAP Schema: Linked Attributes#

This LDAP SearchFilter reveals the Linked Attributes defined within the Microsoft Active Directory Schema.
# LDAP URL     : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?cn,lDAPDisplayName,linkID,objectClass?sub?(linkID=*)
# command line : ldapsearch -H ldaps://example-dcdc.example.com:636 -x -D "administrator@example.com" -W -b "CN=Schema,CN=Configuration,DC=root-example,DC=com" -s sub -a always -z 1000 "(linkID=*)" "cn" "lDAPDisplayName" "linkID" "objectClass"

LDAP Schema: LDAP Indexed AttributeTypes#

This LDAP SearchFilter reveals the Attributes defined within the Microsoft Active Directory Schema which are part of an LDAP Index. Indexed Attributes have the searchFlags bit fATTINDEX set.
# LDAP URL     : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?lDAPDisplayName,cn,objectClass?sub?(searchFlags:1.2.840.113556.1.4.803:=1)
# command line : ldapsearch -H ldaps://example-dcdc.example.com:636 -x -D "administrator@example.com" -W -b "CN=Schema,CN=Configuration,DC=root-example,DC=com" -s sub -a always -z 1000 "(searchFlags:1.2.840.113556.1.4.803:=1)" "lDAPDisplayName" "cn" "objectClass"

LDAP Schema: Confidential Attributes#

Confidential Attributes have the searchFlags bit fCONFIDENTIAL set.
# LDAP URL     : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?lDAPDisplayName,cn,objectClass?sub?(searchFlags:1.2.840.113556.1.4.803:=128)
# command line : ldapsearch -H ldaps://example-dcdc.example.com:636 -x -D "administrator@example.com" -W -b "CN=Schema,CN=Configuration,DC=root-example,DC=com" -s sub -a always -z 1000 "(searchFlags:1.2.840.113556.1.4.803:=128)" "lDAPDisplayName" "cn" "objectClass"

LDAP Schema: Attributes in the Global Catalog#

Attributes in the Global Catalog have isMemberOfPartialAttributeSet set to TRUE.
# LDAP URL     : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?lDAPDisplayName,cn,objectClass?sub?(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))
# command line : ldapsearch -H ldaps://example-dcdc.example.com:636 -x -D "administrator@example.com" -W -b "CN=Schema,CN=Configuration,DC=root-example,DC=com" -s sub -a always -z 1000 "(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" "lDAPDisplayName" "cn" "objectClass"

LDAP Schema: Ambiguous Name Resolution (ANR)#

Ambiguous Name Resolution Attributes have the searchFlags bit fANR set.
# LDAP URL     : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?lDAPDisplayName,cn,objectClass?sub?(searchFlags:1.2.840.113556.1.4.803:=4)
# command line : ldapsearch -H ldaps://example-dcdc.example.com:636 -x -D "administrator@example.com" -W -b "CN=Schema,CN=Configuration,DC=root-example,DC=com" -s sub -a always -z 1000 "(searchFlags:1.2.840.113556.1.4.803:=4)" "lDAPDisplayName" "cn" "objectClass"
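The searches above all follow the same pattern: a bitwise-AND filter on searchFlags or systemFlags, or a presence/equality test on linkID or isMemberOfPartialAttributeSet. The following Python script is an added example, not code from this wiki page, that builds those filters and LDAP URLs from the bit values the page lists, and then applies the same tests offline to a small constructed LDIF export of schema entries (the entry values are constructed for illustration; the function and constant names such as bitwise_filter, classify and SAMPLE_LDIF are my own). It is a useful check when reviewing a schema export, for instance to confirm that an attribute you expect to be protected really carries fCONFIDENTIAL, or to see which attributes are replicated to every Global Catalog.

```python
"""Build the page's bitwise LDAP filters and decode schema attribute flags.

Added example for illustration, not part of the original page or of any
Microsoft tooling. The LDIF sample below is constructed; the flag values
are chosen to exercise each category and are not authoritative for the
real attributes named.
"""

# Matching rule OID used by the page's filters (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Bit values exactly as used in the page's searchFlags / systemFlags filters.
SEARCHFLAGS = {"fATTINDEX": 1, "fANR": 4, "fCONFIDENTIAL": 128}
SYSTEMFLAGS = {"FLAG_ATTR_NOT_REPLICATED": 1, "FLAG_ATTR_IS_CONSTRUCTED": 4}

SCHEMA_BASE = "CN=Schema,CN=Configuration,DC=root-example,DC=com"


def bitwise_filter(attribute, bits, object_category=None):
    """Return an LDAP filter that matches when all `bits` are set in `attribute`."""
    clause = f"({attribute}:{BIT_AND_RULE}:={bits})"
    if object_category:
        return f"(&(objectCategory={object_category}){clause})"
    return clause


def ldap_url(host, base, attrs, filt, scope="sub", port=636):
    """Build an RFC 4516 style LDAP URL in the form used on the page."""
    return f"ldaps://{host}:{port}/{base}?{','.join(attrs)}?{scope}?{filt}"


def parse_ldif(text):
    """Minimal LDIF parser: one dict per entry, every attribute as a list."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # LDIF comment
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def classify(entry):
    """Tag a schema entry with every category the page's searches look for."""
    tags = set()
    # systemFlags is a signed 32-bit value in AD; Python's & handles negatives.
    search_flags = int(entry.get("searchFlags", ["0"])[0])
    system_flags = int(entry.get("systemFlags", ["0"])[0])
    tags.update(n for n, b in SEARCHFLAGS.items() if search_flags & b)
    tags.update(n for n, b in SYSTEMFLAGS.items() if system_flags & b)
    if "linkID" in entry:                          # page filter: (linkID=*)
        tags.add("LINKED")
    if entry.get("isMemberOfPartialAttributeSet", ["FALSE"])[0].upper() == "TRUE":
        tags.add("GLOBAL_CATALOG")
    return tags


def find(entries, tag):
    """lDAPDisplayName of every entry carrying `tag`, sorted for stable output."""
    return sorted(e["lDAPDisplayName"][0] for e in entries if tag in classify(e))


# Constructed sample export; flag values are illustrative only.
SAMPLE_LDIF = f"""\
dn: CN=Member,{SCHEMA_BASE}
lDAPDisplayName: member
linkID: 2
isMemberOfPartialAttributeSet: TRUE
searchFlags: 0
systemFlags: 18

dn: CN=Token-Groups,{SCHEMA_BASE}
lDAPDisplayName: tokenGroups
searchFlags: 0
systemFlags: 20

dn: CN=SAM-Account-Name,{SCHEMA_BASE}
lDAPDisplayName: sAMAccountName
isMemberOfPartialAttributeSet: TRUE
searchFlags: 13
systemFlags: 18

dn: CN=Example-Secret,{SCHEMA_BASE}
lDAPDisplayName: exampleSecret
searchFlags: 128
systemFlags: 0

dn: CN=Last-Logon,{SCHEMA_BASE}
lDAPDisplayName: lastLogon
searchFlags: 0
systemFlags: 1
"""

ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    print(ldap_url("example-dcdc.example.com", SCHEMA_BASE,
                   ["lDAPDisplayName", "cn"], bitwise_filter("searchFlags", 128)))
    for tag in list(SEARCHFLAGS) + list(SYSTEMFLAGS) + ["LINKED", "GLOBAL_CATALOG"]:
        print(f"{tag:26} {find(ENTRIES, tag)}")
```

Running the script prints the Confidential Attributes URL from the page and one line per category listing the matching attributes from the constructed sample. Against a real forest, replace SAMPLE_LDIF with the output of the page's ldapsearch commands (requesting searchFlags and systemFlags in addition to the attributes shown) and the classification runs unchanged.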
