Table of Contents
- Active Directory Search Overview
- LDAP Search Filters Example to obtain all AD DOMAINs in a AD Forest
- Microsoft Active Directory Search Filters Limitations
- Other helpful Information
- Specific Examples LDAP Query Examples for AD
- Misc
- All objects which can't be deleted:
- All objects which can't be renamed
- More Examples
- More Information
Active Directory Search Overview #
A lot of the information provided here was gathered from http://systemcenterforum.org/wp-content/uploads/ADIntegration_final.pdf
The Microsoft Active Directory database is split into different stores or partitions. Microsoft Active Directory often refers to these partitions as 'naming contexts'.
- The 'Schema' partition contains the definition of object classes and attributes within the Forest.
- The 'Configuration' partition contains information on the physical structure and configuration of the forest (such as the site topology).
- The 'Domain' partition holds all objects created in that domain.
The Domain partition replicates only to Domain Controllers within its domain. A subset of objects in the domain partition are also replicated to domain controllers that are configured as global catalogs.
When we look at our domain, we see the following 'naming contexts':
- CN=Configuration,DC=mad,DC=willeke,DC=com
- CN=Schema,CN=Configuration,DC=mad,DC=willeke,DC=com
- DC=DomainDnsZones,DC=mad,DC=willeke,DC=com
- DC=ForestDnsZones,DC=mad,DC=willeke,DC=com
- DC=mad,DC=willeke,DC=com
LDAP Search Filters Example to obtain all AD DOMAINs in a AD Forest#
You should use a baseObject similar to: CN=Configuration,DC=mad,DC=example,DC=comand a LDAP Search Scope of wholeSubtree
(nETBIOSName=*)
The base for the search should be at the root of the domain. (ie dc=mad,dc=willeke,dc=com) unless noted otherwise.
Microsoft Active Directory Search Filters Limitations#
This is one of several LDAP Query Examples.
Other helpful Information#
Specific Examples LDAP Query Examples for AD #
- Active Directory Computer Related LDAP Query
- Active Directory User Related Searches
- Active Directory Group Related Searches
Misc#
All objects which can't be deleted:#
(systemFlags:1.2.840.113556.1.4.803:=-2147483648)
All objects which can't be renamed#
(systemFlags:1.2.840.113556.1.4.803:=134217728)For information on why this works see how to use Filtering for Bit Fields.
More Examples#
Ldapwiki found this excellent and simple and extensive reference is at: Filter on objectCategory and objectClass
More Information#
There might be more information for this subject on one of the following:- Active Directory Computer Related LDAP Query
- Active Directory Group Related Searches
- Active Directory User Related Searches
- Domain Users
- LDAP Query Examples
- LDAP SearchFilters
- LDAP and Active Directory
- Microsoft Active Directory
- [#1] - Filter on objectCategory and objectClass - based on information obtained 2020-05-30
