Overview#

A directory service based on x.500 and LDAP provided by Microsoft.

Common Active Directory Bind Errors#

Common Active Directory Bind Errors are the error codes you might see along with error 49 (LDAP_INVALID_CREDENTIALS), and their definitions.

LDAP Query Examples for AD#

LDAP Query Examples for AD are broken down as:

• Active Directory Computer Related LDAP Query
• Active Directory User Related Searches
• Active Directory Group Related Searches

LDAP and Active Directory#

Information about Microsoft Active Directory and LDAP including:

• determining the FDN of the user to login with.
• LDAPs and AD
• AD TCP Ports
• LDAP policy in Active Directory

Active Directory Functional Levels#

In Windows Servers Active Directory, domain controllers can run different versions of Windows Server operating systems versions. The Active Directory Functional Levels of a domain or forest depends on which versions of Windows Server operating systems are running on the domain controllers in the domain or forest. The Active Directory Functional Levels or forest controls which advanced features are available in the domain or forest.

Microsoft Active Directory Cool Things#

Everyone appears to be critical of Microsoft Active Directory, but here are some things that other LDAP Server Implementations Vendors should add to their offerings.

Microsoft Active Directory Anomalies#

Some things that Microsoft Active Directory does or does not do, that you should know about.

Microsoft Active Directory Attributes#

Some details on Microsoft Active Directory Attributes

Active Directory Groups#

Some information on AD Groups

MAD Naming Attributes#

There is often some confusion in as to what labels correspond to specific LDAP AttributeTypes in Microsoft Active Directory

User-Account-Control Attribute#

• AD Determining Password Expiration

Ambiguous Name Resolution#

How ANR works and how you can use it.

Active Directory Tools#

Some tools we have found helpful for Active Directory.

Active Directory and Passwords#

Some information on Active Directory and Passwords.

Active Directory Account Lockout#

Active Directory Account Lockout method for locking accounts|Active Directory Account Lockout]

Howto: Active Directory Schema Changes#

How Domain Controllers Are Located in Windows#

How Domain Controllers Are Located in Windows describes the mechanism used by Windows to locate a domain controller in a Windows-based domain.

FIM#

Forefront Identity Manager

Tombstone#

Some information on the Tombstone container

More Information#

There might be more information for this subject on one of the following:

• 1.2.840.113556
• 1.2.840.113556.1.2.436
• 1.2.840.113556.1.4.1941
• 1.2.840.113556.1.4.803
• 1.2.840.113556.1.4.804
• 1.2.840.113556.1.5.8
• 1.2.840.113556.1.5.9
• 2.5.5.10
• 2.5.5.11
• 2.5.5.12
• 2.5.5.13
• 2.5.5.14
• 2.5.5.15
• 2.5.5.2
• 2.5.5.3
• 2.5.5.5
• 2.5.5.6
• 2.5.5.7
• 2.5.5.8
• 2.5.5.9
• AD
• AD DOMAIN
• AD Determining Password Expiration
• AD Forest
• ADAM
• ADUC
• AS Exchange
• Access Control List
• Access Point
• Account Expiration
• AccountExpires
• Active Directory Account Lockout
• Active Directory Functional Levels
• Active Directory Groups
• Active Directory Lightweight Directory Service
• Active Directory Locked Accounts
• Active Directory Service Interfaces
• Active Directory and Passwords
• ActiveDirectorySchemaChanges
• Ambiguous Name Resolution
• Ambiguous Naming Resolution Algorithm
• Assistant
• AttributeSchema
• Audio
• AuxiliaryClass attribute
• Bad-Pwd-Count
• Cached and Stored Credentials
• Centrify
• Cn
• Common Active Directory Bind Errors
• Common JNDI LDAP Methods
• Configuration Directory Partition
• Connection-less Lightweight Directory Access Protocol
• Constructed Attribute
• Converting AD Times
• Count Of Subordinates
• Country-Code
• CountryCode
• Create a MAD Service To Run
• CreateTimestamp
• DN Syntax
• DNWithOctetString
• DONT_EXPIRE_PASSWORD
• Delegation vs Impersonation
• Deleted object
• Deleted-objects
• Determine LDAP Server Vendor
• Determining the FDN
• Digest SSP
• Digital Identity
• DirXML
• DirXML PWFILTER.DLL
• DirXML Remote Loader
• DirectReports
• Directory Partition Hierarchy
• Directory Partition Subtrees
• Dirxml-uACDontExpirePassword
• Dirxml-uACEncryptedTextPasswordAllowed
• Dirxml-uACHomedirRequired
• Dirxml-uACInterdomainTrustAccount
• Dirxml-uACLockout
• Dirxml-uACNormalAccount
• Dirxml-uACPasswordCantChange
• Dirxml-uACScript
• Dirxml-uACServerTrustAccount
• Dirxml-uACWorkstationTrustAccount
• DisplayName
• Distinguished Name Case Sensitivity
• Distribution Group
• Domain Controller
• Domain Directory Partition
• Domain Local Group
• Domain Naming Master FSMO Role
• DomainControllerFunctionality
• DomainFunctionality
• Dsquery
• Dynamic Access Control
• Dynamically Linked Auxiliary Classes
• ERROR_ACCOUNT_EXPIRED
• ERROR_PASSWORD_MUST_CHANGE
• Enumeration syntax
• Example - Active Directory Change Password JNDI
• ExtensibleMatch
• FLAG_ATTR_IS_CRITICAL
• FLAG_ATTR_IS_RDN
• FLAG_ATTR_NOT_REPLICATED
• FLAG_SCHEMA_BASE_OBJECT
• Filtering for Bit Fields
• Fine Grained Password Policies
• Flexible Single Master Operation
• Forest Root Domain
• ForestFunctionality
• Forward Reference
• Generic Security Service Application Program Interface
• Global Catalog
• Global Group
• Graded Authentication
• Group Policy Object
• GroupType
• Handle Multi-to-single valued conversions
• History of LDAP
• How Domain Controllers Are Located in Windows
• How passwords are used in Windows
• How to get OpenSSL to recognise an Active Directory CA
• Identity Cube
• Impersonation
• InitRecvTimeout
• Integer8
• Internal Cross-References
• Intruder Lockout Check
• IsDeleted
• IsRecycled
• JNDI Examples
• Kerberos
• Kerberos Database
• Kerberos Delegation
• Kerberos Error Codes
• Kerberos Pre-Authentication
• Kerberos SSP
• Kerberos Service Account
• Kim Cameron
• LAN Manager authentication level
• LDAP Authentication
• LDAP Filter Choices
• LDAP Group
• LDAP Query Examples for AD
• LDAP Server Implementations
• LDAP and Global Catalog
• LDAP ping
• LDAP policy in Active Directory
• LDAPSyntaxes
• LDAP_CONSTRAINT_VIOLATION
• LDAP_SERVER_EXTENDED_DN_OID
• LDAP_SERVER_NOTIFICATION_OID
• LDAP_SERVER_RANGE_OPTION_OID
• LDAP_SERVER_RANGE_OPTION_OID_CODE_SAMPLE
• LDAP_TYPE_OR_VALUE_EXISTS
• LDIF Generator
• LOCKOUT
• LargeInteger
• LargeInteger Date
• Last Login Time
• LastLogon
• LastLogonTimeStamp
• Law of Justifiable Parties
• LeftMenu
• Local Administrative Accounts
• Local Security Authority
• Locked Account Check
• Lockouttime
• MAD Determine the Classes Associated With an Entry
• MAD LDAP Client
• MAD Naming Attributes
• MAXIMUM_LOGINS_EXCEEDED
• MMC Account Tab
• MMC General Tab
• MaxActiveQueries
• MaxConnIdleTime
• MaxConnections
• MaxDatagramRecv
• MaxNotificationPerConnection
• MaxPoolThreads
• MaxQueryDuration
• MaxResultSetSize
• MaxTempTableSize
• MemberOf
• Microsoft Active Directory And Group Issues
• Microsoft Active Directory Anomalies
• Microsoft Active Directory Driver
• Microsoft Active Directory Extensible Match Rules
• Microsoft Active Directory Group Synchronization
• Microsoft Active Directory Syntax
• Microsoft Active Directory Technical Specification
• Microsoft Management Console
• Microsoft Response Codes
• Microsoft TIME
• ModifyTimestamp
• MsDS-Approx-Immed-Subordinates
• MsDS-HasInstantiatedNCs
• MsDS-LockoutDuration
• MsDS-LockoutObservationWindow
• MsDS-LockoutThreshold
• MsDS-MinimumPasswordAge
• MsDS-MinimumPasswordLength
• MsDS-PSOAppliesTo
• MsDS-PasswordComplexityEnabled
• MsDS-PasswordHistoryLength
• MsDS-PasswordReversibleEncryptionEnabled
• MsDS-PasswordSettings
• MsDS-PasswordSettingsContainer
• MsDS-PasswordSettingsPrecedence
• MsDS-SupportedEncryptionTypes
• MsDS-UserPasswordExpiryTimeComputed
• NT LAN Manager
• NT-Sec-Desc
• NTDSService
• NTLM SSP
• Negotiate SSP
• Netlogon attribute
• Not Synchronized
• Ntdsutil.exe
• OID Syntax
• OR-Name
• ObjectClass vs ObjectCategory
• ObjectGUID
• ObjectSID
• OctetString
• On-Demand Password Synchronization
• PASSWD_NOTREQD
• PDC Emulator FSMO Role
• Partial Attribute Set
• Pass-the-ticket
• Password Expiration
• Password Flow From Active Directory to eDirectory
• Password History
• Password MUST Change
• Password Maximum Length
• Password Minimum Length
• Password Policy
• Passwords Must Meet Complexity Requirements
• Passwords Using LDIF
• Perl Add User Sample
• PrimaryGroupID
• Pwd-Last-Set attribute
• PwdProperties
• Recycled-object
• Relative IDentifier
• Remote Authentication Dial-In User Service
• Replica Link
• Root Domain Directory Partition
• SID string
• SPNEGO
• Schannel SSP
• Schema Directory Partition
• Schema MAD
• Schema Master FSMO Role
• SchemaFlagsEx
• ScriptPath
• Search Filters Limitations
• Security Account Manager
• Security Descriptor
• Security Group
• Security Identifier
• Security Support Provider
• SecurityPrincipal
• Server Message Block
• Service Connection Points
• Set Active Directory Password From Java
• Setting and Changing Microsoft Active Directory Passwords
• Sid
• Simple Paged Results Control
• Simple and Protected GSSAPI Negotiation Mechanism
• Single Sign-On Scenarios
• Statically Linked Auxiliary Classes
• String(Sid)
• StructuralObjectClass Attribute
• Subtree Delete Control
• System-Id-Guid
• SystemFlags
• Telex
• Tombstone
• TombstoneLifetime
• UnicodePwd
• Universal Group
• Universally Unique Identifier
• User
• User Access Control
• User-Account-Control Attribute
• User-Account-Control Attribute Values
• UserAccountControl
• UserPrincipalName
• VIS
• Verify DNS Records
• Virtual Attribute
• WILL_NOT_PERFORM
• Web Blog_blogentry_010415_1
• Web Blog_blogentry_280714_1
• WhenChanged
• Windows Integrated Authentication
• Windows Security Log Event
• Windows Server 2000
• Windows Server NT
• X-SCHEMAFLAGSEx
• XACML
• ZOOMIT Corporation