Overview#
Microsoft Active Directory is a Directory Service created by Microsoft, based on X.500, that provides LDAP services.
Table of Contents
- Overview
- LDAP Query Examples for AD
- LDAP and Active Directory
- Active Directory and Passwords
- Active Directory Groups
- User-Account-Control Attribute
- Active Directory Functional Levels
- Microsoft Active Directory Cool Things
- Microsoft Active Directory Anomalies
- Microsoft Active Directory Technical Details
- Active Directory Tools
- More Information
LDAP Query Examples for AD#
LDAP Query Examples for AD are broken down as:
- Active Directory Computer Related LDAP Query
- Active Directory User Related Searches
- Active Directory Group Related Searches
- Active Directory RISK Related Searches
- Active Directory Schema Related LDAP Searches
LDAP and Active Directory#
Information about Microsoft Active Directory and LDAP, including:
- Common Active Directory Bind Errors - the LDAP Result Codes you might see along with error 49 (LDAP_INVALID_CREDENTIALS), and their definitions.
- Determining the FDN of the user to log in with.
- LDAPs and AD
- AD TCP Ports
- LDAP policy in Active Directory
Active Directory and Passwords#
Some information on Active Directory and Passwords.
- AD Determining Password Expiration
- Active Directory Account Lockout - method for locking accounts
Active Directory Groups#
Some information on AD Groups.
User-Account-Control Attribute#
The Microsoft Active Directory User-Account-Control Attribute is always confusing.
Active Directory Functional Levels#
In Microsoft Active Directory, Domain Controllers can run different versions of the Windows Server operating system. The Active Directory Functional Level of a domain or AD Forest depends on which versions of Windows Server are running on the domain controllers in the domain or forest. The functional level of the domain or forest controls which advanced features are available in the AD DOMAIN or AD Forest.
Microsoft Active Directory Cool Things#
Everyone appears to be critical of Microsoft Active Directory, but here are some things that other LDAP Server Implementations vendors should add to their offerings.
Microsoft Active Directory Anomalies#
Some things that Microsoft Active Directory does or does not do that you should know about.
Microsoft Active Directory Technical Details#
- Global Catalog
- Active Directory Groups
- Ambiguous Name Resolution (ANR)
- How Domain Controllers Are Located in Windows describes the mechanism used by Windows to locate a domain controller in a Windows-based domain.
- Microsoft Active Directory Attributes
- MAD Naming Attributes - There is often some confusion as to which labels correspond to specific LDAP AttributeTypes in Microsoft Active Directory.
- Howto: Active Directory Schema Changes
- Forefront Identity Manager
- Tombstone - Some information on the Tombstone container
Active Directory Tools#
Some tools we have found helpful for Active Directory.
More Information#
There might be more information for this subject on one of the following:
- 1.2.840.113556
- 1.2.840.113556.1.2.436
- 1.2.840.113556.1.5.8
- 1.2.840.113556.1.5.9
- 2.5.5.10
- 2.5.5.11
- 2.5.5.12
- 2.5.5.13
- 2.5.5.14
- 2.5.5.15
- 2.5.5.2
- 2.5.5.3
- 2.5.5.5
- 2.5.5.6
- 2.5.5.7
- 2.5.5.8
- 2.5.5.9
- ACCOUNTDISABLE
- AD
- AD DOMAIN
- AD Determining Password Expiration
- AD Forest
- ADAM
- ADDriver
- ADUC
- ANR attribute set
- AS Exchange
- Access Control List
- Access Control Model-Microsoft Windows
- Access Point
- Account
- Account Expiration
- AccountExpires
- Active Directory Account Lockout
- Active Directory Functional Levels
- Active Directory Groups
- Active Directory Lightweight Directory Service
- Active Directory Locked Accounts
- Active Directory RISK Related Searches
- Active Directory Schema Attributes
- Active Directory Schema Related LDAP Searches
- Active Directory Service Interfaces
- Active Directory Site
- Active Directory and Passwords
- ActiveDirectorySchemaChanges
- Ambiguous Name Resolution
- Ambiguous Naming Resolution Algorithm
- Apple Directory
- Application Directory Partitions
- Assistant
- AttributeID
- AttributeSchema
- AttributeSyntax
- AttributeTypes
- Audio
- AuxiliaryClass attribute
- BackLink
- Bad-Pwd-Count
- Boolean
- Cached and Stored Credentials
- Centrify
- Cn
- Common Active Directory Bind Errors
- Common JNDI LDAP Methods
- Configuration Directory Partition
- Connection-less Lightweight Directory Access Protocol
- Constructed Attribute
- Container
- Converting AD Times
- Count Of Subordinates
- Country-Code
- CountryCode
- Create a MAD Service To Run
- CreateTimestamp
- DN Syntax
- DNWithOctetString
- DONT_EXPIRE_PASSWORD
- DefaultHidingValue
- Delegation vs Impersonation
- Deleted object
- Deleted-objects
- Determine LDAP Server Vendor
- Determining the FDN
- Digest SSP
- Digital Identity
- DirXML
- DirXML PWFILTER.DLL
- DirXML PassSync Agent
- DirXML Remote Loader
- DirectReports
- Directory Partition Hierarchy
- Directory Partition Subtrees
- Directory Synchronization Control Extended
- Dirxml-uACDontExpirePassword
- Dirxml-uACEncryptedTextPasswordAllowed
- Dirxml-uACHomedirRequired
- Dirxml-uACInterdomainTrustAccount
- Dirxml-uACLockout
- Dirxml-uACNormalAccount
- Dirxml-uACPasswordCantChange
- Dirxml-uACScript
- Dirxml-uACServerTrustAccount
- Dirxml-uACWorkstationTrustAccount
- Discretionary Access Control List
- DisplayName
- Distinguished Name Case Sensitivity
- Distribution Group
- Domain Controller
- Domain Directory Partition
- Domain Local Group
- Domain Naming Master FSMO Role
- DomainControllerFunctionality
- DomainFunctionality
- Dsquery
- Dynamic Access Control
- Dynamically Linked Auxiliary Classes
- ERROR_ACCOUNT_EXPIRED
- ERROR_PASSWORD_MUST_CHANGE
- Enable UserPassword in Microsoft Active Directory
- Enumeration syntax
- Example - Active Directory Change Password JNDI
- ExtensibleMatch
- FLAG_ATTR_IS_CRITICAL
- FLAG_ATTR_IS_OPERATIONAL
- FLAG_ATTR_IS_RDN
- FLAG_ATTR_NOT_REPLICATED
- FLAG_SCHEMA_BASE_OBJECT
- File Replication Service Protocol
- Filtering for Bit Fields
- Fine Grained Password Policies
- Flexible Single Master Operation
- Forest Root Domain
- ForestFunctionality
- Forward Reference
- Forward link
- Generic Security Service Application Program Interface
- Global Catalog
- Global Group
- Graded Authentication
- Group
- Group Managed Service Account
- Group Policy Object
- Group-AD
- GroupType
- Groups Are Bad
- Handle Multi-to-single valued conversions
- History of LDAP
- How Domain Controllers Are Located in Windows
- How passwords are used in Windows
- How to get OpenSSL to recognise an Active Directory CA
- IA5String
- INTERDOMAIN_TRUST_ACCOUNT
- Identity Cube
- Impersonation
- Infrastructure Master FSMO Role
- InitRecvTimeout
- Integer8
- Internal Cross-References
- Intruder Lockout Check
- IsDeleted
- IsRecycled
- IsSingleValued
- JNDI Examples
- Join AD Domain
- Kerberos
- Kerberos Database
- Kerberos Delegation
- Kerberos Error Codes
- Kerberos Pre-Authentication
- Kerberos SSP
- Kerberos Service Account
- Key Distribution Center
- Kim Cameron
- Knowledge Consistency Checker
- LAN Manager authentication level
- LDAP Authentication
- LDAP Filter Choices
- LDAP Group
- LDAP Query Examples for AD
- LDAP Server Implementations
- LDAP Signing
- LDAP and Bind Throttling
- LDAP and Global Catalog
- LDAP ping
- LDAP policy in Active Directory
- LDAPDisplayName
- LDAPServerIntegrity
- LDAPSyntaxes
- LDAP_CONSTRAINT_VIOLATION
- LDAP_MATCHING_RULE_BIT_AND
- LDAP_MATCHING_RULE_BIT_OR
- LDAP_MATCHING_RULE_IN_CHAIN
- LDAP_SERVER_EXTENDED_DN_OID
- LDAP_SERVER_NOTIFICATION_OID
- LDAP_SERVER_RANGE_OPTION_OID
- LDAP_SERVER_RANGE_OPTION_OID_CODE_SAMPLE
- LDAP_SERVER_SD_FLAGS_OID
- LDAP_STRONG_AUTH_REQUIRED
- LDAP_TYPE_OR_VALUE_EXISTS
- LDIF Generator
- LOCKOUT
- LOWERBOUND
- LSA Protection
- LargeInteger
- LargeInteger Date
- Last Login Time
- LastLogon
- LastLogonTimeStamp
- Law of Justifiable Parties
- LeftMenu
- LinkID
- Linked Attribute
- Local Administrative Accounts
- Local Security Authority
- Locked Account Check
- Lockouttime
- MAD Determine the Classes Associated With an Entry
- MAD LDAP Client
- MAD Naming Attributes
- MAXIMUM_LOGINS_EXCEEDED
- MMC Account Tab
- MMC General Tab
- MS Access Mask
- MS-ADDM
- MSFT Access Token
- ManagedBy
- MapiID
- MaxActiveQueries
- MaxConnIdleTime
- MaxDatagramRecv
- MaxNotificationPerConnection
- MaxPoolThreads
- MaxQueryDuration
- MaxResultSetSize
- MaxTempTableSize
- Maximum Database Record Size
- MemberOf
- Microsoft Account
- Microsoft Active Directory
- Microsoft Active Directory And Group Issues
- Microsoft Active Directory Anomalies
- Microsoft Active Directory Driver
- Microsoft Active Directory Extensible Match Rules
- Microsoft Active Directory Group Synchronization
- Microsoft Active Directory Syntax
- Microsoft Active Directory Technical Specification
- Microsoft Management Console
- Microsoft Response Codes
- Microsoft TIME
- ModifyTimestamp
- MsDS-Approx-Immed-Subordinates
- MsDS-GroupManagedServiceAccount
- MsDS-HasInstantiatedNCs
- MsDS-LockoutDuration
- MsDS-LockoutObservationWindow
- MsDS-LockoutThreshold
- MsDS-MinimumPasswordAge
- MsDS-MinimumPasswordLength
- MsDS-PSOAppliesTo
- MsDS-PasswordComplexityEnabled
- MsDS-PasswordHistoryLength
- MsDS-PasswordReversibleEncryptionEnabled
- MsDS-PasswordSettings
- MsDS-PasswordSettingsContainer
- MsDS-PasswordSettingsPrecedence
- MsDS-SupportedEncryptionTypes
- MsDS-User-Account-Control-Computed
- MsDS-UserPasswordExpiryTimeComputed
- NO-USER-MODIFICATION
- NT LAN Manager
- NT-Sec-Desc
- NTDSDSA
- NTDSService
- NTDSSiteSettings
- NamingContext
- Negotiate SSP
- Netlogon Remote Protocol
- Netlogon attribute
- Not Synchronized
- Ntdsutil.exe
- OID Syntax
- OMObjectClass
- OMSyntax
- OR-Name
- ObjectClass
- ObjectClass Types
- ObjectClass vs ObjectCategory
- ObjectGUID
- ObjectSID
- OctetString
- On-Demand Password Synchronization
- PASSWD_NOTREQD
- PDC Emulator FSMO Role
- Partial Attribute Set
- Pass-the-ticket
- Password Expiration
- Password Flow From Active Directory to eDirectory
- Password History
- Password MUST Change
- Password Maximum Length
- Password Minimum Length
- Password Policy
- Passwords Must Meet Complexity Requirements
- Passwords Using LDIF
- Perl Add User Sample
- PosixAccount
- PrimaryGroupID
- Pwd-Last-Set attribute
- PwdLastSet
- PwdProperties
- RangeUpper
- RdnAttId
- Read-Only Domain Controller
- Recycled-object
- Relative IDentifier
- Remote Authentication Dial-In User Service
- Root Domain Directory Partition
- SECURITY_IMPERSONATION_LEVEL
- SID string
- SPNEGO
- STRUCTURAL
- SamAccountName
- Schema Directory Partition
- Schema Master FSMO Role
- Schema Partition
- SchemaFlagsEx
- SchemaIDGUID
- ScriptPath
- Search Filters Limitations
- SearchFlags
- Securable object
- Security Account Manager
- Security Descriptor
- Security Group
- Security Identifier
- Security Support Provider
- Security Support Provider Interface
- SecurityPrincipal
- Server Message Block
- Service Connection Points
- Set Active Directory Password From Java
- Setting and Changing Microsoft Active Directory Passwords
- Sid
- Simple Paged Results Control
- Simple and Protected GSSAPI Negotiation Mechanism
- Single Sign-On Scenarios
- Site
- Statically Linked Auxiliary Classes
- String(Sid)
- StructuralObjectClass Attribute
- Subtree Delete Control
- System-Id-Guid
- SystemFlags
- SystemOnly
- Telex
- Tombstone
- TombstoneLifetime
- TrustAuthIncoming
- TrustAuthOutgoing
- Trusted Domain Object
- TrustedDomain
- UTCTime
- UnicodePwd
- UniqueMember
- Universal Group
- Universally Unique Identifier
- UnixHomeDirectory
- Update Sequence Number
- User
- User Access Control
- User-Account-Control Attribute
- User-Account-Control Attribute Values
- UserAccountControl
- UserPrincipalName
- UsnChanged
- VIS
- Verify DNS Records
- Virtual Attribute
- Virtual List View Control
- WILL_NOT_PERFORM
- Web Blog_blogentry_010415_1
- Web Blog_blogentry_280714_1
- Well-known Security Identifiers
- WhenChanged
- Why is Time Important
- Windows Hello
- Windows Integrated Authentication
- Windows Security Log Event
- Windows Server 2000
- Windows Server NT
- Windows Time service
- X-HIDDEN
- X-SCHEMAFLAGSEx
- X-SEARCH-FLAGS
- X-SYSTEMFLAGS
- XACML
- ZOOMIT Corporation