Active Directory Schema Related LDAP Searches are example LDAP SearchFilters that reveal the Microsoft Active Directory LDAP Schema for your AD Forest.
The examples below show line feeds ONLY for clarity; each ldapsearch invocation is a single command line. Every example binds with -x (simple bind), which sends the password in clear text and is why the URL is ldaps:// on port 636. The Schema naming context is readable by any authenticated user by default, so the administrator credentials shown are not required to run these searches.
Constructed Attributes have FLAG_ATTR_IS_CONSTRUCTED (0x4) set in systemFlags. The filter uses the LDAP_MATCHING_RULE_BIT_AND extensible match (1.2.840.113556.1.4.803) so that the bit matches regardless of which other bits are set.
# LDAP URL : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?cn,lDAPDisplayName,linkID,objectClass?sub?(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))
# command line :
ldapsearch -H ldaps://example-dcdc.example.com:636
-x
-D "administrator@example.com" -W
-b "CN=Schema,CN=Configuration,DC=root-example,DC=com"
-s sub
-a always
-z 1000
"(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))"
"cn" "lDAPDisplayName" "linkID" "objectClass"
Attributes that are not replicated between domain controllers have FLAG_ATTR_NOT_REPLICATED (0x1) set in systemFlags.
# LDAP URL : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?lDAPDisplayName,cn,objectClass?sub?(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))
# command line :
ldapsearch
-H ldaps://example-dcdc.example.com:636
-x
-D "administrator@example.com"
-W
-b "CN=Schema,CN=Configuration,DC=root-example,DC=com"
-s sub
-a always
-z 1000
"(&(objectCategory=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=1))"
"lDAPDisplayName" "cn" "objectClass"
This LDAP SearchFilter reveals the Linked Attributes defined within the Microsoft Active Directory Schema: every attributeSchema object that carries a linkID. Even linkID values are forward links; the odd value one higher is the matching back link.
# LDAP URL : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?cn,lDAPDisplayName,linkID,objectClass?sub?(linkID=*)
# command line :
ldapsearch
-H ldaps://example-dcdc.example.com:636
-x
-D "administrator@example.com"
-W
-b "CN=Schema,CN=Configuration,DC=root-example,DC=com"
-s sub
-a always
-z 1000
"(linkID=*)"
"cn" "lDAPDisplayName" "linkID" "objectClass"
This LDAP SearchFilter reveals the attributes defined within the Microsoft Active Directory Schema that are indexed. Indexed attributes have the searchFlags bit fATTINDEX (0x1) set.
# LDAP URL : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?lDAPDisplayName,cn,objectClass?sub?(searchFlags:1.2.840.113556.1.4.803:=1)
# command line :
ldapsearch
-H ldaps://example-dcdc.example.com:636
-x
-D "administrator@example.com"
-W
-b "CN=Schema,CN=Configuration,DC=root-example,DC=com"
-s sub
-a always
-z 1000
"(searchFlags:1.2.840.113556.1.4.803:=1)"
"lDAPDisplayName" "cn" "objectClass"
Confidential Attributes have the searchFlags bit fCONFIDENTIAL (0x80 = 128) set. Reading such an attribute requires RIGHT_DS_CONTROL_ACCESS on it in addition to the normal read-property right, so a plain read of the object returns the other attributes but omits the confidential one.
# LDAP URL : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?lDAPDisplayName,cn,objectClass?sub?(searchFlags:1.2.840.113556.1.4.803:=128)
# command line :
ldapsearch
-H ldaps://example-dcdc.example.com:636
-x
-D "administrator@example.com"
-W
-b "CN=Schema,CN=Configuration,DC=root-example,DC=com"
-s sub
-a always
-z 1000
"(searchFlags:1.2.840.113556.1.4.803:=128)"
"lDAPDisplayName" "cn" "objectClass"
Attributes replicated to the Global Catalog (the partial attribute set) have isMemberOfPartialAttributeSet set to TRUE.
# LDAP URL : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?lDAPDisplayName,cn,objectClass?sub?(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))
# command line :
ldapsearch
-H ldaps://example-dcdc.example.com:636
-x
-D "administrator@example.com"
-W
-b "CN=Schema,CN=Configuration,DC=root-example,DC=com"
-s sub
-a always
-z 1000
"(&(objectCategory=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))"
"lDAPDisplayName" "cn" "objectClass"
Ambiguous Name Resolution (ANR) attributes have the searchFlags bit fANR (0x4) set.
# LDAP URL : ldaps://example-dcdc.example.com:636/CN=Schema,CN=Configuration,DC=root-example,DC=com?lDAPDisplayName,cn,objectClass?sub?(searchFlags:1.2.840.113556.1.4.803:=4)
# command line :
ldapsearch
-H ldaps://example-dcdc.example.com:636
-x
-D "administrator@example.com"
-W
-b "CN=Schema,CN=Configuration,DC=root-example,DC=com"
-s sub
-a always
-z 1000
"(searchFlags:1.2.840.113556.1.4.803:=4)"
"lDAPDisplayName" "cn" "objectClass"
Two further systemFlags bit filters, usable against any naming context, not only the Schema:
(systemFlags:1.2.840.113556.1.4.803:=-2147483648)
matches FLAG_DISALLOW_DELETE (0x80000000). systemFlags is a signed 32-bit Integer, so the high bit has to be written as -2147483648 in the filter.
(systemFlags:1.2.840.113556.1.4.803:=134217728)
matches FLAG_DOMAIN_DISALLOW_RENAME (0x08000000 = 134217728).
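The searches on this page all come down to two things: building an LDAP_MATCHING_RULE_BIT_AND filter for a flag bit, and decoding the systemFlags / searchFlags integers that come back. The following is an added example, not code from the original page, that does both offline against saved ldapsearch output. It works on LDIF text, so it needs no directory connection; the SAMPLE_LDIF entries (exampleSecret, exampleMember, exampleMemberOf) and their flag values are constructed for illustration and do not come from a real forest.

```python
"""Added example: decode AD schema flag bitmasks and build the bitwise LDAP
filters shown on this page. Works on saved ldapsearch (LDIF) output."""
from typing import Dict, List

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# systemFlags bits relevant to attributeSchema objects (MS-ADTS 2.2.10).
SYSTEM_FLAGS: Dict[int, str] = {
    0x00000001: "FLAG_ATTR_NOT_REPLICATED",
    0x00000002: "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER",
    0x00000004: "FLAG_ATTR_IS_CONSTRUCTED",
    0x00000008: "FLAG_ATTR_IS_OPERATIONAL",
    0x00000010: "FLAG_SCHEMA_BASE_OBJECT",
    0x00000020: "FLAG_ATTR_IS_RDN",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x80000000: "FLAG_DISALLOW_DELETE",
}

# searchFlags bits (MS-ADTS 2.2.9).
SEARCH_FLAGS: Dict[int, str] = {
    0x0001: "fATTINDEX", 0x0002: "fPDNTATTINDEX", 0x0004: "fANR",
    0x0008: "fPRESERVEONDELETE", 0x0010: "fCOPY", 0x0020: "fTUPLEINDEX",
    0x0040: "fSUBTREEATTINDEX", 0x0080: "fCONFIDENTIAL",
    0x0100: "fNEVERVALUEAUDIT", 0x0200: "fRODCFilteredAttribute",
    0x0400: "fEXTENDEDLINKTRACKING", 0x0800: "fBASEONLY",
    0x1000: "fPARTITIONSECRET",
}


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the bits set in a flag value. AD returns systemFlags as a
    signed 32-bit integer (0x80000000 arrives as -2147483648), so mask to
    32 bits first and both forms decode the same way."""
    value &= 0xFFFFFFFF
    return [name for bit, name in sorted(table.items()) if value & bit]


def ldap_int(mask: int) -> str:
    """Render a 32-bit mask as the signed integer AD expects in a filter
    assertion: FLAG_DISALLOW_DELETE must be written as '-2147483648'."""
    mask &= 0xFFFFFFFF
    return str(mask - (1 << 32) if mask & 0x80000000 else mask)


def bit_and_filter(attr: str, mask: int, schema_only: bool = True) -> str:
    """LDAP_MATCHING_RULE_BIT_AND filter; schema_only ANDs it with
    (objectCategory=attributeSchema) as the page's schema searches do."""
    clause = f"({attr}:{LDAP_MATCHING_RULE_BIT_AND}:={ldap_int(mask)})"
    return f"(&(objectCategory=attributeSchema){clause})" if schema_only else clause


def link_role(link_id: int) -> str:
    """linkID parity: even is a forward link, odd is the matching back link."""
    return "forward link" if link_id % 2 == 0 else "back link"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader for ldapsearch output: blank-line separated
    entries, 'attr: value' lines, '#' comments skipped. Base64 ('::') and
    folded lines are not handled; the flag attributes never need them."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def attributes_with_flag(entries, flag_attr: str, flag_name: str, table) -> List[str]:
    """lDAPDisplayName of every entry whose flag_attr has flag_name set."""
    found = []
    for e in entries:
        if flag_name in decode_flags(int(e.get(flag_attr, ["0"])[0]), table):
            found.extend(e.get("lDAPDisplayName", []))
    return sorted(found)


# Constructed sample of schema NC output; values are illustrative only.
SAMPLE_LDIF = """\
dn: CN=Example-Secret,CN=Schema,CN=Configuration,DC=root-example,DC=com
lDAPDisplayName: exampleSecret
searchFlags: 136
systemFlags: 1

dn: CN=Example-Member,CN=Schema,CN=Configuration,DC=root-example,DC=com
lDAPDisplayName: exampleMember
searchFlags: 1
systemFlags: 16
linkID: 2

dn: CN=Example-Member-Of,CN=Schema,CN=Configuration,DC=root-example,DC=com
lDAPDisplayName: exampleMemberOf
searchFlags: 0
systemFlags: -2147483644
linkID: 3
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(bit_and_filter("systemFlags", 0x80000000, schema_only=False))
    print("confidential:", attributes_with_flag(entries, "searchFlags", "fCONFIDENTIAL", SEARCH_FLAGS))
    for e in entries:
        if "linkID" in e:
            print(e["lDAPDisplayName"][0], link_role(int(e["linkID"][0])), decode_flags(int(e["systemFlags"][0]), SYSTEM_FLAGS))
```

Pipe real output into it with `ldapsearch ... "(objectCategory=attributeSchema)" lDAPDisplayName searchFlags systemFlags linkID` saved to a file and passed to parse_ldif; decoding the full flag set per attribute is usually more useful than one bit-filter per question, because a single pass shows, for example, which confidential attributes are also in the Global Catalog or are constructed.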