Searching for Objects in a Domain

Most tools that can be used to search Active Directory require a basic understanding of how to perform LDAP searches using a base DN, search scope, and search filter as described in RFC 2251 and 2254. The base DN is where the search begins in the directory tree. The search scope defines how far down in the tree to search from the base DN. The search filter is a prefix notation string that contains equality comparisons of attribute and value pairs.

The scope can be base, onelevel (or one), or subtree (or sub). A base scope will match only the base DN, onelevel will match only objects that are contained directly under the base DN, and subtree will match everything below the base DN (not including the base DN).

The search filter syntax is a powerful way to represent simple and complex queries. An example filter that matches all user objects would be (&(objectclass=user)(ob-jectcategory=Person)). For more information on filters, see RFC 2254.

When you perform a normal LDAP search over port 389, you are searching against a particular partition in Active Directory: the Domain naming context, Configuration naming context, Schema naming context, or application partition. If you have multiple domains in your forest, this type of search applies only to the specified domain.

The global catalog facilitates forest-wide searches. The global catalog contains a subset of the attributes for all objects in the forest (excluding objects in application partitions). Think of it as a subset of all the naming contexts combined. All objects will be contained in the global catalog, except for objects in application partitions, but only some of the attributes will be available. For that reason, if you perform a global catalog search and do not get values for attributes you expected, make sure those attributes are included in the global catalog, also known as the partial attribute set (PAS).

You might notice that searches with large numbers of matches stop displaying after 1000. Domain controllers return only a maximum of 1,000 entries from a search unless paging is enabled. This is done to prevent queries from consuming a lot of resources on domain controllers by retrieving the results all at once.

Paged support is implemented via an LDAP control. LDAP controls were defined in RFC 2251 and the Paged control in RFC 2696. Controls are extensions to LDAP that were not built into the protocol, so not all directory vendors support the same ones.

Active Directory, you can change the default maximum page size of 1000 by modifying the LDAP query policy, but you should avoid doing this unless you have a very good reason.

Active Directory returns a maximum of only 262,144 entries even when paged searching is enabled. This value is defined in the LDAP query policy and can be modified like the maximum page size.

Using a graphical user interface

  1. Open LDP from the Support Tools (ldp.exe).
  2. From the menu, select Connection > Connect.
  3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
  4. For Port, enter 389. To perform a forest-wide search using the Global Catalog, enter 3268.
  5. Click OK.
  6. From the menu, select Connection > Bind.
  7. Enter credentials of a user.
  8. Click OK.
  9. From the menu, select Browse > Search.
  10. For BaseDN, type the base distinguished name where to start the search.
  11. For Scope, select the appropriate scope.
  12. For Filter, enter an LDAP filter.
  13. Click Run.

If you expect your search to return a large number of objects (e.g., more than 1000), you’ll need to enable the Paged LDAP control to see them all in LDP.

  1. Click the Options button.
  2. For Timeout (s), enter a value such as 10.
  3. For Page size, enter the number of objects to be returned with each page, (e.g., 1000).
  4. Under Search Call Type, select Paged.
  5. Click OK.
  6. A page of results (i.e., 1000 entries) will be displayed each time you click on Run until all results have been returned.

Using a command-line interface

Use the following command to perform a search against a domain controller:

> dsquery *  -scope  -filter "" -attr ""

The following example searches for all siteLink objects in the Configuration container:

> dsquery * "cn=configuration,dc=rallencorp,dc=com" -scope subtree -filter "(object
 category=sitelink)" -attr "name"

Use the following command to perform a search against the global catalog:

> dsquery *  -gc -scope  -filter "" -attr ""

Use the following command to perform a search in which you expect there to be a large number of matching entries:

> dsquery *  -limit 0 -scope  -filter "" -attr ""

Using VBScript

' This code searches for objects based on the specified criteria.
 strBase    =  ">;" ' BaseDN should be the search base
 strFilter  = ";"           ' Valid LDAP search filter
 strAttrs   = ";"         ' Comma-seperated list
 strScope   = ""             ' Should be on of Subtree, Onelevel, or Base
 ' ------ END CONFIGURATION ---------
set objConn = CreateObject("ADODB.Connection")
 objConn.Provider = "ADsDSOObject"
 objConn.Open "Active Directory Provider"
 set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
 while Not objRS.EOF
     Wscript.Echo objRS.Fields(0).Value
' This code enables paged searching
 strBase    =  ">;"
 strFilter  = ";"
 strAttrs   = ";"
 strScope   = ""
 ' ------ END CONFIGURATION ---------
set objConn = CreateObject("ADODB.Connection")
 objConn.Provider = "ADsDSOObject"
 objConn.Open "Active Directory Provider"
 set objComm = CreateObject("ADODB.Command")
 objComm.ActiveConnection = objConn
 objComm.Properties("Page Size") = 1000
 objComm.CommandText = strBase & strFilter & strAttrs & strScope
 set objRS = objComm.Execute
 while Not objRS.EOF
     Wscript.Echo objRS.Fields(0).Value