LDP.exe for Active Directory

Microsoft also provides a free utility called LDP.exe as part of the Windows 2000 Support Tools. It can be used to perform Lightweight Directory Access Protocol (LDAP) searches against Active Directory for information that matches specific search criteria.

LDP can be used to perform advanced LDAP queries against Active Directory, use a variety of LDAP controls, specify advanced connection, binding and search result options, and view objects, object metadata and raw Security Descriptors.

One advantage of LDP is that it is a standards-compliant Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory.

LDP can be used to specify and execute any valid LDAP query and thus generate reports which are more advanced than those generated via the standard Administrative MMC tools provided by Microsoft Windows Server. It can be used to generate advanced time-based reports as well, but it requires you to specify all the technical details in LDAP parlance, which can make it a little cumbersome unless you're adept at writing LDAP queries and performing 64-bit time value conversions.
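The 64-bit time conversion mentioned above, as an added example that is not part of the original post: it converts between UTC datetimes and the integer format Active Directory uses, and builds a time-based LDAP filter that could be entered in LDP. The choice of the `lastLogonTimestamp` attribute, the 90-day cutoff and the reference date are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores times such as lastLogonTimestamp, pwdLastSet and accountExpires as a
# 64-bit count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # sentinel values meaning "never" / "not set"


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to the 64-bit integer used in an LDAP filter."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; AD values are UTC")
    delta = dt - EPOCH_1601
    # Integer arithmetic only, so no precision is lost on large values.
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(value: int):
    """Convert a raw attribute value back to UTC, or None for the sentinels."""
    if value in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def stale_logon_filter(days: int, now: datetime) -> str:
    """LDAP filter for user accounts whose lastLogonTimestamp is older than `days`."""
    cutoff = datetime_to_filetime(now - timedelta(days=days))
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(lastLogonTimestamp<={cutoff}))")


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    print(stale_logon_filter(90, now))               # filter text to use in LDP
    print(filetime_to_datetime(133485408000000000))  # raw value back to a date
```

`lastLogonTimestamp` is replicated between domain controllers but is deliberately updated lazily, so a filter like this suits stale-account reviews rather than an exact last logon time.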

Tip: I first looked for ldp in the hope of being able to find which users have restricted logon hours specified in our AD. Unfortunately, I could not do so with LDP, since analyzing logon-hours takes a bit more work.

All in all, it's a good tool to have and use if you want to look under the hood of your Active Directory. Another helpful tool to consider if you need to perform advanced AD security analysis is this one.

+ Pros: Free, Can be used for advanced LDAP querying and basic AD reporting

- Cons: Limited in its ability to generate custom IT management and security reports (e.g. True Last Logon)

Download: ldp.exe is a part of the Windows Server 2003 Service Pack 2 32-bit Support Tools set and can be downloaded from here.
