Recipe 15.8. Searching for Objects in a Domain

Problem

You want to find objects that match certain criteria in a domain.

Solution

Using a graphical user interface

  1. Open LDP from the Support Tools (ldp.exe).

  2. From the menu, select Connection → Connect.

     For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

  3. For Port, enter 389. To perform a forest-wide search using the Global Catalog, enter 3268.

  4. Click OK.

  5. From the menu, select Connection → Bind.

     Enter the credentials of a user.

  6. Click OK.

  7. From the menu, select Browse → Search.

     For BaseDN, type the base distinguished name at which to start the search.

  8. For Scope, select the appropriate scope.

  9. For Filter, enter an LDAP filter.

  10. Click Run.

If you expect your search to return a large number of objects (e.g., more than 1000), you'll need to enable the Paged LDAP control to see them all in LDP.

  1. Click the Options button.

  2. For Timeout (s), enter a value such as 10.

  3. For Page size, enter the number of objects to be returned with each page, (e.g., 1000).

  4. Under Search Call Type, select Paged.

  5. Click OK.

  6. A page of results (i.e., 1000 entries) will be displayed each time you click on Run until all results have been returned.

Using a command-line interface

Use the following command to perform a search against a domain controller:

> dsquery * <BaseDN> -scope <Scope> -filter "<Filter>" -attr "<AttrList>"

The following example searches for all siteLink objects in the Configuration container:

> dsquery * "cn=configuration,dc=rallencorp,dc=com" -scope subtree -filter "(objectcategory=sitelink)" -attr "name"

Use the following command to perform a search against the global catalog:

> dsquery * <BaseDN> -gc -scope <Scope> -filter "<Filter>" -attr "<AttrList>"

Use the following command to perform a search in which you expect there to be a large number of matching entries:

> dsquery * <BaseDN> -limit 0 -scope <Scope> -filter "<Filter>" -attr "<AttrList>"

Using VBScript

' This code searches for objects based on the specified criteria.
' ------ SCRIPT CONFIGURATION ------
strBase    = "<LDAP://<BaseDN>>;"   ' BaseDN should be the search base
strFilter  = "<Filter>;"            ' Valid LDAP search filter
strAttrs   = "<AttrList>;"          ' Comma-separated list of attributes to return
strScope   = "<Scope>"              ' Should be one of Subtree, Onelevel, or Base
' ------ END CONFIGURATION ---------

' Create and open an ADO connection through the Active Directory (ADsDSOObject) provider.
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

' The ADO command string is "<base>;<filter>;<attributes>;<scope>".
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend

' This code enables paged searching
' ------ SCRIPT CONFIGURATION ------
strBase    = "<LDAP://<BaseDN>>;"
strFilter  = "<Filter>;"
strAttrs   = "<AttrList>;"
strScope   = "<Scope>"
' ------ END CONFIGURATION ---------

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

' A Command object exposes query properties such as Page Size; setting it
' makes ADO request the results in pages instead of stopping at 1000.
set objComm = CreateObject("ADODB.Command")
objComm.ActiveConnection = objConn
objComm.Properties("Page Size") = 1000
objComm.CommandText = strBase & strFilter & strAttrs & strScope
set objRS = objComm.Execute
objRS.MoveFirst
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend

Discussion

Most tools that can be used to search Active Directory require a basic understanding of how to perform LDAP searches using a base DN, search scope, and search filter as described in RFC 2251 and 2254. The base DN is where the search begins in the directory tree. The search scope defines how far down in the tree to search from the base DN. The search filter is a prefix notation string that contains equality comparisons of attribute and value pairs.

The scope can be base, onelevel (or one), or subtree (or sub). A base scope will match only the base DN, onelevel will match only objects that are contained directly under the base DN, and subtree will match everything below the base DN (not including the base DN).

The search filter syntax is a powerful way to represent simple and complex queries. An example filter that matches all user objects would be (&(objectclass=user)(objectcategory=person)). For more information on filters, see RFC 2254.
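To make the three pieces of a search concrete (base DN, scope, and the RFC 2254 prefix-notation filter), here is an added example that is not from the book: a small filter parser and evaluator run over a constructed in-memory directory instead of a live domain controller. The directory contents, the DN names, the helper names, and the attribute values are all made up for the illustration; objectcategory is stored as the short class name rather than the schema DN that Active Directory actually uses, DN parsing ignores escaped commas, and the subtree scope follows the RFC definition, under which the base entry itself is included. The example also shows RFC 2254 section 4 value escaping, which is what keeps a value such as a user-supplied "*" or ")" from being read as filter syntax.

```python
import re

# Constructed sample directory for the demonstration: DN -> attributes.
# Attribute names are lowercase; every attribute is multi-valued, as in LDAP.
DIRECTORY = {
    "dc=rallencorp,dc=com": {"objectclass": ["domainDNS"]},
    "cn=users,dc=rallencorp,dc=com": {"objectclass": ["container"]},
    "ou=domain controllers,dc=rallencorp,dc=com": {"objectclass": ["organizationalUnit"]},
    "cn=rallen,cn=users,dc=rallencorp,dc=com": {
        "objectclass": ["top", "person", "user"], "objectcategory": ["person"],
        "samaccountname": ["rallen"], "mail": ["rallen@rallencorp.com"]},
    "cn=svc-backup,cn=users,dc=rallencorp,dc=com": {
        "objectclass": ["top", "person", "user"], "objectcategory": ["person"],
        "samaccountname": ["svc-backup"]},
    "cn=domain computers,cn=users,dc=rallencorp,dc=com": {
        "objectclass": ["top", "group"], "objectcategory": ["group"]},
    # Computers are also of class "user" in AD, which is why the book's
    # filter adds objectcategory=person to match people only.
    "cn=dc1,ou=domain controllers,dc=rallencorp,dc=com": {
        "objectclass": ["top", "person", "user", "computer"],
        "objectcategory": ["computer"], "samaccountname": ["DC1$"]},
}

def _dn_parts(dn):
    # Simplified DN handling: split on commas, ignoring escaped commas.
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(dn, base, scope):
    """Apply the search scope as RFC 2251 defines it: base matches the base entry
    only, onelevel its immediate children, subtree the base and everything below."""
    d, b = _dn_parts(dn), _dn_parts(base)
    below = len(d) > len(b) and d[-len(b):] == b
    if scope == "base":
        return d == b
    if scope in ("onelevel", "one"):
        return below and len(d) == len(b) + 1
    if scope in ("subtree", "sub"):
        return below or d == b
    raise ValueError(f"unknown scope {scope!r}")

def escape_value(value):
    """Escape an attribute value for embedding in a filter (RFC 2254 section 4),
    so that characters such as '*' or ')' are matched literally, not read as syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(=|~=|>=|<=)")

def parse_filter(text):
    """Parse an RFC 2254 filter string into a small tuple-based syntax tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters at position {pos}")
    return node

def _expect(text, pos, ch):
    if pos >= len(text) or text[pos] != ch:
        raise ValueError(f"expected {ch!r} at position {pos}")
    return pos + 1

def _parse(text, pos):
    pos = _expect(text, pos, "(")
    op = text[pos] if pos < len(text) else ""
    if op in ("&", "|"):                 # prefix-notation conjunction / disjunction
        pos, children = pos + 1, []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        return (op, children), _expect(text, pos, ")")
    if op == "!":
        child, pos = _parse(text, pos + 1)
        return ("!", child), _expect(text, pos, ")")
    m = _ITEM.match(text, pos)
    if not m:
        raise ValueError(f"bad filter item at position {pos}")
    end = text.index(")", m.end())       # a ')' inside a value must be escaped as \29
    return ("item", m.group(1).lower(), m.group(2), text[m.end():end]), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, op, raw = node
    values = [v.lower() for v in entry.get(attr, [])]
    if op == "=" and raw == "*":         # presence filter (attr=*)
        return bool(values)
    if op == "=" and "*" in raw:         # substring filter: an unescaped '*' is a wildcard
        pattern = ".*".join(re.escape(_unescape(p).lower()) for p in raw.split("*"))
        return any(re.fullmatch(pattern, v) for v in values)
    target = _unescape(raw).lower()
    if op == "=":
        return target in values
    if op == ">=":
        return any(v >= target for v in values)
    if op == "<=":
        return any(v <= target for v in values)
    raise ValueError("approximate match (~=) is server-defined and not modelled here")

def search(base, scope, filter_text, directory=DIRECTORY):
    """Run a search the way the recipe describes: base DN + scope + filter -> matching DNs."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base, scope) and matches(tree, attrs))

if __name__ == "__main__":
    for dn in search("dc=rallencorp,dc=com", "subtree", "(&(objectclass=user)(objectcategory=person))"):
        print(dn)
```

Running the block prints the two people under cn=users and not the domain controller, because the computer object matches objectclass=user but not objectcategory=person. Passing a value through escape_value before building a filter from it turns "(samaccountname=*)", a presence test that matches every account, into "(samaccountname=\2a)", which matches only an account literally named "*".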

When you perform a normal LDAP search over port 389, you are searching against a particular partition in Active Directory: the Domain naming context, Configuration naming context, Schema naming context, or application partition. If you have multiple domains in your forest, this type of search applies only to the specified domain.

The global catalog facilitates forest-wide searches. The global catalog contains a subset of the attributes for all objects in the forest (excluding objects in application partitions). Think of it as a subset of all the naming contexts combined. All objects will be contained in the global catalog, except for objects in application partitions, but only some of the attributes will be available. For that reason, if you perform a global catalog search and do not get values for attributes you expected, make sure those attributes are included in the global catalog, also known as the partial attribute set (PAS).

You might notice that searches with large numbers of matches stop displaying after 1000. Domain controllers return only a maximum of 1,000 entries from a search unless paging is enabled. This is done to prevent queries from consuming a lot of resources on domain controllers by retrieving the results all at once.

Paged support is implemented via an LDAP control. LDAP controls were defined in RFC 2251 and the Paged control in RFC 2696. Controls are extensions to LDAP that were not built into the protocol, so not all directory vendors support the same ones.

In Active Directory, you can change the default maximum page size of 1000 by modifying the LDAP query policy, but you should avoid doing this unless you have a very good reason.


Active Directory returns a maximum of only 262,144 entries even when paged searching is enabled. This value is defined in the LDAP query policy and can be modified like the maximum page size.
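The paged results exchange described in the preceding paragraphs, as an added example that is not from the book: a toy model of the RFC 2696 control in which the "server" enforces the two LDAP query policy values mentioned above (MaxPageSize of 1000 and MaxResultSetSize of 262,144) and returns a cookie, and the client resends the search with that cookie until it comes back empty. The result set is constructed, the cookie is simply the next offset (a real cookie is an opaque server value), and both limits are parameters so the effect of changing the policy can be observed without a domain controller.

```python
MAX_PAGE_SIZE = 1000           # AD default MaxPageSize (LDAP query policy)
MAX_RESULT_SET_SIZE = 262144   # AD default MaxResultSetSize (LDAP query policy)

def server_search(results, page_size=None, cookie=b"",
                  max_page=MAX_PAGE_SIZE, max_total=MAX_RESULT_SET_SIZE):
    """Server side of one search request.
    results   - the full list of matching entries (constructed by the caller)
    page_size - page size requested in the paged results control, or None
                when the client sent the search without the control
    cookie    - cookie returned with the previous page (b"" on the first request)
    Returns (entries, next_cookie, size_limit_exceeded)."""
    if page_size is None:
        # No control: at most max_page entries come back, there is no cookie to
        # continue from, and the response carries sizeLimitExceeded if more matched.
        return results[:max_page], b"", len(results) > max_page
    start = int(cookie) if cookie else 0                 # toy cookie: next offset
    limit = min(len(results), max_total)                 # MaxResultSetSize caps the whole search
    end = min(start + min(page_size, max_page), limit)   # server clamps the page to MaxPageSize
    next_cookie = str(end).encode() if end < limit else b""
    exceeded = len(results) > max_total and end >= max_total
    return results[start:end], next_cookie, exceeded

def client_paged_search(results, page_size=1000, **limits):
    """Client side: resend the search with the returned cookie until it is empty,
    which is what LDP's Paged call type and ADO's Page Size property do for you."""
    collected, cookie, pages = [], b"", 0
    while True:
        page, cookie, exceeded = server_search(results, page_size, cookie, **limits)
        collected.extend(page)
        pages += 1
        if not cookie:
            return collected, pages, exceeded

if __name__ == "__main__":
    # Constructed result set of 2,500 matching entries.
    sample = [f"cn=user{i},cn=users,dc=example,dc=com" for i in range(2500)]
    unpaged, _, truncated = server_search(sample)
    print(f"without paging: {len(unpaged)} entries, sizeLimitExceeded={truncated}")
    entries, pages, _ = client_paged_search(sample, page_size=1000)
    print(f"with paging: {len(entries)} entries in {pages} pages")
```

Two details worth noticing when running it: a client that asks for a page size above MaxPageSize still receives 1000-entry pages, because the server clamps the page, and MaxResultSetSize is applied to the whole paged search rather than to a page, so raising the page size never gets past it.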

Using a graphical user interface

A word of caution when using LDP to display a large number of entries: by default only 2048 lines will be displayed in the right pane. To change that value, go to Options → General and change the Line value under Buffer Size to a larger number.

Using a command-line interface

<AttrList> should be a comma-separated list of attributes to return. If left blank, all attributes that have a value will be returned. With -limit set to 0, paging will be enabled and all matching objects will be returned. If -limit is not specified, only 100 matches will be returned.

Using VBScript

The VBScript solution used ADO to perform the search. When using ADO, you must first create a connection object with the following three lines:

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

At this point, you can pass parameters to the Execute method, which will return a ResultSet object. You can iterate over the ResultSet by using the MoveFirst and MoveNext methods.

To enable paged searching in ADO, you must instantiate an ADO Command object. A Command object allows you set various properties of a query, including size limit, time limit, and page size. See MSDN for the complete list.

See Also

RFC 2251 (Lightweight Directory Access Protocol (v3)), RFC 2254 (The String Representation of LDAP Search Filters), MSDN: Searching with ActiveX Data Objects (ADO), and for a good whitepaper on performing queries with LDAP, see: http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/ldap.asp


Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen