Searching Active Directory Objects
One of the advantages of Microsoft's Active Directory is that it allows
users to search objects in the database by performing Lightweight Directory
Access Protocol queries. LDAP is an industry standard used by several
directory services to access information within the directory database.
Microsoft's Active Directory supports both LDAP versions 2 and 3.
Although there are many tools that administrators and users can use to
update or query information in Active Directory, LDAP is the main protocol
used to gain access to that information. For example, Active Directory
Users and Computers, ADSI Edit, LDP and other tools use LDAP to communicate
with Active Directory.
Protocols and Ports Used in Search
There are several protocols involved in searching the Active Directory.
At the transport layer LDAP uses Transmission Control Protocol (TCP),
a connection-oriented protocol. Connection-oriented means that the receiving
end must acknowledge receipt of the packets or else the sender will have
to resend the packets. At the network layer, LDAP uses Internet Protocol
(IP), which handles routing and addressing of packets. If you wish to
encrypt LDAP communication, you can use Secure Sockets Layer (SSL), which
requires certificate services.
To search Active Directory, there are several network ports that are
used. These ports are primarily related to LDAP and Global Catalog. The
following table describes the TCP ports used by Active Directory searches.
Table 1. Network ports used by Active Directory searches.

  Service                        TCP port
  LDAP                           389
  LDAP over SSL                  636
  Global Catalog LDAP            3268
  Global Catalog LDAP over SSL   3269
The Search Process
Let's take a closer look at the process of Active Directory searches from
the client's perspective and see what's involved in the process. In order
for an Active Directory client to perform a successful LDAP search, the
client first must locate an LDAP server. This is accomplished with the
help of a Domain Name System (DNS) server. Then the client establishes
a TCP connection to the server. Once the connection is made, the client
must authenticate to the server. The authentication process is referred
to as "binding" to the server. After the client successfully
authenticates (binds) to the server, the client is then able to perform
an Active Directory search.
By default, client searches are limited to 1,000 objects. This is done
to improve query response time. For the default Active Directory tools,
such as Active Directory Users and Computers, you can change the maximum
query limit for your environment with a Group Policy setting located at
\Administrative Templates\Desktop\Active Directory\Maximum size of Active Directory searches.
This is a user-based policy, so it only affects the default tools and has
no impact on LDAP queries that are performed programmatically. In addition,
the user must log off and then log back on for the setting to take effect.
If you want to modify the maximum query limit on Active Directory clients,
you also have the option of editing the registry on their local computer.
The setting is located under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Directory.
If the client has not joined the Active Directory domain, you won't see
this Directory key in the registry.
Tools Used for Searching Active Directory
To perform an Active Directory search and locate objects in Active Directory,
such as users, computers or printers, the client can use one of several
tools listed below. "Clients" in this context doesn't mean end users; it
simply means anyone who has the ability to perform LDAP searches based
on their authentication.
- Active Directory Users and Computers: This tool is installed on the
Domain Controllers and can be used by Administrators to search the
directory. However, end users will not have access to this tool unless
you specifically give them access, which is not very likely.
- ADSI Edit: This tool is part of Windows Support Tools. Administrators
can use this tool not only for searches but also to perform other
functions. End users will not have access to this tool.
- LDP: LDP is another tool that is part of Windows Support Tools. This
graphical user interface (GUI) tool is available only to administrators,
not to end users.
- Dsquery: This is a command-line tool in Windows Server 2003 that can
be used by administrators to search the Active Directory.
- Search Companion: This is the Search tool on the Start Menu that is
available on Windows Server 2003 and Windows XP. It has some limited
search capabilities that end users can use.
- My Network Places: End users can go to My Network Places and use the
option Search Active Directory (see Figure 1). This option is only
available on computers that have joined an Active Directory
Figure 1. Searching Active Directory.
When you click the link in Figure 1, you have all kinds of options for
LDAP searches. You can search for users, contacts, groups, computers,
printers, shared folders and Organizational Units. In addition, with
the Custom Search option, you have unlimited capabilities to perform LDAP
searches. If you are familiar with LDAP language, on the Advanced tab
of Custom Search you can type your LDAP query. Figure 2 shows a custom
LDAP query for an administrator that will list all users that have never
logged in to the domain.
Figure 2. Custom LDAP query.
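As an added example (not code from the original article), here is the Figure 2 "never logged on" query run programmatically, retrieved with the LDAP paged-results control, which is how a programmatic client (unaffected by the Group Policy limit discussed above) gets past the 1,000 entries a domain controller returns per page by default. It assumes the third-party ldap3 library for the live search; the filter, the lastLogon decoding and the sample entries are pure Python and run offline.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, List, Optional

# lastLogon absent or 0 means this DC has never authenticated the account.
# Caveat: lastLogon is not replicated, so each DC only knows its own logons;
# query every DC (or use the replicated lastLogonTimestamp) for a domain-wide view.
NEVER_LOGGED_ON_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(|(!(lastLogon=*))(lastLogon=0)))"
)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value: int) -> Optional[datetime]:
    """AD stores lastLogon as 100-ns ticks since 1601-01-01 UTC; 0 and INT64 max mean 'never'."""
    if value <= 0 or value == 0x7FFFFFFFFFFFFFFF:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def never_logged_on(entry: Dict[str, object]) -> bool:
    """Same condition as NEVER_LOGGED_ON_FILTER, evaluated on one entry's attributes."""
    return int(entry.get("lastLogon") or 0) == 0

def never_logged_on_names(entries: List[Dict[str, object]]) -> List[str]:
    return [str(e["sAMAccountName"]) for e in entries if never_logged_on(e)]

# Constructed sample entries, shaped as a DC returns them on the wire (integer ticks).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jsmith", "lastLogon": 116444736000000000},  # 1970-01-01 UTC
    {"sAMAccountName": "svc_backup", "lastLogon": 0},               # never on this DC
    {"sAMAccountName": "newhire"},                                  # attribute not yet set
]

def search_never_logged_on(dc_host: str, user: str, password: str, base_dn: str,
                           page_size: int = 500) -> Iterator[Dict[str, object]]:
    """Connect to one DC over TCP 389, bind (NTLM, DOMAIN\\user), run the paged search."""
    from ldap3 import NTLM, Connection, Server  # assumed installed; imported lazily
    conn = Connection(Server(dc_host, port=389), user=user, password=password,
                      authentication=NTLM, auto_bind=True)  # auto_bind performs the bind step
    for item in conn.extend.standard.paged_search(
            base_dn, NEVER_LOGGED_ON_FILTER,
            attributes=["sAMAccountName", "lastLogon", "whenCreated"],
            paged_size=page_size, generator=True):
        if item.get("type") == "searchResEntry":
            yield item["attributes"]

if __name__ == "__main__":
    print("never logged on:", never_logged_on_names(SAMPLE_ENTRIES))  # ['svc_backup', 'newhire']
```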
Creating Your Own Custom Search Icon
There are numerous methods to search Active Directory. Here's one method
that you may find useful in your corporate environment. You can add a
custom icon to the clients' Quick Launch bar in Windows XP/2000/2003.
When users want to perform LDAP queries, such as looking for shared folders,
they can simply click on the icon to quickly bring up the search tool
shown in Figure 3. In the Find button you can select the type of objects
that you want to search (e.g. Shared Folders).
Figure 3. Searching for Shared Folders.
Here's the procedure for creating a custom icon.
- Right-click on your desktop.
- Select New, Shortcut.
- In the Create Shortcut box, type the name of any executable in the path,
e.g. find.exe, and click Next.
- In the "Select a Title for the Program" dialog box, type
a name for the shortcut, like Search.
- Click on Finish.
- Right-click on the icon that you just created and select Properties.
- In the target box, on the Shortcut tab, delete the existing entry
and type this case-sensitive command:
Note: There's only one space in this command just after
- You can also change the icon if you want. Click on Change icon on
the Shortcut tab and in the File name box delete what's there and type
SHELL32.DLL. You can select one of the dozens of icons that are available.
- Click and drag this icon on the Quick Launch bar, or on the Start
menu. If you wish, you can delete the icon on the desktop at that point.
The rundll32 command can also be used at the command prompt or Start,
Run. Just remember that the command is case sensitive.
Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience spans a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at [email protected].