Windows Advisor

Searching Active Directory Objects

One of the advantages of Microsoft's Active Directory is that it allows users to search objects in the database by performing Lightweight Directory Access Protocol (LDAP) queries. LDAP is an industry standard used by several directory services to access information within the directory database. Microsoft's Active Directory supports both LDAP versions 2 and 3.

Although there are many tools that administrators and users can use to update or query information in Active Directory, LDAP is the main protocol used to gain access to that information. For example, Active Directory Users and Computers, ADSI Edit, LDP and other tools use LDAP to communicate with Active Directory.

Tech Help—Just An E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the editors at mailto:[email protected]; the best questions get answered in this column and garner the questioner with a nifty baseball-style cap.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

Protocols and Ports Used in Search
There are several protocols involved in searching Active Directory. At the transport layer LDAP uses Transmission Control Protocol (TCP), a connection-oriented protocol: the receiving end must acknowledge the packets it receives, and the sender retransmits any packet that is not acknowledged. At the network layer, LDAP uses Internet Protocol (IP), which handles the addressing and routing of packets. If you wish to encrypt LDAP communication, you can use Secure Socket Layer (SSL), which requires certificate services.

To search Active Directory, there are several network ports that are used. These ports are primarily related to LDAP and Global Catalog. The following table describes the TCP ports used by Active Directory searches.

Table 1. Network ports used by Active Directory.

Service                         TCP Port Number
LDAP                            389
LDAP over SSL                   636
Global Catalog LDAP             3268
Global Catalog LDAP over SSL    3269

The Search Process
Let's take a closer look at the process of Active Directory searches from the client's perspective and see what's involved in the process. In order for an Active Directory client to perform a successful LDAP search, the client first must locate an LDAP server. This is accomplished with the help of a Domain Name System (DNS) server. Then the client establishes a TCP connection to the server. Once the connection is made, the client must authenticate to the server. The authentication process is referred to as "binding" to the server. After the client successfully authenticates (binds) to the server, the client is then able to perform an Active Directory search.
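The four steps just described (locate a server, connect, bind, search), together with the ports in Table 1, can be walked through from a domain-joined Windows client with built-in cmdlets and the .NET System.DirectoryServices.Protocols classes. The script below is an added example, not code from the article or from Microsoft; it assumes the client's DNS resolves the domain's SRV records and that the domain name is available in the USERDNSDOMAIN environment variable.

```powershell
# Added example (not from the original article): the Active Directory search
# process step by step. Assumptions: domain-joined client, DNS resolves the
# domain's SRV records, and $env:USERDNSDOMAIN holds the domain name.

$domain = $env:USERDNSDOMAIN

# Step 1: locate an LDAP server. Domain controllers register
# _ldap._tcp.dc._msdcs.<domain> SRV records in DNS; clients pick the lowest
# priority, preferring higher weight among equals.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
       Where-Object { $_.QueryType -eq 'SRV' } |
       Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
       Select-Object -First 1
$dc = $srv.NameTarget.TrimEnd('.')
"Chosen domain controller: $dc (SRV port $($srv.Port))"

# Step 2: establish a TCP connection. Checking every port from Table 1 shows
# which of LDAP, LDAP over SSL and the two Global Catalog ports the DC exposes.
$ports = [ordered]@{ 'LDAP' = 389; 'LDAP over SSL' = 636;
                     'Global Catalog LDAP' = 3268; 'Global Catalog LDAP over SSL' = 3269 }
foreach ($name in $ports.Keys) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $ports[$name] `
               -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-30} {1,5}  reachable: {2}' -f $name, $ports[$name], $ok
}

# Step 3: bind (authenticate). Negotiate uses the logged-on user's Kerberos or
# NTLM credentials, so the script never handles a password. Requesting LDAP
# signing protects the session from tampering even on the unencrypted port.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, 389)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.SessionOptions.Signing = $true
$conn.Bind()

# Step 4: search. A base-scope read of RootDSE (empty DN) returns the domain's
# naming context and the LDAP versions the server supports (2 and 3 on AD).
$req = New-Object System.DirectoryServices.Protocols.SearchRequest
$req.DistinguishedName = $null
$req.Filter = '(objectClass=*)'
$req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
[void]$req.Attributes.AddRange([string[]]('defaultNamingContext', 'supportedLDAPVersion', 'dnsHostName'))

$resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
foreach ($entry in $resp.Entries) {
    foreach ($attr in $entry.Attributes.AttributeNames) {
        '{0,-22} {1}' -f $attr, ($entry.Attributes[$attr].GetValues([string]) -join ', ')
    }
}
$conn.Dispose()
```

If port 389 is reachable but 636 is not, the DC has no server certificate installed, which is the "requires certificate services" caveat above; the bind still succeeds on 389 because Negotiate authenticates without SSL, but the directory data itself then travels unencrypted unless signing and sealing are negotiated.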

By default, client searches are limited to 1,000 objects, which keeps query response times short. For the default Active Directory tools, such as Active Directory Users and Computers, you can change this maximum for your environment with a Group Policy setting, located at \Administrative Templates\Desktop\Active Directory\Maximum size of Active Directory searches. This is a user-based policy, so it affects only the default tools and has no effect on LDAP queries that are performed programmatically. In addition, the user must log off and then log back on for the setting to take effect.

If you want to modify the maximum query limit on Active Directory clients, you can also edit the registry on the local computer. The setting is located under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Directory. If the client has not joined the Active Directory domain, this Directory key will not be present in the registry.
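The registry setting can be inspected and changed from PowerShell as well. The following is an added example rather than the article's own procedure. The key path is the one the article gives; the value name beneath it, QueryLimit (a REG_DWORD), is the value the "Maximum size of Active Directory searches" policy writes, which the article does not state and is therefore noted here as an assumption.

```powershell
# Added example (not from the original article): read and set the per-user
# search limit. Key path is from the article; the QueryLimit value name is an
# assumption about what the policy writes. Absent value means the default 1,000.

$key = 'HKCU:\Software\Policies\Microsoft\Windows\Directory'

function Get-AdSearchLimit {
    if (-not (Test-Path $key)) {
        # The Directory key is missing on machines that have not joined a domain
        # (and on domain members where no such policy has ever applied).
        return [PSCustomObject]@{ Source = 'default (key absent)'; Limit = 1000 }
    }
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).QueryLimit
    if ($null -eq $value) {
        return [PSCustomObject]@{ Source = 'default (value absent)'; Limit = 1000 }
    }
    [PSCustomObject]@{ Source = $key; Limit = [int]$value }
}

function Set-AdSearchLimit {
    param([Parameter(Mandatory)][ValidateRange(1, 100000)][int]$Limit)
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name QueryLimit -Value $Limit -Type DWord
    # Two caveats from the article apply: the default tools read this only at
    # logon, so the user must log off and back on; and because this lives under
    # the Policies hive, a Group Policy that configures the same setting will
    # overwrite the local value at the next policy refresh.
}

Get-AdSearchLimit
```

Programmatic searches ignore this value entirely; a DirectorySearcher or LdapConnection caller that needs more than 1,000 results uses paged searching instead, which the server allows regardless of the user policy.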

Tools Used for Searching Active Directory
To perform an Active Directory search and locate objects in Active Directory, such as users, computers or printers, the client can use one of several tools listed below. "Clients" in this context doesn't mean end users; it simply means anyone who has the ability to perform LDAP searches based on their authentication.

Active Directory Users and Computers: This tool is installed on domain controllers and can be used by administrators to search the directory. End users will not have access to it unless you specifically grant it, which is not very likely.

ADSI Edit: This tool is part of the Windows Support Tools. Administrators can use it not only for searches but also to perform other functions. End users will not have access to this tool.

LDP: LDP is another tool in the Windows Support Tools. This graphical user interface (GUI) tool is available only to administrators, not to end users.

Dsquery: This is a command-line tool in Windows Server 2003 that administrators can use to search Active Directory.

Search Companion: This is the Search tool on the Start menu in Windows Server 2003 and Windows XP. It has some limited search capabilities that end users can use.

My Network Places: End users can open My Network Places and use the Search Active Directory option (see Figure 1). This option is available only on computers that have joined an Active Directory domain.

Figure 1. Searching Active Directory.

When you click the link shown in Figure 1, you get a wide range of LDAP search options. You can search for users, contacts, groups, computers, printers, shared folders and organizational units. The Custom Search option goes further and lets you perform arbitrary LDAP searches: if you are familiar with LDAP filter syntax, you can type your own query on the Advanced tab of Custom Search. Figure 2 shows a custom LDAP query an administrator might use to list all users who have never logged on to the domain.

Figure 2. Custom LDAP query.
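The article does not print the filter shown in Figure 2, so the one below is an assumption about the kind of query it contains. This added example (not the article's code) runs such a filter through the .NET DirectorySearcher class, which is what a script would use in place of the Custom Search dialog, and returns the accounts it matches. It is useful for stale-account reviews, with one caveat the comments spell out.

```powershell
# Added example (not from the original article): list users who have never
# logged on, the kind of custom LDAP query Figure 2 describes. The filter is
# an assumption; the article does not show the exact text it used.
#
# Caveat: lastLogon is NOT replicated between domain controllers. A user with no
# lastLogon value (or 0) on the DC you query may still have logged on at another
# DC, so query every DC, or use the replicated lastLogonTimestamp attribute, before
# treating an account as unused.

$filter = '(&(objectCategory=person)(objectClass=user)(|(!(lastLogon=*))(lastLogon=0)))'

function Find-NeverLoggedOnUser {
    param([string]$LdapFilter = $filter)

    # Search the whole domain of the logged-on user, found via RootDSE.
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter     = $LdapFilter
    $searcher.PageSize   = 500   # paging avoids the 1,000-object cap on unpaged searches
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'distinguishedName', 'whenCreated'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Result property names come back lower-cased.
            [PSCustomObject]@{
                Account = $r.Properties['samaccountname'][0]
                DN      = $r.Properties['distinguishedname'][0]
                Created = $r.Properties['whencreated'][0]
            }
        }
    } finally {
        $results.Dispose()
    }
}

Find-NeverLoggedOnUser | Sort-Object Created | Format-Table -AutoSize
```

Note that this runs with the caller's own credentials, exactly like the Custom Search dialog: it returns only objects the bound account is permitted to read, which is why the article calls searching a privilege tied to authentication rather than something reserved for administrators.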

Creating Your Own Custom Search Icon
There are numerous methods to search Active Directory. Here's one method that you may find useful in your corporate environment. You can add a custom icon to the clients' Quick Launch bar in Windows XP/2000/2003. When users want to perform LDAP queries, such as looking for shared folders, they can simply click on the icon to quickly bring up the search tool shown in Figure 3. In the Find button you can select the type of objects that you want to search (e.g. Shared Folders).

Figure 3. Searching for Shared Folders.

Here's the procedure for creating a custom icon.

  1. Right-click on your desktop.
  2. Select New, Shortcut.
  3. In the Create Shortcut box, type the name of any executable that is in the path, e.g. find.exe, and click Next.
  4. In the "Select a Title for the Program" dialog box, type a name for the shortcut, like Search.
  5. Click on Finish.
  6. Right-click on the icon that you just created and select Properties.
  7. In the target box, on the Shortcut tab, delete the existing entry and type this case-sensitive command:

    rundll32.exe dsquery,OpenQueryWindow

    Note: There's only one space in this command just after .exe.
  8. You can also change the icon if you want. Click Change Icon on the Shortcut tab, clear the File name box and type SHELL32.DLL. You can then select one of the dozens of icons that are available.
  9. Click and drag this icon on the Quick Launch bar, or on the Start menu. If you wish, you can delete the icon on the desktop at that point.

The rundll32 command can also be used at the command prompt or Start, Run. Just remember that the command is case sensitive.
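The nine-step procedure above creates one shortcut by hand. The script below, an added example rather than the article's own, does the same thing from PowerShell so it can be repeated on many clients. It assumes the shortcut is placed on the current user's Desktop, uses an arbitrary icon index (22) from SHELL32.DLL, and optionally copies the result to the Quick Launch folder under the user's profile.

```powershell
# Added example (not from the original article): build the "Search" shortcut
# the article describes, then verify it. Assumptions: Desktop location, icon
# index 22 in SHELL32.DLL (any index will do), and the Quick Launch path below.
# rundll32 resolves "dsquery" to dsquery.dll and calls its OpenQueryWindow
# export; as the article warns, the name after the comma is case sensitive.

$shortcutPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Search.lnk'

$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($shortcutPath)
$lnk.TargetPath   = Join-Path $env:SystemRoot 'System32\rundll32.exe'
$lnk.Arguments    = 'dsquery,OpenQueryWindow'        # exactly one space, after rundll32.exe
$lnk.IconLocation = (Join-Path $env:SystemRoot 'System32\SHELL32.DLL') + ',22'
$lnk.Description  = 'Search Active Directory'
$lnk.Save()

# Verify what was written. A wrong case in the argument string would make
# rundll32 fail to find the export, so compare case-sensitively (-cne).
$check = $shell.CreateShortcut($shortcutPath)
if ($check.Arguments -cne 'dsquery,OpenQueryWindow') {
    throw "Unexpected shortcut arguments: '$($check.Arguments)'"
}
"Created $shortcutPath -> $($check.TargetPath) $($check.Arguments)"

# Optional: place a copy on the Quick Launch bar, as step 9 does by dragging.
$quickLaunch = Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch'
if (Test-Path $quickLaunch) {
    Copy-Item -Path $shortcutPath -Destination $quickLaunch -Force
    "Copied to $quickLaunch"
}
```

The same verification step is worth keeping in any logon script that deploys shortcuts: a shortcut whose target or arguments have been changed is a common way unwanted commands end up on user desktops, and checking the target path and argument string against the expected values catches it.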

About the Author

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience spans a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site is dedicated to technical resources for IT professionals. Zubair may be reached at [email protected].
