SelfADSI Tutorial

LEX - The LDAP Explorer : New version 1.3.005 is available

Sun, 29 May 2011 14:00:00 GMT

The new version 1.3.005 of the LDAP browser / LDAP admin tool LEX - The LDAP Explorer is available. In this version, new LDAP syntax and data converter tool are introduced, among other improvements for general performance and stability.

New SelfADSI Tutorial article about the pwdLastSet attribute

Sun, 20 Feb 2011 08:00:00 GMT

This new SelfADSI tutorial article describes the LDAP attribute pwdLastSet. This attribute represents the exat timestamp of the last password change for the regarding Active Directory account. Since this attribute is stored as a Microsoft Integer-8 value (100-nanosecond steps since 01/01/1600...), is needs some effort to handle this value in scripts. The article gives sript examples how to convert theses values into readable date and times or how to search for users whose password wasn't change for a certain period of time.

LUMAX v1.0 - A free tool for Active Directory user maintenance

Sun, 09 Jan 2011 15:00:00 GMT

Today I released the first public version of LUMAX, our new free GUI tool for Active Directory user/account maintenance. LUMAX lets you easily create reports of important AD account information like Real Last Last Logon Time, Lockout State, Creation Date, Password Expiry Date, Fine Grained Password Policy State and much more... Convenient ways to highlight, filter, sort and export these information. LUMAX comes with pre-defined account filters like these:

show only accounts that are disabled
show only accounts that are locked
show only accounts which did log on in the last hour / day / week...
show only accounts which did NOT log on for a week / six months / a year...
show only accounts which never logged on
show only accounts whose password was never changed / not changed in the last 2 weeks / 4 weeks / 6 months
show only accounts which are subjec to a fine-grained password policy
show only accounts whose password will expire today / in the next two days / is already expired / will never expire

...and many more. The tool also allows you to log on over LDAP/LDAP SSL to any domain with credentials.

LUMAX is a free child project in the development of the commercial LDAP browser 'LEX The LDAP Explorer'..

How to search and find hidden recipients in an Exchange environment per script

Sun, 05 Dec 2010 18:00:00 GMT

This is a new article in the 'LDAP search factory' section of the SelfADSI tutorial. It provides script examples demonstrating the search for Exchange mail recipients which are hidden from the adress book.

New Version of LIZA, the free tool for Active Directory Security, Permission and ACL Analysis

Wed, 01 Dec 2010 17:00:00 GMT

I made a new version of LIZA available for download. Liza is a free tool for analysis of AD object permissions. The new release is 1.4 now. The new version fixes some minor issues in dealing with AD LDS directories. Another reason: LIZA is an offshoot of LEX - The LDAP Explorer (my commercial LDAP browser and administration tool). If LIZA is installed on the same computer as LEX, then LIZA can share connection profiles and the directory cache with LEX. The new version LIZA is needed to integrate smoothly with the latest LEX version 1.3.02.

New Version of LAZARUS, the free tool for Active Directory Deleted Object Recovery

Wed, 17 Nov 2010 15:00:00 GMT

I made a new version of LAZARUS available for download. Liza is a free tool for accessing the deleted obejcts container and recovery for deleted objects in AD environments. The new release is 1.6 now. The new version fixes some minor issues in dealing with AD LDS directories. Another reason: LAZARUS is an offshoot of LEX - The LDAP Explorer (my commercial LDAP browser and administration tool). If LAZARUS is installed on the same computer as LEX, then LAZARUS can share connection profiles and the directory cache with LEX. The new version LAZARUS is needed to integrate smoothly with the latest LEX version 1.3.02.

Attributes for controlling the Ad replication: uSNCreated and uSNChanged

Mon, 01 Nov 2010 08:00:00 GMT

A new tutorial article describes the two object attributes uSNCreated and uSNChanged. These are the local update sequence numbers (USN) for each domain controller at the time of the creation or the last modification of an object. For a better understanding of the importance of the USN values in the Active Directory replication, I've made a few videos which illustrate the processes in the AD replication.

LEX - The LDAP Explorer : New version 1.3.002 is available

Sun, 24 Oct 2010 14:00:00 GMT

The new version 1.3.002 of the LDAP browser / LDAP admin tool LEX - The LDAP Explorer is available. In this version, many improvements in the handling of LDAP filters and directory search operations were introduced. LEX can create now for example from a list of names, email addresses or other attributes very easyly a proper LDAP filter for the display of the regardin objects. Just copy the list to the clipboard (also from an Excel spreadsheet) and paste it into the search dialog or in the LEX Pipe Factory...

How to search and find user accounts in Active Directory

Sun, 26 Sep 2010 09:00:00 GMT

In most cases in which I see sample scripts for LDAP searchoperations for Active Directory users, the following LDAP filter is used: (&(objectClass=user)(objectCategory=person)). However, this is not the optimal method to search for user accounts. This filter syntax causes an unnecessary amount of server performance consumption. This tutorial article shows a more efficient LDAP filter for the user objects search - and provides several example scripts which demonstrate the use of this filter (all users in the own domain, the own forest and so on)

How to find all members of an Active Directory group

Sat, 11 Sep 2010 12:00:00 GMT

In Active Directory Scripts the members of a group are searched often by binding to the regarding group object and evaluating it's API property members or LDAP attribute member - or by evaluating the 'opposite' user attribute memberOf. However, this is not exactly the same, because group memberships can be implemented not only through this attribute pair, but also in the form of 'primary groups', this is set in the user attribute primaryGroupID. So the actual group membership of a directory object consists always of two attributes!

By default, for new users the primary group property is set to 'domain users', so it is often not important that this group membership is missing in the basic evaluation of the member values. However, if other groups are registered as a primary group, this traditional way of membership evaluation is not accurate enough! Therefore, this article describes next to the qick-and-dirty method also how to determine a complete list of the members of a group.

Description for the LDAP attributes of an Active Directory Contact object

Thu, 19 Aug 2010 12:00:00 GMT

Today i added the attribute description for Active Directory contact objects to the SelfADSI tutorial. For a long time now, the corresponding topics for the LDAP attributes for AD users and LDAP attributes for AD groupsare among the most-wanted topics of the tutorial, so it was logical to round out this section. Once again I tried to show the LDAP attribute names for all the fields in the admin GUIs:

Windows 2008 AD Users and Computers	Windows 2000 / Windows 2003 AD Users and Computers	Exchange 2003 AD Users and Computers	Exchange 2007 Exchange Management Console

LEX - The LDAP Explorer : New version 1.3.000 is available

Wed, 21 Jul 2010 20:00:00 GMT

The new version 1.3.000 of my LDAP browser / LDAP admin tool LEX - The LDAP Explorer is available. New features in this version:

The new Pipe Factory is integrated now: Launch any script or application directly from an objects context menu and pass the distinguished name as a command line parameter: You can build your own plug-ins now for directory object handling.
LEX can handle linked attribute now - just as an OpenLDP 'memberOf' overlay would do: If you change values of a linked atribute (eg like 'member' or 'memberOf'), LEX changes the appropriate linked attribute value at the regarding reference/backlink object also. Works also for system-reserved backlink attributes which are normally readonly: You can change for example the 'memberOf' attribute in Active Directory environments now just like a normal attribute.
...and many minor improvments, including an editor for GUID values.

Name Translation : How to detect the LDAP path of a user

Sat, 17 Jul 2010 14:00:00 GMT

... if you know only the user's logon name. A Tutorial for the usage of the IADsNameTranslate Interface in a VB script. This allows NetBIOS logon name (sAMAccountName) and UPN (User Principal Name) to be converted easily in the full LDAP path of that user accounts - this LDAP path (Distinguished Name) is needed to access the directory object.

Script Example: Is this domain controller a global catalog?

Thu, 15 Jul 2010 22:00:00 GMT

A small example script that can be tested for a given domain controller, whether it is a global catalog server in Active Directory. This LDAP script examines the specific options in the configuration partition.

Script Tutorial: LDAP Search operations in the AD global catalog

Sat, 10 Jul 2010 14:00:00 GMT

A new article in the SelfADSI tutorial: It demonstrates how to perform an LDAP search operation on the global catalog. This enables you to find objects in the entire Active Diectory forest with specific search criteria. With detailed example scripts for different situations (LDAP search with or without credentials, GC search with SSL, and search when you don't know the name of yor own domain / forest).

How to connect to gobal catalog objects in a script

Tue, 22 Jun 2010 15:00:00 GMT

A new article in the SelfADSI tutorial: It demonstrates how to perform an LDAP BIND operation on an object in the global catalog. This is neccessary to read data from the Active Director GC with scripts. With detailed example scripts for different situations (access with or without credentials, serverless binding, GC-bind with SSL, and bind when you don't know the name of yor own domain / forest).

How to detect the Name of the own Active Directory Domain

Tue, 15 Jun 2010 21:00:00 GMT

This short article demonstrate how to detect in a script the different names of the domain to which the user running the script is logged in to: LDAP PFadname of the domain, NetBIOS domain name and full qualifierd DNS domain name.

How to search and find disabled Active Directory user accounts

Sun, 13 Jun 2010 18:00:00 GMT

This is a new article in the 'LDAP search factory' section of the SelfADSI tutorial. It provides script examples demonstrating the search for disabled AD users.

Scripting the global catalog

Sun, 06 Jun 2010 20:00:00 GMT

A new topic of the SelfADSI tutorial describes the scripting with the global catalog in Active Directory environments. For the moment, there are two sub topics available:

How to search and find locked Active Directory user accounts

Wed, 26 May 2010 20:00:00 GMT

This is a new article in the 'LDAP search factory' section of the SelfADSI tutorial. It provides interesting script examples according the LDAP search for locked AD user accounts and how to calculate the remaining lockout time for each user. There's lots of important attributes and properties regarding the lockout mechanism: lockoutDuration, lockoutTime, msDS-User-Account-Control-Computed, IsAccountLocked... it's easy to get the most out of them if you know how!

New Version of LAZARUS, the free tool for AD deleted objects recovery

Tue, 25 May 2010 20:00:00 GMT

Today i released a new version of LAZARUS, my tool for accessing the Active Directory 'deleted objects' container and restoring objects and subtrees. The current release is v1.5 now. I made a few changes which helps LAZARUS to better operate in AD LDS (ADAM) environments. Yes - deleted objects in AD LDS directories can be restored with Lazarus also! :) Just use the 'Connect' button, provide server address, LDAP port of the regarding instance und user credentials, and here we go...

How to search and find Active Directory domain controllers

Sat, 22 May 2010 14:00:00 GMT

The first topic website of my new tutorial subdivision 'LDAP Search Factory' with the VBScript examples for finding all the domain controller is online. I have put much emphasis on showing how to start a general search in the own domain, with the name of this Domäen is first determined automatically. A further example shows the search in any other domain, or OU - where appropriate, with other credentials. Finally another example that automatically searches for all DCs in the entire AD forest - a demonstration of an LDAP search in the global catalog.

New attribute descriptions for Active Directory users

Sat, 22 May 2010 13:00:00 GMT

Step by step I complete the list of important attributes for LDAP Active Directory user accounts. New are topics for description and info. Admittedly, not the most interesting attributes. But the list is getting more complete, and I plan the next more interesting attributes to describe: uSNCreated, uSNChanged pwdLastSet uind lockOutTime ...

The userAccountControl attribute for Active Directory users

Mon, 10 May 2010 23:00:00 GMT

A tutorial article about the handling of userAccountControl, an important LDAP attribute for Active Directory user accounts. A lot of important information and status configuration regarding the account is provided by this value. Detailed descriptions of each flag in userAccountControl are given as well as script examples how you can set or erase single flags in your own scripts.

New Version of LIZA, the free tool for Active Directory Security, Permission and ACL Analysis

Sun, 25 Apr 2010 20:00:00 GMT

Today i released a new version of Liza, my tool for analyzing AD permissions. The current release is v1.1 now. The new LIZA can display and analyse permissions not only for container objects, but also on any leaf object in Active Directory environments if needed.

Scripting Novell ZENworks : Distribution Rules for Application Objecte

Mon, 19 Apr 2010 23:00:00 GMT

Distribution Rules are very important when you are dealing with software deployment in a Novell ZENWorks environment. You can specify with these rules that an application is installed or available on a machine only if certain prerequisites are met. We have to deal with the LDAP attributes 'zenAppInventory', 'zenAppInventoryTree' and 'zenAppInventoryApplication'. These are binary fields - unfortunately, the content of these LDAP attributes and their relation to each other is not intuitively clear. I had to script the distribution rules for many ZEN application objects, but you cannot find any documentation to rule internals on the manufacturer's (Novell) website! So i had to pull some strings with old relationsships (once i worked as a developer for NetWare Server FDDI drivers...), and with a few lines of the original source code and a bit reverse engineering i tried to bring light into the ZENWorks jungle: This Article is the result.

LIZA v1.0 - A free tool for Active Directory Security, Permission and ACL Analysis

Mon, 05 Apr 2010 20:00:00 GMT

Today i released the first public version of Liza, my new GUI tool for analyzing AD permissions. I always found the out-of-the-box possibilities to examine the object security in Active Directory environments rather unwieldy to handle for complex permission settings. So i made a tool for fast and lucid display of container permissions and audit configurations in Active Directory environments. What i added is an analysis option: Where in the directory hierarchy are permissions granted for an account (including it's group memberships)?

Microsoft SIDs and how to handle them in LDAP scripts

Wed, 10 Mar 2010 20:00:00 GMT

A tutorial article about Active Directory SID attributes, in which the structure of these Security Identifiers is explained in detail. Additionally it will be shown how to read the object SID from a AD account in a VBScript, and how to convert it into a readable SID SDDL string (S-1-5-21-.....). There are example scripts for LDAP filters which can be used to find objects with a certain SIDs (->evaluation of the 'tokenGroups' attribute!!) and examples how to bind to an account object using it's SID.

LEX - The LDAP Explorer : New version 1.2.004 is available

Mon, 01 Mar 2010 21:00:00 GMT

The new version of my commercial LDAP browser / LDAP admin tool is available. New features in this version: LEX can set passwords for AD acounts now. When you edit the object permissions, you can take ownership on AD objects now. Many new specific editors and functions for bit flag attributes: userAccountControl, dsHeuristics, systemFlags, searchFlags, groupType, sAMAccountType. OK, that was a bunch of improvements especially for AD environments, new functions for other LDAP directory servers or new general LDAP browser functions will come in the next version ;)

Deleting LDAP objects with ADSI and VBScript

Sun, 07 Feb 2010 13:00:00 GMT

A tutorial article about deleting LDAP objects. Including examples how to delete entire subtress.

How to search for AD users which don't need a password _or_ whose password never expires

Fri, 05 Feb 2010 17:00:00 GMT

The tutorial article about LDAP filters has been refreshed. The part which deals woth filter search in bit fields has been extended with new explanations and exmaples for logical OR search filters (LDAP_MATCHING_RULE_BIT_OR 1.2.840.113556.1.4.804).

How to unlock Active Directory User Accounts by script

Sun, 24 Jan 2010 17:00:00 GMT

This article showy you how to unlock an account which was locked by the Active Directory intruder account lockout mechanism. We can use the API property 'IsAccountLocked' for this (old school) or we could use the Integer8 attribute 'lockoutTime', which would be more elegant.

LAZARUS v1.0 - A free tool for Active Directory deleted objects recovery

Wed, 13 Jan 2010 22:00:00 GMT

Yesterday i released the first public version of Lazarus, my new GUI tool for accessing the hidden Active Directory container 'Deleted Objects'. This is where a domain controller (or ADAM/AD LDS server) stores the deleted directory objects for a while, before they get deleted physically from the Active Directory database. LAZARUS can reanimate these tombstones - if you activated the new AD Recycle Bin feature in your environment, then LAZARUS can undelete the objects with their full referential integrity (no more lost group memberships!). LAZARUS is a child project in the development of my LDAP browser 'LEX The LDAP Explorer'.

The lastLogonTimeStamp attribute for Active Directory users

Wed, 06 Jan 2010 22:00:00 GMT

The lastLogonTimestamp attribute shows when a user did logon to an AD domain the last time - it is replicated to all domain controllers, but only after about 2 weeks. So the lastLogonTimestamp value is rather suitable to shows us the accounts which hasn't been active for a long time. Show this timestamp in a script and learn to handle these values. With this article, you can build easily LDAP filters like: "Which users didn't logon to the domain for the last 6 months?".

The lastLogon attribute for Active Directory users

Fri, 25 Dec 2009 13:00:00 GMT

Show the timestamp of the last authentication in a script and learn to handle these values.

Converting AD Large Integer / Integer8 values into date and time

Thu, 10 Dec 2009 20:00:00 GMT

Script tutorial for the handling of such important Active Directory attributes as lastLogon, lastLogonTimestamp, pwdLastSet, lockOutDuration, ... and many more.

Writing LDAP Directory Object Attributes

Wed, 11 Nov 2009 20:00:00 GMT

Writing LDAP Directory Object Attributes in ADSI scripts

Provider Specific Attributes

Sun, 08 Nov 2009 20:00:00 GMT

How to deal with Provider Specific Attributes in ADSI LDAP scripts

LDAP Object Attributes of type 'Octet String'

Sun, 25 Oct 2009 20:00:00 GMT

Reading and writing LDAP attributes with binary data in scripts

Renaming LDAP Directory Objects

Sun, 27 Sep 2009 20:00:00 GMT

Renaming LDAP Directory Objects

Reading LDAP Directory Object Attributes

Sat, 12 Sep 2009 20:00:00 GMT

Reading LDAP Directory Object Attributes in ADSI scripts