IT Training Modules - Classroom Tasks

IT Training Module3 Homepage

LDAP Exercise - Understanding the Structure.

In this exercise you will use a third-party LDAP browser to query the new AD structure you created. Using LDAP queries you can collect information from AD and use it with other software, e.g. an address book of mail recipients on a printer.

1.   Log in to the client AMS-CL1 using canon\administrator and Canon-01

2.   Download the following:

Softerra LDAP Administrator (http://www.ldapadministrator.com/download.htm) 

3.   Install LDAP Administrator (version 2020.1, shown in the screenshot) using the wizard.

4.   Open the tree to display AMS-DC1.canon.training

5.   DC = Domain Component, CN = Common Name, OU = Organizational Unit. Locate the Domain Component canon and expand it. Inside you will see all the containers and OUs for canon.training.

6.   Open the AD Users and Computers snap-in. Compare the view. Notice the marking that differentiates an OU from a CN.

7.   Open the Head Office OU in the LDAP browser, then select a user from the list. Look at the data contained in the user's container.

8.   Locate the user's distinguishedName, sAMAccountName, and objectSid. Note the data they contain for the user.

9.   Now use PowerShell to retrieve the AD user in the same way you did in lesson 4: Get-ADUser (username) -Properties *

10.   In the screenshot: Get-ADUser D.Johnston -Properties *

Create an LDAP Query / Search

1.   To find information with LDAP, we use queries. In this exercise you will build queries which increase in complexity. Eventually you will see how a query is used to import selected data into another software title, in this case uniFLOW.

2.   The first query to try filters a DN to display user accounts. Open the Search feature using the DN canon.

   In the object class field, type (objectClass=User).

3.   Now try filtering for just computer accounts:

(objectClass=computer)

4.   Next try a filter for OUs:

(objectClass=OrganizationalUnit)

5.   Next you will join the two together. This time the query will have an AND and a NOT function.

AND (& )

NOT (! )

(&(objectClass=user)(!(objectClass=computer)))

6.   Next we will look at userAccountControl and its flags. Below is an example using userAccountControl; its flags are used to check details of user accounts. The filter below will show any disabled accounts.

(userAccountControl:1.2.840.113556.1.4.803:=2)

7.   Here is a table of some useful userAccountControl flags (decimal value and meaning):

2        ACCOUNT DISABLED
64       PASSWORD CAN'T CHANGE
65536    PASSWORD DOES NOT EXPIRE
8388608  PASSWORD EXPIRED

8.   The last filter to try is the default filter used in uniFLOW. Work out which users it will allow to be available, then use the search to confirm what you expected to see.

(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer)))

9.   Now we will perform a search using the user's attributes. In the example below I have selected distinguishedName, sAMAccountName, and objectSid, as in the earlier example.
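To see why the uniFLOW filter in step 8 returns the users it does, the following added example (not part of this training module, and not uniFLOW's or Softerra's code) evaluates the filters from steps 2 to 8 against a few constructed directory entries. It shows the bitwise-AND matching rule from step 6 applied to the userAccountControl flag values in step 7; the entries and the Disabled.User account are made up for the example, D.Johnston and AMS-CL1 are the names used on this page.

```python
# Added example, not part of the training module: a small evaluator for the LDAP
# filters built in this exercise, including the bitwise-AND rule on userAccountControl.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

def parse(s, i=0):
    """Parse the filter at s[i] into a tuple tree; return (node, index after it)."""
    assert s[i] == "(", "LDAP filters are parenthesised"
    i += 1
    if s[i] in "&!":                      # AND / NOT wrapping nested filters
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    if ":" in attr:                       # extensible match: attr:<rule OID>:=value
        attr, rule, _ = attr.split(":")
        return ("ext", attr.lower(), rule, int(value)), end + 1
    return ("eq", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr name -> list of values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if node[0] == "ext":                  # true when every bit of the mask is set
        assert node[2] == BIT_AND_RULE, "only the bitwise-AND rule is supported here"
        return any(int(v) & node[3] == node[3] for v in values)
    return node[2] in [v.lower() for v in values]   # objectClass values are case-insensitive

# Constructed entries. An AD computer object also carries objectClass "user", which is
# why the uniFLOW filter has to exclude computers explicitly.
ENTRIES = {
    "CN=D.Johnston,OU=Head Office,DC=canon,DC=training":
        {"objectclass": ["top", "person", "organizationalPerson", "user"],
         "useraccountcontrol": ["512"]},    # NORMAL_ACCOUNT
    "CN=Disabled.User,OU=Head Office,DC=canon,DC=training":
        {"objectclass": ["top", "person", "organizationalPerson", "user"],
         "useraccountcontrol": ["514"]},    # 512 + 2 (ACCOUNT DISABLED)
    "CN=AMS-CL1,CN=Computers,DC=canon,DC=training":
        {"objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
         "useraccountcontrol": ["4096"]},   # WORKSTATION_TRUST_ACCOUNT
}
UNIFLOW_FILTER = "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=computer)))"

def search(filter_text, entries=ENTRIES):
    # Return the DNs of entries that satisfy the filter, as an LDAP search would.
    node, _ = parse(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(node, attrs))
```

Running search(UNIFLOW_FILTER) returns only D.Johnston: the disabled account fails the userAccountControl test and the workstation is excluded by the computer class, even though both also match (objectClass=user).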

NOTE: LDAP can be used to create live connections to an Active Directory; there are many uses and many tools available for LDAP. If you have any free time, have a look at using LDAP queries in PowerShell.
