Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Tuesday, June 28, 2016

How to find out who can control/manage the AdminSDHolder object in Active Directory?

Folks,

As you may know, at Paramount Defenses, we lead and operate the world's largest community of Active Directory Security Professionals on LinkedIn, compromised of 2500+ individuals from 1000+ top organizations across 100+ countries worldwide.

(Our group is a sales-free and recruiter-free technical discussion group, and is completely free to join.)

Active Directory Domain Controllers

Earlier today, during one of our many technical discussions titled "What are the security implications of someone being able to modify the security descriptor protecting the domain root object in Active Directory", one of our valued members, Daniel Ulrichs raised a very good question (mentioned below) that merited its own discussion.

(Incidentally, on the question above, Daniel also recently publicly shared his thoughts on the question on his blog here.)



Q: Who can control the AdminSDHolder object in Active Directory?

Daniel's thoughtful inputs prompted our latest conversation which focuses on the question - "How to find out who can control AdminSDHolder i.e. who can change the ACL stamped on the AdminSDHolder object?"
As you may know, all accounts considered to have (unrestricted) administrative access in Active Directory are secured by a special protected ACL, which happens to be the ACL on the AdminSDHolder object.


This is one of the most important questions in cyber security today since it directly impacts privileged user access in Microsoft Active Directory deployments and thus profoundly impacts the foundational security of 85% of all organizations worldwide.
Needless to say, anyone who can control the security of the ACL on the AdminSDHolder object holds the "Keys to the Kingdom" because he/she can impact the security of every administrative account in Active Directory.
Today, ideally all organizations should, at all times, know exactly who can change the ACL on the AdminSDHolder.

Ideally, along the same lines, there are many such questions that all organizations must know the exact answers to at all times, but for now, we're focused on this one fundamental Active Directory security question because it is cardinal to cyber security.

I, of course know the answer to the question. I'm only asking this for the benefit of our group members. Should you wish to participate in this discussion, or explore numerous such discussions, you're welcome to join the group and the conversation.

To join, simply visit - http://www.linkedin.com/groups?gid=2006946

Best wishes,
Sanjay

Wednesday, June 22, 2016

Our Free Active Directory Audit Tool

Folks,

In a few days, I'll start shedding some light on vital Active Directory Security related matters that I believe most organizations seem to be in the dark about today. Until then, I just wanted to share some simple technical stuff on a few technical topics.


Today's is on our Free Active Directory Audit Tool,  the free version of our Gold Finger Active Directory Audit Tool, that we released recently to help organizations worldwide have a trustworthy choice when it comes to free security audit tooling for Microsoft Active Directory -
Free Active Directory Audit Tool

My time is very valuable, and the only reason I'm going to spend any time on this is because we care deeply about the foundational cyber security of all organizations worldwide. In case you find yourself wondering as to what a free Active Directory audit tool has to do with foundational cyber security, I think you'll find the answer to that question here.

Now that you know why this is important, you'll hopefully understand why I'm spending precious time on a blog entry on a free Active Directory Audit Tool. That said, the rest of this blog entry illustrates reports that IT personnel can generate from this tool.



Download Point

First things first. The tool can be downloaded from - http://www.paramountdefenses.com/free-active-directory-audit-tool.html.


Download


Our audit tool can be instantly downloaded and installed on virtually any computer in under 2 minutes. It does not require any administrative access or any changes to Active Directory to install, and it does not require any technical knowledge to use.





7 Helpful Features of our Free Active Directory Audit Tool

Our free Active Directory Audit Tool is a limited version of our licensable Active Directory Security Audit Tool, which is used by the world's top organizations across 6 continents worldwide today. Here are 7 helpful audit/reporting features that it offers -

Fully-automated one-button touch
Active Directory Security Audit Reporting

1. 100 Built-in Reports – Instantly generate 100+ essential ready-to-generate Active Directory audit reports
2. Custom LDAP Filters – Customize any report by specifying an LDAP filter of your choice (e.g. (title=C*O))
3. LDAP Filter Library – Define and use a custom LDAP filter library to generate a repeatable set of audit reports
4. Scope and Depth Control – Target any scope (domain, OU, etc.) and optionally restrict scope up to 10 levels
5. DC Specific Analysis and Alternate Credential Use – Target any DC and use alternate credentials
6. True Last Logon Reports – Generate 9 true last-logon reports based on non-replicated lastLogon attribute
7. Last Logon DC Identification – Identify the DC that authenticated the actual last logon of any account

The only limitation in the free version of our Active Directory Audit Tool is in its ability to perform data exports to CSV and PDF.




Unmatched Ease of Use

Here's how easy it is to use our free Active Directory Audit Tool to perform basic yet essential Active Directory security audits -
Generating Active Directory Security Audit Reports in 3 Simple Steps

Once the Gold Finger application has been launched, generating reports as easy as -
Step 1 - Select a report from amongst 100+ built-in Active Directory security audit reports.
Step 2 - Enter the distinguished name of your target Active Directory domain in the Scope field.
Tip - You can point Gold Finger to any OU, container, user account etc. of your choice The inbuilt search utility can be used to instantly locate any object (and its DN) in Active Directory.
You can also specify any LDAP filter, set scope (Base, One-Level, Sub-Tree) and restrict depth.
Step 3 - Press the Gold Finger button.

That's it. Gold Finger will instantly generate the report for you within seconds, and display the results in the Results Pane.





25 Real-World Examples

Our free Active Directory Audit Tool was specifically designed to make it as easy as is possible for organizations worldwide to be able to fulfill a vast majority of their basic yet essential Active Directory cyber security audit needs.

Here are some real-world examples that illustrate its Active Directory security audit capabilities:


1. Let's say you want to enumerate the list of all domain user accounts in your Active Directory domain. Click, done -
List of all domain user accounts in Active Directory

Gold Finger instantly retrieves and displays all domain user accounts in your Active Directory and displays all relevant attributes on every domain user account, including, but not limited to their name, titledepartment, last-logon time*, the date their password was last set, their contact info, email-address, logon name, account statusSAM account namesecurity identifier (SID), account expiration date, and other valuable information.




2. Let's say you want to generate a true last-logon report that documents the actual times at which all Active Directory domain users were authenticated by any one of our Domain Controllers. Click, done -
Active Directory True Last-logon Report

Whether your have 1 domain controller or 1,000 domain controllers, Gold Finger will automatically determine the true last-logon time for every domain user account in the domain, based on the retrieval and comparison of last-logon values from every domain controller in the domain.




3. Let's say you want to identify all domain user accounts in the domain that may have failed a logon attempt in the last 24 hours. Click, done -
Active Directory user accounts that may have failed a logon attempt in the last 24 hours

Such a report could help identify domain user accounts against which an insider may possibly be trying to carry our a password guessing attack.




4. Let's say you want to audit all domain user accounts that do not currently require passwords to logon. Click, done -
Active Directory user accounts that do not require passwords to logon
 
Ideally, there should be no domain user accounts that do not require a password to logon. (For instance, in the report displayed above, only the disabled Guest account meets this criteria.)

However, sometimes due to an accidental change by an administrator, settings could accidentally be changed, resulting in a situation wherein some domain user accounts may not require a password to logon to.

If a user could logon using someone else's account, he/she could potentially engage in malicious activity that could not be traced to them. Such a report could help identify such accounts.




5. Let's say you want to audit all domain user accounts that have not changed their password in the last 90 days. Click, done -
Active Directory user accounts that have not changed their password in the last 90 days.

Such a report could help enforce an established organizational password policy, which for instance, may require that all domain user account holders change their passwords every 90 days.

With Gold Finger, the number of days for all time-based can range up to 5000 days.




6. Let's say you want to identify all domain user accounts that do not have an expiration date set. Click, done -
Active Directory user accounts that do not have an expiration date.

It is generally desirable to ensure that domain user accounts have an expiration date set. Such a report could help identify any domain user accounts that do not currently have an expiration date.




7. Let's say you want to generate an audit report that documents the list of all domain user accounts that are not marked as sensitive, and thus can be delegated (; Kerberos delegation). Click, done -
Active Directory user accounts that are not sensitive and can be delegated.

In general, at the very least, ideally all administrative and executive domain user accounts should be marked as "Sensitive and cannot be delegated." This report could help find out whether they are any administrative or executive domain user accounts that can currently be delegated. (By delegation, the reference is to Kerberos delegation, not to administrative delegation.)




8. Let's say you want to audit all domain user accounts that can logon to any workstation. Click, done -
Active Directory user accounts that can long to any workstation.

In general, at the very least, administrative accounts should have designated workstations and ideally should not be permitted to logon to other workstations. This advice is primarily intended to help organizations minimize the possibility of Pass-the-Hash (PtH) attacks as well as Kerberos ticket replay related attacks.

This simple report could help find out whether they are any administrative accounts that can currently logon to any workstation. (By delegation, the reference is to Kerberos delegation, not to administrative delegation.)




9. Let's say you want to generate an audit report that documents the list of all domain user accounts that are considered to be "administrative" by Active Directory. Click, done -
Active Directory accounts considered by Active Directory as "administrative".

At the very least, all organizations must know at all times, exactly who is effectively provisioned what level of privileged access in their foundational Active Directory. While most organizations are not there yet, at the very least they should be able to identify exactly which domain user accounts in their Active Directory are considered "administrative" by Active Directory. This simple report can help them make this determination in seconds.

For advanced users, this report can also help them identify orphaned AdminSDHolder objects/accounts.




10. Let's say you want to audit all executive domain user accounts in Active Directory. Click, done -
All executive domain user accounts in Active Directory.

This report is a good example of how you can focus Gold Finger on any organizational unit. For instance, in this case, all executive user accounts are located in the Executive Mgmt OU, so by focusing Gold Finger on this OU, you can instantly enumerate all domain user accounts in the OU.

Alternatively, the same report could also be generated by focusing on the domain root and adding an LDAP filter such as (title=Chief*Officer) with any domain user account management reports.




11. Let's say you want to take a closer look at the CEO's domain user account in Active Directory. Click, done -
The CEO's domain user account in Active Directory.

Similarly, you can focus Gold Finger on any object in your Active Directory, such as a domain user account, a computer account, an OU, a service connection point etc., as well as view its details.




12. Let's say you want to quickly enumerate the list of all computers joined to the Active Directory. Click, done -
List of all computers joined to Active Directory.

For each domain computer account in Active Directory, Gold Finger will retrieve and obtain all relevant attributes such as the computer's nameDNS name, location, operating system, who it's managed by, the time it last authenticated, its SAM account nameSecurity Identifier (SID) and other relevant details.




13. Let's say you want to identify all domain computers that are currently trusted for unconstrained delegation. Click, done -
Domain-joined computers that are trusted for unconstrained delegation.

This report could help you identify all computers, that if compromised, could potentially be used to impersonate any domain user account who could be lured into being a client of an application running as System on this computer. A knowledgeable perpetrator could easily use this information to identify prime entry-level targets in your Active Directory.




14. Let's say you want to obtain a list of all domain controllers in Active Directory. Click, done -
List of all Domain Controllers in Active Directory.

For each domain controller, Gold Finger will retrieve and obtain all important attributes including their DNS name, location, operating system, who it's managed by, the time it last authenticated, its SAM account nameSecurity Identifier (SID) and other relevant details.

Of course, with our advanced tooling, you can instantly obtain substantially more high-value information, such as who can change the group policies linked to the Domain Controllers OU, or obtain administrative access over the domain computer account of a Domain Controller to then be able to easily elevate their privilege to that of a Domain Admin /Enterprise Admin rather easily.




15. Let's say you want to obtain a list of all domain security groups in Active Directory. Click, done -
List of all domain security groups in Active Directory.

This report could help you identity how many domain security groups exist in Active Directory, who's responsible for managing them, where in Active Directory they are located, etc.

Of course, with our advanced tooling, you could also easily enumerate their memberships, analyze their ACLs, find out where they have permissions in Active Directory, determine who can change their memberships, as well as who can control all of them, at the touch of a button.




16. Let's say you want to identify all domain security groups that are considered "administrative" by Active Directory. Click, done -
List of all domain security groups considered "administrative" by Active Directory.

At the very least, all organizations must know at all times, which domain security groups in Active Directory are considered "administrative" by Active Directory. Although this is merely the tip of the iceberg, this simple report can help them make this determination in seconds.

In general, organizations that need to be able to identify all privileged users/groups in Active Directory can do so based on our advice on how to correctly identify privileged access in Active Directory.




17. Let's say you want to identify all non-empty domain security groups in Active Directory. Click, done -
List of all non-empty domain security groups in Active Directory.




18. Let's say you want to quickly obtain a list of all organizational units in Active Directory. Click, done -
List of all organizational units in Active Directory.

Such a report could help ensure that management responsibilities for all OUs are assigned to someone and adequately covered.





19. Let's say you wanted to obtain a list of all Organizational Units within a specific Organizational Unit. Click, done -
List of all organizational units within a specific organizational unit.

For instance, the snapshot above shows how to easily enumerate the list of all OUs in the USA OU.





20. Let's say you want to generate a list of all Organizational Units that are located that are within 3 levels of depth from the domain root. Click, done -
List of all OUs that are within 3 levels of depth away from Active Directory.

Such a report could help IT personnel easily enumerate all high-level OUs in your Active Directory, that might possibly contain a large number of Active Directory users, groups, computers etc.





21. Let's say you want to audit the list of all Group Policy Objects (GPOs) in Active Directory. Click, done -
List of all group policies in Active Directory.




22. Let's say you want to generate a list of all printers that are published in Active Directory. Click, done -
List of all printers published in Active Directory.




23. Let's say you want to obtain a list of all Service Connection Points (SCPs) in Active Directory. Click, done -
List of all service connection points in Active Directory.





24. Let's say you want to obtain a list of all objects in your Active Directory. Click, done -
List of all objects in Active Directory.

This report can be focused on any tree in any partition, including the Configuration and Schema partitions, so for instance, combined with an LDAP filter, you could audit everything from the list of all Sites in the Configuration container, to all Schema classes in the Schema, to all authenticable security principals in your domain all identified in a single report.





25. Finally, let's say you wanted to generate a custom Active Directory security audit report, such as generating a report that lists all domain user accounts whose title contains the world cloud. Click, done -
Scope options in Gold Finger.

I should also mention that you can not only focus any security audit report available in Gold Finger on any domain, organizational unit, container or object in Active Directory, you can also apply a custom LDAP filter to every report as well as specify the scope, and set a custom depth level.


With our free Active Directory Audit Tool, you can do this in any domain in the world today, for free.




1%

I should mention that Gold Finger's Security Audit Reports are only 1% of what Gold Finger is capable of and was designed for.

We primarily built Gold Finger to help organizations do what no other entity (company, vendor, group or individual) in the world can help them do i.e. correctly identify who effectively has what privileged access across an entire Active Directory domain.
Effective Privileged User/Access Insight

Again, the only reason we're even spending 5 minutes on sharing more about our free Active Directory audit tool is to protect 1000s of organizations worldwide from potentially being compromised by the use of untrustworthy (malicious) tooling.





Option to Generate CSV Exports and PDF Reports

It might be helpful to know that with a simple upgrade to a paid license, the results of every report available in our free Active Directory Audit Tool can both, be instantly exported (in CSV format), as well as you can also generate completely customizable professional-grade PDF reports, complete with custom headings, fields, logo, footer, password etc.
A custom PDF report.

For more information on CSV exports and PDF report generation, you can visit - http://www.paramountdefenses.com/active-directory-security-audit-tool.html





4 Benefits

Our free Active Directory Audit Tool delivers the following benefits to organizations worldwide –
Fully-automated Active Directory security audit report generation.

1.  Instantly, easily and trustworthily perform a complete or custom inventory of Active Directory content. 
2.  Easily audit the state, status and settings of any, some or all resources stored in Active Directory.
3.  Efficiently, cost-effectively and trustworthily fulfill all basic and essential Active Directory security audit requirements. 
4.  Obtain 365-24-7, on-demand, real-time insight into the security state of all vital IT resources and content stored in Active Directory.




Delivering Unique Value

As mentioned above, our Security Audit Tool delivers only about 1% of the value that we deliver to organizations worldwide. What we care deeply about is helping organizations address possibly the biggest cyber security challenge they are faced with today - helping them accurately identify exactly who has what privileged access in Active Directory -

Effective Privileged Access Audit

Towards that end, here are a few of our high-value tools that we uniquely focus on -
1. Active Directory Administrative/Privileged Access and Delegation Audit Tool
2. Active Directory True Effective Permissions / Effective Access Audit Tool

Of course, we also build simpler Active Directory audit tools including the world's best Active Directory Permissions Analyzer, Active Directory ACL Viewer/Exporter, Kerberos Token-size Calculator, and a Group Membership Enumeration tool.





Trustworthiness Matters

As the world's top cyber security company, we care deeply about security and trust, so we go to great lengths to set the gold standard when it comes to the trustworthiness of the software we build for the world.


We also believe that all organizations deserve to have a trustworthy option when it comes to free Active Directory Audit Tooling, which is why we decided to build and make available a free version of our tooling.





Wrapping up

So there you have it. My time's up - that was a quick 5 minute overview our free Active Directory Audit Tool.

It is my privilege to share with you that in less than 50 days of its release, our novel free Active Directory Audit Tool has been downloaded in 50+ countries worldwide and is being used by many of the world's top business and government organizations.

You too can download your free version from - http://www.paramountdefenses.com/free-active-directory-audit-tool.html

Thanks,
Sanjay.

Monday, June 20, 2016

LDP.exe for Active Directory - Download, Usage, Tutorial and Examples

Folks,

In a few days, I'll start shedding some light on vital Active Directory Security related matters that I believe most organizations seem to be in the dark about today. Until then, I just wanted to share some simple technical stuff on a few technical topics.


Today's is on LDP.exe,  a helpful free tool from Microsoft that can be used to perform LDAP operations in Active Directory.
LDP.exe

Technically speaking, LDP is a simple Lightweight Directory Access Protocol (LDAP) client that allows users to perform various operations (connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as and including Active Directory. It can also be used to view replication metadata and Active Directory security descriptors.

In this blog entry, I've covered the following aspects of LDP as succinctly as possible -
  1. Where to download LDP from
  2. An overview of how to use LDP
  3. Connecting to Active Directory using LDP
  4. Performing a successful bind in LDP
  5. An overview of operations possible with LDP
  6. How to view Active Directory contents with LDP
  7. How to search Active Directory using LDP
  8. How to view Active Directory NT Security Descriptors
  9. Ten common LDP usage examples
  10. Helpful tips on using LDP 

By the way, this primer shouldn't be new stuff for many folks, but the world's a big place, and so while 1000s of IT personnel likely use LDP, 100s of 1000s of IT personnel, including many cyber security professionals, may have yet to discover LDP.exe.




1. Download LDP.exe

First things first. You can instantly download LDP from here. (Simply locate, then click on LDP Utility.)


Download LDP.exe
Download LDP.exe


Tip - LDP.exe is a nifty tool, especially for Active Directory analysis. However it requires some Active Directory technical knowledge. If you don't want to deal with the technicals, or don't have the time to ramp up on the technicals, and are primarily interested in its search capabilities to perform basic yet essential Active Directory security audits, as an alternative/addition, this free Active Directory Audit Tool could save you a lot time and effort.



2. An Overview of How to Use LDP

LDP.exe is fairly easy to use, but it requires you to have some basic technical background on LDAP, Windows Security etc.

Here's a quick overview of how to use LDP.exe -
  1. Connect to an Active Directory domain or Domain Controller, after launching LDP.exe.
  2. Perform a successful LDAP bind by authenticating to Active Directory
  3. Specify a target Active Directory object as the base DN for permitted operations
  4. Perform the desired operations (e.g. search, modify, add, delete, view SD, etc.)
  5. Disconnect, when done. 
To help you get started and become acquainted, I've illustrated these steps below step-by-step.




3. Connecting to Active Directory using LDP.exe

Once you've downloaded LDP.exe, just double-click on it to launch it. Then, the first thing to do is connect to Active Directory.

To connect to an Active Directory domain, you launch LDP.exe, then select the Connection item from the application menu on the top to locate and click the Connect option, which displays the Connect dialog box.
LDP Connect

In the Connect dialog box, you specify the Active Directory domain or domain controller you wish to connect to, by entering its complete domain DNS name (e.g. root.local, dc1.root.local etc.), as well as the port you'd like to connect on (389 for LDAP and 3268 for a Global Catalog), and optionally, whether you'd like to use SSL.
LDP Connect Dialog

Once connected, LDP.exe will display the root of the directory data tree on a directory server, i.e. the value of the rootDSE attribute which includes various nuggets of valuable technical information.
LDP displaying rootDSE info

Specifically, rootDSE is an operational attribute that provides helpful information about the Active Directory domain (and domain controller) to which it is connected, such as the current time on the DC, the domain and forest functional levels, the SASL mechanisms supported, the LDAP policies and controls supported, whether the DC is also a Global Catalog etc.

Here's an example of what the rootDSE details look like -
ld = ldap_open("", 389);
Established connection to .

Retrieving base DSA information...

Getting 1 entries:

>> Dn:
 1> currentTime: 06/17/2016 22:27:47 Pacific Standard Time;
 1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=root,DC=local;
 1> dsServiceName: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=root,DC=local;
 5> namingContexts: DC=root,DC=local; CN=Configuration,DC=root,DC=local; CN=Schema,CN=Configuration,DC=root,DC=local; DC=DomainDnsZones,DC=root,DC=local; DC=ForestDnsZones,DC=root,DC=local;
 1> defaultNamingContext: DC=root,DC=local;
 1> schemaNamingContext: CN=Schema,CN=Configuration,DC=root,DC=local;
 1> configurationNamingContext: CN=Configuration,DC=root,DC=local;
 1> rootDomainNamingContext: DC=root,DC=local;
 29> supportedControl: 1.2.840.113556.1.4.319 = ( LDAP_PAGED_RESULT_OID_STRING ); 1.2.840.113556.1.4.801 = ( LDAP_SERVER_SD_FLAGS_OID ); 1.2.840.113556.1.4.473 = ( LDAP_SERVER_SORT_OID ); 1.2.840.113556.1.4.528 = ( LDAP_SERVER_NOTIFICATION_OID ); 1.2.840.113556.1.4.417 = ( LDAP_SERVER_SHOW_DELETED_OID ); 1.2.840.113556.1.4.619 = ( LDAP_SERVER_LAZY_COMMIT_OID ); 1.2.840.113556.1.4.841 = ( LDAP_SERVER_DIRSYNC_OID ); 1.2.840.113556.1.4.529 = ( LDAP_SERVER_EXTENDED_DN_OID ); 1.2.840.113556.1.4.805 = ( LDAP_SERVER_TREE_DELETE_OID ); 1.2.840.113556.1.4.521 = ( LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID ); 1.2.840.113556.1.4.970 = ( LDAP_SERVER_GET_STATS_OID ); 1.2.840.113556.1.4.1338 = ( LDAP_SERVER_VERIFY_NAME_OID ); 1.2.840.113556.1.4.474 = ( LDAP_SERVER_RESP_SORT_OID ); 1.2.840.113556.1.4.1339 = ( LDAP_SERVER_DOMAIN_SCOPE_OID ); 1.2.840.113556.1.4.1340 = ( LDAP_SERVER_SEARCH_OPTIONS_OID ); 1.2.840.113556.1.4.1413 = ( LDAP_SERVER_PERMISSIVE_MODIFY_OID ); 2.16.840.1.113730.3.4.9 = ( LDAP_CONTROL_VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( LDAP_CONTROL_VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( LDAP_SERVER_ASQ_OID ); 1.2.840.113556.1.4.1852 = ( LDAP_SERVER_QUOTA_CONTROL_OID ); 1.2.840.113556.1.4.802 = ( LDAP_SERVER_RANGE_OPTION_OID ); 1.2.840.113556.1.4.1907 = ( LDAP_SERVER_SHUTDOWN_NOTIFY_OID ); 1.2.840.113556.1.4.1948; 1.2.840.113556.1.4.1974; 1.2.840.113556.1.4.1341; 1.2.840.113556.1.4.2026; 1.2.840.113556.1.4.2064; 1.2.840.113556.1.4.2065; 1.2.840.113556.1.4.2066;
 2> supportedLDAPVersion: 3; 2;
 16> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; ThreadMemoryLimit; SystemMemoryLimitPercent;
 1> highestCommittedUSN: 1651102;
 4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
 1> dnsHostName: DC1.root.local;
 1> ldapServiceName: root.local:dc1$@ROOT.LOCAL;
 1> serverName: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=root,DC=local;
 5> supportedCapabilities: 1.2.840.113556.1.4.800 = ( LDAP_CAP_ACTIVE_DIRECTORY_OID ); 1.2.840.113556.1.4.1670 = ( LDAP_CAP_ACTIVE_DIRECTORY_V51_OID ); 1.2.840.113556.1.4.1791 = ( LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID ); 1.2.840.113556.1.4.1935; 1.2.840.113556.1.4.2080;
 1> isSynchronized: TRUE;
 1> isGlobalCatalogReady: TRUE;
 1> domainFunctionality: 4;
 1> forestFunctionality: 4;
 1> domainControllerFunctionality: 4;
-----------

You are now connected to an Active Directory domain controller.




4. Performing a successful LDAP Bind

Once connected, the next step is to perform a successful bind i.e. to authenticate yourself to the Active Directory.

To perform a successful bind, you select the Connection item from the application menu on the top to locate and access the Bind option, which displays the Bind dialog box.
LDP Bind

In the Bind dialog box, you enter your credentials then click on OK. You can enter your credentials in various formats (e.g. UPN, <domain>\<samAccountName> etc.). If you're logged in using a domain user account and are connecting to an Active Directory domain to which a trust path exists from your domain, the simplest way to bind is to use the Bind as currently logged on user option.
LDP Bind Dialog Box

If successfully authenticated, LDP will indicate so by displaying an Authenticated as DN:<identity> line in the right pane.
Successful LDP Bind

You have now successfully completed a bind and are ready to perform operations against Active Directory.




5. Possible Active Directory Operations with LDP.exe

With LDP.exe, you can perform the following operations against Active Directory -
  1. View Active Directory contents
  2. Search Active Directory
  3. View Active Directory Security Descriptors
  4. View Active Directory Replication Metadata
  5. View the Enterprise Tree
  6. Create, delete and modify Active Directory content
In this blog entry, I will focus on illustrating how to view Active Directory content, perform Active Directory searches and view Active Directory security descriptors, as these are the most common usage scenarios.
Tip - If you're looking to fulfill advanced Active Directory security analysis/audit needs, such as to audit privileged user access in Active Directory, determine effective permissions in Active Directory etc. you may find this helpful.



6. Viewing Active Directory Contents using LDP.exe

Once you have performed a successful bind, you can perform various operations against Active Directory, and one of the most common ones is to view Active Directory contents, such as to view all attributes on a specific user account.

To do so, you select the View item from the application menu on the top to locate and click on the Tree option.
LDP Tree Option

Clicking on the Tree option displays the Tree dialog box, which is used to specify the distinguished name (DN) of the Active Directory object (/base of tree) you wish to view or focus on. By default, the Tree dialog box presents a few options including the domain root of the target domain, as well as the roots of the Configuration and Schema partitions of the target forest.
LDP Tree Specification Dialog Box

The domain root of the target domain is generally a good place to start, so simply select it and click OK.

When you do so, LDP.exe will display the root of the domain in the left pane.
Domain Root displayed in LDP.exe

A single-click on an object in the left pane will display the attributes (and their values) present on that object, in the right pane. A double-click will expand and display, in the left pane, the tree rooted at that object.

In this manner, once you know the DN of an object, such as that of a specific organizational unit (OU), a domain user account, a domain computer account, an NTDS Settings object, a SiteLink object, a Schema class/attribute object etc. that you are interested in, you can use the Tree dialog box to enter that object's DN and have LDP focus on that object.

Tip - The quickest way to find the DN of almost any object in Active Directory without requiring any technical knowledge is by using the inbuilt Search utility of this free tool.




7. Searching Active Directory using LDP.exe

Once you have specified a target object, you can perform a variety of operations on it. For instance, you can perform an LDAP search rooted at that object in Active Directory.

To do so, in the left pane, simply locate the object that you wish to have as the base of your search, then right-click on it, to view a set of available options, one of which should be Search.
Accessing Search in LDP.exe

Tip - Note that alternatively, you can also access the Search dialog box by selecting the General option from the application menu and then clicking on Search.


Selecting the Search option will open the Search dialog box. In this dialog box you basically need to specify the search filter and its scope. To specify the filter, you need to enter a valid LDAP filter, and to specify the scope, you simply choose from amongst, Base, One-Level or Sub-Tree.
LDP Search Dialog
 
In some cases, you'll also want to click on the Options button to be able to specify and set various options such as Time limit, Size limit, Timeout (s), Timeout (ms), Page size, Search Call Type, Sort Keys and Controls etc. as well as the list of attributes that you would like to have retrieved.
LDP Search Options Dialog

By default, LDP.exe will retrieve and display all attributes on all objects that meet the criteria of the specified LDAP filter.

If you're only interested in a subset of attributes, you can specify them using the Attributes text-box. Additionally, if you merely require a summary listing of the objects (i.e. no attributes to be returned), simply enter a . (i.e. a period) in the Attributes box.
Setting LDP Search Options to obtain a Summary listing
(when set, no attributes will be retrieved or returned)

Due to lack of time, I'm not going to delve into the various details of Sort Keys and Controls, but there's sufficient info out on MS TechNet that can help you learn more about their details and uses.
 
When you click OK, LDP.exe will perform the specified search for you and display the results in the right navigation pane.
Search Results Retrieved and Displayed in LDP.exe

Note that if you had specified that only the DNs be returned (i.e. no attributes), the results would look like the following.
Search Results (List of Objects Only; No Attributes)

In general, in order to be able to perform a variety of searches, you'll want to gain familiarity with how to define LDAP filters.
Tip - The quickest way to search for Active Directory content and perform Active Directory security audits without requiring any technical knowledge is to use the inbuilt Search utility of this free Active Directory audit tool.




8. Viewing Active Directory Security Descriptors using LDP.exe

LDP can also be used to view the NT Security Descriptors of Active Directory objects. The NT Security Descriptor contains / specifies the object's Owner, Group, ACL and SACL. Most IT professionals seek to do so to fulfill a variety of Active Directory cyber security analysis needs, such as those outlined in the 10 Helpful Time and Effort Saving Pointers section below.

Tip - You may find that one of the easiest and quickest ways to view, analyze and dump/export Active Directory security permissions and access control lists (ACL) is by using this AD acldump tool.


Consider the following Active Directory object. Lets see how to use LDP to view its NT Security Descriptor.
LDP focused on a specific Active Directory object
 
 
To view the NT Security Descriptor of an Active Directory object, you right-click on the object, then select Advanced then select Security Descriptor. 
Accessing the Security Descriptor Dialog in LDP

Doing so will display the Security Descriptor dialog box, which additionally presents two options -
Security Descriptor Dialog Box

  1. SACL - If selected, LDP will additionally* retrieve the object's SACL.
  2. Text dump - If selected, LDP will dump the security descriptor as text in the right pane.
* To view the SACL, you'll need to be effectively granted the Manage auditing and security log user right in the resulting Group Policy applicable to that domain controller (typically the default Domain Controller policy).

You specify these options as required, and then click OK. When you do so, LDP.exe will retrieve and display the Security Descriptor of the target object.

By default, the security descriptor is displayed in a special Security Descriptor dialog box.
Security Descriptor on an Active Directory Domain User Account Object


If the text dump option is selected, the security descriptor is displayed in text format in the right navigation pane.
NT Security Descriptor Text Dump in LDP.exe

Here's a partial text dump of an NT Security Descriptor of an Active Directory object -
Security Descriptor:
Security Descriptor:SD Revision: 1
SD Control:  0x8c14
  SE_DACL_PRESENT
  SE_SACL_PRESENT
  SE_DACL_AUTO_INHERITED
  SE_SACL_AUTO_INHERITED
  SE_SELF_RELATIVE
Owner: ROOT\Domain Admins [S-1-5-21-393905754-1721216372-3318422012-512]
Group: ROOT\Domain Admins [S-1-5-21-393905754-1721216372-3318422012-512]
DACL:
 Revision      4
 Size:         2532 bytes
 # Aces:       53
 Ace[0]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000010
   ACTRL_DS_READ_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Account Restrictions - 4c164200-20c0-11d0-a768-00aa006e0529
  Object Ace Sid:   ROOT\RAS and IAS Servers [S-1-5-21-393905754-1721216372-3318422012-553]
 Ace[1]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000010
   ACTRL_DS_READ_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Logon Information - 5f202010-79a5-11d0-9020-00c04fc2d4cf
  Object Ace Sid:   ROOT\RAS and IAS Servers [S-1-5-21-393905754-1721216372-3318422012-553]
 Ace[2]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000010
   ACTRL_DS_READ_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Group Membership - bc0ac240-79a9-11d0-9020-00c04fc2d4cf
  Object Ace Sid:   ROOT\RAS and IAS Servers [S-1-5-21-393905754-1721216372-3318422012-553]
 Ace[3]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000010
   ACTRL_DS_READ_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Remote Access Information - 037088f8-0ae1-11d2-b422-00a0c968f939
  Object Ace Sid:   ROOT\RAS and IAS Servers [S-1-5-21-393905754-1721216372-3318422012-553]
 Ace[4]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000030
   ACTRL_DS_READ_PROP
   ACTRL_DS_WRITE_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  userCertificate - bf967a7f-0de6-11d0-a285-00aa003049e2
  Object Ace Sid:   ROOT\Cert Publishers [S-1-5-21-393905754-1721216372-3318422012-517]
 Ace[5]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  44 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000010
   ACTRL_DS_READ_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  tokenGroupsGlobalAndUniversal - 46a9b11d-60ae-405a-b7e8-ff8a58d456d2
  Object Ace Sid:   BUILTIN\Windows Authorization Access Group [S-1-5-32-560]
 Ace[6]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  44 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000030
   ACTRL_DS_READ_PROP
   ACTRL_DS_WRITE_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  terminalServer - 6db69a1c-9422-11d1-aebd-0000f80367c1
  Object Ace Sid:   BUILTIN\Terminal Server License Servers [S-1-5-32-561]
 Ace[7]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  44 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000030
   ACTRL_DS_READ_PROP
   ACTRL_DS_WRITE_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Terminal Server License Server - 5805bc62-bdc9-4428-a5e2-856a0f4c185e
  Object Ace Sid:   BUILTIN\Terminal Server License Servers [S-1-5-32-561]
 Ace[8]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  40 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000100
   ACTRL_DS_CONTROL_ACCESS
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Change Password - ab721a53-1e2f-11d0-9819-00aa0040529b
  Object Ace Sid:   Everyone [S-1-1-0]
 Ace[9]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  40 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000100
   ACTRL_DS_CONTROL_ACCESS
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Change Password - ab721a53-1e2f-11d0-9819-00aa0040529b
  Object Ace Sid:   NT AUTHORITY\SELF [S-1-5-10]

 ... 
 Ace[50]
  Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
  Ace Size:  36 bytes
  Ace Flags: 0x12
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
  Ace Mask:  0x000f01ff
   DELETE
   READ_CONTROL
   WRITE_DAC
   WRITE_OWNER
   ACTRL_DS_CREATE_CHILD
   ACTRL_DS_DELETE_CHILD
   ACTRL_DS_LIST
   ACTRL_DS_SELF
   ACTRL_DS_READ_PROP
   ACTRL_DS_WRITE_PROP
   ACTRL_DS_DELETE_TREE
   ACTRL_DS_LIST_OBJECT
   ACTRL_DS_CONTROL_ACCESS
  Ace Sid:   ROOT\Enterprise Admins [S-1-5-21-393905754-1721216372-3318422012-519]
 Ace[51]
  Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
  Ace Size:  24 bytes
  Ace Flags: 0x12
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
  Ace Mask:  0x00000004
   ACTRL_DS_LIST
  Ace Sid:   BUILTIN\Pre-Windows 2000 Compatible Access [S-1-5-32-554]
 Ace[52]
  Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
  Ace Size:  24 bytes
  Ace Flags: 0x12
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
  Ace Mask:  0x000f01bd
   DELETE
   READ_CONTROL
   WRITE_DAC
   WRITE_OWNER
   ACTRL_DS_CREATE_CHILD
   ACTRL_DS_LIST
   ACTRL_DS_SELF
   ACTRL_DS_READ_PROP
   ACTRL_DS_WRITE_PROP
   ACTRL_DS_LIST_OBJECT
   ACTRL_DS_CONTROL_ACCESS
  Ace Sid:   BUILTIN\Administrators [S-1-5-32-544]
SACL:
 Revision      4
 Size:         252 bytes
 # Aces:       5
 Ace[0]
  Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x92
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
   FAILED_ACCESS_ACE_FLAG
  Object Ace Mask:  0x00000100
   ACTRL_DS_CONTROL_ACCESS
  Object Ace Flags: 0x3
   ACE_OBJECT_TYPE_PRESENT
   ACE_INHERITED_OBJECT_TYPE_PRESENT
  Object Ace Type:  Reset Password - 00299570-246d-11d0-a768-00aa006e0529
  Inherited object type: user - bf967aba-0de6-11d0-a285-00aa003049e2
  Object Ace Sid:   Everyone [S-1-1-0]
 Ace[1]
  Ace Type:  0x2 - SYSTEM_AUDIT_ACE_TYPE
  Ace Size:  20 bytes
  Ace Flags: 0x52
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
   SUCCESSFUL_ACCESS_ACE_FLAG
  Ace Mask:  0x00050000
   DELETE
   WRITE_DAC
  Ace Sid:   Everyone [S-1-1-0]
 Ace[2]
  Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x52
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
   SUCCESSFUL_ACCESS_ACE_FLAG
  Object Ace Mask:  0x00000100
   ACTRL_DS_CONTROL_ACCESS
  Object Ace Flags: 0x3
   ACE_OBJECT_TYPE_PRESENT
   ACE_INHERITED_OBJECT_TYPE_PRESENT
  Object Ace Type:  Reset Password - 00299570-246d-11d0-a768-00aa006e0529
  Inherited object type: user - bf967aba-0de6-11d0-a285-00aa003049e2
  Object Ace Sid:   Everyone [S-1-1-0]
 Ace[3]
  Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x5a
   CONTAINER_INHERIT_ACE
   INHERIT_ONLY_ACE
   INHERITED_ACE
   SUCCESSFUL_ACCESS_ACE_FLAG
  Object Ace Mask:  0x00000020
   ACTRL_DS_WRITE_PROP
  Object Ace Flags: 0x3
   ACE_OBJECT_TYPE_PRESENT
   ACE_INHERITED_OBJECT_TYPE_PRESENT
  Object Ace Type:  gPLink - f30e3bbe-9ff0-11d1-b603-0000f80367c1
  Inherited object type: organizationalUnit - bf967aa5-0de6-11d0-a285-00aa003049e2
  Object Ace Sid:   Everyone [S-1-1-0]
 Ace[4]
  Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x5a
   CONTAINER_INHERIT_ACE
   INHERIT_ONLY_ACE
   INHERITED_ACE
   SUCCESSFUL_ACCESS_ACE_FLAG
  Object Ace Mask:  0x00000020
   ACTRL_DS_WRITE_PROP
  Object Ace Flags: 0x3
   ACE_OBJECT_TYPE_PRESENT
   ACE_INHERITED_OBJECT_TYPE_PRESENT
  Object Ace Type:  gPOptions - f30e3bbf-9ff0-11d1-b603-0000f80367c1
  Inherited object type: organizationalUnit - bf967aa5-0de6-11d0-a285-00aa003049e2
  Object Ace Sid:   Everyone [S-1-1-0]
Security for "CN=Satya Nadella,OU=IT Admin Accounts,OU=IT,OU=Newport Beach,OU=USA,OU=Americas,OU=Corp,DC=root,DC=local"
-----------
 
Helpful Tip - If you need to dump/export Active Directory ACLs, or easily and quickly analyze them, the easiest and fastest way to do so is by using this AD acldump tool.

In this manner you can view and analyze Active Directory security descriptors using LDP.exe.





9. Some Common LDP.exe Uses

The following snapshots illustrate some common uses of LDP.exe.

1. Viewing the domain root object and its attributes (e.g. lockoutObservationWindow) -
Domain Root Object


2. Enumerating all domain user accounts that have a specific term in their Title (e.g. *Cloud*) -
All domain user accounts with the word Cloud in their title
Tip - If you need to generate reports such as List of all active, stale, expired, locked, executive, administrative user accounts in a domain/OU etc. or export this data to a CSV file, or generate a PDF report, the easiest way to do is by using this AD audit tool.


3. Viewing the AdminSDHolder object and the NT Security Descriptor protecting it - 
The AdminSDHolder object
Tip - If you need to find out who has what effective permissions/access on any object in Active Directory (e.g. administrative accounts, groups etc.), the only way to accurately do is by using this Active Directory Effective Permissions Calculator.
 

4. Viewing the Domain Controllers OU and its NT Security Descriptor -
ACL on the Domain Controllers OU
Tip - If you need to find out exactly who can control and manage the security on the Domain Controllers OU, or change the Group Policies (GPOs) linked to it, this tool can help you do so, instantly and accurately.


5. Viewing the Schema partition and its contents -
Schema Partition Root Object
Tip - If you need to know exactly who can modify an existing class or attribute definition in your Active Directory Schema, or extend your Schema, this tool can help you find this out, instantly and accurately.


6. Viewing the Configuration partition and its contents -
Configuration Partition Root Object
Tip - If you need to know exactly who can modify critical content in your Configuration partition, such as creating, modifying or deleting Sites, Subnets, Sitelinks, IP Transports, NTDS Settings objects, Query Policies etc., this tool can help you find this out, instantly and accurately.


7. Viewing Replication Metadata on an object -
Replication Metadata


8. Using Looking up Security Identifiers (SIDs) using the SID Lookup capability -
Looking up Account SIDS using LDP.exe

Tip - If you need to lookup accounts SIDs, or find Active Directory domain user accounts, computer accounts or security groups based on criteria such as their name, title, operating system, manager etc., one of the easiest ways to do so is by using the inbuilt object search utility of this free Active Directory audit  tool.


9. Requesting the ACLs on all domain user accounts -
NT Security Descriptor on multiple Active Directory objects
Tip - If you need to dump the ACLs of multiple Active Directory objects (e.g. all objects in domain, all admin users, all executives, all security groups etc.) into a CSV file, the easiest way to do so is by using this tool.


10. Enumerating all security principals that belong to a specific group, such as the IT Team security group -
Retrieving all security principals that belong to a specific group

Tip - Although LDP can enumerate direct group memberships, it is unable to enumerate and display the complete, flattened out membership of a specific group, or the list of all groups to which a user belongs. If you need to fulfill either of these needs, here is the easiest way to do so. 

In this manner, LDP.exe can be used to query Active Directory content and analyze various operational and security aspects.




10. Some Helpful Tips When Using LDP.exe

Here are some helpful tips when using LDP.exe -
  1. You can clear the contents of the right pane by using Ctrl-N.
  2. You can copy contents from the right pane by right-clicking and using Select All, then Copy.
  3. You can export the data from the right pane by using the Save-As option.
  4. You can increase the buffer size for the number of rows displayed in the right pane by modifying the value for the Number of Lines setting in the Buffer Size section of General Options. The default value is 512.
LDP.exe General Options
 
In general, as you gain familiarity with the tools, you'll likely discover similar helpful tips.




10 Helpful Time and Effort Saving Pointers

If you've read this far, you're likely an IT professional focused on Active Directory or Cyber Security. If so, not only is your time valuable, you know that high-value cyber security insight into your Active Directory is paramount to your organization's security.


You may also likely know not just the benefits of LDP, but also its limits. Specifically, while there's much you can do with it, there also a lot you cannot do with it. For instance, many needs listed below cannot be fulfilled with LDP.exe or most tooling.

If you value your time, you'll find the following pointers helpful, because they're the quickest and easiest ways to accomplish and fulfill a variety of Active Directory focused search, privileged access/user audit and cyber security analysis needs -


1. How to instantly perform an Active Directory security audit
2. How to instantly enumerate Active Directory group memberships
3. How to instantly find out what security groups a user belongs to
4. How to instantly view list of SIDs in another user's account (i.e. whoami for another user)
5. How to instantly identify users with large token sizes (i.e. tokensz for another user)
6. How to instantly view/analyze Active Directory ACLs  (i.e. like dsacls, 10x better)
7. How to instantly dump Active Directory ACLs/permissions
8. How to instantly analyze Active Directory permissions
9. How to instantly determine effective permissions on Active Directory objects
10. How to instantly audit delegations / privileged user access in Active Directory


The first time I used LDP.exe was about 16 years ago. If you've spent even 1/10th of the time I've spent on Active Directory security, I think you'll find these pointers could help you and your organization save 1000s of hours of valuable time.

I hope you've found this little intro to LDP to be useful and I wish you all the best as you proceed to look under the hood and increase your knowledge in the vast subject that is Microsoft Active Directory.

Best wishes,
Sanjay