Today Active Directory Security is mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Monday, June 20, 2016

LDP.exe for Active Directory - Download, Usage, Tutorial and Examples

Folks,

In a few days, I'll start shedding some light on vital Active Directory Security related matters that I believe most organizations seem to be in the dark about today. Until then, I just wanted to share some simple technical stuff on a few technical topics.


Today's is on LDP.exe, a helpful free tool from Microsoft that can be used to perform LDAP operations in Active Directory.
LDP.exe

Technically speaking, LDP is a simple Lightweight Directory Access Protocol (LDAP) client that allows users to perform various operations (connect, bind, search, modify, add, delete) against any LDAP-compatible directory, including Active Directory. It can also be used to view replication metadata and Active Directory security descriptors.

In this blog entry, I've covered the following aspects of LDP as succinctly as possible -
  1. Where to download LDP from
  2. An overview of how to use LDP
  3. Connecting to Active Directory using LDP
  4. Performing a successful bind in LDP
  5. An overview of operations possible with LDP
  6. How to view Active Directory contents with LDP
  7. How to search Active Directory using LDP
  8. How to view Active Directory NT Security Descriptors
  9. Ten common LDP usage examples
  10. Helpful tips on using LDP 

By the way, this primer shouldn't be new stuff for many folks, but the world's a big place, and so while 1000s of IT personnel likely use LDP, 100s of 1000s of IT personnel, including many cyber security professionals, may have yet to discover LDP.exe.




1. Download LDP.exe

First things first. You can instantly download LDP from here. (Simply locate, then click on LDP Utility.)


Download LDP.exe


Tip - LDP.exe is a nifty tool, especially for Active Directory analysis. However, it requires some Active Directory technical knowledge. If you don't want to deal with the technicals, or don't have the time to ramp up on them, and are primarily interested in its search capabilities to perform basic yet essential Active Directory security audits, then as an alternative/addition, this free Active Directory Audit Tool could save you a lot of time and effort.



2. An Overview of How to Use LDP

LDP.exe is fairly easy to use, but it requires you to have some basic technical background on LDAP, Windows Security etc.

Here's a quick overview of how to use LDP.exe -
  1. Connect to an Active Directory domain or Domain Controller, after launching LDP.exe.
  2. Perform a successful LDAP bind by authenticating to Active Directory
  3. Specify a target Active Directory object as the base DN for permitted operations
  4. Perform the desired operations (e.g. search, modify, add, delete, view SD, etc.)
  5. Disconnect when done.
To help you get started and become acquainted, I've illustrated these steps below step-by-step.




3. Connecting to Active Directory using LDP.exe

Once you've downloaded LDP.exe, just double-click on it to launch it. Then, the first thing to do is connect to Active Directory.

To connect to an Active Directory domain, you launch LDP.exe, then select the Connection item from the application menu on the top to locate and click the Connect option, which displays the Connect dialog box.
LDP Connect

In the Connect dialog box, you specify the Active Directory domain or domain controller you wish to connect to, by entering its complete domain DNS name (e.g. root.local, dc1.root.local etc.), as well as the port you'd like to connect on (389 for LDAP and 3268 for a Global Catalog), and optionally, whether you'd like to use SSL.
LDP Connect Dialog

Once connected, LDP.exe will display the root of the directory data tree on the directory server, i.e. the rootDSE entry, whose attributes include various nuggets of valuable technical information.
LDP displaying rootDSE info

Specifically, rootDSE is a special entry whose operational attributes provide helpful information about the Active Directory domain (and domain controller) to which you are connected, such as the current time on the DC, the domain and forest functional levels, the SASL mechanisms supported, the LDAP policies and controls supported, whether the DC is also a Global Catalog, etc.

Here's an example of what the rootDSE details look like -
ld = ldap_open("", 389);
Established connection to .

Retrieving base DSA information...

Getting 1 entries:

>> Dn:
 1> currentTime: 06/17/2016 22:27:47 Pacific Standard Time;
 1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=root,DC=local;
 1> dsServiceName: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=root,DC=local;
 5> namingContexts: DC=root,DC=local; CN=Configuration,DC=root,DC=local; CN=Schema,CN=Configuration,DC=root,DC=local; DC=DomainDnsZones,DC=root,DC=local; DC=ForestDnsZones,DC=root,DC=local;
 1> defaultNamingContext: DC=root,DC=local;
 1> schemaNamingContext: CN=Schema,CN=Configuration,DC=root,DC=local;
 1> configurationNamingContext: CN=Configuration,DC=root,DC=local;
 1> rootDomainNamingContext: DC=root,DC=local;
 29> supportedControl: 1.2.840.113556.1.4.319 = ( LDAP_PAGED_RESULT_OID_STRING ); 1.2.840.113556.1.4.801 = ( LDAP_SERVER_SD_FLAGS_OID ); 1.2.840.113556.1.4.473 = ( LDAP_SERVER_SORT_OID ); 1.2.840.113556.1.4.528 = ( LDAP_SERVER_NOTIFICATION_OID ); 1.2.840.113556.1.4.417 = ( LDAP_SERVER_SHOW_DELETED_OID ); 1.2.840.113556.1.4.619 = ( LDAP_SERVER_LAZY_COMMIT_OID ); 1.2.840.113556.1.4.841 = ( LDAP_SERVER_DIRSYNC_OID ); 1.2.840.113556.1.4.529 = ( LDAP_SERVER_EXTENDED_DN_OID ); 1.2.840.113556.1.4.805 = ( LDAP_SERVER_TREE_DELETE_OID ); 1.2.840.113556.1.4.521 = ( LDAP_SERVER_CROSSDOM_MOVE_TARGET_OID ); 1.2.840.113556.1.4.970 = ( LDAP_SERVER_GET_STATS_OID ); 1.2.840.113556.1.4.1338 = ( LDAP_SERVER_VERIFY_NAME_OID ); 1.2.840.113556.1.4.474 = ( LDAP_SERVER_RESP_SORT_OID ); 1.2.840.113556.1.4.1339 = ( LDAP_SERVER_DOMAIN_SCOPE_OID ); 1.2.840.113556.1.4.1340 = ( LDAP_SERVER_SEARCH_OPTIONS_OID ); 1.2.840.113556.1.4.1413 = ( LDAP_SERVER_PERMISSIVE_MODIFY_OID ); 2.16.840.1.113730.3.4.9 = ( LDAP_CONTROL_VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( LDAP_CONTROL_VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( LDAP_SERVER_ASQ_OID ); 1.2.840.113556.1.4.1852 = ( LDAP_SERVER_QUOTA_CONTROL_OID ); 1.2.840.113556.1.4.802 = ( LDAP_SERVER_RANGE_OPTION_OID ); 1.2.840.113556.1.4.1907 = ( LDAP_SERVER_SHUTDOWN_NOTIFY_OID ); 1.2.840.113556.1.4.1948; 1.2.840.113556.1.4.1974; 1.2.840.113556.1.4.1341; 1.2.840.113556.1.4.2026; 1.2.840.113556.1.4.2064; 1.2.840.113556.1.4.2065; 1.2.840.113556.1.4.2066;
 2> supportedLDAPVersion: 3; 2;
 16> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; ThreadMemoryLimit; SystemMemoryLimitPercent;
 1> highestCommittedUSN: 1651102;
 4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
 1> dnsHostName: DC1.root.local;
 1> ldapServiceName: root.local:dc1$@ROOT.LOCAL;
 1> serverName: CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=root,DC=local;
 5> supportedCapabilities: 1.2.840.113556.1.4.800 = ( LDAP_CAP_ACTIVE_DIRECTORY_OID ); 1.2.840.113556.1.4.1670 = ( LDAP_CAP_ACTIVE_DIRECTORY_V51_OID ); 1.2.840.113556.1.4.1791 = ( LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID ); 1.2.840.113556.1.4.1935; 1.2.840.113556.1.4.2080;
 1> isSynchronized: TRUE;
 1> isGlobalCatalogReady: TRUE;
 1> domainFunctionality: 4;
 1> forestFunctionality: 4;
 1> domainControllerFunctionality: 4;
-----------

You are now connected to an Active Directory domain controller.
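Since LDP lets you save the right pane to a file, the rootDSE output above is easy to review offline. As an added example (my own Python, not part of LDP or of the original post), here's a small script that parses LDP's " N> attribute: value; value;" lines into a dictionary and pulls out the values worth checking first from a security standpoint: the LDAP versions and SASL mechanisms offered, whether the DC advertises the LDAP signing/sealing capability OID (1.2.840.113556.1.4.1791, shown in the dump above), whether it is a Global Catalog, and the functional levels. The sample text is a constructed, abridged copy of the dump above; the functional level names are the standard Windows Server mappings.

```python
import re
from typing import Dict, List

# Constructed sample, abridged from the rootDSE dump shown above.
LDP_ROOTDSE_OUTPUT = """\
>> Dn:
 1> currentTime: 06/17/2016 22:27:47 Pacific Standard Time;
 5> namingContexts: DC=root,DC=local; CN=Configuration,DC=root,DC=local; CN=Schema,CN=Configuration,DC=root,DC=local; DC=DomainDnsZones,DC=root,DC=local; DC=ForestDnsZones,DC=root,DC=local;
 1> defaultNamingContext: DC=root,DC=local;
 2> supportedLDAPVersion: 3; 2;
 4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
 1> dnsHostName: DC1.root.local;
 5> supportedCapabilities: 1.2.840.113556.1.4.800 = ( LDAP_CAP_ACTIVE_DIRECTORY_OID ); 1.2.840.113556.1.4.1670 = ( LDAP_CAP_ACTIVE_DIRECTORY_V51_OID ); 1.2.840.113556.1.4.1791 = ( LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID ); 1.2.840.113556.1.4.1935; 1.2.840.113556.1.4.2080;
 1> isGlobalCatalogReady: TRUE;
 1> domainFunctionality: 4;
 1> forestFunctionality: 4;
 1> domainControllerFunctionality: 4;
-----------
"""

# One LDP attribute line: " <count>> <attribute>: <value>; <value>; ..."
ATTR_LINE = re.compile(r"^\s*(\d+)>\s*([A-Za-z][\w-]*):\s*(.*)$")

# Domain/forest functional level codes as reported in rootDSE.
FUNCTIONAL_LEVELS = {
    0: "Windows 2000", 1: "Windows Server 2003 interim", 2: "Windows Server 2003",
    3: "Windows Server 2008", 4: "Windows Server 2008 R2", 5: "Windows Server 2012",
    6: "Windows Server 2012 R2", 7: "Windows Server 2016",
}
# Capability OID advertised by DCs that support LDAP signing and sealing.
LDAP_INTEG_OID = "1.2.840.113556.1.4.1791"


def parse_ldp_attributes(text: str) -> Dict[str, List[str]]:
    """Turn LDP's attribute lines into {attribute: [values]}.
    LDP prints the value count before each attribute; it is checked against
    the number of values actually parsed so a mangled paste is caught."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if not m:
            continue  # ">> Dn:", separators, blank lines
        count, name, raw = int(m.group(1)), m.group(2), m.group(3)
        values = [v.strip() for v in raw.split(";") if v.strip()]
        if len(values) != count:
            raise ValueError(f"{name}: LDP reported {count} values, parsed {len(values)}")
        attrs[name] = values
    return attrs


def oids_only(values: List[str]) -> List[str]:
    """'1.2.840.113556.1.4.1791 = ( LDAP_CAP_... )' or a bare OID -> just the OID."""
    return [v.split("=", 1)[0].strip() for v in values]


def summarize_rootdse(attrs: Dict[str, List[str]]) -> Dict[str, object]:
    """Pull out the rootDSE values a security reviewer looks at first."""
    caps = oids_only(attrs.get("supportedCapabilities", []))
    return {
        "dc": attrs["dnsHostName"][0],
        "default_naming_context": attrs["defaultNamingContext"][0],
        "ldap_versions": sorted(int(v) for v in attrs["supportedLDAPVersion"]),
        "sasl_mechanisms": attrs["supportedSASLMechanisms"],
        # Supported is not the same as required: whether signing is enforced is
        # a DC policy setting ("Domain controller: LDAP server signing
        # requirements") that rootDSE does not reveal.
        "supports_ldap_signing": LDAP_INTEG_OID in caps,
        "is_global_catalog": attrs.get("isGlobalCatalogReady", ["FALSE"])[0] == "TRUE",
        "domain_level": FUNCTIONAL_LEVELS.get(int(attrs["domainFunctionality"][0]), "unknown"),
        "forest_level": FUNCTIONAL_LEVELS.get(int(attrs["forestFunctionality"][0]), "unknown"),
    }


if __name__ == "__main__":
    for key, value in summarize_rootdse(parse_ldp_attributes(LDP_ROOTDSE_OUTPUT)).items():
        print(f"{key:24} {value}")
```

Paste the contents of LDP's right pane (or a file saved from it) into LDP_ROOTDSE_OUTPUT and run the script; the count check will complain if a line was truncated on the way.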




4. Performing a successful LDAP Bind

Once connected, the next step is to perform a successful bind i.e. to authenticate yourself to the Active Directory.

To perform a successful bind, you select the Connection item from the application menu on the top to locate and access the Bind option, which displays the Bind dialog box.
LDP Bind

In the Bind dialog box, you enter your credentials then click on OK. You can enter your credentials in various formats (e.g. UPN, <domain>\<samAccountName> etc.). If you're logged in using a domain user account and are connecting to an Active Directory domain to which a trust path exists from your domain, the simplest way to bind is to use the Bind as currently logged on user option.
LDP Bind Dialog Box

If successfully authenticated, LDP will indicate so by displaying an Authenticated as DN:<identity> line in the right pane.
Successful LDP Bind

You have now successfully completed a bind and are ready to perform operations against Active Directory.




5. Possible Active Directory Operations with LDP.exe

With LDP.exe, you can perform the following operations against Active Directory -
  1. View Active Directory contents
  2. Search Active Directory
  3. View Active Directory Security Descriptors
  4. View Active Directory Replication Metadata
  5. View the Enterprise Tree
  6. Create, delete and modify Active Directory content
In this blog entry, I will focus on illustrating how to view Active Directory content, perform Active Directory searches and view Active Directory security descriptors, as these are the most common usage scenarios.
Tip - If you're looking to fulfill advanced Active Directory security analysis/audit needs, such as auditing privileged user access in Active Directory, determining effective permissions in Active Directory, etc., you may find this helpful.



6. Viewing Active Directory Contents using LDP.exe

Once you have performed a successful bind, you can perform various operations against Active Directory, and one of the most common ones is to view Active Directory contents, such as to view all attributes on a specific user account.

To do so, you select the View item from the application menu on the top to locate and click on the Tree option.
LDP Tree Option

Clicking on the Tree option displays the Tree dialog box, which is used to specify the distinguished name (DN) of the Active Directory object (i.e. the base of the tree) you wish to view or focus on. By default, the Tree dialog box presents a few options, including the domain root of the target domain, as well as the roots of the Configuration and Schema partitions of the target forest.
LDP Tree Specification Dialog Box

The domain root of the target domain is generally a good place to start, so simply select it and click OK.

When you do so, LDP.exe will display the root of the domain in the left pane.
Domain Root displayed in LDP.exe

A single-click on an object in the left pane will display the attributes (and their values) present on that object, in the right pane. A double-click will expand and display, in the left pane, the tree rooted at that object.

In this manner, once you know the DN of an object, such as that of a specific organizational unit (OU), a domain user account, a domain computer account, an NTDS Settings object, a SiteLink object, a Schema class/attribute object etc. that you are interested in, you can use the Tree dialog box to enter that object's DN and have LDP focus on that object.

Tip - The quickest way to find the DN of almost any object in Active Directory without requiring any technical knowledge is by using the inbuilt Search utility of this free tool.




7. Searching Active Directory using LDP.exe

Once you have specified a target object, you can perform a variety of operations on it. For instance, you can perform an LDAP search rooted at that object in Active Directory.

To do so, in the left pane, simply locate the object that you wish to have as the base of your search, then right-click on it to view the available options, one of which is Search.
Accessing Search in LDP.exe

Tip - Alternatively, you can access the Search dialog box by selecting the General option from the application menu and then clicking on Search.


Selecting the Search option will open the Search dialog box. In this dialog box you basically need to specify the search filter and its scope. To specify the filter, you need to enter a valid LDAP filter, and to specify the scope, you simply choose from Base, One-Level or Sub-Tree.
LDP Search Dialog
 
In some cases, you'll also want to click on the Options button to be able to specify and set various options such as Time limit, Size limit, Timeout (s), Timeout (ms), Page size, Search Call Type, Sort Keys and Controls etc. as well as the list of attributes that you would like to have retrieved.
LDP Search Options Dialog

By default, LDP.exe will retrieve and display all attributes on all objects that meet the criteria of the specified LDAP filter.

If you're only interested in a subset of attributes, you can specify them using the Attributes text-box. Additionally, if you merely require a summary listing of the objects (i.e. no attributes to be returned), simply enter a . (i.e. a period) in the Attributes box.
Setting LDP Search Options to obtain a Summary listing
(when set, no attributes will be retrieved or returned)

Due to lack of time, I'm not going to delve into the various details of Sort Keys and Controls, but there's sufficient info out on MS TechNet that can help you learn more about their details and uses.
 
When you click OK, LDP.exe will perform the specified search for you and display the results in the right navigation pane.
Search Results Retrieved and Displayed in LDP.exe

Note that if you had specified that only the DNs be returned (i.e. no attributes), the results would look like the following.
Search Results (List of Objects Only; No Attributes)

In general, in order to be able to perform a variety of searches, you'll want to gain familiarity with how to define LDAP filters.
Tip - The quickest way to search for Active Directory content and perform Active Directory security audits without requiring any technical knowledge is to use the inbuilt Search utility of this free Active Directory audit tool.
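Since writing LDAP filters is the part of searching that trips most people up, here's an added example (my own Python, not part of LDP or of the original post) that builds the filters behind several of the searches shown in section 9 below: all domain user accounts, users whose Title contains a term (the *Cloud* search), AdminSDHolder-protected accounts, disabled accounts via the bit-AND matching rule, and the direct members of a group such as the IT Team security group. It also escapes any value that comes from outside the filter (RFC 4515), so a name containing "*", "(" or ")" cannot change the structure of the filter, and it includes the chained matching rule (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941), which makes the DC expand nested group membership server-side. The group DN used in the usage block is a constructed placeholder.

```python
from typing import List


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP filter.
    '*', '(', ')', '\\' and NUL would otherwise change the filter's structure;
    bytes outside printable ASCII are escaped as their UTF-8 hex form."""
    escaped: List[str] = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b < 0x20 or b > 0x7E:
            escaped.append("\\%02x" % b)
        else:
            escaped.append(chr(b))
    return "".join(escaped)


def is_balanced(filter_string: str) -> bool:
    """Cheap sanity check before pasting a filter into LDP: every '(' has its ')'."""
    depth = 0
    for ch in filter_string:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Computer accounts also carry objectClass=user, so objectCategory=person is
# needed to restrict a search to user accounts.
USER_ACCOUNTS = "(objectCategory=person)(objectClass=user)"

# Matching-rule OIDs understood by Active Directory DCs.
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN
UF_ACCOUNTDISABLE = 0x0002                 # userAccountControl bit


def all_user_accounts() -> str:
    return f"(&{USER_ACCOUNTS})"


def users_with_title_containing(term: str) -> str:
    """Section 9, example 2: the term is escaped first, then wrapped in wildcards."""
    return f"(&{USER_ACCOUNTS}(title=*{escape_filter_value(term)}*))"


def admin_protected_accounts() -> str:
    """Accounts stamped by AdminSDHolder (section 9, example 3) carry adminCount=1."""
    return f"(&{USER_ACCOUNTS}(adminCount=1))"


def disabled_user_accounts() -> str:
    """userAccountControl is a bit field; the bit-AND rule tests one bit of it."""
    return f"(&{USER_ACCOUNTS}(userAccountControl:{BIT_AND_RULE}:={UF_ACCOUNTDISABLE}))"


def direct_members_of(group_dn: str) -> str:
    """Section 9, example 10: memberOf holds direct memberships only."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def nested_members_of(group_dn: str) -> str:
    """Transitive membership: the in-chain rule makes the DC walk nested groups."""
    return f"(memberOf:{IN_CHAIN_RULE}:={escape_filter_value(group_dn)})"


if __name__ == "__main__":
    group = "CN=IT Team,OU=Groups,DC=root,DC=local"  # constructed placeholder DN
    for f in (all_user_accounts(), users_with_title_containing("Cloud"),
              admin_protected_accounts(), disabled_user_accounts(),
              direct_members_of(group), nested_members_of(group)):
        print("OK " if is_balanced(f) else "BAD", f)
```

Each function returns a string you can paste straight into the Filter box of LDP's Search dialog with the scope set to Sub-Tree.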




8. Viewing Active Directory Security Descriptors using LDP.exe

LDP can also be used to view the NT Security Descriptors of Active Directory objects. The NT Security Descriptor specifies the object's Owner, Group, DACL and SACL. Most IT professionals seek to do so to fulfill a variety of Active Directory cyber security analysis needs, such as those outlined in the 10 Helpful Time and Effort Saving Pointers section below.

Tip - You may find that one of the easiest and quickest ways to view, analyze and dump/export Active Directory security permissions and access control lists (ACL) is by using this AD acldump tool.


Consider the following Active Directory object. Let's see how to use LDP to view its NT Security Descriptor.
LDP focused on a specific Active Directory object
 
 
To view the NT Security Descriptor of an Active Directory object, you right-click on the object, then select Advanced, then Security Descriptor.
Accessing the Security Descriptor Dialog in LDP

Doing so will display the Security Descriptor dialog box, which additionally presents two options -
Security Descriptor Dialog Box

  1. SACL - If selected, LDP will additionally* retrieve the object's SACL.
  2. Text dump - If selected, LDP will dump the security descriptor as text in the right pane.
* To view the SACL, you'll need to be effectively granted the Manage auditing and security log user right in the resulting Group Policy applicable to that domain controller (typically the default Domain Controller policy).

You specify these options as required, and then click OK. When you do so, LDP.exe will retrieve and display the Security Descriptor of the target object.

By default, the security descriptor is displayed in a special Security Descriptor dialog box.
Security Descriptor on an Active Directory Domain User Account Object


If the text dump option is selected, the security descriptor is displayed in text format in the right navigation pane.
NT Security Descriptor Text Dump in LDP.exe

Here's a partial text dump of an NT Security Descriptor of an Active Directory object -
Security Descriptor:
SD Revision: 1
SD Control:  0x8c14
  SE_DACL_PRESENT
  SE_SACL_PRESENT
  SE_DACL_AUTO_INHERITED
  SE_SACL_AUTO_INHERITED
  SE_SELF_RELATIVE
Owner: ROOT\Domain Admins [S-1-5-21-393905754-1721216372-3318422012-512]
Group: ROOT\Domain Admins [S-1-5-21-393905754-1721216372-3318422012-512]
DACL:
 Revision      4
 Size:         2532 bytes
 # Aces:       53
 Ace[0]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000010
   ACTRL_DS_READ_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Account Restrictions - 4c164200-20c0-11d0-a768-00aa006e0529
  Object Ace Sid:   ROOT\RAS and IAS Servers [S-1-5-21-393905754-1721216372-3318422012-553]
 Ace[1]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000010
   ACTRL_DS_READ_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Logon Information - 5f202010-79a5-11d0-9020-00c04fc2d4cf
  Object Ace Sid:   ROOT\RAS and IAS Servers [S-1-5-21-393905754-1721216372-3318422012-553]
 Ace[2]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000010
   ACTRL_DS_READ_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Group Membership - bc0ac240-79a9-11d0-9020-00c04fc2d4cf
  Object Ace Sid:   ROOT\RAS and IAS Servers [S-1-5-21-393905754-1721216372-3318422012-553]
 Ace[3]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000010
   ACTRL_DS_READ_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Remote Access Information - 037088f8-0ae1-11d2-b422-00a0c968f939
  Object Ace Sid:   ROOT\RAS and IAS Servers [S-1-5-21-393905754-1721216372-3318422012-553]
 Ace[4]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000030
   ACTRL_DS_READ_PROP
   ACTRL_DS_WRITE_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  userCertificate - bf967a7f-0de6-11d0-a285-00aa003049e2
  Object Ace Sid:   ROOT\Cert Publishers [S-1-5-21-393905754-1721216372-3318422012-517]
 Ace[5]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  44 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000010
   ACTRL_DS_READ_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  tokenGroupsGlobalAndUniversal - 46a9b11d-60ae-405a-b7e8-ff8a58d456d2
  Object Ace Sid:   BUILTIN\Windows Authorization Access Group [S-1-5-32-560]
 Ace[6]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  44 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000030
   ACTRL_DS_READ_PROP
   ACTRL_DS_WRITE_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  terminalServer - 6db69a1c-9422-11d1-aebd-0000f80367c1
  Object Ace Sid:   BUILTIN\Terminal Server License Servers [S-1-5-32-561]
 Ace[7]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  44 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000030
   ACTRL_DS_READ_PROP
   ACTRL_DS_WRITE_PROP
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Terminal Server License Server - 5805bc62-bdc9-4428-a5e2-856a0f4c185e
  Object Ace Sid:   BUILTIN\Terminal Server License Servers [S-1-5-32-561]
 Ace[8]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  40 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000100
   ACTRL_DS_CONTROL_ACCESS
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Change Password - ab721a53-1e2f-11d0-9819-00aa0040529b
  Object Ace Sid:   Everyone [S-1-1-0]
 Ace[9]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Size:  40 bytes
  Ace Flags: 0x0
  Object Ace Mask:  0x00000100
   ACTRL_DS_CONTROL_ACCESS
  Object Ace Flags: 0x1
   ACE_OBJECT_TYPE_PRESENT
  Object Ace Type:  Change Password - ab721a53-1e2f-11d0-9819-00aa0040529b
  Object Ace Sid:   NT AUTHORITY\SELF [S-1-5-10]

 ... 
 Ace[50]
  Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
  Ace Size:  36 bytes
  Ace Flags: 0x12
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
  Ace Mask:  0x000f01ff
   DELETE
   READ_CONTROL
   WRITE_DAC
   WRITE_OWNER
   ACTRL_DS_CREATE_CHILD
   ACTRL_DS_DELETE_CHILD
   ACTRL_DS_LIST
   ACTRL_DS_SELF
   ACTRL_DS_READ_PROP
   ACTRL_DS_WRITE_PROP
   ACTRL_DS_DELETE_TREE
   ACTRL_DS_LIST_OBJECT
   ACTRL_DS_CONTROL_ACCESS
  Ace Sid:   ROOT\Enterprise Admins [S-1-5-21-393905754-1721216372-3318422012-519]
 Ace[51]
  Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
  Ace Size:  24 bytes
  Ace Flags: 0x12
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
  Ace Mask:  0x00000004
   ACTRL_DS_LIST
  Ace Sid:   BUILTIN\Pre-Windows 2000 Compatible Access [S-1-5-32-554]
 Ace[52]
  Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
  Ace Size:  24 bytes
  Ace Flags: 0x12
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
  Ace Mask:  0x000f01bd
   DELETE
   READ_CONTROL
   WRITE_DAC
   WRITE_OWNER
   ACTRL_DS_CREATE_CHILD
   ACTRL_DS_LIST
   ACTRL_DS_SELF
   ACTRL_DS_READ_PROP
   ACTRL_DS_WRITE_PROP
   ACTRL_DS_LIST_OBJECT
   ACTRL_DS_CONTROL_ACCESS
  Ace Sid:   BUILTIN\Administrators [S-1-5-32-544]
SACL:
 Revision      4
 Size:         252 bytes
 # Aces:       5
 Ace[0]
  Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x92
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
   FAILED_ACCESS_ACE_FLAG
  Object Ace Mask:  0x00000100
   ACTRL_DS_CONTROL_ACCESS
  Object Ace Flags: 0x3
   ACE_OBJECT_TYPE_PRESENT
   ACE_INHERITED_OBJECT_TYPE_PRESENT
  Object Ace Type:  Reset Password - 00299570-246d-11d0-a768-00aa006e0529
  Inherited object type: user - bf967aba-0de6-11d0-a285-00aa003049e2
  Object Ace Sid:   Everyone [S-1-1-0]
 Ace[1]
  Ace Type:  0x2 - SYSTEM_AUDIT_ACE_TYPE
  Ace Size:  20 bytes
  Ace Flags: 0x52
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
   SUCCESSFUL_ACCESS_ACE_FLAG
  Ace Mask:  0x00050000
   DELETE
   WRITE_DAC
  Ace Sid:   Everyone [S-1-1-0]
 Ace[2]
  Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x52
   CONTAINER_INHERIT_ACE
   INHERITED_ACE
   SUCCESSFUL_ACCESS_ACE_FLAG
  Object Ace Mask:  0x00000100
   ACTRL_DS_CONTROL_ACCESS
  Object Ace Flags: 0x3
   ACE_OBJECT_TYPE_PRESENT
   ACE_INHERITED_OBJECT_TYPE_PRESENT
  Object Ace Type:  Reset Password - 00299570-246d-11d0-a768-00aa006e0529
  Inherited object type: user - bf967aba-0de6-11d0-a285-00aa003049e2
  Object Ace Sid:   Everyone [S-1-1-0]
 Ace[3]
  Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x5a
   CONTAINER_INHERIT_ACE
   INHERIT_ONLY_ACE
   INHERITED_ACE
   SUCCESSFUL_ACCESS_ACE_FLAG
  Object Ace Mask:  0x00000020
   ACTRL_DS_WRITE_PROP
  Object Ace Flags: 0x3
   ACE_OBJECT_TYPE_PRESENT
   ACE_INHERITED_OBJECT_TYPE_PRESENT
  Object Ace Type:  gPLink - f30e3bbe-9ff0-11d1-b603-0000f80367c1
  Inherited object type: organizationalUnit - bf967aa5-0de6-11d0-a285-00aa003049e2
  Object Ace Sid:   Everyone [S-1-1-0]
 Ace[4]
  Ace Type:  0x7 - SYSTEM_AUDIT_OBJECT_ACE_TYPE
  Ace Size:  56 bytes
  Ace Flags: 0x5a
   CONTAINER_INHERIT_ACE
   INHERIT_ONLY_ACE
   INHERITED_ACE
   SUCCESSFUL_ACCESS_ACE_FLAG
  Object Ace Mask:  0x00000020
   ACTRL_DS_WRITE_PROP
  Object Ace Flags: 0x3
   ACE_OBJECT_TYPE_PRESENT
   ACE_INHERITED_OBJECT_TYPE_PRESENT
  Object Ace Type:  gPOptions - f30e3bbf-9ff0-11d1-b603-0000f80367c1
  Inherited object type: organizationalUnit - bf967aa5-0de6-11d0-a285-00aa003049e2
  Object Ace Sid:   Everyone [S-1-1-0]
Security for "CN=Satya Nadella,OU=IT Admin Accounts,OU=IT,OU=Newport Beach,OU=USA,OU=Americas,OU=Corp,DC=root,DC=local"
-----------
 
Helpful Tip - If you need to dump/export Active Directory ACLs, or easily and quickly analyze them, the easiest and fastest way to do so is by using this AD acldump tool.

In this manner you can view and analyze Active Directory security descriptors using LDP.exe.
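The text dump is the form you'll want when an object has dozens of ACEs, as above, because you can save it and analyze it offline. As an added example (my own Python, not part of LDP or of the original post), here's a script that decodes the hex values LDP prints (SD Control, Ace Flags, Ace Mask) into the same flag and right names the dump shows, parses the DACL portion of a dump into one record per ACE, and then lists the trustees that hold broad control over the object: an allow ACE that is effective on the object itself (not inherit-only) and grants WRITE_DAC, WRITE_OWNER, WRITE_PROP or CONTROL_ACCESS without being narrowed to a single property, property set or extended right. The sample is a constructed, cut-down DACL in the shape of the dump above (three of its ACEs, with the per-bit name lines omitted); the bit values are the standard Windows SECURITY_DESCRIPTOR_CONTROL, ACE flag and ADS_RIGHTS_ENUM constants.

```python
import re
from typing import Dict, List

# Bit tables in the order LDP prints the names, so decoded lists read like the dump.
SD_CONTROL = [
    (0x0004, "SE_DACL_PRESENT"), (0x0010, "SE_SACL_PRESENT"),
    (0x0400, "SE_DACL_AUTO_INHERITED"), (0x0800, "SE_SACL_AUTO_INHERITED"),
    (0x1000, "SE_DACL_PROTECTED"), (0x2000, "SE_SACL_PROTECTED"),
    (0x8000, "SE_SELF_RELATIVE"),
]
ACE_FLAGS = [
    (0x01, "OBJECT_INHERIT_ACE"), (0x02, "CONTAINER_INHERIT_ACE"),
    (0x04, "NO_PROPAGATE_INHERIT_ACE"), (0x08, "INHERIT_ONLY_ACE"),
    (0x10, "INHERITED_ACE"), (0x40, "SUCCESSFUL_ACCESS_ACE_FLAG"),
    (0x80, "FAILED_ACCESS_ACE_FLAG"),
]
ACCESS_MASK = [
    (0x00010000, "DELETE"), (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"), (0x00080000, "WRITE_OWNER"),
    (0x00000001, "ACTRL_DS_CREATE_CHILD"), (0x00000002, "ACTRL_DS_DELETE_CHILD"),
    (0x00000004, "ACTRL_DS_LIST"), (0x00000008, "ACTRL_DS_SELF"),
    (0x00000010, "ACTRL_DS_READ_PROP"), (0x00000020, "ACTRL_DS_WRITE_PROP"),
    (0x00000040, "ACTRL_DS_DELETE_TREE"), (0x00000080, "ACTRL_DS_LIST_OBJECT"),
    (0x00000100, "ACTRL_DS_CONTROL_ACCESS"),
]
# Rights that let a trustee change the object's security or any attribute at all
# when the ACE is not narrowed to one property, property set or extended right.
BROAD_RIGHTS = {"WRITE_DAC", "WRITE_OWNER", "ACTRL_DS_WRITE_PROP", "ACTRL_DS_CONTROL_ACCESS"}


def decode_bits(value: int, table) -> List[str]:
    return [name for bit, name in table if value & bit]


# Constructed sample: three ACEs from the dump above, per-bit name lines omitted.
SD_DUMP = """\
SD Control:  0x8c14
Owner: ROOT\\Domain Admins [S-1-5-21-393905754-1721216372-3318422012-512]
DACL:
 # Aces:       3
 Ace[0]
  Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
  Ace Flags: 0x0
  Object Ace Mask:  0x00000100
  Object Ace Type:  Change Password - ab721a53-1e2f-11d0-9819-00aa0040529b
  Object Ace Sid:   Everyone [S-1-1-0]
 Ace[1]
  Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
  Ace Flags: 0x12
  Ace Mask:  0x000f01ff
  Ace Sid:   ROOT\\Enterprise Admins [S-1-5-21-393905754-1721216372-3318422012-519]
 Ace[2]
  Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
  Ace Flags: 0x12
  Ace Mask:  0x00000004
  Ace Sid:   BUILTIN\\Pre-Windows 2000 Compatible Access [S-1-5-32-554]
SACL:
 # Aces:       0
"""

ACE_HEADER = re.compile(r"^\s*Ace\[\d+\]")
ACE_FIELD = re.compile(
    r"^\s*(Ace Type|Ace Flags|(?:Object )?Ace Mask|Object Ace Type|(?:Object )?Ace Sid):\s*(.*)$")


def parse_dacl(dump: str) -> List[Dict]:
    """Collect the DACL's ACEs from an LDP text dump, with masks and flags decoded."""
    aces: List[Dict] = []
    current, in_dacl = None, False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped.startswith("DACL:") or stripped.startswith("SACL:"):
            in_dacl = stripped.startswith("DACL:")
            continue
        if not in_dacl:
            continue
        if ACE_HEADER.match(line):
            current = {}
            aces.append(current)
            continue
        m = ACE_FIELD.match(line)
        if m is None or current is None:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Ace Type":
            current["type"] = val.split(" - ", 1)[1]
        elif key == "Ace Flags":
            current["flags"] = decode_bits(int(val, 16), ACE_FLAGS)
        elif key.endswith("Ace Mask"):
            current["rights"] = decode_bits(int(val, 16), ACCESS_MASK)
        elif key == "Object Ace Type":
            current["object_type"] = val.split(" - ", 1)[0]  # e.g. "Change Password"
        else:  # "Ace Sid" / "Object Ace Sid": DOMAIN\\Name [S-1-...]
            trustee, sid = val.rsplit("[", 1)
            current["trustee"], current["sid"] = trustee.strip(), sid.rstrip("]")
    return aces


def broad_control_holders(aces: List[Dict]) -> Dict[str, List[str]]:
    """Trustees holding an allow ACE, effective on this object, that grants one of
    BROAD_RIGHTS without being scoped to a single property or extended right."""
    holders: Dict[str, List[str]] = {}
    for ace in aces:
        if not ace.get("type", "").startswith("ACCESS_ALLOWED"):
            continue
        if "INHERIT_ONLY_ACE" in ace.get("flags", []):
            continue  # placeholder for children; grants nothing on this object
        if "object_type" in ace:
            continue  # narrowed to one property/right, e.g. Change Password
        granted = [r for r in ace.get("rights", []) if r in BROAD_RIGHTS]
        if granted:
            holders.setdefault(ace["trustee"], []).extend(granted)
    return holders


if __name__ == "__main__":
    print("SD control:", decode_bits(0x8C14, SD_CONTROL))
    for trustee, rights in broad_control_holders(parse_dacl(SD_DUMP)).items():
        print(f"{trustee}: {', '.join(rights)}")
```

On the sample, Everyone's Change Password ACE is correctly left out (it is scoped to one extended right) and Pre-Windows 2000 Compatible Access only has ACTRL_DS_LIST, so Enterprise Admins is the only broad holder reported. Deny ACEs and group nesting are deliberately not modelled; that is the effective-permissions problem the author's pointers refer to.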





9. Some Common LDP.exe Uses

The following snapshots illustrate some common uses of LDP.exe.

1. Viewing the domain root object and its attributes (e.g. lockoutObservationWindow) -
Domain Root Object


2. Enumerating all domain user accounts that have a specific term in their Title (e.g. *Cloud*) -
All domain user accounts with the word Cloud in their title
Tip - If you need to generate reports such as a list of all active, stale, expired, locked, executive or administrative user accounts in a domain/OU etc., or export this data to a CSV file, or generate a PDF report, the easiest way to do so is by using this AD audit tool.


3. Viewing the AdminSDHolder object and the NT Security Descriptor protecting it - 
The AdminSDHolder object
Tip - If you need to find out who has what effective permissions/access on any object in Active Directory (e.g. administrative accounts, groups etc.), the only way to accurately do so is by using this Active Directory Effective Permissions Calculator.
 

4. Viewing the Domain Controllers OU and its NT Security Descriptor -
ACL on the Domain Controllers OU
Tip - If you need to find out exactly who can control and manage the security on the Domain Controllers OU, or change the Group Policies (GPOs) linked to it, this tool can help you do so, instantly and accurately.


5. Viewing the Schema partition and its contents -
Schema Partition Root Object
Tip - If you need to know exactly who can modify an existing class or attribute definition in your Active Directory Schema, or extend your Schema, this tool can help you find this out, instantly and accurately.


6. Viewing the Configuration partition and its contents -
Configuration Partition Root Object
Tip - If you need to know exactly who can modify critical content in your Configuration partition, such as creating, modifying or deleting Sites, Subnets, Sitelinks, IP Transports, NTDS Settings objects, Query Policies etc., this tool can help you find this out, instantly and accurately.


7. Viewing Replication Metadata on an object -
Replication Metadata


8. Looking up Security Identifiers (SIDs) using the SID Lookup capability -
Looking up Account SIDS using LDP.exe

Tip - If you need to look up account SIDs, or find Active Directory domain user accounts, computer accounts or security groups based on criteria such as their name, title, operating system, manager etc., one of the easiest ways to do so is by using the inbuilt object search utility of this free Active Directory audit tool.


9. Requesting the ACLs on all domain user accounts -
NT Security Descriptor on multiple Active Directory objects
Tip - If you need to dump the ACLs of multiple Active Directory objects (e.g. all objects in domain, all admin users, all executives, all security groups etc.) into a CSV file, the easiest way to do so is by using this tool.


10. Enumerating all security principals that belong to a specific group, such as the IT Team security group -
Retrieving all security principals that belong to a specific group

Tip - Although LDP can enumerate direct group memberships, it is unable to enumerate and display the complete, flattened-out membership of a specific group, or the list of all groups to which a user belongs. If you need to fulfill either of these needs, here is the easiest way to do so.

In this manner, LDP.exe can be used to query Active Directory content and analyze various operational and security aspects.




10. Some Helpful Tips When Using LDP.exe

Here are some helpful tips when using LDP.exe -
  1. You can clear the contents of the right pane by using Ctrl-N.
  2. You can copy contents from the right pane by right-clicking and using Select All, then Copy.
  3. You can export the data from the right pane by using the Save-As option.
  4. You can increase the buffer size for the number of rows displayed in the right pane by modifying the value for the Number of Lines setting in the Buffer Size section of General Options. The default value is 512.
LDP.exe General Options
 
In general, as you gain familiarity with the tool, you'll likely discover similar helpful tips.




10 Helpful Time and Effort Saving Pointers

If you've read this far, you're likely an IT professional focused on Active Directory or Cyber Security. If so, not only is your time valuable, you know that high-value cyber security insight into your Active Directory is paramount to your organization's security.


You may also likely know not just the benefits of LDP, but also its limits. Specifically, while there's much you can do with it, there's also a lot you cannot do with it. For instance, many of the needs listed below cannot be fulfilled with LDP.exe or most tooling.

If you value your time, you'll find the following pointers helpful, because they're the quickest and easiest ways to accomplish and fulfill a variety of Active Directory focused search, privileged access/user audit and cyber security analysis needs -


1. How to instantly perform an Active Directory security audit
2. How to instantly enumerate Active Directory group memberships
3. How to instantly find out what security groups a user belongs to
4. How to instantly view the list of SIDs in another user's account (i.e. whoami for another user)
5. How to instantly identify users with large token sizes (i.e. tokensz for another user)
6. How to instantly view/analyze Active Directory ACLs  (i.e. like dsacls, 10x better)
7. How to instantly dump Active Directory ACLs/permissions
8. How to instantly analyze Active Directory permissions
9. How to instantly determine effective permissions on Active Directory objects
10. How to instantly audit delegations / privileged user access in Active Directory


The first time I used LDP.exe was about 16 years ago. If you've spent even 1/10th of the time I've spent on Active Directory security, I think you'll find these pointers could help you and your organization save 1000s of hours of valuable time.

I hope you've found this little intro to LDP to be useful and I wish you all the best as you proceed to look under the hood and increase your knowledge in the vast subject that is Microsoft Active Directory.

Best wishes,
Sanjay
