101
Chapter 4. Searching and Manipulating
Objects
Introduction
Recipe 4.1. Viewing the RootDSE

Recipe 4.2. Viewing the Attributes of an Object
Recipe 4.3. Using LDAP Controls
Recipe 4.4. Using a Fast or Concurrent Bind
Recipe 4.5. Searching for Objects in a Domain
Recipe 4.6. Searching the Global Catalog
Recipe 4.7. Searching for a Large Number of Objects
Recipe 4.8. Searching with an Attribute-Scoped Query
Recipe 4.9. Searching with a Bitwise Filter
Recipe 4.10. Creating an Object
Recipe 4.11. Modifying an Object
Recipe 4.12. Modifying a Bit-Flag Attribute
Recipe 4.13. Dynamically Linking an Auxiliary Class
Recipe 4.14. Creating a Dynamic Object

Recipe 4.15. Refreshing a Dynamic Object
Recipe 4.16. Modifying the Default TTL Settings for Dynamic Objects
Recipe 4.17. Moving an Object to a Different OU or Container
Recipe 4.18. Moving an Object to a Different Domain
Recipe 4.19. Renaming an Object

102
Recipe 4.20. Deleting an Object
Recipe 4.21. Deleting a Container That Has Child Objects
Recipe 4.22. Viewing the Created and Last Modified Timestamp of an Object

Recipe 4.23. Modifying the Default LDAP Query Policy
Recipe 4.24. Exporting Objects to an LDIF File
Recipe 4.25. Importing Objects Using an LDIF File
Recipe 4.26. Exporting Objects to a CSV File
Recipe 4.27. Importing Objects Using a CSV File
Introduction
Active Directory is based on the Lightweight Directory Access Protocol (LDAP) and supports
the LDAP v3 specification defined in RFC 2251. And while many of the AD tools and interfaces,
such as ADSI, abstract and streamline LDAP operations to make things easier, any good AD
administrator or developer must have a thorough understanding of LDAP to fully utilize Active
Directory. This chapter will cover the some of the basic LDAP-related tasks you may need to do
with Active Directory, along with other items related to searching and manipulating objects in
the directory.
The Anatomy of an Object
The Active Directory schema is composed of a hierarchy of classes. These classes support
inheritance, which enables reuse of existing class definitions. At the top of the inheritance tree is
the top class, from which every class in the schema is derived. Table 4-1 contains a list of some
of the attributes that are available from the top class, and subsequently are defined on every
object that is created in Active Directory.
Table 4-1. Common attributes of objects
Attribute Description
cn
Relative distinguished name (RDN) attribute for most object classes
createTimestamp
Timestamp when the object was created. See Recipe 4.22 for more
information
description
Multivalued attribute that can be used as a generic field for storing a
description of the object


103
Table 4-1. Common attributes of objects
Attribute Description
displayName
Name of the object displayed in administrative interfaces
distinguishedName
Distinguished name of the object
modifyTimestamp
Timestamp when the object was last changed. See Recipe 4.22
for
more information
name
RDN of the object. The value of this attribute will mirror the naming
attribute (e.g., cn, ou, dc)
nTSecurityDescriptor
Security descriptor assigned to the object
objectCategory
Used as a grouping mechanism for objects with a similar purpose
(e.g., Person)
objectClass
List of classes from which the object's class was derived
objectGUID
Globally unique identifier for the object
uSNChanged
Update sequence number (USN) assigned by the local server after the
last change to the object (can include creation)
uSNCreated
USN assigned when the object was created
Recipe 4.1 Viewing the RootDSE
4.1.1 Problem

You want to view attributes of the RootDSE, which can be useful for discovering basic
information about a forest, domain, or domain controller.
4.1.2 Solution
4.1.2.1 Using a graphical user interface
1. Open LDP.
2. From the menu, select Connection Connect.
3. For Server, enter a domain controller, domain name, or leave blank to do a serverless
bind.
4. For Port, enter 389.
5. Click OK.
6. The contents of the RootDSE will be shown in the right pane.
4.1.2.2 Using a command-line interface
> enumprop "LDAP://RootDSE"

104
4.1.2.3 Using VBScript
' This code prints the attributes of the RootDSE
set objRootDSE = GetObject("LDAP://RootDSE")
objRootDSE.GetInfo
for i = 0 to objRootDSE.PropertyCount - 1
set strProp = objRootDSE.Item(i)
WScript.Echo strProp.Name & " "
for each strPropval in strProp.Values
WScript.Echo " " & strPropval.CaseIgnoreString
next
next
4.1.3 Discussion
The RootDSE was originally defined in RFC 2251 as part of the LDAPv3 specification. It is not
part of the Active Directory namespace per se. It is a synthetic object that is maintained
separately by each domain controller.

The RootDSE can be accessed anonymously, and in fact, none of the three solutions used
credentials. In the CLI and VBScript solutions, I used serverless binds against the RootDSE. In
that case, the DC Locator process is used to find a domain controller in the domain you
authenticate against. This can also be accomplished with LDP by not entering a server name
from the Connect dialog box.
The RootDSE is key to writing portable AD-enabled applications. It provides a mechanism to
programmatically determine the distinguished names of the various naming contexts among
other things, which means you do not need to hardcode that information in scripts and programs.
Here is an example from LDP when run against a Windows Server 2003-based domain controller:
ld = ldap_open("dc01", 389);
Established connection to dc01.
Retrieving base DSA information . . .
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
1> currentTime: 05/26/2003 15:29:42 Pacific Standard Time Pacific Daylight
Time;

1>
subschemaSubentry:CN=Aggregate,CN=Schema,CN=Configuration,DC=rallencorp,DC=co
m;

1> dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=rallencorp,DC=com;

5> namingContexts: DC=rallencorp,DC=com;
CN=Configuration,DC=rallencorp,DC=com;
CN=Schema,CN=Configuration,DC=rallencorp,DC=com;
DC=DomainDnsZones,DC=rallencorp,DC=com;

DC=ForestDnsZones,DC=rallencorp,DC=com;


105
1> defaultNamingContext: DC=rallencorp,DC=com;

1> schemaNamingContext: CN=Schema,CN=Configuration,DC=rallencorp,DC=com;

1> configurationNamingContext: CN=Configuration,DC=rallencorp,DC=com;

1> rootDomainNamingContext: DC=rallencorp,DC=com;

21> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801;
1.2.840.113556.
1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417;
1.2.840.113556.1.4.619; 1.2.
840.113556.1.4.841; 1.2.840.113556.1.4.529; 1.2.840.113556.1.4.805;
1.2.840.113556.1.
4.521; 1.2.840.113556.1.4.970; 1.2.840.113556.1.4.1338;
1.2.840.113556.1.4.474; 1.2.
840.113556.1.4.1339; 1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413;
2.16.840.1.
113730.3.4.9; 2.16.840.1.113730.3.4.10; 1.2.840.113556.1.4.1504;
1.2.840.113556.1.4.
1852; 1.2.840.113556.1.4.802;

2> supportedLDAPVersion: 3; 2;

12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer;
InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize;

MaxQueryDuration;
MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange;

1> highestCommittedUSN: 53242;

4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

1> dnsHostName: dc01.rallencorp.com;

1> ldapServiceName: rallencorp.com:dc01$@RALLENCORP.COM;

1> serverName: CN=DC01,CN=Servers,CN=Default-First-Site-
Name,CN=Sites,CN=Configuration,DC=rallencorp,DC=com;

3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670;
1.2.840.
113556.1.4.1791;

1> isSynchronized: TRUE;

1> isGlobalCatalogReady: TRUE;

1> domainFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );

1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );

1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
4.1.3.1 Using VBScript

106

All attributes of the RootDSE were retrieved and displayed. Typically, you will need only a few
of the attributes; in which case, you'll want to use Get or GetEx as in the following example:
strDefaultNC = objRootDSE.Get("defaultNamingContext")
Or if want to get an object based on the distinguished name (DN) of one of the naming contexts,
you can call GetObject using an ADsPath:
set objUser = GetObject("LDAP://cn=administrator,cn=users," & _
objRootDSE.Get("defaultNamingContext") )
4.1.4 See Also
RFC 2251, MS KB 219005 (Windows 2000: LDAPv3 RootDSE), MSDN: IADsPropertyEntry,
MSDN: IADsProperty Value, MSDN: IADs::Get, and MSDN: IADs::GetEx
Recipe 4.2 Viewing the Attributes of an Object
4.2.1 Problem
You want to view one or more attributes of an object.
4.2.2 Solution
4.2.2.1 Using a graphical user interface
1. Open LDP.
2. From the menu, select Connection Connect.
3. For Server, enter the name of a domain controller or domain that contains the object.
4. For Port, enter 389.
5. Click OK.
6. From the menu, select Connection Bind.
7. Enter credentials of a user that can view the object (if necessary).
8. Click OK.
9. From the menu, select View Tree.
10. For BaseDN, type the DN of the object you want to view.
11. For Scope, select Base.
12. Click OK.
4.2.2.2 Using a command-line interface
> dsquery * "<ObjectDN>" -scope base -attr *
For Windows 2000, use this command:

> enumprop "LDAP://<ObjectDN>"
4.2.2.3 Using VBScript

107
' This code prints all attributes for the specified object.
' SCRIPT CONFIGURATION
strObjectDN = "<ObjectDN>" ' e.g. cn=jsmith,cn=users,dc=rallencorp,dc=com
' END CONFIGURATION

DisplayAttributes("LDAP://" & strObjectDN)

Function DisplayAttributes( strObjectADsPath )

set objObject = GetObject(strObjectADsPath)
objObject.GetInfo

'Declare the hash (dictionary), constants and variables
'Values taken from ADSTYPEENUM
set dicADsType = CreateObject("Scripting.Dictionary")
dicADsType.Add 0, "INVALID"
dicADsType.Add 1, "DN_STRING"
dicADsType.Add 2, "CASE_EXACT_STRING"
dicADsType.Add 3, "CASE_IGNORE_STRING"
dicADsType.Add 4, "PRINTABLE_STRING"
dicADsType.Add 5, "NUMERIC_STRING"
dicADsType.Add 6, "BOOLEAN"
dicADsType.Add 7, "INTEGER"
dicADsType.Add 8, "OCTET_STRING"
dicADsType.Add 9, "UTC_TIME"
dicADsType.Add 10, "LARGE_INTEGER"

dicADsType.Add 11, "PROV_SPECIFIC"
dicADsType.Add 12, "OBJECT_CLASS"
dicADsType.Add 13, "CASEIGNORE_LIST"
dicADsType.Add 14, "OCTET_LIST"
dicADsType.Add 15, "PATH"
dicADsType.Add 16, "POSTALADDRESS"
dicADsType.Add 17, "TIMESTAMP"
dicADsType.Add 18, "BACKLINK"
dicADsType.Add 19, "TYPEDNAME"
dicADsType.Add 20, "HOLD"
dicADsType.Add 21, "NETADDRESS"
dicADsType.Add 22, "REPLICAPOINTER"
dicADsType.Add 23, "FAXNUMBER"
dicADsType.Add 24, "EMAIL"
dicADsType.Add 25, "NT_SECURITY_DESCRIPTOR"
dicADsType.Add 26, "UNKNOWN"
dicADsType.Add 27, "DN_WITH_BINARY"
dicADsType.Add 28, "DN_WITH_STRING"

for intIndex = 0 To (objObject.PropertyCount - 1)
set objPropEntry = objObject.Item(intIndex)
for Each objPropValue In objPropEntry.Values
value = ""

if (dicADsType(objPropValue.ADsType) = "DN_STRING") then
value = objPropValue.DNString

elseIf (dicADsType(objPropValue.ADsType) = "CASE_EXACT_STRING") then
value = objPropValue.CaseExactString



108
elseIf (dicADsType(objPropValue.ADsType) = "CASE_IGNORE_STRING")
then
value = objPropValue.CaseIgnoreString

elseIf (dicADsType(objPropValue.ADsType) = "PRINTABLE_STRING") then
value = objPropValue.PrintableString

elseIf (dicADsType(objPropValue.ADsType) = "NUMERIC_STRING") then
value = objPropValue.NumericString

elseIf (dicADsType(objPropValue.ADsType) = "BOOLEAN") then
value = CStr(objPropValue.Boolean)

elseIf (dicADsType(objPropValue.ADsType) = "INTEGER") then
value = objPropValue.Integer

elseIf (dicADsType(objPropValue.ADsType) = "LARGE_INTEGER") then
set objLargeInt = objPropValue.LargeInteger
value = objLargeInt.HighPart * 2^32 + objLargeInt.LowPart

elseIf (dicADsType(objPropValue.ADsType) = "UTC_TIME") then
value = objPropValue.UTCTime

else
value = "<" & dicADsType.Item(objPropEntry.ADsType) & ">"

end if
WScript.Echo objPropEntry.Name & " : " & value

next
next
End Function
4.2.3 Discussion
Objects in Active Directory are made up of a collection of attributes. Attributes can be single- or
multivalued. Each attribute also has an associated syntax that is defined in the schema. See
Recipe 10.7 for a complete list of syntaxes.
4.2.3.1 Using a graphical user interface
You can customize the list of attributes returned from a search with LDP by modifying the
Attributes: field under Options Search. To include all attributes enter *. For a subset enter a
semicolon-separated list of attributes.
4.2.3.2 Using a command-line interface
The -
attr option for the dsquery command accepts a whitespace-separated list of attributes to
display. Using a
* will return all attributes.
For the
enumprop command, you can use the /ATTR option and a comma-separated list of
attributes to return. In the following example, only the name and whenCreated attributes would
be returned:

109
> enumprop /ATTR:name,whenCreated "LDAP://<ObjectDN>"
4.2.3.3 Using VBScript
The DisplayAttributes function prints the attributes that contain values for the object passed
in. After using GetObject to bind to the object, I used the IADs::GetInfo method to populate
the local property cache with all of the object's attributes from AD. In order to print each value of
a property, I have to know its type or syntax. The ADsType method returns an integer from the
ADSTYPEENUM enumeration that corresponds with a particular syntax (e.g., boolean). Based on the
syntax, I call a specific method (e.g., Boolean) that can properly print the value. If I didn't

incorporate this logic and tried to print all values using the CaseIgnoreString method for
example, an error would get generated when the script encountered an octet string because octet
strings (i.e., binary data) do not have a
CaseIgnoreString representation.
I stored the values from the
ADSTYPEENUM enumeration in key/value pairs in a dictionary object
(i.e., Scripting.Dictionary). In the dictionary object, the key for the dictionary is the
ADSTYPEENUM integer, and the value is a textual version of the syntax. I used the dictionary object
so I could print the textual syntax of each attribute. I iterated over all the properties in the
property cache using IADsPropertyList and IADsPropertyEntry objects, which are
instantiated with the IADsPropertyList::Item method.

The DisplayAttributes function is used throughout the book in examples
where the attributes for a given type of object are displayed.

4.2.4 See Also
Chapter 19, IADs and the Property Cache, from Active Directory, Second Edition, MSDN:
IADsPropertyEntry, MSDN: IADsPropertyList, MSDN: ADSTYPEENUM, and MSDN:
IADs::GetInfo
Recipe 4.3 Using LDAP Controls
4.3.1 Problem
You want to use an LDAP control as part of an LDAP operation.
4.3.2 Solution
4.3.2.1 Using a graphical user interface
1. Open LDP.
2. From the menu, select Options Controls.
3. For the Windows Server 2003 version of LDP, select the control you want to use under
Load Predefined. The control should automatically be added to the list of Active Controls.

110

For the Windows 2000 version of LDP, you'll need to type the object identifier (OID) of
the control under Object Identifier.
4. Enter the value for the control under Value.
5. Select whether the control is server- or client-side under Control Type.
6. Check the box beside Critical if the control is critical.
7. Click the Check-in button.
8. Click OK.
9. At this point, you will need to invoke the LDAP operation (for example, Search) that will
use the control. In the dialog box for any operation, be sure that the "Extended" option is
checked before initiating the operation.
4.3.2.2 Using VBScript
None of the ADSI automation interfaces directly expose LDAP controls. That means they cannot
be utilized from VBScript. On the other hand, many of the controls, such as paged searching or
deleting a subtree, are wrapped within their own ADSI methods that can be used within
VBScript.
Any LDAP-based API, such as the Perl Net::LDAP modules, can be used to set controls as part
of LDAP operations.
4.3.3 Discussion
LDAP controls were defined in the LDAPv3 specification as a way to extend LDAP and its
operations without breaking the protocol. Many controls have been implemented, some of which
are used when searching the directory (e.g., paged searching, VLV, finding deleted objects, and
attribute scoped query), and some are needed to do certain modifications to the directory (e.g.,
cross-domain object moves, tree delete, and permissive modify). Controls can be marked as
critical, which means they must be processed with the request, or an error is returned. If an
unsupported control is not flagged as critical, the server can continue to process the request and
ignore the control.
The complete list of controls supported by Active Directory is included in Table 4-2
.
Table 4-2. LDAP controls supported by Active Directory
Name OID Description

Paged Results 1.2.840.113556.1.4.319
Instructs the server to return search results in
"pages."
Cross Domain
Move
1.2.840.113556.1.4.521 Used to move objects between domains.
DIRSYNC 1.2.840.113556.1.4.841 Used to find objects that have changed over a