Next to ADFIND.EXE, LDP is the tool I probably use most often when working with Active Directory. It’s an LDAP client that was originally developed for use purely within Microsoft. It can be used for browsing, searching and making changes via the LDAP protocol. Because of its usefulness, Microsoft included LDP in the Support Tools in Windows 2000 and Windows Server 2003. It has now gone mainstream and is included as part of the Windows Server 2008 installation.
Here are some of the improvements I have become aware of in the Windows Server 2008 version of LDP. Note that with the exception of the help documentation, these improvements were first introduced in the versions of LDP that shipped with ADAM in Windows Server 2003 R2 and with the ADAM SP1 download.
Bind as currently logged on user
The long-winded method of getting going with LDP is to Connect and Bind using those options from the Connection menu and fill in all the boxes. With the Windows Server 2000 and 2003 versions of LDP if you simply want to connect and bind to a DC in the domain that you are already logged into then you don’t need to both with all that. You simply select Bind from the Connection menu, leave all the boxes empty and then select OK, as shown below.
That’s it – you are then bound to an in-site DC using your current credentials. There is no need to use the Connect option, unless you need to target a specific DC or port number.
Windows Server 2008 makes this “bind as currently logged on user ” option explicit by a modification to the Bind dialogue options, as shown below.
The behaviour is otherwise the same as the Bind method in earlier versions of LDP.
With LDP you can lookup an object in the directory based on its security identifier (also known as the objectSid attribute). The method for doing this is convoluted and involves specifying the SID value as the search base using a special syntax in the form <SID=<objectSid>>, e.g. <SID=S-1-5-21-2596592837-3109173549-302247358-1116>. For this to work the search scope needs to be set to Base, as shown below.
Windows Server 2008 makes the whole process of SID lookup much easier. You can still use the method shown above, but there is now also a separate SID Lookup option within the Utilities menu. This is much quicker if you simply need to resolve the SID to the friendly name. The screenshot below shows the new feature.
The version of LDP included with Windows Server 2008 delivers the ability to edit object security descriptors (see screenshot below). Previous versions of LDP allowed you to view but not edit DACLs and SACLs.
In earlier versions of LDP help comes in the form of a 13.3MB file by the name of LDP.DOC. While the information in the file is comprehensive and useful, very few people knew of its existence. The documentation for the Windows Server 2008 version of LDP is now fully integrated into Windows Help and Support.
There may well be other improvements within the utility that I am not aware of. If you’re not already familiar with LDP I recommend you take the time get to know it. It seems that Microsoft is committed to maintaining the tool and extending its capabilities.
By the way, all of these improvements were included in ADAM SP1 version of LDP =)
Thanks Pavel. That’s something I should have mentioned and I’ve now updated the article to reflect that.