LDAP Search Clients

Several clients that are available with Windows 2000 Server provide varying degrees of sophistication for searching Active Directory.

Administrative Clients

Administrative clients such as the Active Directory Users and Computers MMC snap-in provide search and filter options when certain objects are selected. In addition, when you open Network Places, Entire Network, or Directory, the Find option that is available provides the same search capabilities as the Find option in Active Directory Users and Computers.

Using the Filter Options Command in Active Directory Users and Computers

In Active Directory Users and Computers, you can use filter options to define the information that you want to view. When you apply a filter, only the objects you specify in the filter are displayed in the filtered container. The default filtering option displays all types of objects (that is, no filter is applied). However, it is possible to select only certain types of objects to be displayed, such as users, groups, contacts, and so on. Also, you can customize the kind of information that is displayed within each object type by selecting fields and specifying a condition and value, or by entering an LDAP query. The filter remains in effect until you remove it. It is not displaced or overridden by any other filter.

Active Directory Users and Computers provides options for filtering that do not require you to create an LDAP query. (For more information about using standard filter options, see Windows 2000 Server Help.)

However, if the options in the standard filter user interface do not meet your needs, you can use advanced (customized) filter options to write an LDAP query that does. For example, the standard filter user interface allows you to select "users" as the objects to filter, but it does not provide the ability to specify all possible attributes for a user. For example, if you want to display only the user accounts that were created after a specific date, you can use an LDAP filter to retrieve only these users by using the whenCreated attribute value in an LDAP filter.

To use Filter Options to apply a filter to a container by using an LDAP query

  1. In Active Directory Users and Computers, in the console tree pane, click the container for which you want to filter objects.

  2. On the View menu, click Filter Options.

  3. In the Filter Options dialog box, click Create custom filter, and then click Customize.

  4. Click the Advanced tab.

  5. In the Enter LDAP query box, type an LDAP query string, for example:
    (&(objectCategory=user)(whenCreated>=991122000000Z))


    The time format YYMMDDHHMMSSZ must be used to represent the two-digit year (YY), month (MM), day (DD), hour (HH), minutes (MM), and seconds (SS) and must end with an uppercase "Z". You can use zeros to fill in the time elements if you are not interested in the time of creation.

  6. Click OK twice. Double-click the container to view the filtered objects.

A filter remains in place until you remove it. You can remove a filter in Active Directory Users and Computers by clicking the Filter icon on the toolbar and then, in the Filter Options dialog box, clicking Show all types of objects.

Using the Find Command in Active Directory Users and Computers

You also can use an LDAP query to search a container without applying a filter to the container. To create an LDAP query to display only specific objects in a container, use the Find option on the container shortcut menu, as described in the following procedure.

To use Find to search a container by using an LDAP query

  1. In Active Directory Users and Computers, right-click the container you want to search, and then click Find.

  2. In the Find box, click Custom search, and then click the Advanced tab.

  3. In the Enter LDAP query box, type an LDAP query string, for example:

  4. Click Find Now to display the search results.


In advanced filters, you can use matching rules to implement search flags if you know the correct LDAP control object identifier (also known as an "OID") value to use and how to compute the value. For example, you can search on the userAccountControl attribute to specify users who have disabled accounts, or you can search on the groupType attribute to find all the Global groups in a search base. For more information about using search flags and matching rules, see the Microsoft Platform SDK link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.
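The whenCreated filter from the Filter Options procedure earlier and the userAccountControl and groupType matching-rule searches this paragraph mentions, built and evaluated in Python. This is an added example, not code from the Resource Kit or from any Windows tool. The matching-rule OIDs (1.2.840.113556.1.4.803 for bitwise AND, 1.2.840.113556.1.4.804 for bitwise OR) and the flag bits are Microsoft's documented constants; the sample entries are constructed; and the timestamp is written in the four-digit-year GeneralizedTime form, which is assumed here to be accepted alongside the two-digit YYMMDDHHMMSSZ form the dialog documents.

```python
"""Build and locally evaluate the kinds of LDAP filters described above.

Added example; not code from the Windows 2000 Resource Kit or any Windows tool.
The matching-rule OIDs and flag bits are Microsoft's documented constants; the
entries at the bottom are constructed sample data, not directory output.
"""
from datetime import datetime, timezone

# Microsoft extensible matching rules for bitwise tests in LDAP filters.
BIT_AND = "1.2.840.113556.1.4.803"   # matches when every bit in the value is set
BIT_OR = "1.2.840.113556.1.4.804"    # matches when any bit in the value is set

ADS_UF_ACCOUNTDISABLE = 0x0002            # userAccountControl: account disabled
GROUP_TYPE_GLOBAL = 0x00000002            # groupType: global scope
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # groupType: security (not distribution) group

# Constructed example date (the dialog above uses 991122000000Z for the same day).
EXAMPLE_SINCE = datetime(1999, 11, 22, tzinfo=timezone.utc)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so text taken from a user
    (a name typed into a search box) cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def generalized_time(when: datetime) -> str:
    """Render a datetime as the GeneralizedTime form YYYYMMDDHHMMSS.0Z.
    Assumption: the directory accepts this four-digit-year form as well as the
    shorter YYMMDDHHMMSSZ form shown in the Filter Options procedure."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def created_after_filter(category: str, since: datetime) -> str:
    """Objects of one category created at or after 'since'."""
    return "(&(objectCategory=%s)(whenCreated>=%s))" % (
        escape_filter_value(category), generalized_time(since))


def bit_filter(attribute: str, rule_oid: str, bits: int) -> str:
    """Extensible-match clause, e.g. (userAccountControl:1.2.840.113556.1.4.803:=2)."""
    return "(%s:%s:=%d)" % (attribute, rule_oid, bits)


def disabled_users_filter() -> str:
    return "(&(objectCategory=person)(objectClass=user)%s)" % bit_filter(
        "userAccountControl", BIT_AND, ADS_UF_ACCOUNTDISABLE)


def global_security_groups_filter() -> str:
    return "(&(objectCategory=group)%s%s)" % (
        bit_filter("groupType", BIT_AND, GROUP_TYPE_GLOBAL),
        bit_filter("groupType", BIT_AND, GROUP_TYPE_SECURITY_ENABLED))


def bit_rule_matches(stored: int, rule_oid: str, bits: int) -> bool:
    """Evaluate one bitwise matching rule the way the server does. groupType is
    stored as a signed 32-bit integer, so compare on the unsigned bit pattern."""
    pattern = stored & 0xFFFFFFFF
    if rule_oid == BIT_AND:
        return (pattern & bits) == bits
    if rule_oid == BIT_OR:
        return (pattern & bits) != 0
    raise ValueError("unsupported matching rule " + rule_oid)


# Constructed sample entries (not real directory data).
SAMPLE_USERS = [
    {"cn": "alice", "userAccountControl": 0x200},                       # normal, enabled
    {"cn": "bob", "userAccountControl": 0x200 | 0x2},                   # disabled
    {"cn": "svc-backup", "userAccountControl": 0x200 | 0x2 | 0x10000},  # disabled, pw never expires
]
SAMPLE_GROUPS = [
    {"cn": "Domain Admins", "groupType": -2147483646},  # 0x80000002: global security
    {"cn": "Sales-DL", "groupType": 0x2},               # 0x00000002: global distribution
    {"cn": "Helpdesk", "groupType": -2147483644},       # 0x80000004: domain local security
]


def disabled_user_names(users=SAMPLE_USERS):
    return [u["cn"] for u in users
            if bit_rule_matches(u["userAccountControl"], BIT_AND, ADS_UF_ACCOUNTDISABLE)]


def global_security_group_names(groups=SAMPLE_GROUPS):
    return [g["cn"] for g in groups
            if bit_rule_matches(g["groupType"], BIT_AND, GROUP_TYPE_GLOBAL)
            and bit_rule_matches(g["groupType"], BIT_AND, GROUP_TYPE_SECURITY_ENABLED)]


if __name__ == "__main__":
    print(created_after_filter("user", EXAMPLE_SINCE))
    print(disabled_users_filter(), disabled_user_names())
    print(global_security_groups_filter(), global_security_group_names())
```

The strings the builder functions return are what you would paste into the Enter LDAP query box; the local evaluator only shows why the bitwise rules select the entries they do (the groupType check needs the unsigned view of a value the directory stores as a signed integer). Escaping the assertion value matters whenever the value originates outside the administrator's own typing.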

Windows Address Book

Windows Address Book is a generic LDAP search client that is designed to work with any LDAP server. Address Book is integrated into the Windows 2000, Microsoft® Internet Explorer version 4.0 and later, and Windows 95 and Windows 98 shells to provide the capability to search for people in one or more directory services, including Active Directory. Address Book version 5.0 is included with Windows 2000 and Microsoft® Internet Explorer 5, and provides a set of accounts that are preconfigured to enable easy access to information in several Internet "white pages" directories, such as InfoSpace and VeriSign.

Address Book Access to Active Directory

In Windows 2000, Address Book provides access to Active Directory as follows:

  • It is automatically configured to search the Global Catalog of the forest to which the user is bound when the user selects Search and then Find People on the Start menu.

  • It supports UTF-8 to expose Unicode characters, which enables customers to search for users and resources whose names contain non-ASCII characters. This feature is important in European and Asian countries/regions.

  • By using the property access control lists (ACLs) on an object, it can display an edit box if the user has permissions to modify the property.

  • It provides flexible matching by using support for ambiguous name resolution.

  • It can gain access to properties of objects that are created from extended object classes.

  • It exposes an API for processing LDAP URLs. Address Book is included with Internet Explorer and registers itself as an LDAP URL (ldap://) handler.

  • It supports chasing LDAP referrals (RFC 2251) when the Address Book searches in Active Directory over port 389.
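The ldap:// URL syntax that the handler in the list above processes, parsed into its components. This is an added example in Python, not code from Address Book or Internet Explorer; it follows the RFC 2255 layout ldap://host:port/base_dn?attributes?scope?filter, and the URLs it is exercised with are constructed.

```python
"""Parse LDAP URLs (RFC 2255 layout) into their parts.

Added example; not Address Book or Internet Explorer code. Components that
RFC 2255 makes optional get the defaults the RFC specifies: no host means
'use the client's default server', scope defaults to base, and the filter
defaults to (objectClass=*).
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote


@dataclass
class LdapUrl:
    host: str                    # empty string when the URL names no server
    port: int
    base_dn: str
    attributes: list = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an ldap:// or ldaps:// URL; raise ValueError on anything else."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    default_port = 636 if scheme == "ldaps" else 389
    host = parts.hostname or ""
    port = parts.port or default_port
    base_dn = unquote(parts.path.lstrip("/"))
    # The query is attributes?scope?filter?extensions, each part optional.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attributes = [a for a in unquote(fields[0]).split(",") if a]
    scope = unquote(fields[1]).lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("invalid scope %r" % scope)
    ldap_filter = unquote(fields[2]) or "(objectClass=*)"
    return LdapUrl(host, port, base_dn, attributes, scope, ldap_filter)


if __name__ == "__main__":
    # Constructed URL: Global Catalog port, subtree search for user objects.
    print(parse_ldap_url(
        "ldap://gc.example.test:3268/dc=example,dc=test?cn,mail?sub?(objectCategory=user)"))
    print(parse_ldap_url("ldap:///"))  # no host: the client picks its default server
```

A URL with an empty host and an empty base DN, such as ldap:///, resolves to whatever server and search base the client has configured as its defaults, which is the NULL server name and search base behaviour Address Book relies on for Active Directory. Validating the scheme and scope before handing a URL to any search code keeps malformed or non-LDAP URLs from reaching the directory client.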

By default, a server name and account name of NULL are configured for Address Book. Active Directory dynamically provides the server name that is cached during domain controller location for the server name, and it uses the logon name of the authenticated user as the account name. The Active Directory properties in Address Book show the default settings.

To view Active Directory properties in Address Book

  1. On the Start menu, point to Programs, point to Accessories, and then click Address Book.

  2. On the Tools menu, click Accounts.

  3. Click Active Directory, and then click Properties. The property sheet displays the directory service account settings, as shown in Figure 3.3.


    Figure 3.3 Server Settings in the Active Directory Properties Dialog Box in Address Book

Search Base in Address Book Searches

As an LDAP directory, Active Directory requires an RFC 2247–compliant distinguished name, or search base, to perform an LDAP search. By default, a search base distinguished name of NULL is configured in Address Book. During domain controller location, the Locator caches the DNS name of the found domain controller. When requesting a search of Active Directory, Address Book uses as the search base the cached distinguished name of the domain in which the logon account was authenticated.

The Advanced tab in the Active Directory Properties dialog box displays the settings that determine how Address Book searches are performed, as shown in Figure 3.4.


By default, the port setting identifies the Global Catalog port 3268. Clicking Use Default changes the port to the default LDAP port 389.


Figure 3.4 Advanced Search Settings in the Active Directory Properties Dialog Box in Address Book

Active Directory Availability on Windows 98 and Windows NT 4.0 Clients

Computers that are running Windows 98 or Windows NT 4.0 that have Internet Explorer 5 installed are not able to gain access to Active Directory unless the clients are configured with a server name and search base and, if the server requires an authenticated logon, an account name (for example, domainName\userName). These values must be entered in the General and Advanced tabs to define Active Directory as an LDAP server for Address Book.

For instructions about how to change the Address Book settings, see Address Book Help. For more information about domain controller location, see "Locating Active Directory Servers" earlier in this chapter.

Ldp

Ldp is a tool that you can use to search in Active Directory by using LDAP filters. You also can use Ldp to add, delete, and modify objects in Active Directory and to perform extended LDAP operations by using LDAP controls. To use Ldp, install the Support Tools that are located in the Support\Tools folder on the Windows 2000 Server operating system CD. To install the tools, double-click the Setup icon in that folder. For information about installing and using the Windows 2000 Support Tools and Support Tools Help, see the file Sreadme.doc in the Support\Tools folder of the Windows 2000 operating system CD. You can run the Ldp tool from the Start/Run menu, or from the command line by typing ldp.

For more information about how to use Ldp, see Ldp Help in Microsoft Windows 2000 Resource Kit Tools Help. For more information about using Ldp for directory management and troubleshooting tasks, see "Active Directory Diagnostics, Troubleshooting, and Recovery" in this book.