Learn AD in 15 Minutes a Week: Lightweight Directory Access Protocol Page 4

Using LDAP to Query Active Directory Objects

To search Active Directory for objects, open the Active Directory Users and Computers console, select in the console tree the domain or container you want to search, and click Find.

You can change the Find field by dropping down its selection list and choosing one of the object types offered. If you decide that you no longer want to search the domain you chose but rather the entire directory, change that in the In field.

The global catalog contains a partial replica of the entire Active Directory. A global catalog server stores all of the information about every object in its own domain and a partial subset of the information about every object in every other domain in the tree and forest. Because the global catalog holds an entry for every object, a user can find an object regardless of which domain in the tree or forest contains it. Active Directory automatically builds the contents of the global catalog from the domains that make up the directory.

Below are some of the object types that can be located with Find.

Object Type
Description

User account
Allows a user to log on to Windows 2000. This object also has other optional fields that can be filled in, usually concerning the user (e.g. phone number, email address, etc.).

Contact
This object holds information pertaining to the workplace or organization, as well as other optional fields (e.g. phone number, email address, etc.).

Group
This object is a collection of user accounts, groups, or computers that you can create to simplify administration.

Shared folder
This object is a pointer (think alias or shortcut) to a shared folder on a computer. The actual shared folders and printers exist in the registry of the computer. When a shared folder is published in Active Directory, an object containing a pointer to the shared resource is created.

Shared printer
This object is a pointer (think alias or shortcut) to a shared printer on a computer. You must manually publish a printer hosted on a computer that is not in Active Directory, such as one running Windows 95, 98 or NT. Microsoft Windows 2000 automatically adds printers that you create on domain computers to Active Directory.

Computer
The information about a computer that is a member of the domain.

Domain controllers
This object contains information about a domain controller: its Domain Name System (DNS) name, its legacy alias, the version of the operating system it is running, its location, and the name of the administrator responsible for managing it.

Organizational Unit (OU)
Contains other objects, including other OUs. Used to organize Active Directory objects.

Below are some of the fields and entry values for searching Active Directory.

Search Data
Description of Field

Find
A list of the object types for which you can search. Choosing Custom Search either builds the Lightweight Directory Access Protocol (LDAP) query for you from the parameters you enter or lets you type in your own LDAP query.

In
Sets the focus (scope) of the search: the selected domain or container, or the entire directory.

Browse
Allows you to browse for the search path (container) or parameter to search in.

Advanced
Allows you to define specific search criteria to locate objects. For the ordinary object types, the Advanced tab holds the Field, Condition and Value controls described below. When you choose Custom Search, those same controls appear on the Custom Search tab, organized by object type and common attribute, and the Advanced tab instead lets you type the LDAP query in directly.

Field
Located in the Advanced tab, Field lets you choose the attribute on which to search when defining specific search criteria.

Condition
Located in the Advanced tab, Condition lets you further define the search criteria for the chosen attribute (for example, Starts with or Is (exactly)).

Value
Located in the Advanced tab, Value lets you enter the value for the condition on the field (attribute) you are using to search the directory.

Search Criteria
Located in the Advanced tab, this box lists each search criterion you have defined. To define a search criterion, use the Field list, Condition list and Value box, then click Add. To remove a criterion, select it and click Remove. You can add or remove search criteria to broaden or narrow your search.
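The query that Custom Search assembles from the Field, Condition and Value controls is an ordinary LDAP filter, and the In field decides whether that filter is sent to a single domain partition or to the global catalog described above. The following Python block is an added example written for this page, not code from the original article or from Microsoft. It assumes the six condition names of the Windows 2000 Find dialog, uses objectCategory terms for the object types (a real AD convention, since computer accounts are also of class user), and the domain DN and host name it prints are constructed for illustration. The point a practitioner should take from it is the escaping step: a value typed into the Value box must be escaped before it is spliced into the filter, otherwise a stray "*" or ")" changes what the query matches.

```python
"""Compose an LDAP search the way the Find dialog's Field / Condition / Value
controls do, and pick where the query is sent depending on the In field.

Added example, not code from the original article. Condition names are those
of the Windows 2000 Find dialog; the domain DN and host name used in the demo
at the bottom are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Characters with meaning inside an LDAP filter (RFC 2254). A value typed into
# the Value box is escaped before it is spliced into the filter, so a user
# entering "*" with "Is (exactly)" matches a literal asterisk, not everything.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_value(value: str) -> str:
    """Escape a Value-box string for safe inclusion in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# The object-type term contributed by the Find list. objectCategory is used
# rather than objectClass alone because in AD computer accounts are also of
# class user, so (objectClass=user) would match them too.
OBJECT_TYPES: Dict[str, str] = {
    "Users": "(&(objectCategory=person)(objectClass=user))",
    "Contacts": "(&(objectCategory=person)(objectClass=contact))",
    "Groups": "(objectCategory=group)",
    "Computers": "(objectCategory=computer)",
    "Printers": "(objectCategory=printQueue)",
    "Shared Folders": "(objectCategory=volume)",
    "Organizational Units": "(objectCategory=organizationalUnit)",
}


@dataclass(frozen=True)
class Criterion:
    field: str        # Field list: an attribute name such as cn or mail
    condition: str    # Condition list
    value: str = ""   # Value box; ignored for Present / Not present


def criterion_to_filter(c: Criterion) -> str:
    """One row of the Search Criteria box as a single filter term."""
    v = escape_value(c.value)
    terms = {
        "Starts with": f"({c.field}={v}*)",
        "Ends with": f"({c.field}=*{v})",
        "Is (exactly)": f"({c.field}={v})",
        "Is not": f"(!({c.field}={v}))",
        "Present": f"({c.field}=*)",
        "Not present": f"(!({c.field}=*))",
    }
    try:
        return terms[c.condition]
    except KeyError:
        raise ValueError(f"unknown condition: {c.condition!r}") from None


def build_filter(object_term: str, criteria: List[Criterion]) -> str:
    """AND the object-type term with every row in the Search Criteria box."""
    if not criteria:
        return object_term
    return "(&" + object_term + "".join(criterion_to_filter(c) for c in criteria) + ")"


def search_target(entire_directory: bool, domain_dn: str, dc_host: str) -> dict:
    """Map the In field to a host, port and base DN.

    'Entire Directory' goes to the global catalog on port 3268 with an empty
    base DN, which searches the partial replica of every domain in the forest
    (only attributes in the partial attribute set are returned). A single
    domain goes to the domain controller's own partition on port 389.
    """
    if entire_directory:
        return {"host": dc_host, "port": 3268, "base": ""}
    return {"host": dc_host, "port": 389, "base": domain_dn}


if __name__ == "__main__":
    # Constructed illustration: users whose name starts with "Jas" that have a
    # mail attribute, searched across the whole forest via the global catalog.
    rows = [Criterion("cn", "Starts with", "Jas"), Criterion("mail", "Present")]
    print(build_filter(OBJECT_TYPES["Users"], rows))
    print(search_target(True, "DC=corp,DC=example", "dc1.corp.example"))
```

The filter and target the block produces can be pasted into LDP.EXE (or any LDAP client) as the search filter, base DN and port. Searching the global catalog on 3268 is the right choice when you do not know which domain holds the object, but remember that attributes outside the partial attribute set are only available from a domain controller of the owning domain on port 389.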


Using LDP.EXE to Perform Active Directory Searches

The Windows 2000 Resource Kit includes the LDP.EXE utility, a GUI-based tool for performing LDAP searches. It also lets administrators query data that is not otherwise visible through the administrative tools, such as objects stored in Active Directory together with their metadata, security descriptors and replication metadata. LDP.EXE is found in the Support Tools kit under \support\tools.

In-depth information on this tool and its use can be found in the Microsoft Knowledge Base article Using Ldp.exe to Find Data in the Active Directory (Q224543).


Well, that wraps up this section of Lightweight Directory Access Protocol (LDAP). I hope you found it informative and will return for the next installment of Learn Active Directory Design and Administration in 15 Minutes a Week.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write good, solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until then, best of luck in your studies.

Jason Zandri


This article was originally published on Jun 6, 2002