This article is loosely based on my German blog article from 2024 (here). Almost every AD security assessment, penetration test or architecture conversation ends up containing the recommendation to “switch from unsecured LDAP to LDAPS” for your Active Directory. Working…
Depending on your environment, default well-known containers may have been renamed or, for example, default locations for new users and computers may have been changed using REDIRUSR.EXE and REDIRCMP.EXE. If you need the actual DNs, you have to read the…
If you are using temporary group memberships introduced as a part of the Privileged Access Management optional feature in Server 2016, the tool to AD and query them, as per Microsoft guidance, is the RSAT PowerShell module for Active Directory.…
To get the currently supported LDAP controls, you can query rootDSE: Be aware that, although the client-side controls “bitwise matching (AND + OR)” and “group chaining” will not appear on the list, they are supported nonetheless. OID Control Additional info…
To get the currently supported LDAP capabilities, you can query rootDSE: Currently the following capabilities are supported: OID Capability 1.2.840.113556.1.4.800 LDAP_CAP_ACTIVE_DIRECTORY_OID 1.2.840.113556.1.4.1670 LDAP_CAP_ACTIVE_DIRECTORY_V51_OID 1.2.840.113556.1.4.1791 LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID 1.2.840.113556.1.4.1920 LDAP_CAP_ACTIVE_DIRECTORY_PARTIAL_SECRETS_OID 1.2.840.113556.1.4.1935 LDAP_CAP_ACTIVE_DIRECTORY_V60_OID 1.2.840.113556.1.4.2080 LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID 1.2.840.113556.1.4.2237 LDAP_CAP_ACTIVE_DIRECTORY_W8_OID
This function is handy for resolving dsHeuristics values:
Many aspects of ADs behavior are governed by the dsHeuristics attribute of the Directory Service configuration object: In contrast to the far more elusive “DSA Heuristics” registry value, dsHeuristics is very well documented and is actively used to add new…
Besides dsHeuristics which is stored in the configuration partition, Domain Controllers’ behavior is also governed by the DSA Heuristics value stored in the local registry of each DC. The registry value is not present by default but can be added…