Decimal Bit Mask Description 1 0x00000001 When applied to an attribute, the attribute will not be replicated.When applied to a Cross-Ref object, the naming context is in NTDS. 2 0x00000002 When applied to an attribute, the attribute will be replicated…
The searchFlags attribute determines the search behaviour of a schema attribute. Decimal Bit mask Code Description 1 0x00000001 fATTINDEX Create a presence index for the attribute. 2 0x00000002 fPDNTATTINDEX Create an index for the attribute in each container. 4 0x00000004…
This article is loosely based on my German blog article from 2024 (here). Almost every AD security assessment, penetration test or architecture conversation ends up containing the recommendation to “switch from unsecured LDAP to LDAPS” for your Active Directory. Working…
To get the currently supported LDAP controls, you can query rootDSE: Be aware that, although the client-side controls “bitwise matching (AND + OR)” and “group chaining” will not appear on the list, they are supported nonetheless. OID Control Additional info…
To get the currently supported LDAP capabilities, you can query rootDSE: Currently the following capabilities are supported: OID Capability 1.2.840.113556.1.4.800 LDAP_CAP_ACTIVE_DIRECTORY_OID 1.2.840.113556.1.4.1670 LDAP_CAP_ACTIVE_DIRECTORY_V51_OID 1.2.840.113556.1.4.1791 LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID 1.2.840.113556.1.4.1920 LDAP_CAP_ACTIVE_DIRECTORY_PARTIAL_SECRETS_OID 1.2.840.113556.1.4.1935 LDAP_CAP_ACTIVE_DIRECTORY_V60_OID 1.2.840.113556.1.4.2080 LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID 1.2.840.113556.1.4.2237 LDAP_CAP_ACTIVE_DIRECTORY_W8_OID
Many aspects of ADs behavior are governed by the dsHeuristics attribute of the Directory Service configuration object: In contrast to the far more elusive “DSA Heuristics” registry value, dsHeuristics is very well documented and is actively used to add new…