Category LDAP

PowerShell: Getting JIT group memberships

If you are using temporary group memberships, introduced as part of the Privileged Access Management optional feature in Server 2016, the tool to query them in AD, per Microsoft guidance, is the RSAT PowerShell module for Active Directory.…

LDAP Controls in Active Directory

To get the currently supported LDAP controls, you can query rootDSE:

Be aware that, although the client-side controls “bitwise matching (AND + OR)” and “group chaining” will not appear on the list, they are supported nonetheless.

OID    Control    Additional info…

LDAP Capabilities in Active Directory

To get the currently supported LDAP capabilities, you can query rootDSE:

Currently the following capabilities are supported:

OID                        Capability
1.2.840.113556.1.4.800     LDAP_CAP_ACTIVE_DIRECTORY_OID
1.2.840.113556.1.4.1670    LDAP_CAP_ACTIVE_DIRECTORY_V51_OID
1.2.840.113556.1.4.1791    LDAP_CAP_ACTIVE_DIRECTORY_LDAP_INTEG_OID
1.2.840.113556.1.4.1920    LDAP_CAP_ACTIVE_DIRECTORY_PARTIAL_SECRETS_OID
1.2.840.113556.1.4.1935    LDAP_CAP_ACTIVE_DIRECTORY_V60_OID
1.2.840.113556.1.4.2080    LDAP_CAP_ACTIVE_DIRECTORY_V61_R2_OID
1.2.840.113556.1.4.2237    LDAP_CAP_ACTIVE_DIRECTORY_W8_OID