Jaa


Identifying Attributes That Are Members of the Partial Attribute Set in Active Directory

In my earlier post, I showed how to add an attribute to the Partial Attribute Set in Active Directory.  But how can you tell which attributes are already part of the Partial Attribute Set in the first place?  You can certainly check each one manually, but that will take forever.  Is there any other way that's more convenient?

In fact, let me show you two ways to do it that will make life a great deal easier.

USING LDP

The LDP utility is a graphical LDAP tool for use with Active Directory that allows you to perform very granular searches against your full directory structure.  It was first made available in the Windows 2000 Support Tools, but is included with Windows 2008 and is available if you have Active Directory Domain Services installed as a role on your server.

To use LDP to list the attributes in your Schema that belong to the Partial Attribute Set, take the following steps:

  1. Open the LDP utility by going to Start and entering LDP in the initial search window.
  2. Connect to a Domain Controller by selecting Connection and choosing Connect...
  3. In the Server field, type the fully qualified domain name of your Domain Controller.
  4. In the Port field, enter 389 (we are doing an LDAP query, not a Global Catalog query)

At this point, your information should be similar to the following:

Once you select OK, you will see the RootDSE information on the right-hand screen.  This information contains the top-level information about your directory and can be useful in understanding the basics of your directory structure.

At this point, you've connected, but you still need to authenticate to Active Directory, so you'll do an LDAP Bind.

  1. Select Connection again in the menu bar and choose Bind...
  2. Choose how you want to bind to Active Directory.  If you want to use alternate credentials, select Bind with credentials and you'll be asked to input the specific credentials in the fields above.
  3. Once you have decided how you want to bind to the directory, select OK and you'll see a statement on the right-hand side similar to the following statement:

If you get any other type of message, you likely have not used the right credentials and will need to get that resolved.

At this point, you have connected to your DC and have successfully completed an LDAP bind to authenticate against the directory.  Now it's time to do what we came for.

To use LDP to find out which attributes belong to the Partial Attribute Set, take the following steps:

  1. Go to Browse in the menu bar and select Search (Ctrl+S)
  2. In the resulting Search window, enter the top of your search tree (where your search will begin) in the Base DN field.  This will take the form of: CN=Schema,CN=Configuration,DC=<domain component>,DC=com
  3. Enter your query into the Filter field as follows: (&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))
  4. In the Scope, select Subtree and in Attributes select whichever attributes you wish to be displayed (if you want only the name of the attribute displayed in your list, enter 'name').
  5. If you want to increase the default page size, you can select Options and enter 9999 in the Page size field of the resulting Search options window.
  6. Select Run to execute your query.

An example of how this might look is shown below:

When your query runs, every object that is part of the Partial Attribute Set (which has its attribute of isMemberOfPartialAttributeSet set to TRUE) will be displayed.  Which attributes of each of these (yes, an attribute of an attribute!) are displayed will be based on which ones you entered in the Search window.

USING LDIFDE

If you'd prefer to work from the command line, you can also use the LDIFDE tool to query Active Directory for this information.  The actual content of the query is largely the same as outlined above, though you'll need to know how to get LDIFDE (in the long run, however, knowing LDIFDE will save you loads of time as an AD Administrator, so I highly recommend it).

If you're going to query Active Directory via LDIFDE, open a command prompt (you'll once again need to make sure you are using elevated credentials) and type the following:

LDIFDE -s <fully qualified server name> -d <Base DN> -r <search criteria> -l <list of attributes to export> -f <file name where the query will be written>

On my server, the command looks as follows:

Either way that you choose, you'll find that both LDP and LDIFDE have numerous uses in your day-to-day work as an Active Directory Administrator.  This is just one example of how valuable these tools can provide, but all of us would be very wise to familiarize ourselves with both of these tools if we're to optimize our efforts to support an Active Directory infrastructure.

Comments

  • Anonymous
    November 16, 2014
    I have been running into this issue a couple of times. You have a forest with multiple domains and you