ldap cheatsheet

ldapsearch cheatsheet

SCCM

ldapsearch (objectClass=mSSMSManagementPoint) cn,name,dNSHostName,mSSMSSiteCode,mSSMSMPName 0 ""

Maybe these too, need to experiment

mSSMSSite
mSSMSServerLocatorPoint
mSSMSRoamingBoundaryRange

Domain Controllers

ldapsearch (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

Domain Trusts

ldapsearch (objectClass=trustedDomain)
ldapsearch (objectclass=trusteddomain) flatName,securityIdentifier,msDS-trustForestTrustInfo,trustAttributes,trustDirection,trustPartner,trustType 0 "" DC=sub,DC=domain,DC=com
ldapsearch (objectclass=foreignSecurityPrincipal)

Interdomain trust account

ldapsearch (&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2048)) sAMAccountName,userPrincipalName 0 ""

SID for current domain

ldapsearch (userAccountControl:1.2.840.113556.1.4.803:=8192)
ldapsearch (userAccountControl:1.2.840.113556.1.4.803:=8192) 0 "" dc.gigantichosting.local DC=gigantichosting,DC=local

Domains

ldapsearch (nETBIOSName=*) "" 0 "" CN=Partitions,CN=Configuration,DC=DOMAIN,DC=COM

Users

Specific user

ldapsearch (|(samaccountname=svc_s_example)(samaccountname=gen_s_example)(samaccountname=gen_s_example2))

Users must change password on next logon

ldapsearch (&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

User with description

ldapsearch (&(objectCategory=user)(description=*))

GMSA

ldapsearch (objectCategory=msDS-GroupManagedServiceAccount)

PasswordNotRequired UAC Value

ldapsearch (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) sAMAccountName,cn 0 sub.domain.com "DC=sub,DC=domain,DC=com"
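Several filters on this page use the `1.2.840.113556.1.4.803` bitwise-AND matching rule against `userAccountControl` with the masks 2, 32, 2048 and 8192. The Python below is an added example, not part of the original gist: it decodes those masks and replays the same selection logic over parsed results, which helps when triaging query output. The entries, account names and the `select` helper are constructed for illustration.

```python
from enum import IntFlag

class UAC(IntFlag):
    """userAccountControl bits referenced by the filters on this page."""
    ACCOUNTDISABLE = 0x2                 # 2
    PASSWD_NOTREQD = 0x20                # 32
    NORMAL_ACCOUNT = 0x200               # 512
    INTERDOMAIN_TRUST_ACCOUNT = 0x800    # 2048
    WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096
    SERVER_TRUST_ACCOUNT = 0x2000        # 8192 (domain controllers)
    TRUSTED_FOR_DELEGATION = 0x80000     # 524288

def bit_and_match(value, mask):
    """Rule 1.2.840.113556.1.4.803: true only if every bit in mask is set."""
    return (value & mask) == mask

def decode(value):
    """Names of the known flags set in a userAccountControl value."""
    return [flag.name for flag in UAC if value & flag]

def select(entries, require, forbid=0):
    """Same logic as (&(uac:AND:=require)(!(uac:AND:=forbid))) on parsed entries."""
    return [e["sAMAccountName"] for e in entries
            if bit_and_match(e["userAccountControl"], require)
            and not (forbid and bit_and_match(e["userAccountControl"], forbid))]

# Constructed sample entries (hypothetical names and values).
ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 544},   # 512 + 32
    {"sAMAccountName": "old_temp", "userAccountControl": 546},     # 512 + 32 + 2
    {"sAMAccountName": "DC01$", "userAccountControl": 532480},     # 8192 + 524288
    {"sAMAccountName": "PARTNER$", "userAccountControl": 2080},    # 2048 + 32
]

if __name__ == "__main__":
    for e in ENTRIES:
        print(e["sAMAccountName"], e["userAccountControl"],
              decode(e["userAccountControl"]))
    # Enabled accounts with PASSWD_NOTREQD, as in the filter above.
    print("enabled + PASSWD_NOTREQD:", select(ENTRIES, 32, 2))
    print("domain controllers:", select(ENTRIES, 8192))
    print("interdomain trust accounts:", select(ENTRIES, 2048))
```

In this sample the trust account `PARTNER$` also carries bit 32, so it appears in the PasswordNotRequired result; check hits against the 2048 bit before treating them as user-account findings.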

Computers

All computers

ldapsearch (&(objectClass=Computer)(samaccountname=*))

Computer with description

ldapsearch (&(objectCategory=computer)(description=*))

Computers in specific domain

ldapsearch (&(sAMAccountName=*$)(sAMAccountType=805306369)) 0 "" dc.megabank.local DC=megabank,DC=local

Outdated computers

ldapsearch (&(objectCategory=Computer)(|(operatingSystem=Windows 2000*)(operatingSystem=Windows Vista*)(operatingSystem=Windows XP*)(operatingSystem=Windows 7*)(operatingSystem=Windows 8*)(operatingSystem=Windows Server 200*)(operatingSystem=Windows Server 2012*)))

Delegation

Constrained delegation

ldapsearch (&(objectClass=User)(msDS-AllowedToDelegateTo=*))
ldapsearch (msDS-AllowedToActOnBehalfOfOtherIdentity=*)
ldapsearch (msDS-AllowedToActOnBehalfOfOtherIdentity=*) samaccountname,objectsid,memberOf,msDS-AllowedToActOnBehalfOfOtherIdentity

OUs

ldapsearch (objectCategory=organizationalUnit)

ADIDNS

ldapsearch (objectClass=dnszone) 
ldapsearch (objectClass=dnszone) "" 0 "" DC=domain,DC=com

Service accounts (SPNs)

Kerberoastable

ldapsearch (&(objectClass=user)(servicePrincipalName=*)(!(cn=krbtgt))(!(samaccounttype=805306369)))

Passwords

Password in AD attribute

ldapsearch (|(&(samAccountType=805306368)(userpassword=*))(&(samAccountType=805306368)(unixUserPassword=*))(&(samAccountType=805306368)(msSFU30Password=*))(&(samAccountType=805306368)(unicodepwd=*))(&(samAccountType=805306369)(ms-MCS-AdmPwd=*))(&(samAccountType=805306368)(orclCommonAttribute=*))(&(samAccountType=805306368)(|(description=*password*)(description=*passwd*)(description=*pw:*)))(msFVE-RecoveryPassword=*))

External posts

SpecterOps Manual ldapsearch

Great post about ADIDNS

Good collection of low hangers

Great post from Erica

LDAP Queries for Users, Computers, Groups and Service Connection Points
