Best Practice Ezine #45 – LDAP Tips


Feedback

Last week I had lots of useful feedback. My favourite letter was from Jim W, who said: ‘It is great to get a "little bit more" than just what you paid for.’ This sums up my philosophy: I want to help those who purchase my ebooks through the tips in this free Ezine.

By staying in contact I can give you free updates of my ebooks. Recently I gave out a free Exchange Migration upgrade; all I asked was for you to vote in my poll of topics for this ezine. The result indicated that Active Directory was the most requested, followed by Exchange.

I also had a friendly email from Carol about last week’s DHCP. As someone who prides themselves on giving clear instructions, I really needed telling when I omitted directions to the DHCP Conflict Detection box: DHCP, Server, Properties, Advanced tab.


LDAP: Find or Filter

This week I have listened to what you, the reader, want, so here are more tips on Active Directory and LDAP.

One of my delegates once said about LDAP: "Thank goodness we only have to learn about the LIGHTWEIGHT Directory Access Protocol. This is difficult enough; I would have no chance understanding the Heavyweight version."

LDAP appears in VBScript, and also in the many Active Directory filters.  First let us examine Active Directory’s Find.

How LDAP Finds Objects in Windows 2003 Active Directory

The idea is to create queries for Active Directory objects.  Take the case of one techie who admitted that he spent the whole of one afternoon making a list of disabled user accounts.  What he did was trawl through every OU, writing down the name of each disabled account.  There were 47 OUs.

He was mortified when I showed him the Find box, which is located in Active Directory Users and Computers. Just right-click the Domain Object, then Find. From the Find dialog box, select ‘Common Queries’ from the pick list. Check the box which says Disabled Accounts.

Even better, navigate to the Saved Query folder, which is immediately above the Domain Object. Now repeat this Find procedure by choosing New Query, then Define Query, and so make yourself a permanent list which automatically updates. If you cannot find the Saved Query folder, then you probably have Windows 2000 rather than Windows 2003.

As ever, my goal is to get you started. Once you find that drop-down menu under the Find dialog box, I hope that you will get ideas for queries to suit your environment.

Tip:  Experiment with the three tabs under the Find dialog box: Users, Computers and Groups.


How LDAP filters objects

Another situation where you can examine LDAP is any time you create an Active Directory filter, for example, Custom Global Address Lists in Exchange 2000 or 2003.

There again in Exchange 2003, if you create a Recipient Policy or a Query Based Distribution group, as soon as you build a filter, the LDAP language is there just below the surface.

Here is an example of the LDAP language that you see in such filters.

(&(objectCategory=Group)(|(name=Managers)(name=Bosses)))

I particularly selected this example to show the pipe symbol | (shift and key nearest z). What the pipe | means is or: Managers or Bosses. Connectors such as or (|), and (&), and not (!) are useful if you start writing your own LDAP queries. Note that the operator comes first, inside the bracket, and the conditions it joins follow it. What most people do is take the nearest query that they can make with the wizard, copy it into notepad, then start adding these logical operators.
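To check how a hand-edited filter will be read before pasting it back into the wizard, the following added example (not from the original ezine) parses the prefix notation and evaluates it against a few constructed entries. It assumes plain case-insensitive string equality for every attribute, including objectCategory; the function names and sample objects are illustrative.

```python
# Minimal reader for LDAP prefix-notation filters (added example).
# Handles only & | ! and case-insensitive equality (attr=value).
def _parse(f, i):
    if f[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if f[i] in "&|!":                    # operator comes first, operands follow
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' clause near position {i}")
        return (op, kids), i + 1
    end = f.index(")", i)                # simple item: attr=value
    attr, sep, value = f[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"expected attr=value at position {i}")
    return ("=", attr.lower(), value.lower()), end + 1

def parse_filter(text):
    text = text.strip()
    try:
        tree, end = _parse(text, 0)
    except IndexError:                   # ran off the end: unbalanced brackets
        raise ValueError("filter ended before its brackets were closed") from None
    if end != len(text):
        raise ValueError("unexpected text after the filter")
    return tree

def matches(tree, entry):
    if tree[0] == "=":
        return any(v.lower() == tree[2] for v in entry.get(tree[1], []))
    hits = [matches(kid, entry) for kid in tree[1]]
    if tree[0] == "!":
        return not hits[0]
    return all(hits) if tree[0] == "&" else any(hits)

ENTRIES = [  # constructed sample objects, keys lower-cased
    {"name": ["Managers"], "objectcategory": ["Group"]},
    {"name": ["Bosses"], "objectcategory": ["Group"]},
    {"name": ["Staff"], "objectcategory": ["Group"]},
    {"name": ["Managers"], "objectcategory": ["Person"]},
]

def find(filter_text, entries=ENTRIES):
    tree = parse_filter(filter_text)
    return [e["name"][0] for e in entries if matches(tree, e)]
```

A filter with a dropped closing bracket, the usual slip when editing in notepad, raises ValueError instead of silently matching the wrong set.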

