Windows Server 2003 – LDP Support Tool Utility Tutorial

Windows Server 2003 – LDP Support Tool Utility

LDP is the forgotten tool in the Windows Server 2003 toolkit.  Here on this page is a step-by-step tutorial for getting started with LDP.  In my opinion, it should be called not LDP but LDAP, as that’s what it configures.  Perhaps LDP is overlooked because it’s so hard to get going, I will reveal the secrets of how you search for Active Directory information with this Microsoft utility.

Tutorial Topics for LDP


Getting Started with Microsoft’s LDP

Installing LDP is easy.  From the CD \support\tools, double click suptools.msi.  Alternatively, here is a free download of Microsoft’s LDP. There are a number of ways of executing ldp.exe, to begin with, let us call for the Run dialog box and type ldp.LDP main menu Connect, connections

Scenario: We wish to view our domain and check on users whose first name begins with ‘a’.

The more choices a program gives, the more difficult it is for a beginner to get started.  In the case of LDP, you have to perform three operations in sequence before you can start.

1) Click on the Connection menu, then Connect, select your server name.  Being an LDAP program, leave the port on 389.  You don’t want Connectionless, therefore leave the default setting.  No tick in the Connectionless box.  No need for SSL either.LDP Connect

2) Next we need to Bind, which is rather like logging on.  Even though you would expect that LDP would use the credentials of the logged on user, it does not always work that way.  So just Bind with an Administrator’s name and password.

3) Click View and select Tree; what you see is a box waiting for baseDN (Distinguished Name).

LDP Tree View of BaseDNNow we come to the crucial step.  The text books say type, DC=yourdomain,DC=com.  The problem comes if you are unsure of your domain name.  For instance, does it have an extension of .com?  Guy says just try pressing OK without entering anything at all in the box.

If it truly is your intention to connect to a domain, then do not use the drop-down menu and select, DC=ForestDnsZones,DC=domain,DC=com, that just does not work for me.

4) What I hope you will see in the left hand LDP panel is a structure that reminds you of Active Directory Users and Computers.LDP Search Filter using Base Dn=domain.

5) Now you have done all the hard work.  It’s time for the first LDAP query.  Click on the Browse menu, and select Search.  Leave the Base Dn: dialog entry as it is, in the Filter box type (givenName=a*).  If you remember our brief was to find all users whose first name begins with ‘A’.  If that produces no results, try (cn=a*).  CN means common name, and surely there will be an administrators’ account in the domain?

6) The fruits of all your LDP efforts should now appear in the right hand menu.  The fact that the latest entries are at the bottom rather than the top, takes a little getting used to, so be prepared to scroll down.

Guy Recommends 3 Free Active Directory ToolsDownload Solarwinds Active Directory Administration Tool

SolarWinds have produced three Active Directory add-ons.  These free utilities have been approved by Microsoft, and will help to manage your domain by:

  1. Seeking and zapping unwanted user accounts.
  2. Finding inactive computers.
  3. Bulk-importing new users.  Give this AD utility a try, it’s free!

Download your FREE Active Directory administration tools.

Here is an example of an LDP printout.


ldap_search_s(ld, "DC=cp,DC=com", 2, "(cn=a*)", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 24 entries:
>> Dn: CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com
2> objectClass: top; container;
1> cn: a86fe12a-0f62-4e2a-b271-d27f601f8182;
1> distinguishedName: CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com;
1> name: a86fe12a-0f62-4e2a-b271-d27f601f8182;
1> canonicalName:;
>> Dn: CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com
2> objectClass: top; container;
1> cn: ab402345-d3c3-455d-9ff7-40268a1099b6;
1> distinguishedName: CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com;
1> name: ab402345-d3c3-455d-9ff7-40268a1099b6;
1> canonicalName:;
>> Dn: CN=ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9,CN=Packages,CN=Class Store,CN=Machine,CN={4627307D-103B-4A81-99D0-B5B06B8AD999},CN=Policies,CN=System,DC=cp,DC=com
2> objectClass: top; packageRegistration;
1> cn: ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
1> distinguishedName: CN=ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9,CN=Packages,CN=Class Store,CN=Machine,CN={4627307D-103B-4A81-99D0-B5B06B8AD999},CN=Policies,CN=System,DC=cp,DC=com;
1> name: ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
1> canonicalName:{4627307D-103B-4A81-99D0-B5B06B8AD999}/Machine/Class Store/Packages/ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
>> Dn: CN=abab2104-5729-4bed-ac94-a65c89516e84,CN=AppCategories,CN=Default Domain Policy,CN=System,DC=cp,DC=com
3> objectClass: top; leaf; categoryRegistration;
1> cn: abab2104-5729-4bed-ac94-a65c89516e84;
1> distinguishedName: CN=abab2104-5729-4bed-ac94-a65c89516e84,CN=AppCategories,CN=Default Domain Policy,CN=System,DC=cp,DC=com;
1> name: abab2104-5729-4bed-ac94-a65c89516e84;
1> canonicalName: Domain Policy/AppCategories/abab2104-5729-4bed-ac94-a65c89516e84;
>> Dn: CN=Account Operators,CN=Builtin,DC=cp,DC=com
2> objectClass: top; group;
1> cn: Account Operators;
1> description: Members can administer domain user and group accounts;
1> distinguishedName: CN=Account Operators,CN=Builtin,DC=cp,DC=com;
1> name: Account Operators;
1> canonicalName: Operators;
>> Dn: CN=Administrator,CN=Users,DC=cp,DC=com
4> objectClass: top; person; organizationalPerson; user;
1> cn: Administrator;
1> description: Built-in account for administering the computer/domain;
1> distinguishedName: CN=Administrator,CN=Users,DC=cp,DC=com;
1> name: Administrator;
1> canonicalName:;
>> Dn: CN=Administrators,CN=Builtin,DC=cp,DC=com
2> objectClass: top; group;
1> cn: Administrators;
1> description: Administrators have complete and unrestricted access to the computer/domain;
1> distinguishedName: CN=Administrators,CN=Builtin,DC=cp,DC=com;
1> name: Administrators;
1> canonicalName:;

Guy Recommends: Permissions Analyzer – Free Active Directory ToolFree Permissions Analyzer for Active Directory

I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT.  When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!

Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource.  Give this permissions monitor a try – it’s free!

Download Permissions Analyser – Free Active Directory Tool

Summary of LDP

Microsoft’s LDP is a tricky program to get started.  This page gives you a step-by-step tutorial to create LDAP queries against a Windows Server 2003 Active Directory.  Get your copy of LDP from the Windows Server 2003 Support Tools.

Download LDP

If you like this page then please share it with your friends


See more handy Windows utilities

ADSI Edit   • ADSI More Examples   • ADModify Tool   • LDP   •Replmon

Acctinfo – Active Directory Additional Account Info   • Free Realtime Network Monitor