Active Directory Object LDAP Syntax

ADManager Plus | February 12, 2015 | 2 min read

A typical day of an Active Directory administrator entails working within a tool, such as Active Directory Users and Computers (ADUC), Active Directory Sites and Services (ADSS), ADManager Plus, or ADAudit Plus. These tools mask the complexities that can be hidden behind most of the objects that you are working with.

However, there might be times when you need to work with the more complex representations of the objects, such as the distinguished name (DN), LDAP path, globally unique identifier (GUID), or security identifier (SID).

It can be difficult to find these more complex representations of the objects, so here are some tips to help you find them.


One option is to go into ADUC and look at the object properties. To do this, right-click the object you need details on, then select Properties from the drop-down menu. Within the Properties window of the object, select the Attribute Editor, as shown in Figure 1.


Figure 1. Attribute Editor for an object in ADUC.

As you can see, there is a very lengthy list of attributes that you can look up for the object. If you double-click any attribute, a new window opens displaying the attribute's value. You can now copy the value without needing to retype it, making simple typing mistakes a thing of the past!

Another option is to use PowerShell to list the object's attributes. It returns essentially the same listing of attributes; it is simply another way to get there. You will need the Active Directory Module for PowerShell, which is described in this Microsoft article: https://technet.microsoft.com/en-us/library/dd378937(v=ws.10).aspx.

Now that you have the Active Directory module for PowerShell up and running, you can run basic queries to obtain the details you need. For example, if you need the distinguished name and SID for a group, type “Get-ADGroup [groupname]” in the PowerShell interface, as shown in Figure 2.


Figure 2. Active Directory module for PowerShell can get detailed object references.

If you want to get all of the attributes for the object, similar to what we did in ADUC, you just type the following in your PowerShell interface:

Get-ADGroup [groupname] -Properties *

This will get you a verbose listing of the attributes (properties) for that object.
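The same lookup generalized to any object class (user, group, computer), as an added example that is not from the original article: it returns the DN, LDAP path, GUID and SID together and escapes the name before it goes into the LDAP filter. The function names and the sample name 'Example Group' are assumptions; it needs the Active Directory module and a reachable domain controller.

```powershell
# Added example (not from the original article).
# Assumes the Active Directory module for PowerShell is installed and the
# session can reach a domain controller.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Hypothetical helper: escape the characters RFC 4515 reserves in LDAP
    # filter values, so a name containing *, ( or ) is matched literally and
    # cannot widen or break the filter. Backslash is replaced first so the
    # escapes added afterwards are not escaped again.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').
           Replace('*', '\2a').
           Replace('(', '\28').
           Replace(')', '\29').
           Replace("`0", '\00')
}

function Get-ADObjectIdentifiers {
    # Hypothetical helper: resolve a name to every matching object and
    # return the identifiers discussed above in one record per object.
    param(
        [Parameter(Mandatory)][string]$Name   # sAMAccountName or common name (cn)
    )
    $value  = ConvertTo-LdapFilterValue -Value $Name
    $filter = "(|(sAMAccountName=$value)(cn=$value))"

    # DistinguishedName, Name, ObjectClass and ObjectGUID are returned by
    # default; objectSid has to be requested explicitly.
    Get-ADObject -LDAPFilter $filter -Properties objectSid |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                ObjectClass       = $_.ObjectClass
                DistinguishedName = $_.DistinguishedName
                LdapPath          = "LDAP://$($_.DistinguishedName)"
                ObjectGuid        = $_.ObjectGUID
                Sid               = $_.objectSid   # empty for objects that are not security principals
            }
        }
}

# 'Example Group' is a constructed sample name; replace it with a real object name.
Get-ADObjectIdentifiers -Name 'Example Group' | Format-List
```

More than one record in the output means the name is ambiguous in the directory, so confirm the ObjectClass and DistinguishedName before copying a SID or GUID into a script or ACL.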