Monday, October 29, 2012

LDP for Active Directory (LDP.exe)

LDP is a free utility provided by Microsoft for viewing, searching and modifying Active Directory content.
It is provided as a part of the Windows 2000 Support Tools utility and it can be used to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory.

Specifically, LDP can be used to perform advanced LDAP queries against Active Directory, use various LDAP controls, as well as specify advanced connection, binding and search result options.
It can also be used to view all the properties of an Active Directory object, as well as view object meta-data and raw Security Descriptors.

One of the biggest advantages of LDP in addition to being free is that it is a standards-compliant Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory.

LDP can also be used to issue and execute any valid LDAP query so it can be used to generate basic reports as long as you can specify the appropriate LDAP filters for the reports you have in mind.
It can also be used to generate advanced time-based reports, such as to identify a list of failed logon attempts, account creations and delegations, recent changes, etc., but it requires you to specify all the technical details in LDAP parlance, which can make it a little cumbersome unless you're adept at writing LDAP queries and performing 64-bit time value conversions.
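As an added example (not from the original post and not Microsoft's code), the following Python does the 64-bit time conversion the post refers to and builds LDP-ready filters for three of the reports it names. The attribute names and the bitwise matching-rule OID are standard Active Directory ones; the cutoff dates are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores lastLogonTimestamp, pwdLastSet, badPasswordTime etc.
# as a 64-bit count of 100-nanosecond intervals since 1601-01-01 00:00 UTC
# (the Windows FILETIME format), which is why time-based LDP filters need
# the conversion below.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Aware datetime -> 64-bit FILETIME integer usable in an LDAP filter."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime to avoid off-by-hours errors")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(filetime):
    """64-bit FILETIME integer -> aware UTC datetime (for reading LDP output)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def to_generalized_time(dt):
    """whenCreated / whenChanged use LDAP GeneralizedTime, e.g. 20121001000000.0Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def stale_enabled_users_filter(cutoff):
    """Enabled user accounts whose replicated last logon is older than cutoff.
    1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule; bit 2 of
    userAccountControl is ACCOUNTDISABLE, so !(...) keeps enabled accounts."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            f"(lastLogonTimestamp<={to_filetime(cutoff)}))")


def recent_bad_password_filter(since):
    """Accounts with a failed password attempt at or after `since`."""
    return f"(&(objectClass=user)(badPasswordTime>={to_filetime(since)}))"


def recent_account_creations_filter(since):
    """User objects created at or after `since` (GeneralizedTime comparison)."""
    return f"(&(objectClass=user)(whenCreated>={to_generalized_time(since)}))"


if __name__ == "__main__":
    # Constructed sample cutoffs, not values from the post.
    now = datetime(2012, 10, 29, tzinfo=timezone.utc)
    print(stale_enabled_users_filter(now - timedelta(days=90)))
    print(recent_bad_password_filter(now - timedelta(days=1)))
    print(recent_account_creations_filter(now - timedelta(days=7)))
```

Two caveats when reading the results: badPasswordTime is not replicated, so each domain controller reports only the failures it saw itself, and lastLogonTimestamp is only refreshed when the old value is more than about 14 days stale, so it is suitable for finding dormant accounts, not for precise last-logon times.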

It's a very helpful tool to have if you want to get under the hood of your Active Directory content or modify it. It can also be used to perform basic Active Directory security analysis, but it is not the best tool for performing an Active Directory security audit.


  1. Hello Jesse,

    What are your thoughts about the security implications of outsourcing the management of critical IT services like DNS, DHCP, Active Directory, email (Exchange) etc. to outsourced providers? I think outsourcing of Microsoft's Active Directory technology impacts global security but I would like to hear your thoughts on the same.


  2. Hi Jesse,

    As Domain Admins / Enterprise Admins we often delegate administrative tasks in Active Directory and from time to time need to know who is delegated what access in Active Directory.

    In my experience, I have found that finding out who is delegated what access in Active Directory is not as easy as it seems, but in fact can be quite difficult.

    I've seen many admins try to use a Permissions Analyzer for Active Directory but finding out who has what permissions in Active Directory is not the same thing.

    I recently came across an Active Directory Audit Tool that makes it super easy to find out who is delegated what access in Active Directory. Thought you may like to know.