Windows 10 – Built-in Tools to Query AD/LDAP

Tags: active-directory, ldap, windows-10, windows-domain

I'm on a domain joined Windows 10 Computer and want to query the attributes of my own user account. Are there any built-in tools for that?

It is not an admin computer and I don't have RSAT installed. My computer does not seem to have:

  • dsget
  • dsquery
  • ldapsearch
  • ldp
  • PowerShell ActiveDirectory module

Are there any other tools built-in? I mean, there must be something, because at least my computer is able to query the AD, but are there tools that I can also use as a user?

Best Answer

Windows has the ADSI interface available to programs, which supports general LDAP access.

PowerShell has access to ADSI via System.DirectoryServices types:

  • The [System.DirectoryServices.DirectoryEntry] type (aliased to [ADSI]) represents a specific entry – when given an LDAP object, its attributes directly correspond to the LDAP entry's attributes:

    # Bind to one entry by its DN; attributes are fetched from the DC on first access
    $obj = [adsi] "LDAP://CN=foo,OU=bar,DC=example,DC=com"
    echo $obj.displayName      # a single attribute
    $obj | fl *                # every attribute the caller is permitted to read
    

    You don't need to specify a server – Windows will use the AD directory by default. (The LDAP:// part is case-sensitive; this is an ADSI binding string, not a URL.)

  • The [System.DirectoryServices.DirectorySearcher] type (aliased to [ADSISearcher]) represents an LDAP search query which can be used to find your user DN if you don't already know it:

    # The string becomes the LDAP filter; search base defaults to the logon domain
    $qry = [adsisearcher] "(sAMAccountName=stackprotector)"
    $qry.FindAll().Path        # ADsPath of each hit, e.g. LDAP://CN=...,DC=...
    

    More verbose example copied from some-or-other MSDN docs page (in AD, searching for the anr pseudo-attribute is how GUI tools resolve names):

    $qry = New-Object DirectoryServices.DirectorySearcher
    # objectCategory=person limits the hits to user-like objects;
    # anr (ambiguous name resolution) prefix-matches several name attributes at once
    $qry.Filter = '(&(objectCategory=person)(anr=Stack))'
    # SearchRoot restricts the search to one subtree (a string is converted to a DirectoryEntry)
    $qry.SearchRoot = 'LDAP://OU=Laptops,OU=Computers,DC=contoso,DC=com'
    $qry.FindAll()
    

But ADSI is originally a COM+ API that predates PowerShell and even .NET in general, so of course Microsoft has examples for using it from VBScript and from ADODB (and even from ASP, not that it helps here).


You should also be able to install and use some RSAT tools without needing any special privileges (aside from local Windows admin to do the installation). By default, the directory is wide open to any authenticated client.

You can use third-party LDAP clients with AD – the domain controllers will accept authentication using your user credentials, which is how most Windows GUI tools look up data in AD in the first place (with the machine join account being needed only for some tasks). However, it's best to use clients which support Kerberos authentication via GSSAPI or GSS-SPNEGO, as that's guaranteed to work with any AD setup. Tools which use NTLM or "simple bind" (password authentication) may or may not work depending on domain configuration.

For example, SysInternals ADExplorer comes from Microsoft and works without installation. (When prompted for server details, leave all fields blank and just click "Connect".)

(The RSAT tools "ADSIEdit" and "dsa.msc" can technically be used without a full installation, indeed even official Microsoft instructions used to say "extract these files from the .cab and regsvr32 them", but you do need Windows local admin access for the regsvr32 part.)
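As an added example (this is not code from the original answer), the two ADSI types described above combined into one script that resolves the logged-on user's own entry and reads a few security-relevant attributes from it. It assumes a domain-joined Windows 10 machine with line of sight to a domain controller, Windows PowerShell 5.1, no RSAT and no admin rights; the function names `ConvertTo-LdapFilterValue` and `Get-MyAdUser` and the choice of attributes are this example's own.

```powershell
# Added example, not part of the original answer. Assumes a domain-joined
# Windows 10 box that can reach a DC and Windows PowerShell 5.1; uses only the
# built-in System.DirectoryServices types (no RSAT, no local admin).

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 filter metacharacters so a value such as "a*)(cn=*" cannot
    # rewrite the filter we build around it. Backslash must be escaped first,
    # because every other escape sequence introduces one.
    param([Parameter(Mandatory)][string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-MyAdUser {
    # Hypothetical helper for this example; sAMAccountName defaults to the logon name.
    param([string] $SamAccountName = $env:USERNAME)

    # 1. Find the DN with [adsisearcher]. No server and no search base are given,
    #    so ADSI uses the logon domain's default naming context.
    $filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue $SamAccountName)
    $searcher = [adsisearcher] $filter
    # Ask only for what we use: less traffic, and the SearchResult hands back
    # large-integer attributes as Int64 instead of IADsLargeInteger COM objects.
    [void] $searcher.PropertiesToLoad.AddRange([string[]] @('distinguishedName', 'memberOf', 'pwdLastSet', 'userAccountControl'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No user with sAMAccountName '$SamAccountName' in the default naming context" }

    # 2. Bind to the entry itself with [adsi]; this is the object you would
    #    inspect with "$user | fl *" to see every attribute you may read.
    $user = [adsi] $hit.Path

    # 3. pwdLastSet is a FILETIME; 0 means "must change password at next logon".
    #    An attribute the caller cannot read is simply absent, so check first.
    $pwdLastSet = if ($hit.Properties.Contains('pwdlastset')) { [long] $hit.Properties['pwdlastset'][0] } else { 0 }
    $pwdSetAt = if ($pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($pwdLastSet).ToLocalTime() } else { $null }

    # 4. userAccountControl is a bit field; decode the flags a security review cares about.
    $uac = [int] $hit.Properties['useraccountcontrol'][0]
    $uacFlags = [ordered]@{
        ACCOUNTDISABLE       = 0x0002
        PASSWD_NOTREQD       = 0x0020
        DONT_EXPIRE_PASSWORD = 0x10000
        NOT_DELEGATED        = 0x100000
        DONT_REQ_PREAUTH     = 0x400000   # Kerberos pre-auth off: AS-REP roastable
    }
    $setFlags = foreach ($name in $uacFlags.Keys) {
        if (($uac -band $uacFlags[$name]) -ne 0) { $name }
    }

    [pscustomobject]@{
        DistinguishedName = [string] $user.distinguishedName.Value
        PasswordLastSet   = $pwdSetAt
        UacFlags          = @($setFlags)
        # Direct memberships only; nested groups need the tokenGroups constructed
        # attribute or a LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) search.
        MemberOf          = @($user.memberOf | ForEach-Object { [string] $_ })
    }
}

Get-MyAdUser | Format-List
```

If you only want your own object and no search at all, ADSI can also bind by SID: `[adsi] "LDAP://<SID=$([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value)>"` returns the same DirectoryEntry without a filter. Either way the query runs under your Kerberos ticket, so the DC returns only attributes your account is allowed to read; the `Contains` check above is what keeps the script from dying on an attribute that a tightened default security descriptor has hidden from you.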
