The Ldap tool connects to an LDAP server (typically an Active Directory domain controller) and lets you search for objects by name, run raw LDAP filter queries, monitor directory changes in real time, inspect the schema, and create or modify users, computers, organizational units, and arbitrary objects.

Subcommands

Command        Description
search         Search the directory by name using ANR
query          Run a raw LDAP filter query
watch          Watch for changes to an object or subtree
schema         Retrieve the directory schema
listsyntax     List all Active Directory attribute syntaxes
namedbits      Show named bit flags for bitfield attributes
add            Add an arbitrary object to the directory
addou          Add a new organizational unit
adduser        Add a new user account
addcomputer    Add a computer account
mod            Modify attributes on an existing object
moduser        Modify a user account (including password operations)
whoami         Display the identity of the authenticated user

For help on any subcommand, run Ldap <subcommand> -h.

search

Searches the directory by name using Active Directory’s Ambiguous Name Resolution (ANR) feature. ANR matches any designated name-like field (display name, SAM account name, UPN, etc.) that begins with the search string.

Ldap search [options] -SearchName <String[]> <ServerName> <SearchName>

ServerName (string, required): Name or address of the LDAP server to connect to.
SearchName (string[], required): Name to search for. Prepend = to require an exact match instead of a prefix match.
-SearchBase (LdapDistinguishedName[]): DN of the search root. Defaults to the domain root. Accepts special names: DomainRoot, ForestRoot, ConfigRoot, SchemaRoot, RootDse.
-Scope (string): Scope of the search. Possible values: BaseObject, Base, SingleLevel, WholeSubtree, Subtree.
-PageSize (number, default 100): Number of results to fetch per page.
-RecordLimit (-R) (number): Maximum total number of records to return.
-IncludeDeleted (boolean): Include soft-deleted (tombstoned) objects.
-IncludeRecycled (boolean): Include deleted and recycled objects.
-FollowReferrals (-F) (boolean): Follow LDAP referrals to other servers.
-UserName (-u) (UserPrincipalName): User name to authenticate with (not including the domain).
-UserDomain (-ud) (string): Domain of the authenticating user.
-Password (-p) (string): Password for authentication.
-NtlmHash (string): NTLM hash for pass-the-hash authentication.
-AesKey (string): AES key (128 or 256-bit) for Kerberos authentication.
-Tgt (string): Path to a ticket-granting ticket file (.kirbi or ccache).
-Kdc (-K) (string): KDC endpoint (host:port).
-Anonymous (boolean): Use anonymous (unauthenticated) login.
-Gc (-G) (boolean): Connect to the Global Catalog server.
-Ssl (boolean): Use SSL/TLS for the connection.
-ConsoleOutputStyle (-OutputStyle) (string): Output format. Possible values: Freeform, Raw, Table, List, Csv, Tsv, Json.
-Socks5 (string): SOCKS5 proxy endpoint (host:port).

Examples

Ldap search LUMON-DC1 admin
Prefix = to the search term to require an exact match rather than a prefix match. Wildcards are not supported and are treated literally.

query

Issues a raw LDAP filter query to the server. Use -OutputFields to specify which attributes to return; by default, only the DN of matching entries is printed.

Ldap query [options] <ServerName> [<Filter>]

ServerName (string, required): Name or address of the LDAP server.
Filter (string): LDAP filter string. Quote the filter to avoid shell escaping issues.
-Filter (string): LDAP filter. Supported operators: =, ~=, <=, >=, &= (bit AND), |= (bit OR), *= (transitive match). Negate with !.
-SearchBase (LdapDistinguishedName[]): DN of search root. Accepts special names: DomainRoot, ForestRoot, ConfigRoot, SchemaRoot, RootDse.
-Scope (string): Search scope: BaseObject, Base, SingleLevel, WholeSubtree, Subtree.
-PageSize (number, default 100): Results per page.
-RecordLimit (-R) (number): Maximum total records to return.
-IncludeDeleted (boolean): Include tombstoned objects.
-IncludeRecycled (boolean): Include recycled objects.
-DirSync (string): Return only changes since the given DirSync cookie (hex-encoded).
-FollowReferrals (boolean): Follow LDAP referrals.

LDAP filter syntax

Filters take the form (<attr> <op> <value>). Combine multiple filters with & (all must match) or | (at least one must match):
(&(objectClass=user)(userAccountControl|=TrustedForDelegation))
Active Directory-specific extensions (&=, |=, *=) are supported.

Examples

Ldap query LUMON-DC1 '(samAccountName=milchick)' -OutputFields distinguishedName, objectSid

watch

Watches for changes to an object or subtree using the LDAP DirSync control. The command runs continuously and prints updates as they arrive.

Ldap watch [options] <ServerName>

ServerName (string, required): Name or address of the LDAP server.
-SearchBase (LdapDistinguishedName[]): DN of the subtree to watch. Defaults to the domain root.
-Scope (string): Search scope: BaseObject, Base, SingleLevel, WholeSubtree, Subtree.
-DirSync (string): Resume watching from a previously saved DirSync cookie.
-OutputFields (string[]): Specific attributes to include in the output.

schema

Retrieves schema information from the directory, including attribute definitions and object classes.

Ldap schema [options] <ServerName>

ServerName (string, required): Name or address of the LDAP server.
-OutputFields (string[]): Schema fields to include in the output.
-ConsoleOutputStyle (-OutputStyle) (string): Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.

listsyntax

Lists all Active Directory attribute syntaxes. A syntax describes the format of an attribute’s data and how raw bytes are decoded into logical values.

Ldap listsyntax [options]

-OutputFields (string[]): Fields to display. Possible values: EqualityContract, syntaxKey, memberName.
-ConsoleOutputStyle (-OutputStyle) (string): Output format: Freeform, Raw, Table, List, Csv, Tsv, Json.

namedbits

Prints named bit flags for bitfield attributes. Use this to discover which bit names to pass when setting attributes like userAccountControl or msDS-SupportedEncryptionTypes.

Ldap namedbits [options] [<Attribute>]

Attribute (string[]): One or more attribute names to print. Omit to print all known bitfield attributes.
-OutputFields (string[]): Fields to display. Possible values: EqualityContract, Attribute, Name, Value, HexValue.

add

Adds an arbitrary object of a specified object class to the directory.

Ldap add [options] -ObjectClass <String> -ObjectName <String[]> <ServerName> <ObjectName> <ObjectClass>

ServerName (string, required): Name or address of the LDAP server.
-ObjectName (string[], required): Name or distinguished name of the object to create.
-ObjectClass (string, required): LDAP object class of the new object (e.g., user, group, computer).
-Attributes (AttributeChangeSpec[]): Additional attributes to set at creation time, as name=value pairs.

addou

Adds a new organizational unit to the directory.

Ldap addou [options] -ObjectName <String[]> <ServerName> <ObjectName>

ServerName (string, required): Name or address of the LDAP server.
-ObjectName (string[], required): Name or DN of the OU to create.
-Attributes (AttributeChangeSpec[]): Additional attributes to set, as name=value pairs.

adduser

Adds a new user account to the directory.

Ldap adduser [options] -ObjectName <String[]> <ServerName> <ObjectName>

ServerName (string, required): Name or address of the LDAP server.
-ObjectName (string[], required): Name or DN of the user to create.
-NewPassword (string): Initial password for the new account.
-LogonName (string): SAM account name (pre-Windows 2000 logon name).
-GivenName (string): First name.
-Surname (string): Last name.
-DisplayName (string): Display name shown in directory listings.
-UserCerts (string[]): Paths to certificate files to associate with the user.
-MemberOf (-M) (string[]): Groups to add the user to at creation time.
-Attributes (AttributeChangeSpec[]): Additional attributes as name=value pairs.

addcomputer

Adds a computer account to the directory.

Ldap addcomputer [options] -ObjectName <String[]> <ServerName> <ObjectName>

ServerName (string, required): Name or address of the LDAP server.
-ObjectName (string[], required): Name or DN of the computer account to create.
-NewPassword (string): Password for the computer account.
-LogonName (string): SAM account name for the computer.
-DisplayName (string): Display name for the account.
-Os (string): Name of the installed operating system.
-OsVersion (string): Version of the installed operating system.
-UserCerts (string[]): Paths to certificate files to associate with the account.
-MemberOf (-M) (string[]): Groups to add the computer to.
-Attributes (AttributeChangeSpec[]): Additional attributes as name=value pairs.

mod

Modifies one or more attributes on an existing directory object.

Ldap mod [options] -ObjectName <String[]> <ServerName> <ObjectName> [<Changes>]

ServerName (string, required): Name or address of the LDAP server.
-ObjectName (string[], required): Name or DN of the object to modify.
-Changes (AttributeChangeSpec[]): Attribute changes as name?=value pairs.

Change syntax

Specify each change as name?=value where ?= is one of:

Operator    Effect
+=          Add a value
-=          Remove a value
=           Replace all values

For numeric attributes with named bit flags, you can use comma-separated bit names:
msDS-SupportedEncryptionTypes=Aes128CtsHmacSha1_96,Aes256CtsHmacSha1_96
Use namedbits to list supported attributes and their bit names.
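
The filter operators from the query section (&=, |=, *= with named bit values) and the name?=value change syntax above both map onto standard LDAP constructs, which matters when you want to reproduce a query with another client or check that a detection rule uses the bit mask you intended. The following Python is an added illustration and is not code from the Ldap tool or its documentation: it rewrites the shorthand filter into an RFC 4515 filter using the Active Directory extensible-match rule OIDs, expands comma-separated bit names into numeric masks, and parses change specs into (attribute, hint, operation, value). The OID mapping, the bit-name spellings not shown on this page (AccountDisable, Rc4Hmac and so on) and the reading of the ":file" suffix as a value-source hint are assumptions modelled on the page's conventions, not the tool's confirmed behaviour; the numeric flag values themselves are the documented Windows constants.

```python
import re

# Named bit flags for two bitfield attributes. The numeric values are the
# documented Windows constants; the bit *names* follow the page's convention
# (TrustedForDelegation, Aes256CtsHmacSha1_96). Names not shown on the page
# are assumed spellings, not the Ldap tool's confirmed output.
NAMED_BITS = {
    "userAccountControl": {
        "AccountDisable": 0x2,
        "PasswordNotRequired": 0x20,
        "NormalAccount": 0x200,
        "DontExpirePassword": 0x10000,
        "TrustedForDelegation": 0x80000,
        "NotDelegated": 0x100000,
        "UseDesKeyOnly": 0x200000,
        "DontRequirePreauth": 0x400000,
        "TrustedToAuthForDelegation": 0x1000000,
    },
    "msDS-SupportedEncryptionTypes": {
        "DesCbcCrc": 0x1,
        "DesCbcMd5": 0x2,
        "Rc4Hmac": 0x4,
        "Aes128CtsHmacSha1_96": 0x8,
        "Aes256CtsHmacSha1_96": 0x10,
    },
}

# Assumption: the shorthand operators correspond to these Active Directory
# extensible-match rules, which is how a standard LDAP client expresses them.
MATCHING_RULES = {
    "&=": "1.2.840.113556.1.4.803",   # LDAP_MATCHING_RULE_BIT_AND
    "|=": "1.2.840.113556.1.4.804",   # LDAP_MATCHING_RULE_BIT_OR
    "*=": "1.2.840.113556.1.4.1941",  # LDAP_MATCHING_RULE_IN_CHAIN
}

# A simple filter item "(attr op value)". Composite items "(&", "(|" and "(!"
# are left untouched because the attribute must start with a letter.
SIMPLE_ITEM = re.compile(
    r"\(([A-Za-z][\w.\-]*)\s*(&=|\|=|\*=|~=|<=|>=|=)\s*([^()]*)\)"
)

# A change spec "attr[:hint]?=value". The ":file" suffix from the page's mod
# example is treated as a value-source hint (assumed interpretation). The
# attribute may not end in "-" so that "-=" is read as the operator.
CHANGE_SPEC = re.compile(
    r"^([A-Za-z](?:[\w.\-]*[\w.])?)(?::(\w+))?\s*(\+=|-=|=)\s*(.*)$"
)


def bit_table(attr):
    """Return the named-bit table for attr (LDAP attribute names are case-insensitive)."""
    for name, table in NAMED_BITS.items():
        if name.lower() == attr.lower():
            return table
    return None


def resolve_value(attr, value):
    """Expand 'Name1,Name2' into a decimal bit mask for a known bitfield attribute.
    Numeric values (decimal or 0x hex) pass through normalised to decimal;
    an unknown bit name raises rather than silently producing a wrong mask."""
    table = bit_table(attr)
    if table is None:
        return value
    try:
        return str(int(value, 0))
    except ValueError:
        pass
    mask = 0
    for name in value.split(","):
        name = name.strip()
        if name not in table:
            raise ValueError(f"unknown bit name {name!r} for {attr}")
        mask |= table[name]
    return str(mask)


def to_rfc4515(filter_text):
    """Rewrite the shorthand filter into an RFC 4515 filter with AD matching-rule
    OIDs and numeric bit masks; standard operators are passed through."""
    def rewrite(m):
        attr, op, value = m.group(1), m.group(2), m.group(3).strip()
        value = resolve_value(attr, value)
        if op in MATCHING_RULES:
            return f"({attr}:{MATCHING_RULES[op]}:={value})"
        return f"({attr}{op}{value})"
    return SIMPLE_ITEM.sub(rewrite, filter_text)


def parse_change(spec):
    """Parse 'name?=value' into (attribute, hint, operation, value)."""
    m = CHANGE_SPEC.match(spec)
    if not m:
        raise ValueError(f"not a change spec: {spec!r}")
    attr, hint, op, value = m.groups()
    operation = {"+=": "add", "-=": "delete", "=": "replace"}[op]
    return attr, hint, operation, resolve_value(attr, value)


if __name__ == "__main__":
    # Constructed inputs written in the page's own notation.
    print(to_rfc4515("(&(objectClass=user)(userAccountControl|=TrustedForDelegation))"))
    print(parse_change("msDS-SupportedEncryptionTypes=Aes128CtsHmacSha1_96,Aes256CtsHmacSha1_96"))
    print(parse_change("userCertificate:file+=allentown.cer"))
```

The rewritten filter for the page's delegation example becomes (userAccountControl:1.2.840.113556.1.4.804:=524288), which is the form a generic client such as ldapsearch accepts, so the same audit query can be cross-checked against the directory without the tool. Failing loudly on an unknown bit name is deliberate: a typo in a flag name should never turn into a replace of userAccountControl with a mask you did not mean.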

Examples

Ldap mod LUMON-DC1 -UserName milchick@LUMON -Password Br3@kr00m! ALLENTOWN$ userCertificate:file+=allentown.cer

moduser

Modifies a user account, including password change and reset operations.

Ldap moduser [options] -ObjectName <String[]> <ServerName> <ObjectName> [<Changes>]

ServerName (string, required): Name or address of the LDAP server.
-ObjectName (string[], required): Name or DN of the user to modify.
-Changes (AttributeChangeSpec[]): Attribute changes using the same name?=value syntax as mod.
-OldPassword (string): Current password (required for user-initiated password change).
-NewPassword (string): New password (for password change or administrative reset).

whoami

Returns the identity of the currently authenticated user as seen by the LDAP server.

Ldap whoami [options] <ServerName>

ServerName (string, required): Name or address of the LDAP server.
-OutputFields (string[]): Fields to display. Possible values: SaslString, PrincipalName, Kind.

Common options

All Ldap subcommands that connect to a server accept these shared options.

Option              Description
-Ssl                Use SSL for the connection
-SslCert            Path to a PEM or PFX certificate file
-SslKeyFile         Path to a PFX file for SSL client authentication
-SslKeyPassword     Password for -SslCert or -SslKeyFile

Option              Description
-AesKey             AES-128 or AES-256 key
-DesKey             DES key
-Tgt                TGT file path (.kirbi or ccache)
-Tickets            Service ticket file paths
-TicketCache        Ticket cache file path
-Kdc (-K)           KDC endpoint (host:port)
-S4UserName         User to impersonate via S4U
-UserCert           Certificate file for PKINIT
-UserKey            Key file for PKINIT

Option              Description
-HostAddress (-ha)  Override network address(es) of the server
-UseTcp6Only (-6)   Force IPv6
-UseTcp4Only (-4)   Force IPv4
-Socks5             SOCKS5 proxy endpoint
-AuthProxy          Authentication proxy endpoint

Option                          Description
-Verbose (-V)                   Print verbose messages
-Diagnostic (-vv)               Print diagnostic messages
-LogLevel                       Minimum log level: Debug, Verbose, Info, Warning, Error, Critical
-ConsoleLogFormat (-LogFormat)  Log format: Text, TextWithTimestamp, Json

Sddl

Parse and describe security descriptors that appear in LDAP attributes.

Cert

Create self-signed certificates to associate with directory accounts.
