Active Directory How To

How to make LastLogon and LastLogonTimestamp readable

w32tm /ntte lastlogontimestamp_value

How to run "AD users and computers" remotely

First, get it. Either here or look for the Windows Server Administration Tools Pack
Run to unpack, close any open MMC consoles and install by running adminpak.msi. Use runas to run it:
runas /user:DOMAIN\uberuser "mmc %windir%\system32\admgmt.msc"
Note: Type in the password - there is no easy way to automate it by pasting or piping.

How to find names of AD domain controllers

Run nslookup
Type in the nslookup prompt
set type=all
_ldap._tcp.dc._msdcs.<DOMAIN_NAME>

How to change a Windows 2000 Users Password Through LDAP

The password is stored in the Active Directory on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read. The attribute can only be modified; it cannot be added on object creation or queried by a search. In order to modify this attribute, the client must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption.

The syntax of the unicodePwd attribute is octet-string; however, the directory service expects that the octet-string will contain a UNICODE string (as the name of the attribute indicates). This means that any values for this attribute passed in LDAP must be UNICODE strings that are BER-encoded (Basic Encoding Rules) as an octet-string. In addition, the UNICODE string must begin and end in quotes that are not part of the desired password. There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.

The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password become the new password, regardless of what the old password was.

Source

How to enable LDAP over SSL with a third-party certification authority

See http://support.microsoft.com/kb/32105 or, instead, you could produce the self-signed certificate in the ikeyman, export it into PKSC12 and import into BOTH the local computer personal store and the trusted roots store.

How to search in AD with cygwins OpenLDAP package

ldapsearch -h vmportal -x  -D wpsadmin -w password -b "" -s base objectclass=* | less
-x option is the key here

@HowTo @Microsoft