
Support often needs to look at the part of the Microsoft AD tree that holds AD internal configuration (e.g. CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, <domain>). The problem with this part of the AD tree is that it is not visible by default in the AD directory structure.

This article shows the reader how to explore the hidden AD tree. Any change in AD should be carried out by the customer’s AD team or admin.

Instructions

Here are the steps:

  1. Log on to the AD server
  2. Run the ADSIEdit.exe program from the Start > Run menu.
  3. Select the top-most entry in the left pane, and then select Action > Connect to... from the menu.
  4. In the next dialog box, select the "Select a well known Naming Context" radio button, and select Configuration from the drop-down menu.
  5. Click OK and ADSI Edit will now show CN=Configuration and its sub-tree.
  6. We can now easily traverse to the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, <domain> part of the tree.

Example: For the Microsoft AD vulnerability (CVE-2021-42282), if the user wants to check the value of the dSHeuristics attribute under CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, <domain>, they can follow the steps above, then right-click on CN=Directory Service, select Properties > Attribute Editor, and find the value of the dSHeuristics attribute.
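The same read-only check can be scripted. The following is an added example, not part of the original article: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function names and the optional -Server parameter are illustrative.

```powershell
# Added example: read-only lookup of dSHeuristics; makes no changes to AD.
Import-Module ActiveDirectory

function Get-DsHeuristics {
    param([string]$Server)   # optional: query a specific domain controller

    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    # Resolve CN=Configuration,<domain> from RootDSE instead of hard-coding it.
    $configNC = (Get-ADRootDSE @common).configurationNamingContext
    $dn = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    # dSHeuristics is not returned by default, so request it explicitly.
    $obj   = Get-ADObject -Identity $dn -Properties dSHeuristics @common
    $value = $obj.dSHeuristics

    [pscustomobject]@{
        DistinguishedName = $dn
        IsSet             = -not [string]::IsNullOrEmpty($value)
        Value             = $value
        Length            = if ($value) { $value.Length } else { 0 }
    }
}

function Get-DsHeuristicsPositions {
    param([Parameter(Mandatory)][string]$Value)

    # Each 1-based character position of dSHeuristics is a separate setting.
    # Every tenth position is a length marker (10th = 1, 20th = 2, ...), so a
    # wrong marker means the positions after it cannot be trusted.
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $pos      = $i + 1
        $isMarker = ($pos % 10) -eq 0
        [pscustomobject]@{
            Position  = $pos
            Character = $Value[$i]
            IsMarker  = $isMarker
            MarkerOk  = if ($isMarker) { [string]$Value[$i] -eq [string](($pos / 10) % 10) } else { $null }
        }
    }
}

$result = Get-DsHeuristics
$result | Format-List
if ($result.IsSet) { Get-DsHeuristicsPositions -Value $result.Value | Format-Table -AutoSize }
else { 'dSHeuristics is <not set> on this forest.' }
```

Compare the per-position output against the vendor guidance for the setting being checked; ADSI Edit shows an empty attribute as <not set>, which corresponds to IsSet = False here.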

