RE: [ActiveDir] LDAP search filter for enabled accounts ?

Dean Wells Thu, 14 Aug 2003 14:37:40 -0700

Non-disabled user accounts (excluding system security principals such as
trust accounts) -


(&(objectcategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!
userAccountControl=2080))

Disabled user accounts (excluding system security principals such as trust
accounts) -

(&(objectcategory=person)((userAccountControl:1.2.840.113556.1.4.803:=2))(!u
serAccountControl=2080))

The 1.2.840.113556.1.4.803 control indicates a bitwise operation. A summary
of the bit triggers known to me is outlined below -

1   ADS_UF_SCRIPT = 0x1
2   ADS_UF_ACCOUNTDISABLE = 0x2
4   = 0x4
8   ADS_UF_HOMEDIR_REQUIRED = 0x8

16  ADS_UF_LOCKOUT = 0x10
32  ADS_UF_PASSWD_NOTREQD = 0x20
64  ADS_UF_PASSWD_CANT_CHANGE = 0x40
128 ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x80

256  ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0x100
512  ADS_UF_NORMAL_ACCOUNT = 0x200
1024 = 0x400
2048 ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0x800

4096  ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
8192  ADS_UF_SERVER_TRUST_ACCOUNT = 0x2000
16384 = 0x4000
32768 = 0x8000

65536  ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
131072 ADS_UF_MNS_LOGON_ACCOUNT = 0x20000
262144 ADS_UF_SMARTCARD_REQUIRED = 0x40000
524288 ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000

1048576 ADS_UF_NOT_DELEGATED = 0x100000

HTH

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David
A
Sent: Friday, August 15, 2003 2:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP search filter for enabled accounts ?


Is there anything I can use in a LDAP search filter to include only accounts
that are enabled ?  For example, a filter like
(&(objectclass=user)(objectcategory=person)(physicalDeliveryOfficeName=MSPJ)
) will find all user objects whose office is in building MSPJ - I'd like to
add an argument that limits this to user objects that meet that condition
that are enabled.

Dave
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] LDAP search filter for enabled accounts ?

Reply via email to