Thanks Dean - from your answer and that of Mr. Welch, it was a quick trip to Google to find MS KB article 269181 that explains this in detail (in case anybody else is interested). The part about there being two controls available (bitwise AND and bitwise OR) will be helpful for other things I might want to do. Thanks again.

Dave

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 4:35 PM
To: AD mailing list (send)
Subject: RE: [ActiveDir] LDAP search filter for enabled accounts ?

Non-disabled user accounts (excluding system security principals such as trust accounts) -

(&(objectcategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl=2080)))

Disabled user accounts (excluding system security principals such as trust accounts) -

(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2)(!(userAccountControl=2080)))

The 1.2.840.113556.1.4.803 control indicates a bitwise operation. A summary of the bit triggers known to me is outlined below -

1        ADS_UF_SCRIPT = 0x1
2        ADS_UF_ACCOUNTDISABLE = 0x2
4        = 0x4
8        ADS_UF_HOMEDIR_REQUIRED = 0x8
16       ADS_UF_LOCKOUT = 0x10
32       ADS_UF_PASSWD_NOTREQD = 0x20
64       ADS_UF_PASSWD_CANT_CHANGE = 0x40
128      ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x80
256      ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0x100
512      ADS_UF_NORMAL_ACCOUNT = 0x200
1024     = 0x400
2048     ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0x800
4096     ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
8192     ADS_UF_SERVER_TRUST_ACCOUNT = 0x2000
16384    = 0x4000
32768    = 0x8000
65536    ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
131072   ADS_UF_MNS_LOGON_ACCOUNT = 0x20000
262144   ADS_UF_SMARTCARD_REQUIRED = 0x40000
524288   ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000
1048576  ADS_UF_NOT_DELEGATED = 0x100000

HTH

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David A
Sent: Friday, August 15, 2003 2:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP search filter for enabled accounts ?

Is there anything I can use in a LDAP search filter to include only accounts that are enabled ?

For example, a filter like

(&(objectclass=user)(objectcategory=person)(physicalDeliveryOfficeName=MSPJ))

will find all user objects whose office is in building MSPJ - I'd like to add an argument that limits this to user objects that meet that condition that are enabled.

Dave

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
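
Added example, not part of the original thread: a Python sketch that evaluates the bitwise matching rules locally against userAccountControl values, decodes them with the flag table from Dean's message, and appends the "not disabled" clause to an existing filter such as the MSPJ one. The function names are hypothetical, the sample values are constructed, and the .804 OID for bitwise OR does not appear in the thread (it is the companion matching rule Microsoft documents alongside .803).

```python
# Added example; flag names and values are the ones listed in Dean's table.
UAC_FLAGS = {
    0x1: "ADS_UF_SCRIPT",
    0x2: "ADS_UF_ACCOUNTDISABLE",
    0x8: "ADS_UF_HOMEDIR_REQUIRED",
    0x10: "ADS_UF_LOCKOUT",
    0x20: "ADS_UF_PASSWD_NOTREQD",
    0x40: "ADS_UF_PASSWD_CANT_CHANGE",
    0x80: "ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x100: "ADS_UF_TEMP_DUPLICATE_ACCOUNT",
    0x200: "ADS_UF_NORMAL_ACCOUNT",
    0x800: "ADS_UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "ADS_UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "ADS_UF_SERVER_TRUST_ACCOUNT",
    0x10000: "ADS_UF_DONT_EXPIRE_PASSWD",
    0x20000: "ADS_UF_MNS_LOGON_ACCOUNT",
    0x40000: "ADS_UF_SMARTCARD_REQUIRED",
    0x80000: "ADS_UF_TRUSTED_FOR_DELEGATION",
    0x100000: "ADS_UF_NOT_DELEGATED",
}
BIT_AND = "1.2.840.113556.1.4.803"  # true when every bit of the mask is set
BIT_OR = "1.2.840.113556.1.4.804"   # any bit of the mask set (OID not in the thread)

def decode(uac):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if uac & bit]

def bit_match(rule, value, mask):
    """Evaluate (attr:<rule>:=mask) against one attribute value."""
    if rule == BIT_AND:
        return (value & mask) == mask
    if rule == BIT_OR:
        return (value & mask) != 0
    raise ValueError("unknown matching rule " + rule)

def is_enabled_person(uac):
    """Dean's non-disabled filter: disable bit clear and value is not 2080."""
    return not bit_match(BIT_AND, uac, 0x2) and uac != 2080

def enabled_only(base_filter):
    """AND an existing filter with the 'disable bit not set' clause."""
    return "(&%s(!(userAccountControl:%s:=2)))" % (base_filter, BIT_AND)

if __name__ == "__main__":
    for uac in (512, 514, 66048, 66050, 2080):  # constructed sample values
        print(uac, is_enabled_person(uac), decode(uac))
    print(enabled_only("(&(objectclass=user)(objectcategory=person)"
                       "(physicalDeliveryOfficeName=MSPJ))"))
```

A plain equality test such as userAccountControl=512 would miss an enabled account whose value is 66048, which is why the filters in the thread test the single disable bit instead.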