LDAP filter for disabled user accounts

"(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))"

LDAP filter for enabled user accounts

"(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

Cheers,
Jorge

________________________________

From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects

Tom-

I'll certainly not try to explain it while joe's around :-) but here's a KB that helped me when I was trying to grasp this. That and using adfind to look at the resultant values of objects that I knew the flags for already...

How to use the UserAccountControl flags to manipulate user account properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.

thanks

p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?

thanks again

On 10/14/05, joe <[EMAIL PROTECTED]> wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also..
As bit 2 is set for account disabled, and you are not checking its absence.
( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144 )

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again.
sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
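
As an added example (not part of the original thread), the following Python models the two bitwise matching rules used above on constructed userAccountControl values, showing why a check for 4096 alone still returns disabled machines and what the negated bit-2 clause changes. The host names and helper functions are hypothetical, and the operatingSystem clause is left out for brevity.

```python
# Added example: local model of AD's bitwise LDAP matching rules.
BIT_AND = "1.2.840.113556.1.4.803"  # true when ALL bits of the mask are set
BIT_OR = "1.2.840.113556.1.4.804"   # true when ANY bit of the mask is set

ACCOUNTDISABLE = 2                  # 0x0002, per KB 305144
WORKSTATION_TRUST_ACCOUNT = 4096    # 0x1000, per KB 305144

# Constructed sample data: (name, userAccountControl). Names are hypothetical.
SAMPLE = [
    ("WS-ENABLED", 4096),
    ("WS-DISABLED", 4098),   # 4096 + 2
    ("WS-NOPWD", 4128),      # 4096 + 32 (PASSWD_NOTREQD)
    ("DC-01", 532480),       # 8192 + 524288, a typical domain controller
]

def bit_match(rule, value, mask):
    """Evaluate (userAccountControl:<rule>:=<mask>) against one value."""
    if rule == BIT_AND:
        return value & mask == mask
    if rule == BIT_OR:
        return value & mask != 0
    raise ValueError(f"unknown matching rule OID: {rule}")

def search(accounts, clauses):
    """AND together clauses of the form (negate, rule, mask)."""
    return [name for name, uac in accounts
            if all(bit_match(rule, uac, mask) != negate
                   for negate, rule, mask in clauses)]

def to_filter(clauses, base="(objectCategory=computer)"):
    """Render the same clauses as an LDAP filter string."""
    parts = []
    for negate, rule, mask in clauses:
        term = f"(userAccountControl:{rule}:={mask})"
        parts.append(f"(!{term})" if negate else term)
    return f"(&{base}{''.join(parts)})"

# The bitwise clause from the dsquery command in the thread.
ORIGINAL = [(False, BIT_OR, WORKSTATION_TRUST_ACCOUNT)]
# Workstation bit present AND disabled bit absent.
ENABLED_ONLY = [(False, BIT_AND, WORKSTATION_TRUST_ACCOUNT),
                (True, BIT_AND, ACCOUNTDISABLE)]

if __name__ == "__main__":
    for label, clauses in (("original", ORIGINAL), ("enabled only", ENABLED_ONLY)):
        print(label, to_filter(clauses), search(SAMPLE, clauses))
```

With a single-bit mask the 803 and 804 rules give the same answer; they diverge only when the mask has several bits, for example 4098, where 804 matches any account with either bit set.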