Because you will never have the case of userAccountControl=2 so that query will never be true.
 
userAccountControl is a bit flag, not an absolute value.
 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 10:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

if you're not comparing it to any other bit in userAccountControl, i don't understand why you need the bitwise filter.
why can't you just have userAccountControl=2 then and just use "!", to find a disabled or enabled account?
That's where my confusion comes in.
 
Thanks

 
On 10/14/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:
LDAP filter for disabled user accounts
"(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))"

LDAP filter for enabled user accounts
"(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

Cheers,
Jorge

________________________________

From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects



Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144



________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects


so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks

p.s - since you responded to this one after my stupid salary query and
this actually is one of those questions which has nothing to do with my
current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and
when, even after reading robbie allen's brief explanation in the AD
Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again


On 10/14/05, joe < [EMAIL PROTECTED]> wrote:

       Just a small expansion. Checking for 4096 with a BITWISE filter
(which is used here) will not filter out disabled accounts.



________________________________

       From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
       Sent: Friday, October 14, 2005 12:58 PM
       To: ActiveDir@mail.activedir.org
       Subject: Re: [ActiveDir] finding computer objects


               You might want to know,

       checking for 4096 in useraccountcontrol will include disabled
accounts also..
       As bit 2 is set for account disabled, and you are not
checking its absence.
        ( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144 )

       Just extract useraccountcontrol in your dsquery output along
with name, and check the status of accounts whose useraccountcontrol is
set to 4098 ( 4096 + 2), you will find that those are disabled accounts.
(which I think, you didn't want)

       If I misunderstood your requirement, please ignore this mail..

       --
       Kamlesh


       On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

               Thanks.
               I used dsquery

               dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

               Thanks again.
               sorry to bug you. i should've posted i figured it out.




               On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED] >
wrote:

                       Why not use CSVDE.EXE, while joe gives us the
adfind with -CSV switch and custom delimiter, in next few days.

                       csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

                       only gripe is can't change the delimiter, and DN
is always included in the result.



                       On 10/14/05, Kern, Tom <[EMAIL PROTECTED] >
wrote:




                       --
                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~
                       "Fortune and Love befriend the bold"
                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~






       --
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~
       "Fortune and Love befriend the bold"
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~




List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
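
The matching rules discussed in this thread, shown as an added example that is not part of any list member's message: a small Python evaluator for filters over userAccountControl only, run against constructed account values. The helper names (`_node`, `matches`) and the sample account names are hypothetical; the flag values 2, 512 and 4096 are those listed in KB 305144.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # matches when ALL bits in the value are set
BIT_OR = "1.2.840.113556.1.4.804"   # matches when ANY bit in the value is set
ITEM = re.compile(r"\((\w+)(?::([\d.]+):)?=(\d+)\)")

def _node(f, i, entry):
    """Parse and evaluate the filter component at f[i]; return (bool, next index)."""
    op = f[i + 1:i + 2] if f[i:i + 1] == "(" else ""
    if op and op in "&|!":
        i, results = i + 2, []
        while f[i:i + 1] == "(":
            r, i = _node(f, i, entry)
            results.append(r)
        if f[i:i + 1] != ")" or not results or (op == "!" and len(results) != 1):
            raise ValueError(f"malformed '{op}' component")
        combined = {"&": all, "|": any, "!": lambda rs: not rs[0]}[op](results)
        return combined, i + 1
    m = ITEM.match(f, i)
    if not m:
        raise ValueError(f"unsupported item at offset {i}")
    have, rule, want = entry[m.group(1).lower()], m.group(2), int(m.group(3))
    if rule is None:
        return have == want, m.end()           # plain equality compares the whole integer
    if rule == BIT_AND:
        return (have & want) == want, m.end()
    if rule == BIT_OR:
        return (have & want) != 0, m.end()
    raise ValueError(f"unknown matching rule {rule}")

def matches(flt, accounts):
    """Return the sorted names of accounts whose userAccountControl satisfies the filter."""
    f = flt.replace(" ", "")
    verdicts = {name: _node(f, 0, {"useraccountcontrol": uac}) for name, uac in accounts.items()}
    if any(end != len(f) for _, end in verdicts.values()):
        raise ValueError("trailing characters after filter")
    return sorted(name for name, (ok, _) in verdicts.items() if ok)

# Constructed sample values: 512 = NORMAL_ACCOUNT, 4096 = WORKSTATION_TRUST_ACCOUNT, +2 = ACCOUNTDISABLE
ACCOUNTS = {"user-on": 512, "user-off": 514, "pc-on": 4096, "pc-off": 4098}
UAC = "userAccountControl"

if __name__ == "__main__":
    for flt in (f"({UAC}=2)", f"({UAC}:{BIT_OR}:=4096)",
                f"(&({UAC}:{BIT_AND}:=4096)(!({UAC}:{BIT_AND}:=2)))"):
        print(flt, "->", matches(flt, ACCOUNTS))
```
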



