Two quick items.
First, the query can be simplified a little; there is an unneeded level with the & operand in there. You only need something of the format (&(something)(something)). It isn't a big deal, the engine will strip it out when it optimizes the query but it does make it look more foreboding/complex than it needs to be.
Second, __in general__ when you are going after users you actually want to change (objectCategory=user) to (objectCategory=person)(objectclass=user) or sAMAccountType=805306368.
The user class is not an objectcategory, it is only an
objectclass. When you specify (objectCategory=user) the system looks up the
defaultObjectCategory of user and finds person. So (objectCategory=user) becomes
(objectCategory=person) which means depending on the rest of the query it will
be looking at all user and contact objects. If you have no contact objects, this
works itself out, however if you have lots of contacts, you will feel the pinch
in perf as the query looks over objects it doesn't need to.
With this query, it is tough (at least for me as I understand things) to tell
if just using objectcategory=person will work out ok there or not...
The reason being is that userAccountControl is also indexed and, it is possible,
depending on the rough estimate of the number of objects with a
useraccountcontrol value versus the rough estimate of the number of objects with
person as the objectcategory that the useraccountcontrol
index will be used as the main index for the query. You can tell for sure
in a given situation by using the STATS control to see what AD really
did.
You could also use samaccounttype=805306368. That tends to be more efficient than
using the previously mentioned pairing as it is then a single indexed attribute
value to look at.
As an example of what can happen based on my joe.com test forest.
(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))
had to look over 7214 objects and used idx_userAccountControl.
(&(objectCategory=person)(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))
had the same results.
(&(samaccounttype=805306368)(userAccountControl:1.2.840.113556.1.4.803:=262144))
had to look over 7168 objects and used idx_sAMAccountType.
joe
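The filter semantics joe describes, as an added example that is not part of the thread: a small offline evaluator for the thread's filters, run against constructed entries. It assumes the objectCategory=user to person lookup works as the post explains; the entry names and the helpers `parse`, `matches`, `search` and `entry` are hypothetical, and it models matching only, not index selection or scan counts.

```python
BIT_AND = "1.2.840.113556.1.4.803"    # bitwise-AND matching rule from the thread
CATEGORY_ALIAS = {"user": "person"}   # models the defaultObjectCategory lookup

def parse(f, i=0):
    """Parse the filter starting at f[i]; return (node, index past its ')')."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] in ("&", "|"):
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    rule = None
    if ":" in attr:                    # attr:matchingRuleOID:=value
        attr, rule, _ = attr.split(":")
    return ("item", attr.lower(), rule, value.lower()), end + 1

def matches(node, entry):
    if node[0] in ("&", "|"):
        hits = [matches(kid, entry) for kid in node[1]]
        return all(hits) if node[0] == "&" else any(hits)
    _, attr, rule, value = node
    if attr not in entry:
        return False
    if rule == BIT_AND:                # every bit of the mask must be set
        return (int(entry[attr]) & int(value)) == int(value)
    if attr == "objectcategory":
        value = CATEGORY_ALIAS.get(value, value)
    have = entry[attr] if isinstance(entry[attr], list) else [entry[attr]]
    return any(str(v).lower() == value for v in have)

def search(filter_text, entries):
    """Return the cn of every entry the filter matches."""
    return [e["cn"] for e in entries if matches(parse(filter_text)[0], e)]

def entry(cn, leaf_class, **attrs):    # helper for the constructed sample objects
    return {"cn": cn, "objectcategory": "person",
            "objectclass": ["top", "person", leaf_class], **attrs}

ENTRIES = [  # constructed data; 512 = normal account, 2 = disabled, 262144 = smart card required
    entry("alice", "user", samaccounttype=805306368, useraccountcontrol=512 | 262144),
    entry("bob", "user", samaccounttype=805306368, useraccountcontrol=512),
    entry("svc-old", "user", samaccounttype=805306368, useraccountcontrol=512 | 2 | 262144),
    entry("vendor", "contact"),        # contact: no sAMAccountType, no userAccountControl
]
```

On this data `(objectCategory=user)` alone also matches the contact, while the sAMAccountType and person-plus-objectclass forms do not; all three full filters return the same two smart-card accounts.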
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurzdorfer Michael TSgt 107CF/SCBN
Sent: Thursday, May 04, 2006 7:16 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Query AD for Smartcard enforced users
(&(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=262144))) will do the trick
//SIGNED//
Michael Kurzdorfer, TSgt, NYANG
Network Administrator
107CF/SCBN Niagara Falls ANGB
Comm 716.236.3064 DSN 238.3064
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter
Sent: Thursday, May 04, 2006 4:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query AD for Smartcard enforced users
I would like to find a way to extract all the users who have 'Smart card is
required for interactive logon' ticked within their account.
I have looked at LDIFDE and CSVDE but I can't see how I can retrieve
this list
thanks
James