I agree that ds-tools lack some possibilities, and I'd prefer MS putting your tools into their product, however in most scenarios I've been working in they are not allowed to put additional software in their domain unless it's prooved, and the use of your tools is not important enough the justify this hazzle. So I'm mainly limited to ds-tools or vbs.
Something like this should work: Dsquery user -stalepwd 90 | dsget user -dn -disabled | find "No" Gruesse - Sincerely, Ulf B. Simon-Weidner Profile & Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811 D Weblog: http://msmvps.org/UlfBSimonWeidner Website: http://www.windowsserverfaq.org >-----Original Message----- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of joe >Sent: Saturday, May 20, 2006 6:24 PM >To: ActiveDir@mail.activedir.org >Subject: RE: [ActiveDir] OldCmp question > >Hmm good point... Well except we were talking about oldcmp >instead of adfind... Fun though that the switches are so close... > >So what are the switches and the filter to use with dsquery to >get an html listing of all enabled users whose password age is >90 days or older? > > >:) > > > > >-- >O'Reilly Active Directory Third Edition - >http://www.joeware.net/win/ad3e.htm > > >-----Original Message----- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. >Simon-Weidner >Sent: Saturday, May 20, 2006 2:56 AM >To: ActiveDir@mail.activedir.org >Subject: RE: [ActiveDir] OldCmp question > >I didn't catch it because I didn't bother enough to read the >adfind syntax. >If you'd provided a standard LDAP-Filter with DSQuery ... > >;-) > >Gruesse - Sincerely, > >Ulf B. Simon-Weidner > > Profile & Publications: >http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B48 >9-F2F1214C811 >D > Weblog: http://msmvps.org/UlfBSimonWeidner > Website: http://www.windowsserverfaq.org > > > > >>-----Original Message----- >>From: [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] On Behalf Of joe >>Sent: Friday, May 19, 2006 9:41 PM >>To: ActiveDir@mail.activedir.org >>Subject: RE: [ActiveDir] OldCmp question >> >>I just realized I told you how to INCLUDE disabled accounts - >you want >>NOT DISABLED accounts. So you want to NOT what I indicated, >however you >>have to add to it to avoid a false positive. >> >>-af "(&(useraccountcontrol=*)(!(useraccountcontrol:AND:=2)))" >> >> >>One thing to note with NOT filters... Well two actually... >> >>1. NOT filters are inefficient. But then so are bitwise >filters. ;o) 2. >>NOT filters can have false positives. An account could have the value >>set that you are trying to avoid but if the account trying to access >>the info doesn't have the access to see that value, it will >be still be >>returned. >>This is why the extra useraccountcontrol=* in the filter. >> >>The list is sleeping, they should have been all over me on that dork >>up. >><eg> >> >> >>Too late now Al, Dean and Deji.... Princess, don't worry I >will explain >>it to you next time I see you. ;o) >> >> >> joe >> >>------ >>I am 78% Evil Genius >> >>I am pure evil. I lie awake at night devising schemes of world >>domination, and I will not rest until all living souls bend >to my will. >> >>Take the Evil Genius Test at fuali.com >> >> >> >>-----Original Message----- >>From: [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] On Behalf Of joe >>Sent: Friday, May 19, 2006 11:41 AM >>To: ActiveDir@mail.activedir.org >>Subject: RE: [ActiveDir] OldCmp question >> >>Disabled accounts are marked by having bit 1 list on >userAccountControl >>(value 2) >> >>To exclude them you want -af "useraccountcontrol:AND:=2" and -bit >> >> >>I just realized I have an -onlydisabled switch, I should add a >>-onlynotdisabled I guess... >> >> >> >>-- >>O'Reilly Active Directory Third Edition - >>http://www.joeware.net/win/ad3e.htm >> >> >>-----Original Message----- >>From: [EMAIL PROTECTED] >>[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, >>Russ >>Sent: Friday, May 19, 2006 11:25 AM >>To: ActiveDir@mail.activedir.org >>Subject: [ActiveDir] OldCmp question >> >>Anyone know a way to easibly filter out disabled accounts from the >>oldcmp -users report? Would one have to use some sort of bitwise >>filter from a translation of a useraccountcontrol >>66048 value or something? >> >> >>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >>This e-mail is confidential, may contain proprietary information of >>Cameron and its operating Divisions and may be confidential or >>privileged. >> >>This e-mail should be read, copied, disseminated and/or used only by >>the addressee. If you have received this message in error >please delete >>it, together with any attachments, from your system. >>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> >>List info : http://www.activedir.org/List.aspx >>List FAQ : http://www.activedir.org/ListFAQ.aspx >>List archive: >>http://www.mail-archive.com/activedir%40mail.activedir.org/ >> >>List info : http://www.activedir.org/List.aspx >>List FAQ : http://www.activedir.org/ListFAQ.aspx >>List archive: >>http://www.mail-archive.com/activedir%40mail.activedir.org/ > >List info : http://www.activedir.org/List.aspx >List FAQ : http://www.activedir.org/ListFAQ.aspx >List archive: >http://www.mail-archive.com/activedir%40mail.activedir.org/ > >List info : http://www.activedir.org/List.aspx >List FAQ : http://www.activedir.org/ListFAQ.aspx >List archive: >http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
