Hmm.. Maybe the wishlist idea was a wish on my part.... :)

On 7/19/06, joe <[EMAIL PROTECTED]> wrote:
Nope no wishlist on the site, people can submit through email or newsgroup post or just asking me... I added this one with four question marks after it meaning I am not sure if I fully agree with the value but respect Michael's opinion and think it will require the new overall flexible output framework I have been working on and can't be a quick addon to what is there now.
 
 
You can SORT OF do it now if you know that all fields you specify will be populated. The CSV option allows you to specify a default value for attributes that have no value, so something like this for instance would work great
 
adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -csv DISABLED samaccountname status
G:\Virtuals>adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -csv DISABLED samaccountname status
"dn","samaccountname","status"
"CN=Guest,CN=Users,DC=test,DC=loc","Guest","DISABLED"
"CN=krbtgt,CN=Users,DC=test,DC=loc","krbtgt","DISABLED"
 
 
That works because any object that matched would have a sAMAccountname and there is no attribute called status so it would always be null and so would always be populated with the string specified with the CSV switch.
 
It could work with the previous query as well if you knew for sure that first and last name were always populated, otherwise you would start seeing DISABLED popping up in those fields if they weren't populated.
 
 
  joe
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Al Mulnick
Sent: Wednesday, July 19, 2006 9:37 PM

To: ActiveDir@mail.activedir.org
Subject: Re: OT: adfind feature request (was RE: [ActiveDir] User extraction)

 
Ah.  I think joe has a wishlist on his site.  Have you tried posting it there?
 
In the meantime, you might consider just putting something in the stream and piping it to the file in between the types.  Not as clean, but... You could also write a script wrapper that calls this and appends it for you.  FWIW.
 
Al

 
On 7/19/06, Michael B. Smith < [EMAIL PROTECTED]> wrote:
'Cuz then I can follow it with the second request, appended into the proper file, and get the non-disabled accounts. To wit:
 
if exist output.txt del output.txt
adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -csv -nodn givenname sn text:disabled >>output.txt
adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2))" -csv -nodn givenname sn text:enabled >> output.txt
 
Am I lazy? Heck yes. But that feature would save me several manual steps.
 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] ] On Behalf Of Al Mulnick
Sent: Wednesday, July 19, 2006 7:36 PM
Subject: Re: OT: adfind feature request (was RE: [ActiveDir] User extraction)

 
Just for my benefit, if you use that query all the records returned are disabled accounts, so what would be the point of adding that text via the tool? What's the benefit? 


 
On 7/18/06, Michael B. Smith < [EMAIL PROTECTED]> wrote:
Feature request: give me a way, in the attribute list, to specify
arbitrary text for output. E.g., in this case for disabled:

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -csv -nodn givenname sn text:disabled

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, July 18, 2006 8:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User extraction

No that is what bitwise filters are all about, so you can focus in on just the disabled bit which happens to be bit 1 which is value 2. So to find all disabled users in a domain you do something like

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -dn

That will dump the DN of every disabled user, if you have a large domain with lots of objects that aren't users, especially say contacts, add -t 0 to disable the timeout for the query.

To answer the original question though and get just first name and last name you need to strip out the -dn from the command and specify those attributes' ldapdisplayname values in the command and add in -nodn and -csv so it doesn't output the DN and puts it all in csv format... So something like

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -csv -nodn givenname sn

And to get the enabled report

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2))" -csv -nodn givenname sn

Under ADAM (and theoretically under Longhorn AD) there is a new constructed attribute called msDS-UserAccountDisabled which will display the current disabled status of a user and note that userAccountControl IS NOT there. So on ADAM if you wanted to dump all user accounts in an instance including a field that would show TRUE if the account was disabled you could do something like

adfind -h adamserver:port -b -pr -f "&(objectcategory=person)(objectclass=user)" -csv -nodn givenname sn msDS-UserAccountDisabled

The sad thing in ADAM though is that there is no easy way to query only for disabled accounts... You have no choice but to enumerate all of them. Some of you may think, so what, that shouldn't take long... Consider an ADAM instance with several million users... Ditto for locked and expired accounts. One step forward, 3 steps back...

joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
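
The disabled-bit test described in the message above, applied offline to a single dump that includes userAccountControl, as an added example that is not part of the original thread. The sample rows, function names and the UNKNOWN status are assumptions made for illustration; the point is that masking with 2 catches disabled accounts whose value is not the literal 514.

```python
import csv
import io

# Disable flag from the userAccountControl table in KB 305144 (bit 1, value 2).
UAC_ACCOUNTDISABLE = 0x0002

# Constructed sample shaped like adfind -csv -nodn output for givenName, sn and
# userAccountControl; names and values are made up (66050 = 65536 + 512 + 2).
SAMPLE_CSV = '''"givenname","sn","userAccountControl"
"Ann","Archer","512"
"Bob","Baker","514"
"Cy","Cole","66048"
"Dee","Drake","66050"
"","Guest","66082"
"Eve","Eng",""
'''


def status_of(raw_uac):
    """Classify one userAccountControl value by testing only the disable bit."""
    raw_uac = (raw_uac or "").strip()
    if not raw_uac.isdigit():
        return "UNKNOWN"  # attribute missing or unreadable: do not guess
    return "DISABLED" if int(raw_uac) & UAC_ACCOUNTDISABLE else "ENABLED"


def build_report(csv_text):
    """Return (LastName, FirstName, status) rows for every user in the dump."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(r["sn"], r["givenname"], status_of(r["userAccountControl"]))
            for r in reader]


def missed_by_equality(csv_text, literal="514"):
    """Disabled accounts that a spreadsheet-style 'value == 514' check overlooks."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [r["sn"] for r in reader
            if status_of(r["userAccountControl"]) == "DISABLED"
            and r["userAccountControl"] != literal]


def to_csv(rows):
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["LastName", "FirstName", "isDisabled"])
    writer.writerows(rows)
    return out.getvalue()
```

Calling `to_csv(build_report(SAMPLE_CSV))` yields the LastName, FirstName, isDisabled layout asked for at the start of the thread in one pass, without merging two query results.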


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of Mike Newell
Sent: Tuesday, July 18, 2006 8:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User extraction

Cool. Wouldn't he need to run the bitwise query for every possible value
to make sure he gets all the accounts in the domain? Like account
disabled and password set to never expire?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Tuesday, July 18, 2006 2:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User extraction

You could also use the bit wise query operators to make a list of just
disabled and just enabled accounts, then merge the two w/ the appropriate
column ...

-B

On Tue, 18 Jul 2006, Mike Newell wrote:

> Hey,
>
> There's no isDisabled attribute that I know of. You could run the adfind
> command below and use the userAccountControl attribute to determine if
> the account is disabled or not.
>
> adfind -b dc=yourdomain,dc=com -nodn -f "(&(objectCategory=person)(objectClass=user))" givenName SN userAccountControl >> filename.txt
>
> You can do some stuff in Excel if you need a report that says disabled.
> 512 is normal, 514 is disabled, etc. Check here for the details on the
> values for the userAccountControl attribute.
>
>
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
>
>
>
> ________________________________
>
> From: [EMAIL PROTECTED]
> [mailto: [EMAIL PROTECTED]] On Behalf Of Harding, Devon
> Sent: Tuesday, July 18, 2006 11:41 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] User extraction
>
>
>
> What is the adfind syntax that will extract all users in a domain to a
> text file and contains the following field?
>
>
>
> LastName, FirstName    isDisabled
>
>
>
> -Devon
>
>
------------------------------------------------------------------------
> ---
> This message (including any attachments) is intended only for the use
of
> the individual or entity to which it is addressed and may contain
> information that is non-public, proprietary, privileged, confidential,
> and exempt from disclosure under applicable law or may constitute as
> attorney work product. If you are not the intended recipient, you are
> hereby notified that any use, dissemination, distribution, or copying
of
> this communication is strictly prohibited. If you have received this
> communication in error, notify us immediately by telephone and (i)
> destroy this message if a facsimile or (ii) delete this message
> immediately if this is an electronic communication.
> Thank you.
>
>
>
> This message and any attachments (the "Message") may contain
confidential, proprietary and/or privileged information and are only for
their intended recipient(s). If you are not the intended recipient, you
should notify the sender and delete the Message. E-mail transmissions
cannot be guaranteed to be secure or error-free. This Message is
provided for information purposes and should not be construed as a
solicitation or offer to buy or sell any securities or financial
instruments, or to provide investment advice in any jurisdiction where
the sender is not properly licensed or permitted to do so.  This Message
is subject to additional conditions and restrictions.  Please read them
here:  http://legal.dimensional.com/email/
>
>

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

