to search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled
ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"
and to use it with a saved query use as the LDAP filter:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
with joe's ADFIND you can just specify AND or OR without the need to know the OID
OR is by the way: 1.2.840.113556.1.4.804
for the other values see:
MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User Account Properties
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, October 09, 2006 17:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding users that password never expire.Hello all,I had to do dump in AD all users whose password never expires.I used the saved queries with this custom ldap query :useraccountcontrol=66048 which corresponds to NORMAL_ACCOUNT & DONT_EXPIRE_PASSWORD properties flag.BUT i found that this search was not complete, because some users have other properties flag such asUF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(So the question is:How to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set to their useraccountcontrol ?Is there a way to do it with a custom ldap query ?Thanks,Yann
Découvrez un nouveau moyen de poser toutes vos questions quel que soit le sujet ! Yahoo! Questions/Réponses pour partager vos connaissances, vos opinions et vos expériences. Cliquez ici.
This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
