The equals operator is looking for an exact match.  As userAccountControl is a 
bitwise attribute (each bit represents an option), in many cases it won't 
be 65536.  Using the logical AND matching rule (1.2.840.113556.1.4.803) means 
that it checks the bit in question, regardless of what other bits are set.

As for how you use the AND matching rule, you actually write it as 
<identifier>:<matching rule>:=<value> 

e.g. 

(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))

More info. here:
 -- http://msdn2.microsoft.com/en-us/library/aa746475.aspx


--Paul
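As an added illustration (not code from Paul, Jorge or the ActiveDir list), here is a small Python model of how AD evaluates the three filter forms discussed in this thread (plain `=`, the bitwise AND rule 1.2.840.113556.1.4.803, and the bitwise OR rule 1.2.840.113556.1.4.804) against a constructed set of accounts. The flag values are the documented userAccountControl bits; the account names and their flag combinations are made up to mirror the cases Yann describes.

```python
import re

# userAccountControl flag values (see the KB article cited in the thread)
UF_ACCOUNTDISABLE     = 0x0002
UF_NORMAL_ACCOUNT     = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_NOT_DELEGATED      = 0x100000

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR  = "1.2.840.113556.1.4.804"

# Constructed sample directory: the three flag combinations from the thread,
# plus one account whose password does expire.
DIRECTORY = {
    "alice": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,                      # 66048
    "bob":   UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,  # 66050
    "carol": (UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT
              | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED),
    "dave":  UF_NORMAL_ACCOUNT,                                              # 512
}

# <attribute>[:<matching rule OID>:]=<value>
_ASSERTION = re.compile(r"^userAccountControl(?::([\d.]+):)?=(\d+)$", re.IGNORECASE)


def uac_matches(filter_item, uac):
    """Evaluate one userAccountControl assertion the way the directory does."""
    m = _ASSERTION.match(filter_item)
    if not m:
        raise ValueError(f"unsupported filter item: {filter_item}")
    rule, value = m.group(1), int(m.group(2))
    if rule is None:                           # plain '=' requires an exact match
        return uac == value
    if rule == LDAP_MATCHING_RULE_BIT_AND:     # every bit in value must be set
        return uac & value == value
    if rule == LDAP_MATCHING_RULE_BIT_OR:      # at least one bit in value is set
        return uac & value != 0
    raise ValueError(f"unknown matching rule OID: {rule}")


def search(filter_item):
    """Return the sorted names of accounts whose UAC satisfies the assertion."""
    return sorted(n for n, uac in DIRECTORY.items() if uac_matches(filter_item, uac))


if __name__ == "__main__":
    for f in ("userAccountControl=65536",
              "userAccountControl:1.2.840.113556.1.4.803:=65536"):
        print(f, "->", search(f))
```

The first query returns nothing because no account's value is exactly 65536, while the bitwise AND form finds every account with the DONT_EXPIRE_PASSWD bit set, whatever else is set alongside it.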


  ----- Original Message ----- 
  From: Yann 
  To: ActiveDir@mail.activedir.org 
  Sent: Monday, October 09, 2006 6:24 PM
  Subject: RE : RE: [ActiveDir] finding users that password never expire.


  Yes! Thanks, that works so well!! :o)

  But I have many questions..
  What is the difference between the query "userAccountControl=65536" and 
"(userAccountControl:1.2.840.113556.1.4.803:=65536)"? 
  Why couldn't I find any results with my first query?
  And how do you construct the ":1.2.840.113556.1.4.803:" part of the ldap 
query?

  Thanks for your answer :)

  Yann


  "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote:
    to search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled
    ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"

    and to use it with a saved query use as the LDAP filter:
    (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

    with joe's ADFIND you can just specify AND or OR without the need to know the OID
    OR is by the way: 1.2.840.113556.1.4.804

    for the other values see:
    MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User Account Properties

    jorge


--------------------------------------------------------------------------
      From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
      Sent: Monday, October 09, 2006 17:44
      To: ActiveDir@mail.activedir.org
      Subject: [ActiveDir] finding users that password never expire.


      Hello all,

      I had to dump from AD all users whose password never expires.
      I used the saved queries with this custom ldap query:
      useraccountcontrol=66048 which corresponds to the NORMAL_ACCOUNT & 
DONT_EXPIRE_PASSWORD property flags.
      BUT I found that this search was not complete, because some users have 
other property flags such as 
      UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or 
UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | 
UF_NOT_DELEGATED ... :(

      So the question is:
      How to search for user accounts that have at least the 
DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol?
      Is there a way to do it with a custom ldap query?

      Thanks,

      Yann







