Well, that isn't going to do quite what you want.
For example, if you have a disabled user who also has "password never expires" set, instead of userAccountControl being 514, it will be 66050.

I just happened to write a blog post about a related matter earlier today. Wrappage:

<http://theessentialexchange.com/blogs/michael/archive/2008/12/11/useraccountcontrol-manipulation.aspx>

You can take that same technique and do something like the below in PowerShell. Redirect that into a file, sort it in Excel, and exclude the OU you don't want. Save it and hand it to your dept mate.

Now, there is a way to do bit-wise searches in adfind. Now that I've told you a different way to do it, you can do what you want in adfind this way:

    Adfind -default -bit -f userAccountControl:AND:2 -excldn ou=someou,dc=example,dc=com -list -csv -nocsvheader givenName sn sAMAccountName

PowerShell

    # ADS_UF_ACCOUNTDISABLE bit of userAccountControl
    $ADS_UF_ACCOUNTDISABLE = 0x02

    # Search the current domain for all user objects
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry()
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    $objSearcher.Filter = "(&(objectCategory=person)(objectClass=user))"
    $results = $objSearcher.FindAll()

    foreach ($result in $results)
    {
        $user = [adsi]$result.Path
        $value = $user.userAccountControl.Item(0)
        # Test the disabled bit rather than comparing the whole value
        if (($value -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
        {
            ("`t" + $user.givenName.item(0) + " " + $user.sn.item(0) + " " + $user.sAMAccountName.item(0) + " " + $result.Path)
        }
    }

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php

From: michael.le...@pha.phila.gov [mailto:michael.le...@pha.phila.gov]
Sent: Thursday, December 11, 2008 3:39 PM
To: NT System Admin Issues
Subject: ADFIND filter question

Sorry for the slightly OT question, but joeware.net seems to be under construction, so I can't get to the forums.

Here's what I wanna do ... list all disabled users, in all OUs, *except* one particular OU. And constructing LDAP style filters is far from my strong suit. And I will then feed this over to my dept mate, who will use the extracted file as input to clean up our Notes server.

    adfind -b "DC=company,DC=com" -list -csv -nocsvheader -f (userAccountControl="514") givenName sn sAMAccountName

I know that a value of "514" means disabled; what I don't know is how to construct a compound expression to say (userAccountControl="514" AND OU != "name-of-OU").

Pointers? And how do you specify just the OU portion of the dn, anyway, for use in filters or return values?

Thanks

--
Michael Leone
Network Administrator, ISM
Philadelphia Housing Authority
2500 Jackson St
Philadelphia, PA 19145
Tel: 215-684-4180
Cell: 215-252-0143
<mailto:michael.le...@pha.phila.gov>
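
The 514 versus 66050 point from the reply and the OU exclusion asked about in the original message, as an added PowerShell example that is not part of the thread. The function names, the sample records and the excluded OU DN are constructed for illustration; the OID in the filter string is Active Directory's bitwise AND matching rule, which gives the same server-side test as adfind's -bit shorthand.

```powershell
# Added example: constructed sample data, no directory connection needed.
$ADS_UF_ACCOUNTDISABLE = 0x0002

# Server-side form of the bit test, usable as a DirectorySearcher filter.
# LDAP_MATCHING_RULE_BIT_AND matches when every bit in the given value is set.
$DisabledUserFilter = '(&(objectCategory=person)(objectClass=user)' +
                      '(userAccountControl:1.2.840.113556.1.4.803:=2))'

function Test-DnUnderOu {
    param([string]$Dn, [string]$OuDn)
    # Suffix match on the DN, so objects in child OUs of $OuDn are covered too.
    # Assumes DNs in the form AD returns them (no spaces after commas).
    return $Dn.EndsWith(",$OuDn", [System.StringComparison]::OrdinalIgnoreCase)
}

function Select-DisabledUser {
    param([object[]]$Users, [string]$ExcludeOuDn)
    foreach ($u in $Users) {
        # Test only the disabled bit; other flags may be set alongside it.
        $disabled = ($u.userAccountControl -band $ADS_UF_ACCOUNTDISABLE) -ne 0
        if ($disabled -and -not (Test-DnUnderOu $u.distinguishedName $ExcludeOuDn)) {
            $u
        }
    }
}

# Constructed records: 512 = normal, 514 = normal + disabled,
# 66050 = normal + disabled + password never expires.
$sample = @(
    [pscustomobject]@{ givenName='Ann'; sn='Able';  sAMAccountName='aable';  userAccountControl=514
                       distinguishedName='CN=Ann Able,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ givenName='Bob'; sn='Baker'; sAMAccountName='bbaker'; userAccountControl=66050
                       distinguishedName='CN=Bob Baker,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ givenName='Cy';  sn='Cole';  sAMAccountName='ccole';  userAccountControl=512
                       distinguishedName='CN=Cy Cole,OU=Staff,DC=example,DC=com' }
    [pscustomobject]@{ givenName='Dee'; sn='Dunn';  sAMAccountName='ddunn';  userAccountControl=66050
                       distinguishedName='CN=Dee Dunn,OU=Temps,OU=SomeOU,DC=example,DC=com' }
)

# Equality on 514 misses Bob; the bit test finds him and the exclusion drops Dee.
$naive = @($sample | Where-Object { $_.userAccountControl -eq 514 })
$kept  = @(Select-DisabledUser -Users $sample -ExcludeOuDn 'OU=SomeOU,DC=example,DC=com')
"equality on 514: $($naive.Count) account(s); bit test with OU exclusion: $($kept.Count)"
$kept | Select-Object givenName, sn, sAMAccountName | ConvertTo-Csv -NoTypeInformation
```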