RE: [ActiveDir] LDAP search filter for enabled accounts ?
Jerry - Thanks! Works like a charm.

Dave

-----Original Message-----
From: Jerry Welch [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP search filter for enabled accounts ?

Dave,

As I understand it, the following identifies a user account that is disabled:

    (userAccountControl:1.2.840.113556.1.4.803:=2)

That is, the account is disabled when this value is set to 2. To exclude disabled accounts you would use the following string, plus any other filters you want to apply:

    (!(userAccountControl:1.2.840.113556.1.4.803:=2))

Jerry Welch
CPS Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David A
Sent: Thursday, August 14, 2003 1:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP search filter for enabled accounts ?

Is there anything I can use in an LDAP search filter to include only accounts that are enabled? For example, a filter like

    (&(objectclass=user)(objectcategory=person)(physicalDeliveryOfficeName=MSPJ))

will find all user objects whose office is in building MSPJ - I'd like to add an argument that limits this to user objects that meet that condition that are enabled.

Dave

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] LDAP search filter for enabled accounts ?
Dave,

As I understand it, the following identifies a user account that is disabled:

    (userAccountControl:1.2.840.113556.1.4.803:=2)

That is, the account is disabled when this value is set to 2. To exclude disabled accounts you would use the following string, plus any other filters you want to apply:

    (!(userAccountControl:1.2.840.113556.1.4.803:=2))

Jerry Welch
CPS Systems

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David A
Sent: Thursday, August 14, 2003 1:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP search filter for enabled accounts ?

Is there anything I can use in an LDAP search filter to include only accounts that are enabled? For example, a filter like

    (&(objectclass=user)(objectcategory=person)(physicalDeliveryOfficeName=MSPJ))

will find all user objects whose office is in building MSPJ - I'd like to add an argument that limits this to user objects that meet that condition that are enabled.

Dave
RE: [ActiveDir] LDAP search filter for enabled accounts ?
Non-disabled user accounts (excluding system security principals such as trust accounts) -

    (&(objectcategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl=2080)))

Disabled user accounts (excluding system security principals such as trust accounts) -

    (&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2)(!(userAccountControl=2080)))

The 1.2.840.113556.1.4.803 control indicates a bitwise operation. A summary of the bit triggers known to me is outlined below -

    Decimal   Flag                                      Hex
    1         ADS_UF_SCRIPT                             0x1
    2         ADS_UF_ACCOUNTDISABLE                     0x2
    4                                                   0x4
    8         ADS_UF_HOMEDIR_REQUIRED                   0x8
    16        ADS_UF_LOCKOUT                            0x10
    32        ADS_UF_PASSWD_NOTREQD                     0x20
    64        ADS_UF_PASSWD_CANT_CHANGE                 0x40
    128       ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED    0x80
    256       ADS_UF_TEMP_DUPLICATE_ACCOUNT             0x100
    512       ADS_UF_NORMAL_ACCOUNT                     0x200
    1024                                                0x400
    2048      ADS_UF_INTERDOMAIN_TRUST_ACCOUNT          0x800
    4096      ADS_UF_WORKSTATION_TRUST_ACCOUNT          0x1000
    8192      ADS_UF_SERVER_TRUST_ACCOUNT               0x2000
    16384                                               0x4000
    32768                                               0x8000
    65536     ADS_UF_DONT_EXPIRE_PASSWD                 0x1
    131072    ADS_UF_MNS_LOGON_ACCOUNT                  0x2
    262144    ADS_UF_SMARTCARD_REQUIRED                 0x4
    524288    ADS_UF_TRUSTED_FOR_DELEGATION             0x8
    1048576   ADS_UF_NOT_DELEGATED                      0x10

HTH

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David A
Sent: Friday, August 15, 2003 2:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP search filter for enabled accounts ?

Is there anything I can use in an LDAP search filter to include only accounts that are enabled? For example, a filter like

    (&(objectclass=user)(objectcategory=person)(physicalDeliveryOfficeName=MSPJ))

will find all user objects whose office is in building MSPJ - I'd like to add an argument that limits this to user objects that meet that condition that are enabled.

Dave
RE: [ActiveDir] LDAP search filter for enabled accounts ?
Thanks Dean - from your answer and that of Mr. Welch, it was a quick trip to Google to find MS KB article 269181 that explains this in detail (in case anybody else is interested). The part about there being two controls available (bitwise AND and bitwise OR) will be helpful for other things I might want to do. Thanks again.

Dave

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 4:35 PM
To: AD mailing list (send)
Subject: RE: [ActiveDir] LDAP search filter for enabled accounts ?

Non-disabled user accounts (excluding system security principals such as trust accounts) -

    (&(objectcategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl=2080)))

Disabled user accounts (excluding system security principals such as trust accounts) -

    (&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2)(!(userAccountControl=2080)))

The 1.2.840.113556.1.4.803 control indicates a bitwise operation. A summary of the bit triggers known to me is outlined below -

    Decimal   Flag                                      Hex
    1         ADS_UF_SCRIPT                             0x1
    2         ADS_UF_ACCOUNTDISABLE                     0x2
    4                                                   0x4
    8         ADS_UF_HOMEDIR_REQUIRED                   0x8
    16        ADS_UF_LOCKOUT                            0x10
    32        ADS_UF_PASSWD_NOTREQD                     0x20
    64        ADS_UF_PASSWD_CANT_CHANGE                 0x40
    128       ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED    0x80
    256       ADS_UF_TEMP_DUPLICATE_ACCOUNT             0x100
    512       ADS_UF_NORMAL_ACCOUNT                     0x200
    1024                                                0x400
    2048      ADS_UF_INTERDOMAIN_TRUST_ACCOUNT          0x800
    4096      ADS_UF_WORKSTATION_TRUST_ACCOUNT          0x1000
    8192      ADS_UF_SERVER_TRUST_ACCOUNT               0x2000
    16384                                               0x4000
    32768                                               0x8000
    65536     ADS_UF_DONT_EXPIRE_PASSWD                 0x1
    131072    ADS_UF_MNS_LOGON_ACCOUNT                  0x2
    262144    ADS_UF_SMARTCARD_REQUIRED                 0x4
    524288    ADS_UF_TRUSTED_FOR_DELEGATION             0x8
    1048576   ADS_UF_NOT_DELEGATED                      0x10

HTH

Dean
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Fugleberg, David A
Sent: Friday, August 15, 2003 2:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP search filter for enabled accounts ?

Is there anything I can use in an LDAP search filter to include only accounts that are enabled? For example, a filter like

    (&(objectclass=user)(objectcategory=person)(physicalDeliveryOfficeName=MSPJ))

will find all user objects whose office is in building MSPJ - I'd like to add an argument that limits this to user objects that meet that condition that are enabled.

Dave
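
Added example (not part of any message in the thread): a Python sketch that builds the office filter with the "not disabled" clause and models offline how the bitwise AND rule from the replies, and the companion OR rule, compare userAccountControl against a mask. The function names, the sample values and the OR rule's OID 1.2.840.113556.1.4.804 are assumptions of this example and do not appear in the thread; flag values are the decimal ones from the list.

```python
# Added example; flag values are the decimal column of the list in the thread.
ACCOUNTDISABLE = 2
PASSWD_NOTREQD = 32
NORMAL_ACCOUNT = 512
INTERDOMAIN_TRUST_ACCOUNT = 2048
DONT_EXPIRE_PASSWD = 65536

BIT_AND = "1.2.840.113556.1.4.803"  # match when every bit of the mask is set
BIT_OR = "1.2.840.113556.1.4.804"   # match when any bit of the mask is set


def escape_filter_value(value):
    """RFC 4515 escaping, so the value cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def enabled_users_filter(office):
    """The office filter from the question plus the 'not disabled' clause."""
    return ("(&(objectclass=user)(objectcategory=person)"
            "(physicalDeliveryOfficeName=%s)(!(userAccountControl:%s:=%d)))"
            % (escape_filter_value(office), BIT_AND, ACCOUNTDISABLE))


def bit_match(uac, rule, mask):
    """Offline model of how the two bitwise rules compare a value to a mask."""
    if rule == BIT_AND:
        return uac & mask == mask
    if rule == BIT_OR:
        return uac & mask != 0
    raise ValueError("unknown matching rule: " + rule)


def is_enabled(uac):
    return not bit_match(uac, BIT_AND, ACCOUNTDISABLE)


# Constructed sample userAccountControl values, not taken from a real directory.
SAMPLES = {
    "enabled user": NORMAL_ACCOUNT,
    "disabled user": NORMAL_ACCOUNT | ACCOUNTDISABLE,
    "disabled, no expiry": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWD,
    "trust account": INTERDOMAIN_TRUST_ACCOUNT | PASSWD_NOTREQD,
}

if __name__ == "__main__":
    print(enabled_users_filter("MSPJ"))
    for name, uac in SAMPLES.items():
        print("%-20s %6d  equals 2: %-5s  enabled: %s"
              % (name, uac, uac == 2, is_enabled(uac)))
```

None of the sample values equals 2, which is why a plain (userAccountControl=2) comparison would miss the disabled accounts that the bitwise rule finds.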