RE: [ActiveDir] Querying for all users
Doug,

I haven't done that with adfind, but here are some links for how you could use it using WshShell:

http://www.windowsitpro.com/WindowsScripting/Article/ArticleID/25285/25285.html

That links to an example:

LISTING 1: Code to Capture a Command-Line Tool's Output

Set objShell = CreateObject("WScript.Shell")
Set objScriptExec = objShell.Exec("ipconfig /all")
strIpConfig = objScriptExec.StdOut.ReadAll
WScript.Echo strIpConfig

But not sure that's going to give you what you want in ASP or other; you'd have to try it out and see. Also, being that it's adfind, you're likely crawling larger datasets and would need to adjust accordingly.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stelley, Douglas
Sent: Tuesday, March 01, 2005 7:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying for all users

I use queries like this for dozens of programs and scripts, but two of these are new to me. When I need to find/exclude a disabled account I'll use (!userAccountControl:1.2.840.113556.1.4.803:=2). I tried briefly the (useraccountcontrol:AND:=2), or the (!(useraccountcontrol:AND:=2)); I wasn't able to include/exclude disabled users. Is that unique to Adfind? The query I used to test for that, (&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)), brought up all users regardless of 512/514.

I'd love to be able to harness the powers of adfind in some of my existing scripts and ASP pages. Is there a link with perhaps an example or two of utilizing your program within a VB/VBS/ASP? Also, using (samaccounttype=805306368), is there a listing of the possible samaccount types?

Regards,
Doug Stelley

"O monstrous world! Take note, take note, o world, To be direct and honest is not safe!" -William Shakespeare.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, February 28, 2005 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying for all users

A couple of different ways:

adfind -bit -b dc=domain,dc=com -f "&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2))"
adfind -bit -b dc=domain,dc=com -f "&(objectcategory=person)(samaccountname=*)(!(useraccountcontrol:AND:=2))"
adfind -bit -b dc=domain,dc=com -f "&(samaccounttype=805306368)(!(useraccountcontrol:AND:=2))"

The tricky part is your requirement of being ENABLED. The only way to do that is to make sure the disabled flag is not set in the useraccountcontrol. That will seriously slow down the query.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Monday, February 28, 2005 5:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Querying for all users

Is there any attribute that is unique to real user accounts only (mail enabled and non-mail enabled)? We tried teaming up objectclass=user and givenname=*, but of course not all users have to have a given name. Then tried teaming up the objectclass with useraccountcontrol=5*, then we found out about the 66048's and 262656's... damn them. So, is there an ldap query that will give me all enabled active directory user accounts? Most likely it's so simple I would never have even thought about it.

TIA
Alex.

Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.
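Doug's question about the OID form versus adfind's :AND:= shortcut, joe's three adfind filters and Alex's 66048/262656 surprise all come down to how the bitwise matching rule evaluates against userAccountControl. The following is an added example, not code from the thread or from adfind: a small LDAP filter evaluator run over constructed sample objects (a set of users with the thread's userAccountControl values, a computer account and a contact), with the thread's filters written out with the leading & that the archived copy lost. It does what adfind -bit does by expanding :AND:= and :OR:= to the matching-rule OIDs 1.2.840.113556.1.4.803 and 1.2.840.113556.1.4.804, and it follows Active Directory's rule that an absent attribute never matches, so (!(...)) is true for objects that lack the attribute.

```python
"""Added example (not code from the thread or adfind): a small LDAP filter
evaluator run over constructed objects, showing what each thread filter really
selects. Models only & | !, equality, presence, a trailing wildcard, and the
two bitwise matching rules that adfind's -bit shortcuts expand to."""
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # what :AND:= becomes
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # what :OR:= becomes
# userAccountControl bits and sAMAccountType values that appear in the thread.
ACCOUNTDISABLE, NORMAL_ACCOUNT = 0x2, 0x200                   # 2, 512
DONT_EXPIRE_PASSWORD, SMARTCARD_REQUIRED = 0x10000, 0x40000   # with 512: 66048, 262656
SAM_NORMAL_USER_ACCOUNT, SAM_MACHINE_ACCOUNT = 805306368, 805306369
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]


def user(cn, uac):  # constructed user object; attribute names lower-cased for lookup
    return {"cn": cn, "objectcategory": "person", "objectclass": USER_CLASSES,
            "samaccountname": cn, "samaccounttype": SAM_NORMAL_USER_ACCOUNT,
            "useraccountcontrol": uac}


SAMPLE_OBJECTS = [
    user("alice", NORMAL_ACCOUNT),                                         # 512
    user("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE),                          # 514
    user("carol", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),                  # 66048
    user("dave", NORMAL_ACCOUNT | SMARTCARD_REQUIRED),                     # 262656
    user("erin", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE),  # 66050
    # A computer (objectClass includes user, objectCategory is computer, UAC 4096)
    # and a contact (objectCategory person, but no userAccountControl/sAMAccountName).
    {"cn": "ws01", "objectcategory": "computer", "objectclass": USER_CLASSES + ["computer"],
     "samaccountname": "ws01$", "samaccounttype": SAM_MACHINE_ACCOUNT, "useraccountcontrol": 0x1000},
    {"cn": "vendor.rep", "objectcategory": "person", "objectclass": USER_CLASSES[:3] + ["contact"]},
]


def expand_bit_shortcuts(text):
    """What adfind -bit does: swap :AND:= / :OR:= for the matching-rule OIDs."""
    return (text.replace(":AND:=", f":{LDAP_MATCHING_RULE_BIT_AND}:=")
                .replace(":OR:=", f":{LDAP_MATCHING_RULE_BIT_OR}:="))


def parse_filter(text):
    """Recursive-descent parse of an LDAP filter into a nested tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op, children, pos = text[pos], [], pos + 1
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":  # e.g. (!attr=...) with no inner ( ): not valid syntax
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        lhs, value = text[pos:end].split("=", 1)
        pos = end + 1
        if ":" in lhs:  # extensible match: attr:OID:=value
            attr, rule = lhs.split(":", 1)
            return ("rule", attr.lower(), rule.strip(":"), int(value))
        return ("eq", lhs.lower(), value)

    return node()


def matches(tree, obj):
    """Evaluate a parsed filter against one object. An absent attribute never
    matches, so (!(...)) is true for objects that lack the attribute."""
    kind = tree[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(c, obj) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], obj)
    if kind == "rule":
        _, attr, rule, mask = tree
        if rule not in (LDAP_MATCHING_RULE_BIT_AND, LDAP_MATCHING_RULE_BIT_OR):
            raise ValueError(f"unsupported matching rule {rule}")
        if attr not in obj:
            return False
        bits = int(obj[attr]) & mask
        return bits == mask if rule == LDAP_MATCHING_RULE_BIT_AND else bits != 0
    _, attr, pattern = tree
    values = obj.get(attr, [])
    for value in map(str, values if isinstance(values, list) else [values]):
        if pattern == "*":  # presence test
            return True
        if pattern.endswith("*") and value.lower().startswith(pattern[:-1].lower()):
            return True  # trailing wildcard as a text prefix, the way Alex's 5* reads
        if value.lower() == pattern.lower():
            return True
    return False


def select(filter_text, objects=SAMPLE_OBJECTS):  # sorted cn of every match
    tree = parse_filter(expand_bit_shortcuts(filter_text))
    return sorted(o["cn"] for o in objects if matches(tree, o))


FILTERS = {  # the thread's filters, with the leading & that the archive lost
    "joe, objectclass=user": "(&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2)))",
    "joe, samaccounttype": "(&(samaccounttype=805306368)(!(useraccountcontrol:AND:=2)))",
    "Sakari": "(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=512))",
    "Jorge": "(&(objectcategory=person)(samaccountname=*))",
    "person, not disabled": "(&(objectcategory=person)(!(useraccountcontrol:AND:=2)))",
    "Alex, 5*": "(&(objectclass=user)(useraccountcontrol=5*))",
}
```

Calling select() on each entry of FILTERS shows the differences the thread is circling around: joe's two filters return alice, carol and dave (enabled, whatever other bits are set); Sakari's filter and Jorge's return the same five users, disabled ones included, because 514 and 66050 still carry bit 512; objectcategory=person with only the not-disabled test also lets the contact through, since it has no userAccountControl at all, which is why joe adds objectclass=user or samaccountname=*; and a textual 5* test keeps the disabled bob while losing carol and dave. The parser also rejects the unparenthesised (!useraccountcontrol:AND:=2) from Doug's test query, since in LDAP filter syntax the operand of ! must itself be a parenthesised filter.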
RE: [ActiveDir] Querying for all users
It isn't such a huge burden if you have a script that gathers the info and writes it to a centralized location. In fact, it would probably be the least burdensome method unless you have already implemented some monitoring agent for each DC that scrapes event logs and you can just tell it to scrape some more.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Saleem, Mohamed Yunus
Sent: Monday, February 28, 2005 11:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying for all users

Hi All,

Is there a way that I can know which users have logged on to which DC? On an individual client PC, if I type the set command I will know the logon server. But this is a huge burden. If there is a command in AD that can tell me which users have logged on to which DC, this will help me to isolate user logon delays and authentication.

Thanks

Have a Wonderful Day
Mohamed Yunus Saleem
System Network Specialist - IT Dept.
Royal Commission for Jubail Project.
Jubail Industrial City.
+966-3-3414213
[EMAIL PROTECTED]
www.rcjubail.gov.sa
RE: [ActiveDir] Querying for all users
Yes, the ":AND:=" and ":OR:=" are shortcuts in adfind (coupled with the -bit operator) to insert the appropriate OIDs into the filter for you. I found I preferred to just search for stuff versus having to memorize or look up the OIDs all the time.

I don't have any links showing how to do it from vb/vbs/asp. I don't use it from any of them. I do my scripting from perl. Using it from perl is extremely easy:

@output=`adfind parameters`;

As for parsing the output, look at the perl script that comes in the zip file. A lot of the output is formatted the way it is so I can easily yank it out of perl.

You can pretty quickly do a search on samaccounttype. A good start though is to look at your own directory and see the values. Another spot to look is MSDN, one spot on MSDN is http://msdn.microsoft.com/library/default.asp?url=

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stelley, Douglas
Sent: Tuesday, March 01, 2005 7:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying for all users
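Al's WScript.Shell Exec / StdOut.ReadAll listing and joe's perl @output=`adfind parameters` both just capture adfind's text and leave the parsing to the caller. Here is the same idea in Python, as an added example that is not code from the thread, from adfind or from joeware: run_adfind shells out the same way and parse_adfind_output turns the captured text into dictionaries. The output layout it expects (a dn: line per object, then one >attribute: value line per value, with banner and summary lines around them) is an assumption about adfind's format, the sample text is constructed, and run_adfind is only exercised against a live domain.

```python
"""Added example (not code from the thread, adfind or joeware): capture adfind's
output from a script, as Al's WScript.Shell Exec / StdOut.ReadAll listing and
joe's perl @output=`adfind ...` do, and parse the captured text in Python.
ASSUMED output layout: a "dn:" line per object, then one ">attribute: value"
line per value, objects separated by blank lines, banner/summary lines around
them. Check it against your adfind version before relying on the parser."""
import subprocess

# Constructed sample in that layout; not real directory data or a real banner.
SAMPLE_OUTPUT = """\
AdFind (constructed banner line)
Using server: dc1.domain.com:389

dn:CN=alice,OU=Staff,DC=domain,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>sAMAccountName: alice
>userAccountControl: 66048

dn:CN=bob,OU=Staff,DC=domain,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>sAMAccountName: bob
>userAccountControl: 514

2 Objects returned
"""


def parse_adfind_output(text):
    """Turn adfind-style text into a list of {attribute: [values]} dicts.
    Every attribute is a list, so multi-valued ones (objectClass) and
    single-valued ones are handled alike; keys are lower-cased; other lines
    (banner, summary, blanks) are ignored. Works for -dn output too."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("dn:"):
            current = {"dn": [line[3:].strip()]}
            objects.append(current)
        elif line.startswith(">") and current is not None and ":" in line:
            attr, value = line[1:].split(":", 1)
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return objects


def enabled_users(objects):
    """Client-side version of the thread's test: bit 2 (ACCOUNTDISABLE) clear.
    Useful when the query itself could not exclude disabled accounts."""
    return [o["dn"][0] for o in objects
            if "useraccountcontrol" in o and not int(o["useraccountcontrol"][0]) & 2]


def run_adfind(*args):
    """Run adfind (must be on PATH, Windows host) and parse what it printed.
    The list form passes filter text containing & or ! through without a
    shell, which is the VBScript Exec / perl backtick step done safely."""
    completed = subprocess.run(["adfind", *args], capture_output=True,
                               text=True, check=True)
    return parse_adfind_output(completed.stdout)


if __name__ == "__main__":
    objs = parse_adfind_output(SAMPLE_OUTPUT)   # offline, on the constructed sample
    for obj in objs:
        print(obj["dn"][0], obj.get("useraccountcontrol"))
    print("enabled:", enabled_users(objs))
    # Live domain, joe's first filter (uncomment on a host with adfind):
    # print(run_adfind("-bit", "-b", "dc=domain,dc=com", "-f",
    #                  "&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2))"))
```

Keeping every attribute as a list is what makes objectClass and the single-valued attributes parse the same way; and because run_adfind passes an argument list rather than a command string, a filter containing & or ! never reaches cmd.exe, where those characters have their own meaning.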
RE: [ActiveDir] Querying for all users
Thanks for the reply. I had gone to the MSDN site but unfortunately left more confused than before, no surprise with MSDN. No, what I was looking for basically was a listing of the different types. Don't know offhand if it could be handy, but anything I can use to find the right accounts with the least effort is always handy.

Thanks for explaining the shortcuts, that explained a lot. Thanks to Al for the quick listing, I believe I can get what I need from that. Now to research ADFIND/ADMOD to see how it can make my life bearable.

I normally program in TCL/TK, but recently started in with vbs/asp/hta, and will need to delve into .NET soon; I don't want to learn Perl unless I have to. I'm already inserting the wrong code into the wrong program as it is.

I'm so glad I stumbled into this listserv, an awesome amount of talent here. I was already a big fan of Joeware if only for the examples there, but to actually speak with the real Joe, Christ that's real cool.

Regards,
Doug Stelley

"A knowledgeable fool is a greater fool than an ignorant fool."

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, March 01, 2005 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying for all users
RE: [ActiveDir] Querying for all users
LOL. Be careful what you say or people will start to listen to what I say. We don't want that.

The thing I like about perl is that if I have a script I need to move into CGI, I have far less code I tend to change. vbscript always tends to bite me due to the different ways in which it seems to be interpreted and the general security context issues. I feel I have more and simpler control in CGI. Also, if you have the Perl Dev Kit you can easily compile perl to executables and have any binaries you need included into the exe as well.

Reading the info out in MSDN can sometimes be an art. You combine the info there with the C header files to find what you need. The more time you spend there the better you get at finding things.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stelley, Douglas
Sent: Tuesday, March 01, 2005 10:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying for all users
RE: [ActiveDir] Querying for all users
Hi,

The following should return all user accounts (DNs only):

ADFIND -dn -b dc=joehome,dc=net -f "&(objectcategory=person)(samaccountname=*)"

Cheers,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 2/28/2005 11:48 PM
Subject: [ActiveDir] Querying for all users

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Querying for all users
Hi Alex,

The following filter might be right for you:

(&(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=512))

Yours,
Sakari

PS. This gives the same result as Jorge's filter, that he just sent, but mine looks cooler :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Tuesday, March 01, 2005 12:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Querying for all users
RE: [ActiveDir] Querying for all users
Lol, Dang! Always forget about the objectcategory attrib. Thanks guys!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sakari Kouti
Sent: Monday, February 28, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying for all users
RE: [ActiveDir] Querying for all users
A couple of different ways:

adfind -bit -b dc=domain,dc=com -f "&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2))"
adfind -bit -b dc=domain,dc=com -f "&(objectcategory=person)(samaccountname=*)(!(useraccountcontrol:AND:=2))"
adfind -bit -b dc=domain,dc=com -f "&(samaccounttype=805306368)(!(useraccountcontrol:AND:=2))"

The tricky part is your requirement of being ENABLED. The only way to do that is to make sure the disabled flag is not set in the useraccountcontrol. That will seriously slow down the query.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Monday, February 28, 2005 5:48 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Querying for all users
RE: [ActiveDir] Querying for all users
Hi All,

Is there a way that I can know which users have logged on to which DC? On an individual client PC, if I type the set command I will know the logon server. But this is a huge burden. If there is a command in AD that can tell me which users have logged on to which DC, this will help me to isolate user logon delays and authentication.

Thanks

Have a Wonderful Day
Mohamed Yunus Saleem
System Network Specialist - IT Dept.
Royal Commission for Jubail Project.
Jubail Industrial City.
+966-3-3414213
[EMAIL PROTECTED]
www.rcjubail.gov.sa
RE: [ActiveDir] Querying for all users
Yeah, enable auditing on each DC through the DDC-GPO and then suck out the security log of each DC. One of the free tools to do this is EventComb from MS.

Regards,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Saleem, Mohamed Yunus
Sent: Tuesday, March 01, 2005 05:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Querying for all users
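joe's suggestion of a script that gathers the logon information from every DC into one place, and Jorge's of enabling auditing and pulling each DC's security log (EventComb being one way to do that), both end with a pile of per-DC records that still need correlating. The following is an added example, not code from the thread, from EventComb or from Microsoft: it reads a constructed central CSV of account-logon events (the collector's column layout, the site subnets and the DC placement are all assumptions) and answers Mohamed's question user by user, then the follow-up he is really after: which clients authenticated at a DC outside their own site. The event IDs are the real Kerberos TGT and NTLM account-logon IDs (672 and 680 on Windows 2000/2003 DCs, 4768 and 4776 from Windows Server 2008 on).

```python
"""Added example (not code from the thread, EventComb or Microsoft): correlate
"which user authenticated at which DC" from account-logon events that a
collection script has pulled from every DC into one central CSV.
ASSUMED: the collector writes dc,timestamp,event_id,user,client_ip per event;
the site subnets and DC placement below are constructed. The event IDs are
the real Kerberos TGT and NTLM account-logon IDs: 672 and 680 on Windows
2000/2003 DCs, 4768 and 4776 from Windows Server 2008 on."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

AUTH_EVENT_IDS = {672, 680, 4768, 4776}

# Constructed central log, as a per-DC gathering script might have written it.
# The 540 line is a network logon to the DC itself, not an account
# authentication, so the parser drops it.
CENTRAL_LOG = """\
dc,timestamp,event_id,user,client_ip
DC1,2005-03-01T07:58:10,672,alice,10.1.0.25
DC1,2005-03-01T07:59:02,680,bob,10.1.0.31
DC2,2005-03-01T08:01:44,672,carol,10.2.0.40
DC2,2005-03-01T08:03:17,672,alice,10.1.0.25
DC2,2005-03-01T08:03:20,672,alice,10.1.0.25
DC1,2005-03-01T08:10:05,540,alice,10.1.0.25
DC2,2005-03-01T08:12:00,672,dave,10.2.0.77
"""

# Constructed site layout: subnet -> site, and the site each DC lives in.
SITE_SUBNETS = {"HQ": ipaddress.ip_network("10.1.0.0/16"),
                "Branch": ipaddress.ip_network("10.2.0.0/16")}
DC_SITE = {"DC1": "HQ", "DC2": "Branch"}


def parse_central_log(text):
    """Read the collector's CSV and keep only account-logon events."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if int(row["event_id"]) in AUTH_EVENT_IDS:
            rows.append({"dc": row["dc"], "user": row["user"], "timestamp": row["timestamp"],
                         "client_ip": ipaddress.ip_address(row["client_ip"])})
    return rows


def logon_dcs_by_user(rows):
    """Mohamed's question: user -> {DC: number of authentications there}."""
    per_user = defaultdict(Counter)
    for r in rows:
        per_user[r["user"]][r["dc"]] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def site_of(ip):
    """Site whose subnet contains the client address, or None if unmapped."""
    return next((site for site, net in SITE_SUBNETS.items() if ip in net), None)


def cross_site_logons(rows):
    """(user, dc, client_ip, client_site) for authentications at a DC outside
    the client's site: the first place to look for DC-selection logon delays."""
    return [(r["user"], r["dc"], str(r["client_ip"]), site_of(r["client_ip"]))
            for r in rows if site_of(r["client_ip"]) != DC_SITE[r["dc"]]]


if __name__ == "__main__":
    rows = parse_central_log(CENTRAL_LOG)
    for user, dcs in sorted(logon_dcs_by_user(rows).items()):
        print(f"{user:8} {dcs}")
    for hit in cross_site_logons(rows):
        print("cross-site:", hit)
```

On the constructed log, alice authenticates once at DC1 and twice at DC2 although her client sits in the HQ subnet, which is exactly the kind of record that explains a slow logon; the per-user table alone would not have made that visible.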