RE: [ActiveDir] finding computer objects

2005-10-16 Thread joe



Because you will never have the case of 
userAccountControl=2 so that query will never be true. 
 
userAccountControl is a bit flag, not an absolute 
value.
 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 10:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

if you're not comparing it to any other bit in userAccountControl, i don't 
understand why you need the bitwise filter.
why can't you just have userAccountControl=2 then and just use "!", to find 
a disabled or enabled account?
That's where my confusion comes in.
 
Thanks 

RE: [ActiveDir] finding computer objects

2005-10-16 Thread joe
Yes, the -samdc switch is useful for doing this.

Also play with -stats+ and -stats+only to see how the resultsize of the
query changes to find the most efficient way to do it. Note that in some
cases, the most efficient for one forest may not necessarily be the same for
another. It can vary based on the dataset.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, October 14, 2005 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects

Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

 







List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] finding computer objects

2005-10-16 Thread joe



(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
 
You would have no choice but to use a bitwise filter since 
the enabled status is included as bit 1 (value 2) in the userAccountControl 
attribute.
 
Basically if you look at a typical disabled computer 
userAccountControl you will see a value of 4130 or 4098. 

 
I will take 4130 as the example. In binary it looks 
like
 
100100010
 
Each one of those bits is a status flag, most of which are 
described here
 
http://msdn.microsoft.com/library/default.asp?url=
 
You will note that the following bits are lit
 
1 = 0x1000 = 4096 which is Workstation trust account
 
10 = 0x20 = 32 which is Password not required
 
10 = 0x02 = 2 which is disabled
 
When you do a bitwise AND operation, you are filtering for 
the flags that you want to match on. So if you want to find all disabled 
accounts you need to look at bit 1 (value 2) so you will filter with the binary 
value of 10 which is decimal 2. That would look like this
 
    100100010
AND     00010

        00010
 
A positive non-zero value coming back means it is TRUE in 
terms of a query. If it comes back zero that means FALSE.
 
So to find disabled whatevers you use 
 
useraccountcontrol:1.2.840.113556.1.4.803:=2
 
If the result of that is a value other than 0 the query 
resolves to TRUE and the object is returned.
 
If the result of that is a value of 0 then the query 
resolves to FALSE and the object is not returned.
 
If you want to find enabled objects, unfortunately you have 
to do a logical NOT of the value returned by the bitwise AND. 

 
Now keep in mind that the logical NOT as well as the 
bitwise filters muck with the ability to use an Index. A NOT completely 
disallows use of the Index so you have to walk through the entire set of 
possible objects and check the userAccountControl value and return anything that 
doesn't have 2 set on it, this would include objects that don't even have the 
userAccountControl attribute. The bitwise filters will let the index be used, 
but only for determining how many objects have userAccountControl set, it then 
has to walk through all of them doing the bitwise operation. 

 
So that means when you use NOT or bitwise on an attribute 
that is indexed, you want to try and find another indexed attribute to help 
knock down the resultset size that it has to run the bitwise op against. That is 
always the case though, you want to try and use the most specific indexes for 
the objects you are looking for. Generally whichever index has the fewest 
objects in it will be the one used to get the initial set of objects to work 
with in a simple query. I have seen cases where this wasn't always the case and 
I chalk it up to the QP making some other decisions based on the actual 
query.
 
 
So to break down the query I applied 
above
 
(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
 
You are looking for any 
objects with samAccountType of 805306369 (computer objects) and have a 
useraccountvalue with bit 1 set. 
 
Note I could also have 
used 
 

(&(objectcategory=computer)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
 
 
I used samAccountType to 
show that there is more than one way to do it. I figure at least one person who 
might not have read this post due to its length may see that initial query and 
go WTF is that...
 
 
   
joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 8:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks
 
p.s- since you responded to this one after my stupid salary query and this 
actually is one of those questions which has nothing to do with my current job, 
but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and 
when, even after reading robbie allen's brief explanation in the AD 
Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again 

Re: [ActiveDir] finding computer objects

2005-10-15 Thread Kamlesh Parmar
As Brian said, useraccountcontrol is a bitmap, where individual bits mean something instead of the whole value. (The whole value becomes the sum of all the bits set.)
 
so when, looking for specific function, we can't compare directly with whole value, we have to use bitwise operators, to find the exact bit is set or not. [1]
 
by the way,
 
The query I gave (!useraccountcontrol:AND:2), will give you all the accounts which are NOT disabled, this would work for workstation OS. (as it will give you all normal workstation accounts)
 
but in the case of windows 2000/3 server, it will give domain controller accounts also.
 
So, to exclude domain controller accounts, we will have to explicitly check for presence of 4096 (normal workstation account) and absence of 2 (disabled account)
 
which can't be combined in single value like (4096 -2) [2], 
 
so our filter becomes "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (UserAccountControl:1.2.840.113556.1.4.803:=4096)" 
 
[1]
Just in case you wanted to decode the existing useraccountcontrol values,
http://www.jsifaq.com/SUBQ/tip8000/rh8071.htm
 
or use -samid switch of adfind. 
adfind -default -f "&(objectcategory=computer)(name=2k3dc01)" useraccountcontrol -samdc 
or if have registered the acctinfo.dll, you can decode the value in "addition account info" tabsheet of account properties. (
http://thelazyadmin.net/index.php?/archives/170-View-Additional-Account-Info-with-Acctinfo.dll.html)
 
[2], it is always addition, say you wanted to find normal workstation account AND disabled, you could use 4096 + 2 = 4098 for query
 
 
On 10/15/05, Tom Kern <[EMAIL PROTECTED]> wrote:

so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks
 
p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again 

-- ~~~"Fortune and Love befriend the bold"~~~
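
Added example (not written by any poster in this thread): a small Python evaluator for the two bitwise matching rules, run over constructed sample objects, covering both joe's explanation of the bitwise AND filter and the combined presence-of-4096 / absence-of-2 check described in the message above. The sample objects and function names are assumptions; the SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION values used for the domain controller come from Microsoft's userAccountControl flag table, not from the thread.

```python
import re

# Matching-rule OIDs that appear in the thread's filters.
BIT_AND = "1.2.840.113556.1.4.803"  # TRUE when ALL bits of the filter value are set
BIT_OR = "1.2.840.113556.1.4.804"   # TRUE when ANY bit of the filter value is set

# userAccountControl flags: the three named in the thread plus the two that a
# domain controller account carries.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

# Constructed sample objects (not real data); attribute names are lower-cased.
SAMPLE = [
    {"name": "WS01", "samaccounttype": 805306369, "useraccountcontrol": 4096},
    {"name": "WS02", "samaccounttype": 805306369, "useraccountcontrol": 4098},
    {"name": "WS03", "samaccounttype": 805306369, "useraccountcontrol": 4130},
    {"name": "DC01", "samaccounttype": 805306369, "useraccountcontrol": 532480},
    {"name": "jdoe", "samaccounttype": 805306368, "useraccountcontrol": 514},
    {"name": "Some OU"},  # object with no userAccountControl attribute
]

# attr=value  or  attr:matching-rule-oid:=value
ITEM = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)")


def decode(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def parse(text):
    """Parse the filter subset used in the thread (&, |, !, =, :rule:=) into a tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if not kids or (op == "!" and len(kids) != 1):
                raise ValueError(f"bad operand list for '{op}'")
            result = (op, kids)
        else:
            end = text.index(")", pos)
            item = ITEM.fullmatch(text[pos:end])
            if item is None:
                raise ValueError(f"bad filter item {text[pos:end]!r}")
            result = ("item", item.groups())
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    try:
        tree = node()
    except IndexError:
        raise ValueError("filter ended early") from None
    if pos != len(text):
        raise ValueError("trailing text after filter")
    return tree


def matches(tree, obj):
    """Evaluate a parsed filter against one object (a dict of attributes)."""
    op, arg = tree
    if op == "&":
        return all(matches(kid, obj) for kid in arg)
    if op == "|":
        return any(matches(kid, obj) for kid in arg)
    if op == "!":
        # NOT also returns objects that lack the attribute, as joe points out.
        return not matches(arg[0], obj)
    attr, rule, value = arg
    have = obj.get(attr.lower())
    if have is None:
        return False
    if rule is None:  # plain equality compares the whole value, not a bit
        return str(have).lower() == value.lower()
    if rule == BIT_AND:
        return (int(have) & int(value)) == int(value)
    if rule == BIT_OR:
        return (int(have) & int(value)) != 0
    raise ValueError(f"unsupported matching rule {rule}")


def search(filter_text, objects=SAMPLE):
    """Names of the objects that a filter would return."""
    tree = parse(filter_text)
    return [obj["name"] for obj in objects if matches(tree, obj)]


if __name__ == "__main__":
    print(decode(4130))
    print(search("(useraccountcontrol=2)"))
    print(search("(&(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"
                 "(UserAccountControl:1.2.840.113556.1.4.803:=4096))"))
```

The combined filter is wrapped in `(&...)` here because the evaluator only accepts a complete filter; the two clauses are the ones quoted in the message.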


RE: [ActiveDir] finding computer objects

2005-10-14 Thread Brian Desmond








Useraccountcontrol is a bitmask. You can have a disabled account which
also has a non expiring password. This is no longer just “2”. It’s
1002 – 2 or 1000. :) 

 



Thanks,
Brian
Desmond

[EMAIL PROTECTED]

 

c -
312.731.3132

 

 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 10:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

if you're not comparing it to any other bit in userAccountControl, i
don't understand why you need the bitwise filter.
why can't you just have userAccountControl=2 then and just use
"!", to find a disabled or enabled account?
That's where my confusion comes in.

Thanks

 






Re: [ActiveDir] finding computer objects

2005-10-14 Thread Tom Kern
if you're not comparing it to any other bit in userAccountControl, i don't understand why you need the bitwise filter.
why can't you just have userAccountControl=2 then and just use "!", to find a disabled or enabled account?
That's where my confusion comes in.
 
Thanks 
On 10/14/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

LDAP filter for disabled user accounts
"(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))"

LDAP filter for enabled user accounts
"(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

Cheers,
Jorge

RE: [ActiveDir] finding computer objects

2005-10-14 Thread Almeida Pinto, Jorge de
LDAP filter for disabled user accounts
"(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))"
 
LDAP filter for enabled user accounts
"(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
 
Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects



Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144






RE: [ActiveDir] finding computer objects

2005-10-14 Thread Free, Bob
Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects


so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks
 
p.s- since you responded to this one after my stupid salary query and
this actually is one of those questions which has nothing to do with my
current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and
when, even after reading robbie allen's brief explanation in the AD
Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again

 
On 10/14/05, joe <[EMAIL PROTECTED]> wrote: 

Just a small expansion. Checking for 4096 with a BITWISE filter
(which is used here) will not filter out disabled accounts. 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know,

checking for 4096 in useraccountcontrol will include disabled
accounts also..
As bit 2 is set for account disabled, and you are not
checking its absence.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along
with name, and check the status of accounts whose useraccountcontrol is
set to 4098 ( 4096 + 2), you will find that those are disabled accounts.
(which I think, you didn't want) 

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh


On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote: 

Thanks.
I used dsquery
 
dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"
 
Thanks again.
sorry to bug you. i should've posted i figured it out.
 


 
On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED] >
wrote: 

Why not use CSVDE.EXE, while joe gives us the
adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN
is always included in the result.





Re: [ActiveDir] finding computer objects

2005-10-14 Thread Tom Kern
so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks
 
p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again 
On 10/14/05, joe <[EMAIL PROTECTED]> wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts. 

 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know,

checking for 4096 in useraccountcontrol will include disabled accounts also..
As bit 2 is set for account disabled, and you are not checking its absence.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:
 

Thanks.
I used dsquery
 
dsquery *  dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter  "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"
 
Thanks again.
sorry to bug you. i should've posted i figured it out.
 
 
On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.




RE: [ActiveDir] finding computer objects

2005-10-14 Thread joe



Just a small expansion. Checking for 4096 with a BITWISE 
filter (which is used here) will not filter out disabled accounts. 

 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know,

checking for 4096 in useraccountcontrol will include disabled accounts also..
As bit 2 is set for account disabled, and you are not checking its absence.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

  Thanks.
  I used dsquery
   
  dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"
   
  Thanks again.
  sorry to bug you. i should've posted i figured it out.
   
   
  On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

  Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

  csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

  only gripe is can't change the delimiter, and DN is always included in the result.


Re: [ActiveDir] finding computer objects

2005-10-14 Thread Kamlesh Parmar
You might want to know,

checking for 4096 in useraccountcontrol will include disabled accounts also..  
As bit 2 is set for account disabled, and you are not checking its absence.
 (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name,
and check the status of accounts whose useraccountcontrol is set to
4098 ( 4096 + 2), you will find that those are disabled accounts.
(which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:
Thanks.
I used dsquery
 
dsquery *  dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter  "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"
 
Thanks again.
sorry to bug you. i should've posted i figured it out.
 
 
On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

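
The behaviour discussed in this thread, as an added example that is not from any of the posts: a small Python model of the two bitwise matching rules applied to userAccountControl. The account names and values in SAMPLE are constructed, and the function names are illustrative.

```python
# Added illustration: models the two AD bitwise matching rules used in this
# thread against userAccountControl. All sample data below is constructed.
ACCOUNTDISABLE = 0x0002             # the value 2 checked in the thread
NORMAL_ACCOUNT = 0x0200             # 512: normal user account
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096: normal computer account
SERVER_TRUST_ACCOUNT = 0x2000       # 8192: domain controller
TRUSTED_FOR_DELEGATION = 0x80000    # 524288

BIT_AND = "1.2.840.113556.1.4.803"  # true when ALL bits of the operand are set
BIT_OR = "1.2.840.113556.1.4.804"   # true when ANY bit of the operand is set


def bit_match(rule, value, operand):
    """Evaluate (attr:<rule>:=<operand>) for one integer attribute value."""
    if rule == BIT_AND:
        return value & operand == operand
    if rule == BIT_OR:
        return value & operand != 0
    raise ValueError(f"unsupported matching rule: {rule}")


def enabled_computer(uac):
    """Model of (&(uac:...803:=4096)(!(uac:...803:=2))): the 4096 bit is set
    and the disabled bit is absent."""
    return (bit_match(BIT_AND, uac, WORKSTATION_TRUST_ACCOUNT)
            and not bit_match(BIT_AND, uac, ACCOUNTDISABLE))


# Constructed sample objects: name -> userAccountControl
SAMPLE = {
    "SRV01$": WORKSTATION_TRUST_ACCOUNT,                      # 4096, enabled
    "SRV02$": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE,     # 4098, disabled
    "DC01$": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,   # 532480
    "olduser": NORMAL_ACCOUNT | ACCOUNTDISABLE,               # 514, disabled
}


def select(predicate):
    """Return the sorted names whose userAccountControl satisfies predicate."""
    return sorted(name for name, uac in SAMPLE.items() if predicate(uac))


if __name__ == "__main__":
    print("userAccountControl=2      :", select(lambda u: u == 2))
    print("bitwise test for 4096     :", select(lambda u: bit_match(BIT_OR, u, 4096)))
    print("4096 set and 2 not set    :", select(enabled_computer))
```
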


Re: [ActiveDir] finding computer objects

2005-10-14 Thread Tom Kern
Thanks.
I used dsquery
 
dsquery *  dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter  "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"
 
Thanks again.
sorry to bug you. i should've posted i figured it out.
 
 
On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:
Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimeter, in next few days.
csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.



Re: [ActiveDir] finding computer objects

2005-10-14 Thread Kamlesh Parmar
Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~
"Fortune and Love befriend the bold"
~~~


RE: [ActiveDir] finding computer objects

2005-10-13 Thread Marcus.Oh
Maybe not a csv... but dsquery * w/ a filter will certainly supply the 
information you require.  By default, it'll generate the information in a table 
format.

:m:dsm:cci:mvp marcusoh.blogspot.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 13, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding computer objects

What's the best utility to find computer objects of a certain OS type (server as
opposed to workstation) AND are NOT disabled and spit them to a csv file?
Do i have to use a bitwise filter on the userAccountControl attrib or is there
a utility with a more user friendly way to find non disabled accounts computer
accounts (adfind?)


Thanks a lot!

RE: [ActiveDir] finding computer objects

2005-10-13 Thread Brian Desmond
Yes you need to use a bitwise filter. You can further filter on the
operatingSystem attribute. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 13, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding computer objects

What's the best utility to find computer objects of a certain OS type (server
as opposed to workstation) AND are NOT disabled and spit them to a csv file?
Do i have to use a bitwise filter on the userAccountControl attrib or is
there a utility with a more user friendly way to find non disabled accounts
computer accounts (adfind?)


Thanks a lot!