RE: [ActiveDir] finding computer objects
Because you will never have the case of userAccountControl=2 so that query will never be true. userAccountControl is a bit flag, not an absolute value.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 10:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

if you're not comparing it to any other bit in userAccountControl, i don't understand why you need the bitwise filter. why can't you just have userAccountControl=2 then and just use "!", to find a disabled or enabled account? That's where my confusion comes in.

Thanks

On 10/14/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

LDAP filter for disabled user accounts
"(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))"
LDAP filter for enabled user accounts
"(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects

Tom-

I'll certainly not try to explain it while joe's around :-) but here's a KB that helped me when I was trying to grasp this. That and using adfind to look at the resultant values of objects that I knew the flags for already...

How to use the UserAccountControl flags to manipulate user account properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

so how can i get just normal comp accounts which are NOT disabled? would you not use a bitwise filter for those types of queries.

thanks

p.s - since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it. i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook. i really did try to look this one up. can you explain it to me in the context of this query?

thanks again

On 10/14/05, joe <[EMAIL PROTECTED]> wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. ( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144 )

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and Love be
RE: [ActiveDir] finding computer objects
Yes, the -samdc switch is useful for doing this. Also play with -stats+ and -stats+only to see how the result size of the query changes to find the most efficient way to do it. Note that in some cases, the most efficient for one forest may not necessarily be the same for another. It can vary based on the dataset.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Friday, October 14, 2005 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects

Tom-

I'll certainly not try to explain it while joe's around :-) but here's a KB that helped me when I was trying to grasp this. That and using adfind to look at the resultant values of objects that I knew the flags for already...

How to use the UserAccountControl flags to manipulate user account properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

so how can i get just normal comp accounts which are NOT disabled? would you not use a bitwise filter for those types of queries.

thanks

p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it. i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook. i really did try to look this one up. can you explain it to me in the context of this query?

thanks again

On 10/14/05, joe <[EMAIL PROTECTED]> wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. ( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144 )

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and Love befriend the bold" ~~~

--
~~~ "Fortune and Love befriend the bold" ~~~

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] finding computer objects
(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))

You would have no choice but to use a bitwise filter since the enabled status is included as bit 1 (value 2) in the userAccountControl attribute.

Basically if you look at a typical disabled computer userAccountControl you will see a value of 4130 or 4098. I will take 4130 as the example. In binary it looks like

100100010

Each one of those bits is a status flag, most of which are described here

http://msdn.microsoft.com/library/default.asp?url="">

You will note that the following bits are lit

1 = 0x1000 = 4096 which is Workstation trust account
10 = 0x20 = 32 which is Password not required
10 = 0x02 = 2 which is disabled

When you do a bitwise AND operation, you are filtering for the flags that you want to match on. So if you want to find all disabled accounts you need to look at bit 1 (value 2) so you will filter with the binary value of 10 which is decimal 2. That would look like this

    100100010
AND     00010
        00010

A positive non-zero value coming back means it is TRUE in terms of a query. If it comes back zero that means FALSE.

So to find disabled whatevers you use

useraccountcontrol:1.2.840.113556.1.4.803:=2

If the result of that is a value other than 0 the query resolves to TRUE and the object is returned. If the result of that is a value of 0 then the query resolves to FALSE and the object is not returned.

If you want to find enabled objects, unfortunately you have to do a logical NOT of the value returned by the bitwise AND.

Now keep in mind that the logical NOT as well as the bitwise filters muck with the ability to use an Index. A NOT completely disallows use of the Index so you have to walk through the entire set of possible objects and check the userAccountControl value and return anything that doesn't have 2 set on it, this would include objects that don't even have the userAccountControl attribute. The bitwise filters will let the index be used, but only for determining how many objects have userAccountControl set, it then has to walk through all of them doing the bitwise operation.

So that means when you use NOT or bitwise on an attribute that is indexed, you want to try and find another indexed attribute to help knock down the resultset size that it has to run the bitwise op against. That is always the case though, you want to try and use the most specific indexes for the objects you are looking for. Generally whichever index has the fewest objects in it will be the one used to get the initial set of objects to work with in a simple query. I have seen cases where this wasn't always the case and I chalk it up to the QP making some other decisions based on the actual query.

So to break down the query I applied above

(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))

You are looking for any objects with samAccountType of 805306369 (computer objects) and have a useraccountvalue with bit 1 set.

Note I could also have used

(&(objectcategory=computer)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))

I used samAccountType to show that there is more than one way to do it. I figure at least one person who might not have read this post due to its length may see that initial query and go WTF is that...

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 8:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

so how can i get just normal comp accounts which are NOT disabled? would you not use a bitwise filter for those types of queries.

thanks

p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it. i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook. i really did try to look this one up. can you explain it to me in the context of this query?

thanks again

On 10/14/05, joe <[EMAIL PROTECTED]> wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. ( http://support.microsoft.com/default.aspx?scid=kb;en-
Re: [ActiveDir] finding computer objects
As Brian said, useraccountcontrol is a bitmap, where individual bits mean something instead of whole value. ( whole value becomes sum of all the bits set) so when looking for specific function, we can't compare directly with whole value, we have to use bitwise operators, to find the exact bit is set or not. [1]

by the way, the query I gave (!useraccountcontrol:AND:2), will give you all the accounts which are NOT disabled, this would work for workstation OS. (as it will give you all normal workstation accounts) but in the case of windows 2000/3 server, it will give domain controller accounts also.

So, to exclude domain controller accounts, we will have to explicitly check for presence of 4096 (normal workstation account) and absence of 2 (disabled account) which can't be combined in single value like (4096 -2) [2], so our filter becomes

"(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (UserAccountControl:1.2.840.113556.1.4.803:=4096)"

[1] Just in case you wanted to decode the existing useraccountcontrol values, http://www.jsifaq.com/SUBQ/tip8000/rh8071.htm or use -samid switch of adfind.

adfind -default -f "&(objectcategory=computer)(name=2k3dc01)" useraccountcontrol -samdc

or if have registered the acctinfo.dll, you can decode the value in "addition account info" tabsheet of account properties. ( http://thelazyadmin.net/index.php?/archives/170-View-Additional-Account-Info-with-Acctinfo.dll.html)

[2], it is always addition, say you wanted to find normal workstation account AND disabled, you could use 4096 + 2 = 4098 for query

On 10/15/05, Tom Kern <[EMAIL PROTECTED]> wrote:

so how can i get just normal comp accounts which are NOT disabled? would you not use a bitwise filter for those types of queries.

thanks

p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it. i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook. i really did try to look this one up. can you explain it to me in the context of this query?

thanks again

On 10/14/05, joe <[EMAIL PROTECTED]> wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. ( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and Love befriend the bold" ~~~

--
~~~ "Fortune and Love befriend the bold" ~~~

--
~~~ "Fortune and Love befriend the bold" ~~~
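
The filters discussed in joe's and Kamlesh's messages above, evaluated offline. This is an added example, not code from any poster or from adfind, dsquery or csvde. The sample entries and the helper names parse, matches, search and decode are constructed for illustration, and an absent attribute under NOT is treated as a match, following joe's description.

```python
import re

# Matching-rule OIDs used in the thread's filters.
BIT_AND = "1.2.840.113556.1.4.803"  # match when ALL bits of the mask are set
BIT_OR = "1.2.840.113556.1.4.804"   # match when ANY bit of the mask is set

# userAccountControl flags relevant to the thread (values per KB 305144).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

# Constructed sample directory entries (attribute names lower-cased).
ENTRIES = [
    {"name": "WS01", "samaccounttype": "805306369", "useraccountcontrol": 4096},
    {"name": "WS02", "samaccounttype": "805306369", "useraccountcontrol": 4098},
    {"name": "WS03", "samaccounttype": "805306369", "useraccountcontrol": 4130},
    {"name": "DC01", "samaccounttype": "805306369", "useraccountcontrol": 532480},
    {"name": "CONTACT01"},  # object with no userAccountControl attribute
]

# attr=value  or  attr:matching-rule-oid:=value
LEAF = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)")


def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %r clause" % op)
        return (op, kids), i + 1
    end = f.index(")", i)
    m = LEAF.fullmatch(f[i:end])
    if not m:
        raise ValueError("malformed comparison %r" % f[i:end])
    attr, rule, value = m.groups()
    return ("leaf", attr.lower(), rule, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    have = entry.get(attr)
    if have is None:
        return False  # absent attribute never matches; NOT then returns it
    if rule is None:
        return str(have).lower() == value.lower()  # whole-value equality
    mask, have = int(value), int(have)
    if rule == BIT_AND:
        return (have & mask) == mask
    if rule == BIT_OR:
        return (have & mask) != 0
    raise ValueError("unsupported matching rule " + rule)


def search(ldap_filter, entries=ENTRIES):
    """Return the names of the entries that match the filter string."""
    node, end = parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing text after filter")
    return [e["name"] for e in entries if matches(node, e)]


def decode(uac):
    """List the known flag names set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


if __name__ == "__main__":
    uac = "useraccountcontrol:"
    for f in [
        "(userAccountControl=2)",                       # whole-value compare
        "(%s%s:=2)" % (uac, BIT_AND),                   # disabled
        "(%s%s:=4096)" % (uac, BIT_OR),                 # dsquery filter's test
        "(&(samaccounttype=805306369)(!(%s%s:=2)))" % (uac, BIT_AND),
        "(&(!(%s%s:=2))(%s%s:=4096))" % (uac, BIT_AND, uac, BIT_AND),
    ]:
        print(f, "->", search(f))
    print(4130, "->", decode(4130))
```

The whole-value comparison matches nothing, the 4096 test returns the disabled workstations too, and the NOT-disabled filter on its own also returns the domain controller account, which is why the last filter tests both bits.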
RE: [ActiveDir] finding computer objects
Useraccountcontrol is a bitmask. You can have a disabled account which also has a non expiring password. This is no longer just “2”. It’s 1002 – 2 or 1000. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 10:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

if you're not comparing it to any other bit in userAccountControl, i don't understand why you need the bitwise filter. why can't you just have userAccountControl=2 then and just use "!", to find a disabled or enabled account? That's where my confusion comes in.

Thanks

On 10/14/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

LDAP filter for disabled user accounts
"(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))"
LDAP filter for enabled user accounts
"(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects

Tom-

I'll certainly not try to explain it while joe's around :-) but here's a KB that helped me when I was trying to grasp this. That and using adfind to look at the resultant values of objects that I knew the flags for already...

How to use the UserAccountControl flags to manipulate user account properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

so how can i get just normal comp accounts which are NOT disabled? would you not use a bitwise filter for those types of queries.

thanks

p.s - since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it. i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook. i really did try to look this one up. can you explain it to me in the context of this query?

thanks again

On 10/14/05, joe <[EMAIL PROTECTED]> wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. ( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144 )

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and
Re: [ActiveDir] finding computer objects
if you're not comparing it to any other bit in userAccountControl, i don't understand why you need the bitwise filter. why can't you just have userAccountControl=2 then and just use "!", to find a disabled or enabled account? That's where my confusion comes in.

Thanks

On 10/14/05, Almeida Pinto, Jorge de <[EMAIL PROTECTED]> wrote:

LDAP filter for disabled user accounts
"(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))"
LDAP filter for enabled user accounts
"(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects

Tom-

I'll certainly not try to explain it while joe's around :-) but here's a KB that helped me when I was trying to grasp this. That and using adfind to look at the resultant values of objects that I knew the flags for already...

How to use the UserAccountControl flags to manipulate user account properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

so how can i get just normal comp accounts which are NOT disabled? would you not use a bitwise filter for those types of queries.

thanks

p.s - since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it. i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook. i really did try to look this one up. can you explain it to me in the context of this query?

thanks again

On 10/14/05, joe <[EMAIL PROTECTED]> wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. ( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144 )

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and Love befriend the bold" ~~~

--
~~~ "Fortune and Love befriend the bold" ~~~

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used
RE: [ActiveDir] finding computer objects
LDAP filter for disabled user accounts
"(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))"
LDAP filter for enabled user accounts
"(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"

Cheers,
Jorge

From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects

Tom-

I'll certainly not try to explain it while joe's around :-) but here's a KB that helped me when I was trying to grasp this. That and using adfind to look at the resultant values of objects that I knew the flags for already...

How to use the UserAccountControl flags to manipulate user account properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

so how can i get just normal comp accounts which are NOT disabled? would you not use a bitwise filter for those types of queries.

thanks

p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it. i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook. i really did try to look this one up. can you explain it to me in the context of this query?

thanks again

On 10/14/05, joe <[EMAIL PROTECTED]> wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. ( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144 )

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and Love befriend the bold" ~~~

--
~~~ "Fortune and Love befriend the bold" ~~~
RE: [ActiveDir] finding computer objects
Tom-

I'll certainly not try to explain it while joe's around :-) but here's a KB that helped me when I was trying to grasp this. That and using adfind to look at the resultant values of objects that I knew the flags for already...

How to use the UserAccountControl flags to manipulate user account properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

so how can i get just normal comp accounts which are NOT disabled? would you not use a bitwise filter for those types of queries.

thanks

p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it. i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook. i really did try to look this one up. can you explain it to me in the context of this query?

thanks again

On 10/14/05, joe <[EMAIL PROTECTED]> wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. ( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144 )

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and Love befriend the bold" ~~~

--
~~~ "Fortune and Love befriend the bold" ~~~
Re: [ActiveDir] finding computer objects
so how can i get just normal comp accounts which are NOT disabled? would you not use a bitwise filter for those types of queries. thanks

p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it. i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook. i really did try to look this one up. can you explain it to me in the context of this query? thanks again

On 10/14/05, joe <[EMAIL PROTECTED]> wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 (4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and Love befriend the bold" ~~~

--
~~~ "Fortune and Love befriend the bold" ~~~
RE: [ActiveDir] finding computer objects
Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 (4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and Love befriend the bold" ~~~

--
~~~ "Fortune and Love befriend the bold" ~~~
Re: [ActiveDir] finding computer objects
You might want to know, checking for 4096 in useraccountcontrol will include disabled accounts also.. As bit 2 is set for account disabled, and you are not checking its absence. (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 (4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:

Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and Love befriend the bold" ~~~

--
~~~ "Fortune and Love befriend the bold" ~~~
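The filters discussed in this thread, evaluated against constructed sample values, as an added example that is not part of any poster's message. The account names and the `term`, `search` and `demo` helpers are hypothetical; the flag values 2 and 4096 and the two matching-rule OIDs are the ones quoted in the thread, and 512 (NORMAL_ACCOUNT) and 32 (PASSWD_NOTREQD) are standard userAccountControl flag values.

```python
# Added example: how AD evaluates userAccountControl filters (not code from the thread).
ACCOUNTDISABLE = 2                  # "account disabled" flag discussed in the thread
WORKSTATION_TRUST_ACCOUNT = 4096    # normal computer account flag from the thread
BIT_AND = "1.2.840.113556.1.4.803"  # matches when ALL bits in the operand are set
BIT_OR = "1.2.840.113556.1.4.804"   # matches when ANY bit in the operand is set

# Constructed sample directory: name -> userAccountControl (illustrative values).
SAMPLE = {
    "SRV01": 4096,     # enabled computer
    "SRV02": 4098,     # disabled computer (4096 + 2)
    "WS-NEW": 4128,    # enabled computer with PASSWD_NOTREQD (4096 + 32)
    "jdoe": 512,       # enabled user (NORMAL_ACCOUNT)
    "old-user": 514,   # disabled user (512 + 2)
}


def term(rule, operand):
    """Return a predicate for (userAccountControl[:rule:]=operand)."""
    if rule is None:                       # plain equality, e.g. userAccountControl=2
        return lambda uac: uac == operand
    if rule == BIT_AND:
        return lambda uac: uac & operand == operand
    if rule == BIT_OR:
        return lambda uac: uac & operand != 0
    raise ValueError(f"unsupported matching rule: {rule}")


def search(*terms, negate=()):
    """AND the terms together and require every `negate` term to be false."""
    return sorted(
        name for name, uac in SAMPLE.items()
        if all(t(uac) for t in terms) and not any(t(uac) for t in negate)
    )


def demo():
    return {
        "equality_2": search(term(None, ACCOUNTDISABLE)),
        "equality_4096": search(term(None, WORKSTATION_TRUST_ACCOUNT)),
        "bitwise_4096": search(term(BIT_OR, WORKSTATION_TRUST_ACCOUNT)),
        "enabled_computers": search(term(BIT_AND, WORKSTATION_TRUST_ACCOUNT),
                                    negate=(term(BIT_AND, ACCOUNTDISABLE),)),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:18} {names}")
```

With a single-bit operand such as 4096 the .803 and .804 rules return the same set; they differ only when the operand has more than one bit set.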
Re: [ActiveDir] finding computer objects
Thanks. I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again. sorry to bug you. i should've posted i figured it out.

On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:

Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and Love befriend the bold" ~~~
Re: [ActiveDir] finding computer objects
Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:

--
~~~ "Fortune and Love befriend the bold" ~~~
RE: [ActiveDir] finding computer objects
Maybe not a csv... but dsquery * w/ a filter will certainly supply the information you require. By default, it'll generate the information in a table format.

:m:dsm:cci:mvp
marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Thursday, October 13, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding computer objects

What's the best utility to find computer objects of a certain OS type (server as opposed to workstation) AND are NOT disabled and spit them to a csv file?

Do i have to use a bitwise filter on the userAccountControl attrib or is there a utility with a more user friendly way to find non disabled accounts computer accounts (adfind?)

Thanks a lot!
RE: [ActiveDir] finding computer objects
Yes you need to use a bitwise filter. You can further filter on the operatingSystem attribute.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Thursday, October 13, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding computer objects

What's the best utility to find computer objects of a certain OS type (server as opposed to workstation) AND are NOT disabled and spit them to a csv file?

Do i have to use a bitwise filter on the userAccountControl attrib or is there a utility with a more user friendly way to find non disabled accounts computer accounts (adfind?)

Thanks a lot!