Need help creating LDAP query
Hello,
Could somebody help me create the following LDAP query:
- Include accounts logged on to domain since last 3 months
- Include enabled user accounts
- Include accounts which have Password Never expires flag set
- Exclude all users whose description starts with the letters abc or bca
October 22nd, 2010 6:40am
The following will do all except exclude your ABC* and BCA* accounts. I believe you will need to write a script to do that, or move them outside your search scope (domainroot).
dsquery user domainroot -inactive 12 | dsget user -samid -pwdneverexpires
October 22nd, 2010 8:36am
Instead of a script, you could use dsquery * and the -filter option. The trick is to get all the filter clauses. The following example assumes that all of your conditions must be met (so the clauses are combined with the AND operator, which is "&") and your domain is at Windows Server 2003 functional level so the lastLogonTimeStamp attribute is available:
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=129242484000000000)(!userAccountControl:1.2.840.113556.1.4.803:=2)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!description=abc*)(!description=bca*))"
To get the Integer8 value for lastLogonTimeStamp that corresponds to a date 3 months in the past I used the following VBScript program to convert the date 7/22/2010 (July 22, 2010). The value is in my time zone, so your value may differ slightly:
http://www.rlmueller.net/Programs/DateToInteger8.txt
Or, if you want to script this, you could have a VBScript program retrieve the current date/time and convert for you, then use ADO to query AD. For help on this (and also examples of filter clauses like the ones I used in the dsquery command) see this link:
http://www.rlmueller.net/ADOSearchTips.htm
Richard Mueller
MVP ADSI
October 22nd, 2010 12:31pm
Richard, I don't think you checked the password expiration flag?...
October 22nd, 2010 12:38pm
The "password never expires" bit of userAccountControl has bit mask &H10000 (in hex), which is 65536 decimal. The following clause is true only if this bit is set:
(userAccountControl:1.2.840.113556.1.4.803:=65536)
At least I believe that still works.
Richard Mueller
MVP ADSI
October 22nd, 2010 12:47pm
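
An added example, not part of the thread or of any poster's code: a Python sketch that computes the Integer8 value for a cutoff date and assembles the filter discussed above, including both userAccountControl bit tests. The function names are assumptions of this example, the NOT clauses are written in the RFC 4515 form (!(...)), and the since_cutoff switch chooses between >= (logged on since the cutoff) and the <= comparison used in the thread.

```python
from datetime import datetime, timezone

# Windows Integer8 / FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                 # userAccountControl: account disabled
DONT_EXPIRE_PASSWORD = 0x10000       # 65536: password never expires


def to_integer8(when: datetime) -> int:
    """Convert a timezone-aware datetime to an Integer8 tick count."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime; the offset changes the value")
    delta = when - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def escape_filter_value(text: str) -> str:
    """Escape RFC 4515 special characters so a prefix cannot alter the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in text)


def build_filter(cutoff: datetime, excluded_prefixes, since_cutoff: bool = True) -> str:
    """Enabled users with 'password never expires', minus excluded descriptions.

    since_cutoff=True  -> lastLogonTimeStamp>=cutoff (logged on since the cutoff)
    since_cutoff=False -> lastLogonTimeStamp<=cutoff (comparison used in the thread)
    """
    op = ">=" if since_cutoff else "<="
    clauses = [
        "(objectCategory=person)",
        "(objectClass=user)",
        f"(lastLogonTimeStamp{op}{to_integer8(cutoff)})",
        f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE}))",
        f"(userAccountControl:{BIT_AND}:={DONT_EXPIRE_PASSWORD})",
    ]
    clauses += [f"(!(description={escape_filter_value(p)}*))" for p in excluded_prefixes]
    return "(&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed sample: midnight 22 July 2010 at UTC-5, which is 05:00 UTC.
    cutoff = datetime(2010, 7, 22, 5, 0, tzinfo=timezone.utc)
    print(build_filter(cutoff, ["abc", "bca"]))
```

By default lastLogonTimeStamp is only updated when the stored value is roughly 9 to 14 days old, so treat the cutoff as approximate.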