Need help creating LDAP query
Hello, could somebody help me create the following LDAP query:
- Include accounts logged on to domain since last 3 months
- Include enabled user accounts
- Include accounts which have the Password Never Expires flag set
- Exclude all users whose description starts with the letters abc or bca
October 22nd, 2010 6:40am

The following will do all except exclude your ABC* and BCA* accounts. I believe you will need to write a script to do that, or move them outside your search scope (domainroot).

dsquery user domainroot -inactive 12 | dsget user -samid -pwdneverexpires
October 22nd, 2010 8:36am

Instead of a script, you could use dsquery * and the -filter option. The trick is to get all the filter clauses. The following example assumes that all of your conditions must be met (so the clauses are combined with the AND operator, which is "&") and your domain is at Windows Server 2003 functional level so the lastLogonTimeStamp attribute is available:

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=129242484000000000)(!userAccountControl:1.2.840.113556.1.4.803:=2)(userAccountControl:1.2.840.113556.1.4.803:=65536)(!description=abc*)(!description=bca*))"

To get the Integer8 value for lastLogonTimeStamp that corresponds to a date 3 months in the past I used the following VBScript program to convert the date 7/22/2010 (July 22, 2010). The value is in my time zone, so your value may differ slightly:

http://www.rlmueller.net/Programs/DateToInteger8.txt

Or, if you want to script this, you could have a VBScript program retrieve the current date/time and convert for you, then use ADO to query AD. For help on this (and also examples of filter clauses like the ones I used in the dsquery command) see this link:

http://www.rlmueller.net/ADOSearchTips.htm

Richard Mueller
MVP ADSI
October 22nd, 2010 12:31pm

Richard, I don't think you checked the password expiration flag?...
October 22nd, 2010 12:38pm

The "password never expires" bit of userAccountControl has bit mask &H10000 (in hex), which is 65536 decimal. The following clause is true only if this bit is set:

(userAccountControl:1.2.840.113556.1.4.803:=65536)

At least I believe that still works.

Richard Mueller
MVP ADSI
October 22nd, 2010 12:47pm
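
The date-to-Integer8 conversion and the bit-mask clauses discussed in the replies above, as an added Python example that is not code from the thread or from the linked VBScript programs. The function names are hypothetical, the UTC-5 offset is an assumption chosen because it reproduces the thread's value for 7/22/2010, and both bitwise clauses use the matching rule OID 1.2.840.113556.1.4.803.

```python
import calendar
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Integer8 zero point
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
UAC_DISABLED = 0x2                   # ACCOUNTDISABLE
UAC_PWD_NEVER_EXPIRES = 0x10000      # DONT_EXPIRE_PASSWORD, 65536 decimal

def date_to_integer8(when):
    """Timezone-aware datetime -> 100 ns ticks since 1601-01-01 UTC."""
    if when.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = when - FILETIME_EPOCH
    # Integer arithmetic only: floats cannot hold 18 significant digits.
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10

def months_ago(when, months):
    """Same day `months` earlier, clamped to the last day of a shorter month."""
    year, month0 = divmod(when.year * 12 + when.month - 1 - months, 12)
    day = min(when.day, calendar.monthrange(year, month0 + 1)[1])
    return when.replace(year=year, month=month0 + 1, day=day)

def escape(value):
    """RFC 4515 escaping so a prefix cannot alter the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def build_filter(threshold, excluded_prefixes=("abc", "bca")):
    """Assemble the AND filter from the thread for a given Integer8 threshold."""
    clauses = [
        "(objectCategory=person)",
        "(objectClass=user)",
        f"(lastLogonTimeStamp<={threshold})",
        f"(!userAccountControl:{BIT_AND}:={UAC_DISABLED})",
        f"(userAccountControl:{BIT_AND}:={UAC_PWD_NEVER_EXPIRES})",
    ]
    clauses += [f"(!description={escape(p)}*)" for p in excluded_prefixes]
    return "(&" + "".join(clauses) + ")"

def bit_and_matches(uac, mask):
    """What the BIT_AND rule tests: every bit of mask is set in uac."""
    return (uac & mask) == mask

if __name__ == "__main__":
    # Constructed inputs: the thread's posting date at an assumed UTC-5 offset.
    local = timezone(timedelta(hours=-5))
    cutoff = months_ago(datetime(2010, 10, 22, tzinfo=local), 3)
    print(build_filter(date_to_integer8(cutoff)))
    for uac in (512, 66048, 66050):  # constructed userAccountControl values
        print(uac, bit_and_matches(uac, UAC_PWD_NEVER_EXPIRES),
              bit_and_matches(uac, UAC_DISABLED))
```

Pass the printed filter to dsquery * -filter as in the reply above; because lastLogonTimeStamp is replicated only periodically, treat the threshold as approximate.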

This topic is archived. No further replies will be accepted.
