LDAP Filters

AndyMac

Hi,

I'm trying to implement a View filter in AD to only show the expired &
disabled user accounts but I'm having a few problems doing this. There
doesn't seem to be an easy "point & click" way to do this in the MMC so I'm
looking at custom LDAP queries.

I've found that - (userAccountControl:1.2.840.113556.1.4.803:=2) - filters
out all but the disabled accounts which gets me halfway there. I've no idea
what the settings for this should be for expired accounts (note: I've seen
settings for expired passwords, but it's expired accounts I'm interested
in).

Does anyone know which query I should be using? Alternatively, does anyone
know a better way to do this?

Thanks,

AndyMac.
 
Jimmy Andersson [MVP]

If you're using MMC 2.0 you only have to check a checkbox to search for
disabled accounts.
Create a new query in the Saved Queries section, when you click the 'Define
Query...' button you'll see it.

Regards,
/Jimmy
 
AndyMac

Thanks, I hadn't noticed that.

That gives me an easy way to find the disabled accounts but this doesn't
show up any of the expired accounts. Any ideas on how I could do that?

AndyMac.
 
Jimmy Andersson [MVP]

Off the top of my head (I don't have a DC to double-check it since I'm on
vacation), the attribute that holds this value (if you mean the Account
Expires date in ADUC) is named accountExpires and the syntax is probably a
Large Integer/Variable, which makes it kind of hard to check in a regular
LDAP query. I haven't tried it though, but will try to find time and do it
when I get back to work by the end of next week.

But there is also a chance that I'm completely off, and the attribute name is
something completely different... :)
If it is, then I'm sure someone will correct me.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------


AndyMac said:
Thanks, I hadn't noticed that.

That gives me an easy way to find the disabled accounts but this doesn't
show up any of the expired accounts. Any ideas on how I could do that?

AndyMac.
 
AndyMac

No, you're spot on. It's an Int8 with a value which is a number of seconds
since 1st Jan 1970 (iirc). You're right about this, it's going to be hard
to check this in an LDAP query, so for the moment I'm looking at finding a
query that will return accounts that have been set with an expiry date -
regardless of when that date is. This makes things much simpler. I've
implemented this query:

(&(&(objectCategory=person) (objectClass=user) (accountExpires>=1)))

Based on the assumption that an accountExpires=0 entry means that the
account is configured to never expire. I've run this on one of our OUs
along with the reverse:

(&(&(objectCategory=person) (objectClass=user) (accountExpires<=0)))

This looks great! The first query showed all the accounts that had expiry
dates set, the second query showed all the accounts without expiry dates
set. I checked these accounts manually and everything looks perfect!

Then, I ran both these queries on a second OU and it all began to go
downhill. For some reason, accounts that do not have an expiry date set are
appearing under the first query. I've no idea why. Maybe it's my value (0)
that's incorrect?

AndyMac.



Jimmy Andersson said:
Off the top of my head (I don't have a DC to double-check it since I'm on
vacation), the attribute that holds this value (if you mean the Account
Expires date in ADUC) is named accountExpires and the syntax is probably a
Large Integer/Variable, which makes it kind of hard to check in a regular
LDAP query. I haven't tried it though, but will try to find time and do it
when I get back to work by the end of next week.

But there is also a chance that I'm completely off, and the attribute name is
something completely different... :)
If it is, then I'm sure someone will correct me.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
 
Jimmy Andersson [MVP]

Well, it's hard to tell without testing first. I'll test this in my lab when
I get back to work (May 21st), keep me updated since I'm at an internet café
and can't flag this conversation for later posting.

Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
 
Joe Richards [MVP]

Hold on... Couple of points....

1. The value isn't the number of seconds since 1/1/1970, that is a misprint
wherever it was read; it is actually the number of 100-nanosecond intervals
since 1/1/1601. If you found documentation with the 1970 date on it somewhere on
the MS site, please give me a URL so I can chase it and have it corrected.

2. Are you looking for actual account expiration or password expiration? These
are two entirely different beasts to handle.


joe
 
Joe Richards [MVP]

Jimmy what in the world are you doing responding to posts if you are on
vacation. Go take a break you crazy swede.

joe :blush:)
 
Jimmy Andersson [MVP]

Hey come on, you know me Joe :)
I'm soooooo incredibly bored..... (and no b**rs around). I found an internet
café that allowed me to install OE, but now I've found an old W98 box (that
actually boots) to play with at my friend's house! :)

Regards,
/Jimmy the Swede
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
 
AndyMac

Joe Richards said:
1. The value isn't the number of seconds since 1/1/1970, that is a misprint
wherever it was read; it is actually the number of 100-nanosecond intervals
since 1/1/1601. If you found documentation with the 1970 date on it somewhere on
the MS site, please give me a URL so I can chase it and have it corrected.

I can't remember where I read that, I'll let you know if it comes back to
me. There's always the chance I'm getting it mixed up with something else
entirely...
Joe Richards said:
2. Are you looking for actual account expiration or password expiration? These
are two entirely different beasts to handle.

Account expiration.

AndyMac.
 
Joe Richards [MVP]

Ok cool, for acc exp you are on the right track. You might want to look at
Robbie Allen's AD Cookbook for some scripts on how to calculate the actual int8
value you could search for.

joe
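As an added example (not code from this thread, Robbie Allen's cookbook, or Microsoft), this computes the int8 accountExpires threshold Joe refers to and builds the combined "disabled or expired" filter AndyMac was after. It assumes Joe's definition (100-nanosecond intervals since 1601-01-01 UTC) and that AD stores "never expires" as either 0 or 0x7FFFFFFFFFFFFFFF; the entry names and values are constructed.

```python
from datetime import datetime, timezone

# Assumed AD semantics: accountExpires is a 64-bit count of 100-nanosecond
# intervals since 1601-01-01 UTC (a FILETIME); 0 and 0x7FFFFFFFFFFFFFFF
# both mean "never expires".
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = {0, 0x7FFFFFFFFFFFFFFF}
UF_ACCOUNTDISABLE = 0x2  # bit tested by userAccountControl:1.2.840.113556.1.4.803:=2


def to_filetime(dt: datetime) -> int:
    """Convert a timezone-aware datetime to an accountExpires integer."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def expired_or_disabled_filter(now: datetime) -> str:
    """LDAP filter: user accounts that are disabled OR whose expiry has passed.

    accountExpires>=1 drops the 0 form of 'never'; the upper bound drops the
    0x7FFF... form, which a bare accountExpires>=1 query would still match.
    """
    upper = to_filetime(now) - 1
    return ("(&(objectCategory=person)(objectClass=user)"
            "(|(userAccountControl:1.2.840.113556.1.4.803:=2)"
            f"(&(accountExpires>=1)(accountExpires<={upper}))))")


def matches(entry: dict, now: datetime) -> bool:
    """Evaluate the same logic locally against one entry, for checking."""
    disabled = bool(entry["userAccountControl"] & UF_ACCOUNTDISABLE)
    ae = entry["accountExpires"]
    expired = ae not in NEVER and ae < to_filetime(now)
    return disabled or expired


def select(entries: list, now: datetime) -> list:
    return sorted(e["sAMAccountName"] for e in entries if matches(e, now))


# Constructed sample entries (not real directory data); fixed "now" for repeatability.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "accountExpires": 0},
    {"sAMAccountName": "bob", "userAccountControl": 0x200, "accountExpires": 0x7FFFFFFFFFFFFFFF},
    {"sAMAccountName": "carol", "userAccountControl": 0x200,
     "accountExpires": to_filetime(datetime(2024, 5, 1, tzinfo=timezone.utc))},  # expired
    {"sAMAccountName": "dave", "userAccountControl": 0x200,
     "accountExpires": to_filetime(datetime(2025, 1, 1, tzinfo=timezone.utc))},  # still valid
    {"sAMAccountName": "erin", "userAccountControl": 0x202, "accountExpires": 0},  # disabled
]

if __name__ == "__main__":
    print(expired_or_disabled_filter(NOW))
    print(select(SAMPLE, NOW))  # ['carol', 'erin']
```

The 0x7FFFFFFFFFFFFFFF form (written when an expiry date is later reset to "Never" in ADUC) is one plausible reason a bare accountExpires>=1 query returns accounts that show no expiry date.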
 
