As you know, searching Active Directory attributes with DSQUERY commands or scripts is not difficult: you read the value directly from the attribute. Searching on account properties such as enabled/disabled status or PasswordExpired is more challenging, because these properties are not stored in attributes of their own. They are controlled by a single attribute called userAccountControl.
What is userAccountControl?
It is a 4-byte (32-bit) integer holding a bitwise enumeration of flags that control the behaviour of an account object. The attributeID of the userAccountControl attribute is 1.2.840.113556.1.4.8. An attributeID is the unique X.500 Object Identifier (OID) that identifies an attribute in the schema.
How do I search userAccountControl values in Active Directory?
It is like searching any other attribute in Active Directory, except that you must express the userAccountControl value numerically and use an LDAP matching rule in the filter. The syntax of the LDAP matching rule is attributename:ruleOID:=value
where attributename is the LDAP display name (in this case userAccountControl), ruleOID is the OID of the matching rule (in this case 1.2.840.113556.1.4.803), and value is the decimal value you want to search for. I will explain the details using a couple of examples.
The following DSQUERY command returns all disabled user accounts in Active Directory.
dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr name
The value 2 is the ADS_UF_ACCOUNTDISABLE flag; when that bit is set in userAccountControl, the account is disabled.
The following DSQUERY command returns all users with the 'Password Never Expires' setting enabled.
dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr name
The value 65536 is the ADS_UF_DONT_EXPIRE_PASSWD flag; when that bit is set in userAccountControl, the account has 'Password Never Expires' enabled.
So where did the ruleOID 1.2.840.113556.1.4.803 come from? There are two bitwise matching rules:
- 1.2.840.113556.1.4.803 – This is the bitwise AND operator (LDAP_MATCHING_RULE_BIT_AND). The rule is true only if all bits set in the value are also set in the attribute.
- 1.2.840.113556.1.4.804 – This is the bitwise OR operator (LDAP_MATCHING_RULE_BIT_OR). The rule is true if any bit set in the value is also set in the attribute.
Here is the complete structure:
How do I get the userAccountControl values?
These userAccountControl flag values are listed in the following MSDN articles. Make sure to use the decimal values, not the hex values, in your filters.
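The following is an added example, not code from the original article. It models the two bitwise matching rules described above in plain Python, builds the userAccountControl filter in the attributename:ruleOID:=value form, and decodes a stored decimal value back into the flag names from the MSDN flag table (so the decimal-versus-hex point is handled by the code). The two rule OIDs and the flag values are the real, documented ones; the sample accounts and their userAccountControl values are constructed for the demonstration.

```python
# Added example, not part of the original article: a pure-Python model of the
# two LDAP bitwise matching rules, a builder for the userAccountControl filter,
# and a decoder from a stored decimal value to flag names.
from typing import Dict, List, Optional

# Real, well-known OIDs of the two LDAP extensible-match bitwise rules.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# Subset of ADS_USER_FLAG_ENUM, stored as the decimal values a filter needs
# (hex in the comment, since MSDN lists both forms).
UAC_FLAGS: Dict[str, int] = {
    "ADS_UF_SCRIPT": 1,                        # 0x0001
    "ADS_UF_ACCOUNTDISABLE": 2,                # 0x0002
    "ADS_UF_HOMEDIR_REQUIRED": 8,              # 0x0008
    "ADS_UF_LOCKOUT": 16,                      # 0x0010
    "ADS_UF_PASSWD_NOTREQD": 32,               # 0x0020
    "ADS_UF_PASSWD_CANT_CHANGE": 64,           # 0x0040
    "ADS_UF_NORMAL_ACCOUNT": 512,              # 0x0200
    "ADS_UF_WORKSTATION_TRUST_ACCOUNT": 4096,  # 0x1000
    "ADS_UF_SERVER_TRUST_ACCOUNT": 8192,       # 0x2000
    "ADS_UF_DONT_EXPIRE_PASSWD": 65536,        # 0x10000
    "ADS_UF_SMARTCARD_REQUIRED": 262144,       # 0x40000
    "ADS_UF_TRUSTED_FOR_DELEGATION": 524288,   # 0x80000
    "ADS_UF_NOT_DELEGATED": 1048576,           # 0x100000
    "ADS_UF_DONT_REQUIRE_PREAUTH": 4194304,    # 0x400000
}


def bit_and_matches(attribute_value: int, value: int) -> bool:
    """LDAP_MATCHING_RULE_BIT_AND: true only if every bit set in value is set in the attribute."""
    return (attribute_value & value) == value


def bit_or_matches(attribute_value: int, value: int) -> bool:
    """LDAP_MATCHING_RULE_BIT_OR: true if at least one bit set in value is set in the attribute."""
    return (attribute_value & value) != 0


def equality_matches(attribute_value: int, value: int) -> bool:
    """Plain (userAccountControl=value) equality, shown for contrast: it ignores other bits."""
    return attribute_value == value


def flag_value(*names: str) -> int:
    """Combine named flags into the single decimal value that goes after ':=' in the filter."""
    result = 0
    for name in names:
        result |= UAC_FLAGS[name]
    return result


def decode_uac(value: int) -> List[str]:
    """Map a stored userAccountControl integer back to the flag names it carries."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def uac_filter(rule_oid: Optional[str], value: int) -> str:
    """Build the user-object filter in the article's form; rule_oid=None gives plain equality."""
    if rule_oid is None:
        clause = f"(userAccountControl={value})"
    else:
        clause = f"(userAccountControl:{rule_oid}:={value})"
    return f"(&(objectCategory=person)(objectClass=user){clause})"


# Constructed sample directory (hypothetical accounts, not real data):
# account name -> stored userAccountControl value.
SAMPLE_ACCOUNTS: Dict[str, int] = {
    "alice": 512,         # NORMAL_ACCOUNT, enabled
    "bob": 514,           # NORMAL_ACCOUNT + ACCOUNTDISABLE
    "svc-backup": 66048,  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD
    "carol": 66050,       # NORMAL_ACCOUNT + ACCOUNTDISABLE + DONT_EXPIRE_PASSWD
}


def search(rule_oid: Optional[str], value: int,
           accounts: Dict[str, int] = SAMPLE_ACCOUNTS) -> List[str]:
    """Evaluate the filter's userAccountControl clause offline, the way the server would."""
    matchers = {
        LDAP_MATCHING_RULE_BIT_AND: bit_and_matches,
        LDAP_MATCHING_RULE_BIT_OR: bit_or_matches,
        None: equality_matches,
    }
    if rule_oid not in matchers:
        raise ValueError(f"unsupported matching rule {rule_oid}")
    matcher = matchers[rule_oid]
    return sorted(name for name, uac in accounts.items() if matcher(uac, value))


if __name__ == "__main__":
    disabled = flag_value("ADS_UF_ACCOUNTDISABLE")
    never_expires = flag_value("ADS_UF_DONT_EXPIRE_PASSWD")
    for label, rule, val in [
        ("disabled (BIT_AND)", LDAP_MATCHING_RULE_BIT_AND, disabled),
        ("password never expires (BIT_AND)", LDAP_MATCHING_RULE_BIT_AND, never_expires),
        ("disabled AND never expires (BIT_AND)", LDAP_MATCHING_RULE_BIT_AND, disabled | never_expires),
        ("disabled OR never expires (BIT_OR)", LDAP_MATCHING_RULE_BIT_OR, disabled | never_expires),
        ("plain equality =2, misses 514", None, disabled),
    ]:
        print(f"{label}: {uac_filter(rule, val)} -> {search(rule, val)}")
    print("66050 decodes to", decode_uac(66050))
```

The contrast case is the one worth remembering: a plain (userAccountControl=2) clause returns nothing in this sample, because a disabled normal user stores 514, not 2. Only the BIT_AND rule isolates the flag you care about, and combining flag values (2 + 65536 = 65538) under BIT_AND requires both bits, while the same value under BIT_OR matches accounts with either one.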
Regardless of which method you use (commands or scripts), you can search Active Directory by userAccountControl flags using the syntax described above.
Looking for more DSQUERY examples?
Visit my TechNet Wiki article - http://social.technet.microsoft.com/wiki/contents/articles/3537.aspx