RE: [ActiveDir] finding computer objects

2005-10-16 Thread joe



(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))

You would have no choice but to use a bitwise filter since 
the enabled status is included as bit 1 (value 2) in the userAccountControl 
attribute.

Basically if you look at a typical disabled computer 
userAccountControl you will see a value of 4130 or 4098.


I will take 4130 as the example. In binary it looks 
like

100100010

Each one of those bits is a status flag, most of which are 
described here

http://msdn.microsoft.com/library/default.asp?url=

You will note that the following bits are lit

1 = 0x1000 = 4096 which is Workstation trust account

10 = 0x20 = 32 which is Password not required

10 = 0x02 = 2 which is disabled

When you do a bitwise AND operation, you are filtering for 
the flags that you want to match on. So if you want to find all disabled 
accounts you need to look at bit 1 (value 2) so you will filter with the binary 
value of 10 which is decimal 2. That would look like this

    100100010
AND     00010

        00010

A positive non-zero value coming back means it is TRUE in 
terms of a query. If it comes back zero that means FALSE.

So to find disabled whatevers you use 

useraccountcontrol:1.2.840.113556.1.4.803:=2

If the result of that is a value other than 0 the query 
resolves to TRUE and the object is returned.

If the result of that is a value of 0 then the query 
resolves to FALSE and the object is not returned.

If you want to find enabled objects, unfortunately you have 
to do a logical NOT of the value returned by the bitwise AND. 


Now keep in mind that the logical NOT as well as the 
bitwise filters muck with the ability to use an Index. A NOT completely 
disallows use of the Index so you have to walk through the entire set of 
possible objects and check the userAccountControl value and return anything that 
doesn't have 2 set on it, this would include objects that don't even have the 
userAccountControl attribute. The bitwise filters will let the index be used, 
but only for determining how many objects have userAccountControl set, it then 
has to walk through all of them doing the bitwise operation. 


So that means when you use NOT or bitwise on an attribute 
that is indexed, you want to try and find another indexed attribute to help 
knock down the resultset size that it has to run the bitwise op against. That is 
always the case though, you want to try and use the most specific indexes for 
the objects you are looking for. Generally whichever index has the fewest 
objects in it will be the one used to get the initial set of objects to work 
with in a simple query. I have seen cases where this wasn't always the case and 
I chalk it up to the QP making some other decisions based on the actual 
query.


So to break down the query I applied 
above

(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))

You are looking for any 
objects with samAccountType of 805306369 (computer objects) and have a 
useraccountvalue with bit 1 set. 

Note I could also have 
used 


(&(objectcategory=computer)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))


I used samAccountType to 
show that there is more than one way to do it. I figure at least one person who 
might not have read this post due to its length may see that initial query and 
go WTF is that...


 
joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 8:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks

p.s- since you responded to this one after my stupid salary query and this 
actually is one of those questions which has nothing to do with my current job, 
but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and 
when, even after reading robbie allen's brief explanation in the AD 
Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again

RE: [ActiveDir] finding computer objects

2005-10-16 Thread joe
Yes, the -samdc switch is useful for doing this.

Also play with -stats+ and -stats+only to see how the resultsize of the
query changes to find the most efficient way to do it. Note that in some
cases, the most efficient for one forest may not necessarily be the same for
another. It can vary based on the dataset.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, October 14, 2005 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects

Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

 



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] finding computer objects

2005-10-16 Thread joe



Because you will never have the case of 
userAccountControl=2 so that query will never be true. 

userAccountControl is a bit flag, not an absolute 
value.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 10:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

if you're not comparing it to any other bit in userAccountControl, i don't 
understand why you need the bitwise filter.
why can't you just have userAccountControl=2 then and just use "!", to find 
a disabled or enabled account?
That's where my confusion comes in.

Thanks

Re: [ActiveDir] finding computer objects

2005-10-15 Thread Kamlesh Parmar
As Brian said, useraccountcontrol is a bitmap, where individual bits mean something instead of whole value. (whole value becomes sum of all the bits set)

so when looking for specific function, we can't compare directly with whole value, we have to use bitwise operators, to find the exact bit is set or not. [1]

by the way,

The query I gave (!useraccountcontrol:AND:2), will give you all the accounts which are NOT disabled, this would work for workstation OS. (as it will give you all normal workstation accounts)

but in the case of windows 2000/3 server, it will give domain controller accounts also.

So, to exclude domain controller accounts, we will have to explicitly check for presence of 4096 (normal workstation account) and absence of 2 (disabled account)

which can't be combined in single value like (4096 -2) [2], 

so our filter becomes (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (UserAccountControl:1.2.840.113556.1.4.803:=4096)

[1]
Just in case you wanted to decode the existing useraccountcontrol values,
http://www.jsifaq.com/SUBQ/tip8000/rh8071.htm

or use -samid switch of adfind. 
adfind -default -f (objectcategory=computer)(name=2k3dc01) useraccountcontrol -samdc
or if have registered the acctinfo.dll, you can decode the value in addition account info tabsheet of account properties. (
http://thelazyadmin.net/index.php?/archives/170-View-Additional-Account-Info-with-Acctinfo.dll.html)

[2], it is always addition, say you wanted to find normal workstation account AND disabled, you could use 4096 + 2 = 4098 for query


On 10/15/05, Tom Kern [EMAIL PROTECTED] wrote:

so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks

p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again

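
Added example, not part of any poster's message: a Python model of the two matching rules used in this thread, run over constructed userAccountControl values to show what joe's walkthrough of 4130 and Kamlesh's combined 4096-and-not-2 filter return. The object names, the SAMPLE table and the function names are assumptions made for the illustration; an object without the attribute is treated the way joe's post describes (a bare NOT returns it).

```python
# Added illustration: evaluates the thread's userAccountControl filters in
# memory. Object names and the SAMPLE values are constructed.

BIT_AND = "1.2.840.113556.1.4.803"  # match when ALL bits of the operand are set
BIT_OR = "1.2.840.113556.1.4.804"   # match when ANY bit of the operand is set

# Flag values from Microsoft's userAccountControl documentation (KB Q305144).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
}

# Constructed directory: name -> userAccountControl (None = attribute absent).
SAMPLE = {
    "WS-ENABLED$": 4096,
    "WS-DISABLED$": 4098,         # 4096 + 2
    "WS-DISABLED-NOPWD$": 4130,   # 4096 + 32 + 2, the value decoded in the thread
    "DC01$": 532480,              # 8192 + 524288, a domain controller account
    "contact-no-uac": None,
}


def bits(uac):
    """Binary representation of a userAccountControl value."""
    return format(uac, "b")


def decode(uac):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def match(uac, rule, operand):
    """Evaluate (userAccountControl:<rule>:=<operand>) against one value."""
    if uac is None:
        return False              # attribute absent: the item does not match
    if rule == BIT_AND:
        return (uac & operand) == operand
    if rule == BIT_OR:
        return (uac & operand) != 0
    raise ValueError(f"unsupported matching rule {rule}")


def search(predicate):
    """Sorted names of SAMPLE objects for which the filter predicate is true."""
    return sorted(name for name, uac in SAMPLE.items() if predicate(uac))


def equality_two():
    # (userAccountControl=2) compares the whole integer, not one bit.
    return search(lambda u: u == 2)


def disabled():
    # (userAccountControl:1.2.840.113556.1.4.803:=2)
    return search(lambda u: match(u, BIT_AND, 2))


def bare_not_disabled():
    # (!(userAccountControl:1.2.840.113556.1.4.803:=2)) with no other term.
    return search(lambda u: not match(u, BIT_AND, 2))


def any_workstation():
    # (userAccountControl:1.2.840.113556.1.4.804:=4096), as in the dsquery command.
    return search(lambda u: match(u, BIT_OR, 4096))


def enabled_workstations():
    # 4096 present AND 2 absent: two terms, not one combined number.
    return search(lambda u: match(u, BIT_AND, 4096) and not match(u, BIT_AND, 2))


def disabled_workstations():
    # (userAccountControl:1.2.840.113556.1.4.803:=4098): both bits must be set.
    return search(lambda u: match(u, BIT_AND, 4098))


if __name__ == "__main__":
    print("4130 =", bits(4130), decode(4130))
    for query in (equality_two, disabled, bare_not_disabled, any_workstation,
                  enabled_workstations, disabled_workstations):
        print(f"{query.__name__:22} {query()}")
```
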


Re: [ActiveDir] finding computer objects

2005-10-14 Thread Tom Kern
Thanks.
I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again.
sorry to bug you. i should've posted i figured it out.


On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:
Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in next few days.
csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description
only gripe is can't change the delimiter, and DN is always included in the result.

On 10/14/05, Kern, Tom [EMAIL PROTECTED] wrote:
 
-- ~~~Fortune and Love befriend the bold
~~~


Re: [ActiveDir] finding computer objects

2005-10-14 Thread Kamlesh Parmar
You might want to know,

checking for 4096 in useraccountcontrol will include disabled accounts also.. 
As bit 2 is set for account disabled, and you are not checking its absence.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name,
and check the status of accounts whose useraccountcontrol is set to
4098 ( 4096 + 2), you will find that those are disabled accounts.
(which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh

On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote:
Thanks.
I used dsquery

dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"

Thanks again.
sorry to bug you. i should've posted i figured it out.




RE: [ActiveDir] finding computer objects

2005-10-14 Thread joe



Just a small expansion. Checking for 4096 with a BITWISE 
filter (which is used here) will not filter out disabled accounts.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know,

checking for 4096 in useraccountcontrol will include disabled accounts also..
As bit 2 is set for account disabled, and you are not checking its absence.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)

Just extract useraccountcontrol in your dsquery output along with name,
and check the status of accounts whose useraccountcontrol is set to
4098 ( 4096 + 2), you will find that those are disabled accounts.
(which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh


Re: [ActiveDir] finding computer objects

2005-10-14 Thread Tom Kern
so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks

p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again
On 10/14/05, joe [EMAIL PROTECTED] wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.








RE: [ActiveDir] finding computer objects

2005-10-14 Thread Free, Bob
Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects


so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks
 
p.s- since you responded to this one after my stupid salary query and
this actually is one of those questions which has nothing to do with my
current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and
when, even after reading robbie allen's brief explanation in the AD
Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again

 


RE: [ActiveDir] finding computer objects

2005-10-14 Thread Almeida Pinto, Jorge de
LDAP filter for disabled user accounts
(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))
 
LDAP filter for enabled user accounts
(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
 
Cheers,
Jorge



From: [EMAIL PROTECTED] on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects



Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
 http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144






Re: [ActiveDir] finding computer objects

2005-10-14 Thread Tom Kern
if you're not comparing it to any other bit in userAccountControl, i don't understand why you need the bitwise filter.
why can't you just have userAccountControl=2 then and just use !, to find a disabled or enabled account?
That's where my confusion comes in.

Thanks
On 10/14/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:
LDAP filter for disabled user accounts
(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))

LDAP filter for enabled user accounts
(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Cheers,
Jorge


RE: [ActiveDir] finding computer objects

2005-10-14 Thread Brian Desmond








Useraccountcontrol is a bitmask. You can have a disabled account which
also has a non expiring password. This is no longer just 2. It's
1002  2 or 1000. :)

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 10:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

if you're not comparing it to any other bit in userAccountControl, i
don't understand why you need the bitwise filter.

why can't you just have userAccountControl=2 then and just use
!, to find a disabled or enabled account?

That's where my confusion comes in.

Thanks

On 10/14/05, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

LDAP filter for disabled user accounts
(&(objectCategory=person)(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=2))

LDAP filter for enabled user accounts
(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Cheers,
Jorge



From: [EMAIL PROTECTED]
on behalf of Free, Bob
Sent: Sat 10/15/2005 2:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding computer objects



Tom-

I'll certainly not try to explain it while joe's around :-)

but here's a KB that helped me when I was trying to grasp this. That and 
using adfind to look at the resultant values of objects that I knew the
flags for already...

How to use the UserAccountControl flags to manipulate user account
properties:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 5:20 PM
To: ActiveDir@mail.activedir.org 
Subject: Re: [ActiveDir] finding computer objects


so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks

p.s - since you responded to this one after my stupid salary query and
this actually is one of those questions which has nothing to do with my
current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and 
when, even after reading robbie allen's brief explanation in the AD
Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again


On 10/14/05, joe [EMAIL PROTECTED] wrote:

Just a small expansion. Checking for 4096 with a BITWISE filter
(which is used here) will not filter out disabled accounts.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] finding computer objects

You might want to know,

checking for 4096 in useraccountcontrol will include disabled
accounts also..
As bit 2 is set for account disabled, and you are not
checking its absence.
( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144 )

Just extract useraccountcontrol in your dsquery output along
with name, and check the status of accounts whose useraccountcontrol is
set to 4098 ( 4096 + 2), you will find that those are disabled accounts.
(which I think, you didn't want)

If I misunderstood your requirement, please ignore this mail..

--
Kamlesh


 On 10/14/05, Tom Kern [EMAIL PROTECTED] wrote:


Thanks.

I used dsquery


dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"


Thanks again.

sorry to bug you. i should've posted i figured it out. 





On 10/14/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:

Why not use CSVDE.EXE, while joe gives us the
adfind with -CSV switch and custom delimiter, in next few days.

csvde -f output.txt -r "(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(operatingSystem=Windows Server 2003))" -l cn,description

only gripe is can't change the delimiter, and DN
is always included in the result.




On 10/14/05, Kern, Tom [EMAIL PROTECTED]

wrote:





--
~~~
Fortune and Love befriend the bold
~~~







RE: [ActiveDir] finding computer objects

2005-10-13 Thread Brian Desmond
Yes you need to use a bitwise filter. You can further filter on the
operatingSystem attribute. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 13, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding computer objects

What's the best utility to find computer objects of a certain OS type (server
as opposed to workstation) AND are NOT disabled and spit them to a csv file?
Do i have to use a bitwise filter on the userAccountControl attrib or is
there a utility with a more user friendly way to find non disabled accounts
computer accounts (adfind?)


Thanks a lot!

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
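
The question running through this thread (why equality on userAccountControl is not enough, and why the 4096 check still returns disabled machines), as an added example that is not part of the original posts: a Python model of plain equality, the bitwise AND rule (1.2.840.113556.1.4.803) and the bitwise OR rule (1.2.840.113556.1.4.804). The sample computers and all function names are constructed for illustration.

```python
# Added example: a model of how the thread's userAccountControl (UAC) filter
# items evaluate. Flag values are the documented UAC bits; objects are constructed.
ACCOUNTDISABLE = 0x0002             # 2
PASSWD_NOTREQD = 0x0020             # 32
WORKSTATION_TRUST_ACCOUNT = 0x1000  # 4096
DONT_EXPIRE_PASSWORD = 0x10000      # 65536
BIT_AND = "1.2.840.113556.1.4.803"  # matches when ALL operand bits are set
BIT_OR = "1.2.840.113556.1.4.804"   # matches when ANY operand bit is set

def uac_item(uac, operand, rule=None):
    """Evaluate one filter item; rule=None models (userAccountControl=<operand>)."""
    if rule is None:
        return uac == operand
    if rule == BIT_AND:
        return (uac & operand) == operand
    if rule == BIT_OR:
        return (uac & operand) != 0
    raise ValueError(f"unsupported matching rule: {rule}")

# Constructed sample objects: (name, operatingSystem, userAccountControl)
COMPUTERS = [
    ("SRV01", "Windows Server 2003", WORKSTATION_TRUST_ACCOUNT),                   # 4096
    ("SRV02", "Windows Server 2003", WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE),  # 4098
    ("SRV03", "Windows Server 2003",
     WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE),                 # 4130
    ("SRV04", "Windows Server 2003",
     WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE),           # 69634
    ("WKS01", "Windows XP Professional", WORKSTATION_TRUST_ACCOUNT),               # 4096
]

def search(uac_predicate, os_name="windows server 2003"):
    """Names of computers whose operatingSystem matches (compared
    case-insensitively) and whose UAC value passes the predicate."""
    return [name for name, os_value, uac in COMPUTERS
            if os_value.lower() == os_name and uac_predicate(uac)]

def bit_or_4096():   # the dsquery filter from the thread: disabled servers slip in
    return search(lambda u: uac_item(u, 4096, BIT_OR))
def equals_2():      # (userAccountControl=2): no computer has exactly this value
    return search(lambda u: uac_item(u, 2))
def disabled():      # (userAccountControl:1.2.840.113556.1.4.803:=2)
    return search(lambda u: uac_item(u, ACCOUNTDISABLE, BIT_AND))
def enabled():       # (!(userAccountControl:1.2.840.113556.1.4.803:=2))
    return search(lambda u: not uac_item(u, ACCOUNTDISABLE, BIT_AND))

if __name__ == "__main__":
    for query in (bit_or_4096, equals_2, disabled, enabled):
        print(f"{query.__name__:12} -> {query()}")
```
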


RE: [ActiveDir] finding computer objects

2005-10-13 Thread Marcus.Oh
Maybe not a csv... but dsquery * w/ a filter will certainly supply the 
information you require.  By default, it'll generate the information in a table 
format.

:m:dsm:cci:mvp marcusoh.blogspot.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, October 13, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding computer objects

What's the best utility to find computer objects of a certain OS type (server as
opposed to workstation) AND are NOT disabled and spit them to a csv file?
Do i have to use a bitwise filter on the userAccountControl attrib or is there
a utility with a more user friendly way to find non disabled accounts computer
accounts (adfind?)


Thanks a lot!