Thanks for the reply. I had gone to the msdn site but unfortunately left more confused than before, no surprise with msdn. No, what I was looking for basically was a listing of the different types. Don’t know offhand if it could be handy, but anything I can use to find the right accounts with the least effort is always handy.

Thanks for explaining the shortcuts, that explained a lot.

Thanks to Al for the quick listing, I believe I can get what I need from that. Now to research ADFIND/ADMOD to see how it can make my life bearable.

I normally program in TCL/TK, but recently started in with vbs/asp/hta, and will need to delve into .net soon; I don’t want to learn Perl unless I have to. I’m already inserting the wrong code into the wrong program as it is.

I’m so glad I stumbled into this listserv, an awesome amount of talent here. I was already a big fan of Joeware if only for the examples there, but to actually speak with the real “Joe”, Christ that’s real cool.

 

Regards,
Doug Stelley

A knowledgeable fool is a greater fool than an ignorant fool. 
 
  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, March 01, 2005 9:51 AM
To: [email protected]
Subject: RE: [ActiveDir] Querying for all users
 
Yes the ":AND:=" and ":OR:=" are shortcuts in adfind (coupled with the -bit) operator to insert the appropriate OIDs into the filter for you. I found I preferred to just search for stuff versus having to memorize or look up the OIDs all the time.

 
I don't have any links showing how to do it from vb/vbs/asp. I don't use it from any of them. I do my scripting from perl. Using it from perl is extremely easy.

 
@output=`adfind parameters`;
 
As for parsing the output, look at the perl script that comes in the zip file. A lot of the output is formatted the way it is so I can easily yank it out of perl.

 
You can pretty quickly do a search on samaccounttype. A good start though is to look at your own directory and see the values. Another spot to look is MSDN, one spot on MSDN is

 
http://msdn.microsoft.com/library/default.asp?url=
 
  joe
 
 
  _____  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Stelley, Douglas
Sent: Tuesday, March 01, 2005 7:47 AM
To: [email protected]
Subject: RE: [ActiveDir] Querying for all users

I use queries like this for dozens of programs and scripts, but two of these are new to me. When I need to find/exclude a disabled account I’ll use (!userAccountControl:1.2.840.113556.1.4.803:=2). I tried briefly the (useraccountcontrol:AND:=2), or the (!(useraccountcontrol:AND:=2)) I wasn’t able to include/exclude disabled users. Is that unique to Adfind? The query I used to test for that was

(&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)) brought up all users regardless of 512/514

I’d love to be able to harness the powers of adfind in some of my existing scripts and ASP pages. Is there a link with perhaps an example or two of utilizing your program within a VB/VBS/ASP?

Also, using (samaccounttype=805306368), is there a listing of the possible samaccount types?
Regards,
Doug Stelley
O monstrous world! Take note, take note, o world, To be direct and honest is not safe!
-William Shakespeare.
  _____  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, February 28, 2005 6:24 PM
To: [email protected]
Subject: RE: [ActiveDir] Querying for all users
 
A couple of different ways
 
adfind -bit -b dc=domain,dc=com -f "&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2))"
 
adfind -bit -b dc=domain,dc=com -f "&(objectcategory=person)(samaccountname=*)(!(useraccountcontrol:AND:=2))"
 
adfind -bit -b dc=domain,dc=com -f "&(samaccounttype=805306368)(!(useraccountcontrol:AND:=2))"
 
The tricky part is your requirement of being ENABLED. The only way to do that is to make sure the disabled flag is not set in the useraccountcontrol. That will seriously slow down the query.

 
 
  _____  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Fontana
Sent: Monday, February 28, 2005 5:48 PM
To: [email protected]
Subject: [ActiveDir] Querying for all users
Is there any attribute that is unique to real user accounts only (mail enabled and non-mail enabled)?  We tried teaming up objectclass=user and givenname=*, but of course not all users have to have a given name.  Then tried teaming up the objectclass with useraccountcontrol=5*, then we found out about the 66048’s and 262656’s….damn them.  So, is there an ldap query that will give me all enabled active directory user accounts?  Most likely it’s so simple I would never have even thought about it.

TIA
Alex.
 
Confidentiality Notice: The information contained in this message may be legally privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any release, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error please notify the author immediately by replying to this message and deleting the original message. Thank you.
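
Added example, not part of the original thread and not adfind's own code: a Python sketch of the ":AND:=" / ":OR:=" substitution described in the messages above, plus the bitwise test on userAccountControl, applied to the constructed values 512, 514, 66048 and 262656 that the posters mention. The function names and the flag table are assumptions of this example; the flag names and the bitwise-OR OID come from Microsoft's documentation, not from the thread.

```python
import re

# Matching-rule OIDs used by Active Directory for bitwise LDAP filters.
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR

# Only the userAccountControl flags needed to decode the thread's values.
UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x00200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}

def expand_bit_shortcuts(ldap_filter):
    """Rewrite :AND:= and :OR:= into full matching-rule OIDs.

    Illustrative re-implementation of the substitution the thread describes.
    """
    out = re.sub(r":AND:=", ":" + BIT_AND + ":=", ldap_filter, flags=re.I)
    return re.sub(r":OR:=", ":" + BIT_OR + ":=", out, flags=re.I)

def decode_uac(value):
    """Return the known flag names set in a userAccountControl value."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    leftover = value & ~sum(UAC_FLAGS)
    if leftover:
        names.append(hex(leftover))  # bits outside this small table
    return names

def matches_bit_and(value, mask):
    """BIT_AND semantics: true only when every bit of mask is set."""
    return value & mask == mask

def is_enabled(value):
    """What (!(userAccountControl:AND:=2)) selects: disabled bit clear."""
    return not matches_bit_and(value, 0x2)

# Constructed sample: the values mentioned in the thread.
SAMPLE = [512, 514, 66048, 262656]

if __name__ == "__main__":
    print(expand_bit_shortcuts("(!(useraccountcontrol:AND:=2))"))
    for uac in SAMPLE:
        state = "enabled" if is_enabled(uac) else "disabled"
        print(uac, state, decode_uac(uac))
```

Matching on the single disabled bit rather than on whole values is what lets one filter cover 512, 66048 and 262656 while excluding 514.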
