Just a small expansion. Checking for 4096 with a BITWISE
filter (which is used here) will not filter out disabled accounts.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: [email protected]
Subject: Re: [ActiveDir] finding computer objects
checking for 4096 in useraccountcontrol will include disabled accounts also..
As bit 2 is set for account disabled, and and you are not checking its absence.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)
Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)
If I misunderstood your requirement, please ignore this mail..
--
Kamlesh
On 10/14/05, Tom Kern
<[EMAIL PROTECTED]> wrote:
Thanks.I used dsquerydsquery * dc=mydomain,dc=com -limit 0 -attr name
-scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"Thanks again.sorry to bug you. i should've posted i figured it out.
On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED] > wrote:Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimeter, in next few days.
csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description
only gripe is can't change the delimeter, and DN is always included in the result.
On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
