As Brian said, useraccountcontrol is a bitmap, where individual bits mean something instead of the whole value. (The whole value becomes the sum of all the bits set.)
So when looking for a specific function, we can't compare directly with the whole value; we have to use bitwise operators to find whether the exact bit is set or not. [1]
By the way,
the query I gave (!useraccountcontrol:AND:2) will give you all the accounts which are NOT disabled; this would work for workstation OS (as it will give you all normal workstation accounts),
but in the case of Windows 2000/3 server, it will give domain controller accounts also.
So, to exclude domain controller accounts, we will have to explicitly check for the presence of 4096 (normal workstation account) and the absence of 2 (disabled account),
which can't be combined in a single value like (4096 - 2) [2],
so our filter becomes "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)) (UserAccountControl:1.2.840.113556.1.4.803:=4096)"
[1]
Just in case you wanted to decode the existing useraccountcontrol values,
or use -samid switch of adfind.
adfind -default -f "&(objectcategory=computer)(name=2k3dc01)" useraccountcontrol -samdc
or if you have registered acctinfo.dll, you can decode the value in the "additional account info" tab sheet of account properties (http://thelazyadmin.net/index.php?/archives/170-View-Additional-Account-Info-with-Acctinfo.dll.html).
[2] It is always addition; say you wanted to find normal workstation accounts AND disabled, you could use 4096 + 2 = 4098 for the query.
On 10/15/05, Tom Kern <[EMAIL PROTECTED]> wrote:
so how can i get just normal comp accounts which are NOT disabled?
would you not use a bitwise filter for those types of queries.
thanks
p.s- since you responded to this one after my stupid salary query and this actually is one of those questions which has nothing to do with my current job, but for my own curiosity, i thought i'd pursue it.
i've never really understood the proper way to use bitwise filters and when, even after reading robbie allen's brief explanation in the AD Cookbook.
i really did try to look this one up.
can you explain it to me in the context of this query?
thanks again
On 10/14/05, joe <[EMAIL PROTECTED]> wrote:
Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: [email protected]
Subject: Re: [ActiveDir] finding computer objects
You might want to know,
checking for 4096 in useraccountcontrol will include disabled accounts also,
as bit 2 is set for account disabled, and you are not checking its absence.
( http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)
Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 ( 4096 + 2), you will find that those are disabled accounts. (which I think, you didn't want)
If I misunderstood your requirement, please ignore this mail..
--
Kamlesh
On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:
Thanks.
I used dsquery
dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"
Thanks again.
sorry to bug you. i should've posted i figured it out.
On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:
Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in the next few days.
csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description
Only gripe is you can't change the delimiter, and the DN is always included in the result.
On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
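The bitwise matching discussed in this thread, modelled as an added example that is not part of the original messages: it evaluates the 1.2.840.113556.1.4.803 (all bits) and 1.2.840.113556.1.4.804 (any bit) rules against userAccountControl values. The account names and values are constructed samples, and the helper names (decode, bit_match, select, report) are hypothetical.

```python
# Added example; account names and values below are constructed samples.
BIT_AND = "1.2.840.113556.1.4.803"  # matches when ALL bits of the mask are set
BIT_OR = "1.2.840.113556.1.4.804"   # matches when ANY bit of the mask is set

FLAGS = {  # subset of userAccountControl flags (see KB 305144)
    0x0002: "ACCOUNTDISABLE",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",   # 4096
    0x2000: "SERVER_TRUST_ACCOUNT",        # 8192, domain controller
    0x80000: "TRUSTED_FOR_DELEGATION",
}

ACCOUNTS = {            # constructed sample directory
    "WKS01": 4096,      # enabled workstation
    "WKS02": 4098,      # disabled workstation (4096 + 2)
    "SRV01": 4096,      # enabled member server
    "2K3DC01": 532480,  # enabled domain controller (8192 + 524288)
}

def decode(uac):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAGS.items() if uac & bit]

def bit_match(uac, rule, mask):
    """Evaluate one (userAccountControl:<rule>:=<mask>) clause."""
    if rule == BIT_AND:
        return uac & mask == mask
    if rule == BIT_OR:
        return uac & mask != 0
    raise ValueError("unknown matching rule: " + rule)

def select(accounts, require=(), exclude=()):
    """Accounts matching every `require` clause and no `exclude` clause."""
    return sorted(n for n, uac in accounts.items()
                  if all(bit_match(uac, r, m) for r, m in require)
                  and not any(bit_match(uac, r, m) for r, m in exclude))

def report():
    return {
        "4096 only": select(ACCOUNTS, require=[(BIT_AND, 4096)]),
        "not 2 only": select(ACCOUNTS, exclude=[(BIT_AND, 2)]),
        "4096 and not 2": select(ACCOUNTS, require=[(BIT_AND, 4096)],
                                 exclude=[(BIT_AND, 2)]),
        "803 with 4098": select(ACCOUNTS, require=[(BIT_AND, 4098)]),
        "804 with 4098": select(ACCOUNTS, require=[(BIT_OR, 4098)]),
    }

if __name__ == "__main__":
    for label, names in report().items():
        print(f"{label:15} -> {names}")
```

With a single-bit mask such as 4096 the two rules return the same accounts; they only diverge once the mask carries more than one bit, as the 4098 rows show.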
