(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
You would have no choice but to use a bitwise filter since
the enabled status is included as bit 1 (value 2) in the userAccountControl
attribute.
Basically if you look at a typical disabled computer
userAccountControl you will see a value of 4130 or 4098.
I will take 4130 as the example. In binary it looks like
1000000100010
Each one of those bits is a status flag, most of which are
described here
You will note that the following bits are lit:
1000000000000 = 0x1000 = 4096 which is Workstation trust account
100000 = 0x20 = 32 which is Password not required
10 = 0x02 = 2 which is disabled
When you do a bitwise AND operation, you are filtering for
the flags that you want to match on. So if you want to find all disabled
accounts you need to look at bit 1 (value 2) so you will filter with the binary
value of 10 which is decimal 2. That would look like this:
1000000100010
AND 0000000000010
============
0000000000010
A positive non-zero value coming back means it is TRUE in
terms of a query. If it comes back zero that means FALSE.
So to find disabled whatevers you use
useraccountcontrol:1.2.840.113556.1.4.803:=2
If the result of that is a value other than 0 the query
resolves to TRUE and the object is returned.
If the result of that is a value of 0 then the query
resolves to FALSE and the object is not returned.
If you want to find enabled objects, unfortunately you have
to do a logical NOT of the value returned by the bitwise AND.
Now keep in mind that the logical NOT as well as the
bitwise filters muck with the ability to use an Index. A NOT completely
disallows use of the Index so you have to walk through the entire set of
possible objects and check the userAccountControl value and return anything that
doesn't have 2 set on it, this would include objects that don't even have the
userAccountControl attribute. The bitwise filters will let the index be used,
but only for determining how many objects have userAccountControl set, it then
has to walk through all of them doing the bitwise operation.
So that means when you use NOT or bitwise on an attribute
that is indexed, you want to try and find another indexed attribute to help
knock down the resultset size that it has to run the bitwise op against. That is
always the case though, you want to try and use the most specific indexes for
the objects you are looking for. Generally whichever index has the fewest
objects in it will be the one used to get the initial set of objects to work
with in a simple query. I have seen cases where this wasn't always the case and
I chalk it up to the QP making some other decisions based on the actual
query.
So to break down the query I applied above
(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
You are looking for any objects with samAccountType of 805306369 (computer objects)
that have a userAccountControl value with bit 1 set.
Note I could also have used
(&(objectcategory=computer)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
I used samAccountType to
show that there is more than one way to do it. I figure at least one person who
might not have read this post due to its length may see that initial query and
go WTF is that...
joe
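The matching rules joe walks through above, as an added example that is not part of the original thread: a small offline evaluator that parses the filters quoted in this thread and applies the 1.2.840.113556.1.4.803 (bitwise AND) and 1.2.840.113556.1.4.804 (bitwise OR) rules to a handful of objects. The object names, attribute values and the directory itself are constructed for illustration, not taken from any real domain. It decodes 4130 into its flags, shows that the samAccountType and objectCategory forms of the "enabled computers" query return the same set, that a bare NOT also returns objects with no userAccountControl at all, and that Tom's 804:=4096 filter keeps disabled machines.

```python
"""Offline evaluator for the LDAP bitwise matching rules discussed above.
Added example, not code from any post in this thread.  The directory below
is constructed sample data; flag values follow the userAccountControl bits
documented in KB Q305144 (cited later in the thread)."""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # all bits of the mask set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"    # any bit of the mask set

UAC_FLAGS = {                      # only the flags this thread talks about
    0x0002: "UF_ACCOUNTDISABLE",
    0x0020: "UF_PASSWD_NOTREQD",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
}
SAM_USER_OBJECT, SAM_MACHINE_ACCOUNT, SAM_GROUP_OBJECT = 805306368, 805306369, 268435456

# Constructed sample directory (not real objects).  Keys are lower-cased since
# LDAP attribute names are case-insensitive; GRP1 has no userAccountControl,
# which models groups, contacts, etc. that a bare NOT filter also returns.
SAMPLE_OBJECTS = {
    "WS1":  {"objectcategory": "computer", "samaccounttype": SAM_MACHINE_ACCOUNT, "useraccountcontrol": 4096},
    "WS2":  {"objectcategory": "computer", "samaccounttype": SAM_MACHINE_ACCOUNT, "useraccountcontrol": 4098},
    "WS3":  {"objectcategory": "computer", "samaccounttype": SAM_MACHINE_ACCOUNT, "useraccountcontrol": 4130},
    "DC1":  {"objectcategory": "computer", "samaccounttype": SAM_MACHINE_ACCOUNT, "useraccountcontrol": 8192},
    "U1":   {"objectcategory": "person",   "samaccounttype": SAM_USER_OBJECT,     "useraccountcontrol": 512},
    "U2":   {"objectcategory": "person",   "samaccounttype": SAM_USER_OBJECT,     "useraccountcontrol": 514},
    "GRP1": {"objectcategory": "group",    "samaccounttype": SAM_GROUP_OBJECT},
}


def decode_uac(value):
    """Name the flags lit in a userAccountControl value (joe's 4130 walk-through)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


_ITEM = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)")   # attr=value / attr:rule:=value


def parse_filter(text):
    """Parse the RFC 4515 subset used in the thread: &, |, !, equality, bitwise."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing text in filter at offset %d" % pos)
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":
        kid, i = _parse(s, i + 1)
        node = ("!", kid)
    else:
        j = s.index(")", i)
        m = _ITEM.fullmatch(s[i:j])
        if not m:
            raise ValueError("bad filter item: %r" % s[i:j])
        attr, rule, value = m.groups()
        node, i = ("item", attr.lower(), rule, value), j
    if s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1


def matches(node, obj):
    kind = node[0]
    if kind == "&":
        return all(matches(k, obj) for k in node[1])
    if kind == "|":
        return any(matches(k, obj) for k in node[1])
    if kind == "!":
        # NOT is true whenever the inner filter is not true, and an item on a
        # missing attribute is not true, so objects without userAccountControl
        # come back from (!(useraccountcontrol:...:=2)) unless another term excludes them.
        return not matches(node[1], obj)
    _, attr, rule, value = node
    if attr not in obj:
        return False
    actual = obj[attr]
    if rule is None:
        return str(actual).lower() == value.lower()
    mask = int(value)
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return (actual & mask) == mask        # every bit in the mask must be set
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return (actual & mask) != 0           # at least one bit in the mask set
    raise ValueError("unsupported matching rule %s" % rule)


def search(filter_text, objects=SAMPLE_OBJECTS):
    """Return the sorted names of the sample objects the filter matches."""
    node = parse_filter(filter_text)
    return sorted(name for name, obj in objects.items() if matches(node, obj))


if __name__ == "__main__":
    print("4130 ->", decode_uac(4130))
    for f in ("(&(samaccounttype=805306369)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))",
              "(&(objectcategory=computer)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))",
              "(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))"):
        print(f, "->", search(f))
```

Two things worth noticing when you run it: DC1 (server trust account, 8192) drops out of Tom's 804:=4096 query but is kept by the NOT-disabled query, because 4096 is the workstation bit only; and with a multi-bit mask such as 4098 the 803 rule demands both bits while 804 is satisfied by either, which is the whole difference between the two OIDs.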
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, October 14, 2005 8:20 PM
To: [email protected]
Subject: Re: [ActiveDir] finding computer objects
So how can I get just normal comp accounts which are NOT disabled?
Would you not use a bitwise filter for those types of queries?
Thanks
P.S. Since you responded to this one after my stupid salary query and this
actually is one of those questions which has nothing to do with my current job,
but for my own curiosity, I thought I'd pursue it.
I've never really understood the proper way to use bitwise filters and
when, even after reading Robbie Allen's brief explanation in the AD
Cookbook.
I really did try to look this one up.
Can you explain it to me in the context of this query?
Thanks again
On 10/14/05, joe <[EMAIL PROTECTED]> wrote:
Just a small expansion. Checking for 4096 with a BITWISE filter (which is used here) will not filter out disabled accounts.
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Friday, October 14, 2005 12:58 PM
To: [email protected]
Subject: Re: [ActiveDir] finding computer objects
You might want to know,
checking for 4096 in useraccountcontrol will include disabled accounts also.
As bit 2 is set for account disabled, and you are not checking its absence.
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q305144)
Just extract useraccountcontrol in your dsquery output along with name, and check the status of accounts whose useraccountcontrol is set to 4098 (4096 + 2); you will find that those are disabled accounts (which I think you didn't want).
If I misunderstood your requirement, please ignore this mail.
--
Kamlesh
On 10/14/05, Tom Kern <[EMAIL PROTECTED]> wrote:
Thanks. I used dsquery:
dsquery * dc=mydomain,dc=com -limit 0 -attr name -scope subtree -filter "(&(objectcategory=computer)(operatingSystem=windows server 2003)(useraccountcontrol:1.2.840.113556.1.4.804:=4096))"
Thanks again. Sorry to bug you. I should've posted that I figured it out.
On 10/14/05, Kamlesh Parmar <[EMAIL PROTECTED]> wrote:
Why not use CSVDE.EXE, while joe gives us the adfind with -CSV switch and custom delimiter, in the next few days.
csvde -f output.txt -r "(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2)(operatingSystem=Windows Server 2003))" -l cn,description
Only gripe is you can't change the delimiter, and DN is always included in the result.
On 10/14/05, Kern, Tom <[EMAIL PROTECTED]> wrote:
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
