Feature request: give me a way, in the attribute list, to specify arbitrary text for output. E.g., in this case for disabled:
adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -csv -nodn givenname sn text:disabled

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 18, 2006 8:35 PM
To: [email protected]
Subject: RE: [ActiveDir] User extraction

No that is what bitwise filters are all about, so you can focus in on just the disabled bit which happens to be bit 1 which is value 2. So to find all disabled users in a domain you do something like

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -dn

That will dump the DN of every disabled user, if you have a large domain with lots of objects that aren't users, especially say contacts, add -t 0 to disable the timeout for the query.

To answer the original question though and get just first name and last name you need to strip out the -dn from the command and specify those attributes' ldapdisplayname values in the command and add in -nodn and -csv so it doesn't output the DN and puts it all in csv format... So something like

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2)" -csv -nodn givenname sn

And to get the enabled report

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(!(useraccountcontrol:AND:=2))" -csv -nodn givenname sn

Under ADAM (and theoretically under Longhorn AD) there is a new constructed attribute called msDS-UserAccountDisabled which will display the current disabled status of a user and note that userAccountControl IS NOT there. So on ADAM if you wanted to dump all user accounts in an instance including a field that would show TRUE if the account was disabled you could do something like

adfind -h adamserver:port -b -pr -f "&(objectcategory=person)(objectclass=user)" -csv -nodn givenname sn msDS-UserAccountDisabled

The sad thing in ADAM though is that there is no easy way to query only for disabled accounts...
You have no choice but to enumerate all of them. Some of you may think, so what, that shouldn't take long... Consider an ADAM instance with several million users... Ditto for locked and expired accounts. One step forward, 3 steps back...

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Tuesday, July 18, 2006 8:16 PM
To: [email protected]
Subject: RE: [ActiveDir] User extraction

Cool. Wouldn't he need to run the bitwise query for every possible value to make sure he gets all the accounts in the domain? Like account disabled and password set to never expire?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, July 18, 2006 2:25 PM
To: [email protected]
Subject: RE: [ActiveDir] User extraction

You could also use the bit wise query operators to make a list of just disabled and just enabled accounts, then merge the two w/ the appropriate column ...

-B

On Tue, 18 Jul 2006, Mike Newell wrote:

> Hey,
>
> There's no isDisabled attribute that I know of. You could run the adfind
> command below and use the userAccountControl attribute to determine if
> the account is disabled or not.
>
> adfind -b dc=yourdomain,dc=com -nodn -f "(&(objectCategory=person)(objectClass=user))" givenName SN userAccountControl >> filename.txt
>
> You can do some stuff in Excel if you need a report that says disabled.
> 512 is normal, 514 is disabled, etc. Check here for the details on the
> values for the userAccountControl attribute.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
>
> ________________________________
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
> Sent: Tuesday, July 18, 2006 11:41 AM
> To: [email protected]
> Subject: [ActiveDir] User extraction
>
> What is the adfind syntax that will extract all users in a domain to a
> text file and contains the following field?
>
> LastName, FirstName isDisabled
>
> -Devon
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
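
The bit test this thread relies on, as an added example that is not part of the original messages: the Python sketch below takes CSV with givenName, sn and userAccountControl columns and derives the isDisabled column by testing only bit value 2, so combined values such as 66050 (disabled plus password never expires) are classified correctly. The sample rows, the assumed CSV header layout and the function names are constructed for illustration.

```python
import csv
import io

# userAccountControl flag values as listed in Microsoft KB 305144.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002

# Constructed sample standing in for CSV output that carries givenName, sn
# and userAccountControl (names, values and header layout are assumptions).
SAMPLE_CSV = '''"givenName","sn","userAccountControl"
"Alice","Archer","512"
"Bob","Baker","514"
"Carol","Clark","66048"
"Dave","Dunn","66050"
"Svc","Backup",""
'''

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def disabled_report(csv_text):
    """Build (sn, givenName, isDisabled) rows by testing only bit value 2."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        raw = (rec.get("userAccountControl") or "").strip()
        if not raw.isdigit():
            # Attribute missing or unreadable: report unknown, not "enabled".
            rows.append((rec["sn"], rec["givenName"], "UNKNOWN"))
            continue
        disabled = bool(int(raw) & ACCOUNTDISABLE)
        rows.append((rec["sn"], rec["givenName"], "TRUE" if disabled else "FALSE"))
    return rows

def to_csv(rows):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["LastName", "FirstName", "isDisabled"])
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(disabled_report(SAMPLE_CSV)))
```

Comparing against literal values such as 512 and 514 would misreport the 66048 and 66050 rows; the mask test does not depend on which other flags are set.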
