The equals operator is looking for an exact match.  As userAccountControl is a 
bitwise attribute (each bit represents an option) then in many cases it won't 
be 65536.  Using the logical AND matching rule (1.2.840.113556.1.4.803) means 
that it checks the bit in question, regardless of what other bits are set.

As for how you use the AND matching rule, you actually write it as 
<identifier>:<matching rule>:=<value> 



More info. here:


  ----- Original Message ----- 
  From: Yann 
  Sent: Monday, October 09, 2006 6:24 PM
  Subject: RE : RE: [ActiveDir] finding users that password never expire.

  Yes !  thanks, that works so well !! :o)

  But many questions i have..
  What is the difference between the query "userAccountControl=65536" and 
"(userAccountControl:1.2.840.113556.1.4.803:=65536)" ? 
  Why couldn(t i find any results with my first query ?
  And how do you construct the ":1.2.840.113556.1.4.803:" part of the ldap 
query  ??

  Thanks for your answer :)


  "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> a écrit :
    to search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled
    ADFIND -bit -default -f 

    and to use it with a saved query use as the LDAP filter:

    with joe's ADFIND you can just specify AND or OR without the need to know 
the OID
    OR is by the way: 1.2.840.113556.1.4.804

    for the other values see:
    MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User 
Account Properties


      From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
      Sent: Monday, October 09, 2006 17:44
      Subject: [ActiveDir] finding users that password never expire.

      Hello all,

      I had to do dump in AD all users whose password never expires.
      I used the saved queries with this custom ldap query :
      useraccountcontrol=66048 which corresponds to NORMAL_ACCOUNT & 
DONT_EXPIRE_PASSWORD properties flag.
      BUT i found that this search was not complete, because some users have 
other properties flag such as 

      So the question is:
      How to search for user accounts that have at least the 
DONT_EXPIRE_PASSWORD property flag set to their useraccountcontrol ?
      Is there a way to do it with a custom ldap query ?



      Découvrez un nouveau moyen de poser toutes vos questions quel que soit le 
sujet ! Yahoo! Questions/Réponses pour partager vos connaissances, vos opinions 
et vos expériences. Cliquez ici. 

    This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

  Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! 
Demandez à ceux qui savent sur Yahoo! Questions/Réponses.

Reply via email to