Yeah, I remember reading about that technique in Robbie Allen's Active Directory Cookbook. Very handy.
But my question was about why my search below fails when I include: (!useraccountcontrol:1.2.840.113556.1.4.803:=2) in my search filter. That should be a bit mask for the useraccountcontrol property. It should perform an AND with the bit mask 10. If the 2 bit is set, the account should be disabled. I have not-ed the statement, so I should find all accounts that are not disabled. This works in LDP.exe, but not in my perl script.

AG

> -----Original Message-----
> From: Vladimir Levijev [mailto:[EMAIL PROTECTED]
> Sent: Friday, April 01, 2005 9:16 AM
> To: perl-ldap@perl.org
> Cc: Giuoco, Aaron
> Subject: Re: Search for all user accounts not disabled
>
> On Friday 01 April 2005 18:02, Giuoco, Aaron wrote:
> > Hi,
> >
> > I am trying to find all user accounts in a Windows 2000 Active Directory
> > that are not disabled using the Net::LDAP module. This is the code I'm
> > using for my search:
> >
> > my $base = 'OU=Domain Users,DC=mydomain,DC=com';
> > my $filter = '(&(objectclass=user)(objectCategory=person)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))';
> > my @attrs = ['cn','mail','telephoneNumber'];
> > my $scope = 'sub';
> > my $searchRes = $ldap->search(
> >     base => $base,
> >     filter => $filter,
> >     scope => $scope,
> >     attrs => @attrs
> > );
> >
> > I worked out the filter using LDP.exe, so I'm fairly certain it works and
> > is correct. It returns all of the active users when run in LDP. However,
> > this search returns no results when I run the perl script. If I remove the
> > useraccountcontrol section from my filter and run the script, it will
> > return all users (enabled and disabled). I am confused as to why the filter
> > would work through LDP and not in my perl script. Any guidance is greatly
> > appreciated.
>
> What I have been using to enable/disable the accounts in AD with perl_ldap is
> setting next values to the userAccountControl attribute:
>
> 512 (enabled)
> 514 (disabled)
>
> The example to disable account might look like:
>
> $ldap->modify( "cn=foo,OU=bar,dc=example,dc=dom",
>     replace => { userAccountControl => 514 } );
>
> Cheers,
>
> --
> [EMAIL PROTECTED]
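
An offline check of the filter discussed in this message, added here as an example and not part of the original thread: it parses the filter as posted and a second spelling in which `!` is followed by a complete parenthesised filter (the RFC 2254 grammar), then applies the bitwise-AND rule to the 512 and 514 values quoted above. It assumes Net::LDAP::Filter enforces that grammar; the names `%candidates`, `check_filter`, `is_enabled` and `$ACCOUNTDISABLE` are illustrative.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Runs offline; needs only perl-ldap.
use strict;
use warnings;
use Net::LDAP::Filter;

my $BIT_AND        = '1.2.840.113556.1.4.803';  # bitwise-AND matching rule OID from the thread
my $ACCOUNTDISABLE = 2;                          # the "2 bit" of userAccountControl

# Illustrative names. "as_posted" is the filter from the thread; "rfc2254"
# wraps the negated item in its own parentheses, as the RFC grammar requires.
my %candidates = (
    as_posted => "(&(objectclass=user)(objectCategory=person)"
               . "(!useraccountcontrol:${BIT_AND}:=${ACCOUNTDISABLE}))",
    rfc2254   => "(&(objectclass=user)(objectCategory=person)"
               . "(!(useraccountcontrol:${BIT_AND}:=${ACCOUNTDISABLE})))",
);

# Parse each string locally; new() returns undef when the string is rejected.
sub check_filter {
    my ($text) = @_;
    my $f = Net::LDAP::Filter->new($text);
    return defined $f ? 'parsed as ' . $f->as_string : 'rejected by parser';
}

# What the server-side rule computes for one attribute value:
# the assertion matches when (value & mask) == mask.
sub is_enabled {
    my ($uac) = @_;
    return ( ( $uac & $ACCOUNTDISABLE ) == $ACCOUNTDISABLE ) ? 0 : 1;
}

for my $name ( sort keys %candidates ) {
    printf "%-10s %s\n", $name, check_filter( $candidates{$name} );
}

# 512 and 514 are the enabled/disabled values quoted in the thread.
for my $uac ( 512, 514 ) {
    printf "userAccountControl=%d -> %s\n", $uac,
        is_enabled($uac) ? 'enabled (kept by the NOT filter)' : 'disabled (filtered out)';
}

# Against a live server, test the result before reading entries, e.g.
#   die $searchRes->error if $searchRes->code;
# because a failed search also yields zero entries.
```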