>>userAccountControl=65536
check if all enabled options/bits (unique combination) represent a total of 65536
 
>>userAccountControl:1.2.840.113556.1.4.803:=65536
check if only the option/bit represented by 65536 is enabled
 
Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel     : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : <see sender address>
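
The difference between the two filter forms discussed in this thread, as an added example that is not part of the original messages: a small local evaluator for a single integer filter term, run over constructed accounts. The helper names (`term_matches`, `search`) and the sample account names are hypothetical; the code models the matching semantics only and does not query a directory.

```python
import re

# Matching-rule OIDs from the thread, plus the AND/OR aliases ADFIND -bit accepts.
BIT_AND = "1.2.840.113556.1.4.803"  # true when ALL bits of the value are set
BIT_OR = "1.2.840.113556.1.4.804"   # true when ANY bit of the value is set
ALIASES = {"AND": BIT_AND, "OR": BIT_OR}
# userAccountControl flags named in the thread.
ACCOUNTDISABLE, NORMAL_ACCOUNT = 0x2, 0x200
DONT_EXPIRE_PASSWD, NOT_DELEGATED = 0x10000, 0x100000
# One integer filter term: attr=value or attr:RULE:=value, parentheses optional.
TERM = re.compile(r"^\(?(\w+)(?::([\w.]+):)?=(\d+)\)?$")


def term_matches(term, entry):
    """Evaluate one filter term against an entry (dict of attribute -> int)."""
    m = TERM.match(term.strip())
    if not m:
        raise ValueError(f"unsupported filter term: {term!r}")
    attr, rule, value = m.group(1).lower(), m.group(2), int(m.group(3))
    # LDAP attribute names are case-insensitive.
    stored = {k.lower(): v for k, v in entry.items()}.get(attr)
    if stored is None:
        return False
    if rule is None:                      # plain equality: whole value must match
        return stored == value
    rule = ALIASES.get(rule.upper(), rule)
    if rule == BIT_AND:
        return (stored & value) == value
    if rule == BIT_OR:
        return (stored & value) != 0
    raise ValueError(f"unknown matching rule: {rule}")


def search(term, entries):
    """Return the sAMAccountName of every entry the term matches."""
    return [e["sAMAccountName"] for e in entries if term_matches(term, e)]


# Constructed sample accounts (names and values made up for this example).
ACCOUNTS = [
    {"sAMAccountName": "svc-backup", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "old-admin", "userAccountControl": ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "svc-sql", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | NOT_DELEGATED},
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    for t in ("useraccountcontrol=66048", "userAccountControl:AND:=65536"):
        print(t, "->", search(t, ACCOUNTS))
```

With these sample accounts the equality term `useraccountcontrol=66048` returns only `svc-backup`, while the bitwise AND term with 65536 returns every account that has the password-never-expires flag set, whatever other flags it carries.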

________________________________

From: [EMAIL PROTECTED] on behalf of Yann
Sent: Mon 2006-10-09 20:24
To: ActiveDir@mail.activedir.org
Subject: RE : RE: [ActiveDir] finding users that password never expire.


Yes! Thanks, that works so well!! :o)
 
But I have many questions..
What is the difference between the query "userAccountControl=65536" and "(userAccountControl:1.2.840.113556.1.4.803:=65536)"?
Why couldn't I find any results with my first query?
And how do you construct the ":1.2.840.113556.1.4.803:" part of the LDAP query??
 
Thanks for your answer :)
 
Yann


"Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> wrote:

        to search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled
        ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"
         
        and to use it with a saved query use as the LDAP filter:
        (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
         
        with joe's ADFIND you can just specify AND or OR without the need to know the OID
        OR is by the way: 1.2.840.113556.1.4.804
         
        for the other values see:
        MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User Account Properties
         
        jorge
        

________________________________

                From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
                Sent: Monday, October 09, 2006 17:44
                To: ActiveDir@mail.activedir.org
                Subject: [ActiveDir] finding users that password never expire.
                
                
                Hello all,
                 
                I had to dump from AD all users whose password never expires.
                I used the saved queries with this custom LDAP query:
                useraccountcontrol=66048 which corresponds to NORMAL_ACCOUNT & DONT_EXPIRE_PASSWORD properties flag.
                BUT I found that this search was not complete, because some users have other properties flags such as 
                UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(
                 
                So the question is:
                How to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol?
                Is there a way to do it with a custom LDAP query?
                 
                Thanks,
                 
                Yann