>>userAccountControl=65536 check if all enabled options/bits (unique combination) represent a total of 65536 >>userAccountControl:1.2.840.113556.1.4.803:=65536 check if only the option/bit represented by 65536 is enabled Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : <see sender address>
________________________________ From: [EMAIL PROTECTED] on behalf of Yann Sent: Mon 2006-10-09 20:24 To: ActiveDir@mail.activedir.org Subject: RE : RE: [ActiveDir] finding users that password never expire. Yes ! thanks, that works so well !! :o) But many questions i have.. What is the difference between the query "userAccountControl=65536" and "(userAccountControl:1.2.840.113556.1.4.803:=65536)" ? Why couldn(t i find any results with my first query ? And how do you construct the ":1.2.840.113556.1.4.803:" part of the ldap query ?? Thanks for your answer :) Yann "Almeida Pinto, Jorge de" <[EMAIL PROTECTED]> a écrit : to search for accounts that HAVE the option "DONT_EXPIRE_PASSWORD" enabled ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))" and to use it with a saved query use as the LDAP filter: (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)) with joe's ADFIND you can just specify AND or OR without the need to know the OID OR is by the way: 1.2.840.113556.1.4.804 for the other values see: MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User Account Properties jorge ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: Monday, October 09, 2006 17:44 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] finding users that password never expire. Hello all, I had to do dump in AD all users whose password never expires. I used the saved queries with this custom ldap query : useraccountcontrol=66048 which corresponds to NORMAL_ACCOUNT & DONT_EXPIRE_PASSWORD properties flag. BUT i found that this search was not complete, because some users have other properties flag such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :( So the question is: How to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set to their useraccountcontrol ? Is there a way to do it with a custom ldap query ? Thanks, Yann ________________________________ Découvrez un nouveau moyen de poser toutes vos questions quel que soit le sujet ! Yahoo! Questions/Réponses pour partager vos connaissances, vos opinions et vos expériences. Cliquez ici <http://fr.rd.yahoo.com/evt=42054/*http://fr.answers.yahoo.com> . This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. ________________________________ Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! Demandez à ceux qui savent sur Yahoo! Questions/Réponses <http://fr.rd.yahoo.com/evt=42054/*http://fr.answers.yahoo.com> .
<<winmail.dat>>