Re: RE: [ActiveDir] finding users that password never expire.
The equals operator is looking for an exact match. As userAccountControl is a bitwise attribute (each bit represents an option) then in many cases it won't be 65536. Using the logical AND matching rule (1.2.840.113556.1.4.803) means that it checks the bit in question, regardless of what other bits are set.

As for how you use the AND matching rule, you actually write it as identifier:matching rule:=value, e.g.

(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))

More info here:
-- http://msdn2.microsoft.com/en-us/library/aa746475.aspx

--Paul

- Original Message -
From: Yann
To: ActiveDir@mail.activedir.org
Sent: Monday, October 09, 2006 6:24 PM
Subject: RE : RE: [ActiveDir] finding users that password never expire.

Yes! Thanks, that works so well!! :o)
But many questions I have..
What is the difference between the query userAccountControl=65536 and (userAccountControl:1.2.840.113556.1.4.803:=65536)? Why couldn't I find any results with my first query?
And how do you construct the :1.2.840.113556.1.4.803: part of the LDAP query??
Thanks for your answer :)
Yann

Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote:

to search for accounts that HAVE the option DONT_EXPIRE_PASSWORD enabled

ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:AND:=65536))"

and to use it with a saved query use as the LDAP filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

with joe's ADFIND you can just specify AND or OR without the need to know the OID
OR is by the way: 1.2.840.113556.1.4.804
for the other values see: MS-KBQ305144_How to Use the UserAccountControl Flags to Manipulate User Account Properties

jorge

--
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Yann
Sent: Monday, October 09, 2006 17:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding users that password never expire.

Hello all,

I had to do a dump in AD of all users whose password never expires.
I used the saved queries with this custom LDAP query: useraccountcontrol=66048, which corresponds to the NORMAL_ACCOUNT DONT_EXPIRE_PASSWORD properties flag.
BUT I found that this search was not complete, because some users have other properties flags such as UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD or UF_ACCOUNTDISABLE | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_NOT_DELEGATED ... :(

So the question is: How to search for user accounts that have at least the DONT_EXPIRE_PASSWORD property flag set in their useraccountcontrol? Is there a way to do it with a custom LDAP query?

Thanks,
Yann
RE : RE: [ActiveDir] finding users that password never expire.
Yes! Thanks, that works so well!! :o)
But many questions I have..
What is the difference between the query "userAccountControl=65536" and "(userAccountControl:1.2.840.113556.1.4.803:=65536)"? Why couldn't I find any results with my first query?
And how do you construct the ":1.2.840.113556.1.4.803:" part of the LDAP query??
Thanks for your answer :)
Yann
RE : Re: [ActiveDir] finding users that password never expire.
Thanks Paul.
That works great :)
Yann

Paul Williams [EMAIL PROTECTED] wrote:

Perform an AND query.

In ADFIND, this looks like this:

adfind -default -bit -f "(&(objectCategory=person)(userAccountControl:AND:=65536))" cn

If you want to use ADUC, or something else, you'll need to use this:

(&(objectCategory=person)(useraccountcontrol:1.2.840.113556.1.4.803:=65536))

--Paul
RE: RE : RE: [ActiveDir] finding users that password never expire.
userAccountControl=65536
check if all enabled options/bits (unique combination) represent a total of 65536

userAccountControl:1.2.840.113556.1.4.803:=65536
check if only the option/bit represented by 65536 is enabled

Kind regards,

Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
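The difference between the equality match and the two bitwise matching rules discussed in this thread, as an added example that is not from any of the posters: a small evaluator for single integer filter items, run over constructed accounts. The account names and the `matches`, `search` and `decode` helpers are hypothetical; the flag values and OIDs are the ones named in the thread.

```python
import re

# Values of the UF_* flags named in the thread.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x2,
    "NORMAL_ACCOUNT": 0x200,
    "DONT_EXPIRE_PASSWD": 0x10000,   # 65536
    "NOT_DELEGATED": 0x100000,
}
BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the filter value must be set
BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit of the filter value is set

# One filter item: attr=value or attr:matchingRuleOID:=value (integers only).
ITEM = re.compile(r"^\(?(\w+)(?::([\d.]+):)?=(\d+)\)?$")

def matches(item, entry):
    """Evaluate a single filter item against one entry (dict of int attributes)."""
    m = ITEM.match(item)
    if not m:
        raise ValueError(f"unsupported filter item: {item!r}")
    attr, rule, value = m.group(1).lower(), m.group(2), int(m.group(3))
    have = entry.get(attr)
    if have is None:
        return False
    if rule is None:                      # plain equality: whole integer must match
        return have == value
    if rule == BIT_AND:
        return (have & value) == value
    if rule == BIT_OR:
        return (have & value) != 0
    raise ValueError(f"unknown matching rule: {rule}")

def search(item, directory):
    """Names of entries matching the item, in directory order."""
    return [name for name, entry in directory.items() if matches(item, entry)]

def decode(uac):
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if uac & bit]

# Constructed sample accounts (hypothetical names, not from the thread).
DIRECTORY = {
    "alice": {"useraccountcontrol": 66048},    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "bob":   {"useraccountcontrol": 66050},    # ... | ACCOUNTDISABLE
    "carol": {"useraccountcontrol": 1114626},  # ... | NOT_DELEGATED
    "dave":  {"useraccountcontrol": 512},      # NORMAL_ACCOUNT only
    "erin":  {"useraccountcontrol": 514},      # NORMAL_ACCOUNT | ACCOUNTDISABLE
}
```

With this data, `useraccountcontrol=66048` returns only alice, `userAccountControl=65536` returns nothing, and the `:1.2.840.113556.1.4.803:=65536` form returns alice, bob and carol, which is the complete audit list the original question was after.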