Discussion in 'Active Directory' started by Primera, Jun 26, 2005.

  1. Primera

    Primera Guest

    I would like to be able to filter an ADO search by the numerous options in
    userAccountControl. Is there a way to filter out the bits that are turned on
    or off for this setting in a vbscript? For example, if I wanted to find all
    users with the 'account disabled' bit and 'password never expires' bit turned
    on. Thanks.
    Primera, Jun 26, 2005

  2. Primera

    Al Mulnick Guest

    I've not seen it where you can query that via LDAP directly. Typically,
    because it's a blob, you would have to read it first and then take action.
    Similar to

    However, I would likely rather use iadsuser objects vs. this type of method,
    but either should do what you want.

    I haven't looked to see what's available in .NET 2.0 yet, so maybe a more
    elegant way exists there.
    Was there something in particular you were trying to accomplish with the
    data? Or is this just general reporting?

    Al Mulnick, Jun 26, 2005

  3. Primera

    Primera Guest

    I am trying to search through all of the user accounts and computer accounts
    and identify which flags are set on them so that I can identify the 'normal'
    accounts and any that have flags set making them 'abnormal'. By 'abnormal' I
    mean those that are disabled, have no password expiration, or other flag
    unusual to our standard.

    Thanks in advance.
    Primera, Jun 26, 2005
  4. Primera

    Al Mulnick Guest

    In that case, I think you would want to search for all objects of that
    class, retrieve the userAccountControl, and evaluate against that.
    Those links should be helpful for that. If not, let us know and hopefully
    we can point you in the right direction.

    Al Mulnick, Jun 26, 2005
  5. This page from the MSDN documentation shows essentially how to do that by
    using the bitwise comparison flag filter option:

    The example shows doing what you are trying to do for groupType on group
    objects, but the exact same logic may be used to do bitwise filtering on
    userAccountControl. For example, to find disabled accounts, you could do:


    Just remember that userAccountControl doesn't actually tell you everything
    it looks like it should in AD. Specifically, the lockout and "user cannot
    change password" flags are not meaningful in AD. However, you can easily
    search for disabled accounts and other similar things this way.

    Since this is just an AD LDAP feature, you can use this with any API that
    uses LDAP filters including VB and scripting languages with ADO, any version
    of .NET with the DirectorySearcher class, raw LDAP API or JNDI.


    Joe K.
    Joe Kaplan \(MVP - ADSI\), Jun 26, 2005
  6. Hi,

    For tips on searching with ADO:

    From that page:

    To return all users with "Password Never Expires" set:
    "(&(objectCategory=person)(objectClass=user)" _
    & "(userAccountControl:1.2.840.113556.1.4.803:=65536))"

    To return all users with disabled accounts:
    "(&(objectCategory=person)(objectClass=user)" _
    & "(userAccountControl:1.2.840.113556.1.4.803:=2))"
    Richard Mueller [MVP], Jun 26, 2005
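As an added example (not code from any of the posters), the Python below builds the bitwise filters Richard shows for any combination of userAccountControl bits, and also does the read-then-evaluate pass Al describes, dropping the two bits Joe notes AD does not maintain. It goes slightly beyond the thread by including the match-any rule 1.2.840.113556.1.4.804 alongside the match-all rule 1.2.840.113556.1.4.803; the flag values are the well-known userAccountControl constants, the sample rows are constructed, and treating NORMAL_ACCOUNT as the only "normal" bit is an assumption about the site's standard.

```python
# Well-known userAccountControl bit flags (subset).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,              # not maintained by AD (see Joe's note)
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,   # not maintained by AD either
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
}
# LDAP extensible-match rules: AND matches only if every listed bit is set,
# OR matches if any listed bit is set.
BIT_AND = "1.2.840.113556.1.4.803"
BIT_OR = "1.2.840.113556.1.4.804"
UNRELIABLE = {"LOCKOUT", "PASSWD_CANT_CHANGE"}
USER_BASE = "(&(objectCategory=person)(objectClass=user)"

def uac_filter(flag_names, match_all=True, base=USER_BASE):
    """Build one LDAP filter clause for the named bits; with match_all the
    combined value means 'all of these bits', which is what the OP asked for."""
    value = 0
    for name in flag_names:
        value |= UAC_FLAGS[name]
    rule = BIT_AND if match_all else BIT_OR
    return f"{base}(userAccountControl:{rule}:={value}))"

def decode_uac(value):
    """Names of the flags set in a userAccountControl integer."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}

def abnormal_flags(value, baseline=frozenset({"NORMAL_ACCOUNT"})):
    """Flags beyond the assumed baseline, ignoring bits AD does not maintain."""
    return decode_uac(value) - baseline - UNRELIABLE

# Constructed sample rows: (sAMAccountName, userAccountControl) as ADO returns them.
SAMPLE = [("alice", 512), ("svc_backup", 66048), ("olduser", 514),
          ("bob", 528), ("svc_legacy", 66050)]

def report(rows=SAMPLE):
    """Map each account to its sorted list of abnormal flags."""
    return {name: sorted(abnormal_flags(uac)) for name, uac in rows}
```

Note that "bob" (512 + 16, the LOCKOUT bit) reports no abnormal flags because that bit is excluded as unreliable; a real lockout check needs lockoutTime instead.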