Tuesday, September 20, 2011

Common AD Queries

Locked Out Users - Displays user accounts whose lockoutTime is set (the bitwise OR rule with mask 4294967295 tests the low 32 bits of the FILETIME value). AD clears lockoutTime only on an unlock or the next successful logon, not when the lockout duration expires, so accounts that are no longer locked can still appear here; compare lockoutTime against the domain's lockoutDuration for the currently locked set.
(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))
Dial In Access - Displays all the user accounts with Dial In Access (msNPAllowDialin)
(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))
Disabled User Accounts - Displays all the user accounts that are currently disabled
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
Non Expiring Passwords - Displays all the user accounts whose password is set to never expire (userAccountControl bit 65536, DONT_EXPIRE_PASSWD; account expiry itself is the separate accountExpires attribute)
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
Active Accounts - Displays all the user accounts that are enabled (ACCOUNTDISABLE bit 2 not set)
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Hidden Mailboxes - Displays all accounts with hidden Mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))
Windows XP Computers - Displays all computers running Windows XP Professional with Service Pack 3 (drop the operatingSystemServicePack clause to list every XP machine)
(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))
Vista Machines - Displays all computers running Windows Vista
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows Vista*))
Vista Machines - SP1
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))
All Computers - Displays all computers
(sAMAccountType=805306369)
Windows 2000 Professional - Displays all workstations running Windows 2000 Professional (the server editions report a different operatingSystem value, for example "Windows 2000 Server", so this filter does not return servers)
(&(objectCategory=Computer)(operatingSystem=Windows 2000 Professional))
Windows Server 2003 - Displays all computers running Windows Server 2003, excluding writable domain controllers (primaryGroupID 516 is the Domain Controllers group, so it must be negated; read-only DCs carry primaryGroupID 521 and are not excluded by this clause)
(&(sAMAccountType=805306369)(!(primaryGroupID=516))(objectCategory=computer)(operatingSystem=Windows Server 2003*))
Windows Server 2008 - Displays all computers running Windows Server 2008, excluding writable domain controllers (same caveat about read-only DCs)
(&(sAMAccountType=805306369)(!(primaryGroupID=516))(objectCategory=computer)(operatingSystem=Windows Server 2008*))
All Windows Server Domain Controllers - Displays all computers that are domain controllers: the bitwise OR rule matches userAccountControl bit 8192 (SERVER_TRUST_ACCOUNT, writable DC) or bit 67108864 (PARTIAL_SECRETS_ACCOUNT, read-only DC), 8192 + 67108864 = 67117056
(&(sAMAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.804:=67117056))

Find all users whose email address contains …

(&(objectClass=user)(mail=*@afl.maori.nz))

The two clauses must be joined with & to form one filter. Note that computer objects also carry objectClass=user (computer is a subclass of user in the AD schema), which is why the queries above pair objectClass=user with objectCategory=person.


http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm


Basic LDAP Syntax

• = (EQUAL TO)

This LDAP argument means a certain attribute must be equal to a certain value to be true. For example, if you want to find all objects that have the first name of John, you would use:

(givenName=John)

This would return all objects that have the first name of John. The parentheses mark the beginning and end of the filter; RFC 4515 requires them even around a single comparison.

• & (logical AND)

You use this syntax when you have more than one condition, and you want all conditions in the series to be true. For example, if you want to find all of the people that have the first name of John and live in Dallas, you would use:

(&(givenName=John)(l=Dallas))

Notice that each argument is in its own set of parentheses. The entire LDAP statement must be encompassed in a main set of parentheses. The & operator means that each argument must be true for this filter to apply to your object in question.

• ! (logical NOT)

This operator is used to exclude objects that have a certain attribute. Suppose you need to find all objects except those that have the first name of John. You would use the following statement:

(!(givenName=John))

This statement would find all objects that do not have the first name of John. Notice that the ! operator sits in its own set of parentheses directly in front of the argument, and the argument keeps its own parentheses. Active Directory also accepts the shorter (!givenName=John), but that form is not valid RFC 4515 syntax and standard LDAP clients such as ldapsearch reject it, so use the nested form.

• * (wildcard)

You use the wildcard operator to represent a value that could be equal to anything. One such situation might be if you wanted to find all objects that have a value for title. You would then use:

(title=*)

This would return all objects that have the title attribute populated with a value. Another example might be if you know an object's first name starts with Jo. Then, you could use the following to find those:

(givenName=Jo*)

This would apply to all objects whose first name starts with Jo.

• The following are more advanced examples of LDAP syntax:

• You need a filter to find all objects that are in Dallas or Austin, and that have the first name of John. This would be:

(&(givenName=John)(|(l=Dallas)(l=Austin)))

• You are receiving event ID 9548 in the Application log and need to find all of the objects that are causing it. In this case, you need to find all of the disabled users (msExchUserAccountControl=2) that do not have a value for msExchMasterAccountSID. This would be:

(&(msExchUserAccountControl=2)(!(msExchMasterAccountSID=*)))

• Note: the ! operator combined with the wildcard, as in (!(attribute=*)), matches objects where that attribute is not set at all.
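Both the query list at the top of the page and the operator walkthrough above can be checked offline with the following evaluator. It is an added example, not code from the original post or from Microsoft: it parses the RFC 4515 filter grammar plus the two AD bitwise matching rules (1.2.840.113556.1.4.803 and 1.2.840.113556.1.4.804) and runs filters over a small in-memory directory. Every object, name, SID and attribute value in SAMPLE_DIRECTORY is constructed for illustration; the userAccountControl numbers are the usual AD bit patterns. Running it shows that the 803 rule needs every bit in the mask while 804 needs any one of them, that a NOT written as (!attr=value) is rejected by a strict parser, that lockoutTime=0 after an unlock no longer matches the locked-out filter, and that (!(primaryGroupID=516)) excludes only writable domain controllers (RODCs are in group 521). On a real domain the same filter strings are passed unchanged to Get-ADObject -LDAPFilter, dsquery * -filter or ldapsearch.

```python
# Added example, not code from the original post: an offline evaluator for the AD LDAP filter
# dialect used on this page. Every object, name and value in SAMPLE_DIRECTORY is constructed.
import re
from fnmatch import fnmatchcase

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: every bit in the value must be set
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR: at least one bit in the value is set
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9-]*)(?::([0-9.]+):)?=(.*)")  # attr=value | attr:rule:=value

def parse(text):
    """Parse an RFC 4515 filter into ('&'|'|'|'!', [children]) or ('item', attr, rule, value)."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError(f"trailing text after filter: {text[end:]!r}")
    return node

def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, children = s[i], i + 1, []
        while s[i:i + 1] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if op == "!" and len(children) != 1:
            # AD itself accepts (!attr=value); strict RFC 4515 clients such as ldapsearch do not.
            raise ValueError("NOT must wrap exactly one parenthesised filter: (!(attr=value))")
        if s[i:i + 1] != ")":
            raise ValueError(f"unbalanced parentheses near offset {i}")
        return (op, children), i + 1
    close = s.find(")", i)  # a ')' inside a value would need RFC 4515 escaping, not handled here
    item = _ITEM.fullmatch(s[i:close]) if close > 0 else None
    if item is None:
        raise ValueError(f"bad filter item near offset {i}")
    attr, rule, value = item.groups()
    return ("item", attr.lower(), rule, value), close + 1

def is_well_formed(text):
    """True if the filter parses under the strict grammar above."""
    try:
        parse(text)
        return True
    except ValueError:
        return False

def matches(node, entry):
    """Evaluate a parsed filter against one object (dict keyed by lower-cased attribute name)."""
    kind = node[0]
    if kind in ("&", "|", "!"):
        results = [matches(c, entry) for c in node[1]]
        return all(results) if kind == "&" else any(results) if kind == "|" else not results[0]
    _, attr, rule, value = node
    actual = entry.get(attr)
    if actual is None:  # an absent attribute never matches, so (!(attr=*)) means "attribute not set"
        return False
    if rule == BIT_AND:
        return int(actual) & int(value) == int(value)
    if rule == BIT_OR:
        return int(actual) & int(value) != 0
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    return fnmatchcase(str(actual).lower(), value.lower())  # case-insensitive; '*' = presence/wildcard

def search(filter_text, directory):
    """Return the cn of every object the filter matches, in directory order."""
    tree = parse(filter_text)
    return [o["cn"] for o in directory if matches(tree, {k.lower(): v for k, v in o.items()})]

# Constructed directory. userAccountControl uses the usual AD bit patterns: 512 normal user,
# 514 disabled, 66048 password never expires, 4096 member server, 532480 writable DC, 83890176 RODC.
# AD resets lockoutTime to 0 on unlock, so alice is not locked now. objectCategory is written as
# the short name that AD resolves to the schema DN.
U = {"objectCategory": "person", "objectClass": "user"}
C = {"objectCategory": "computer", "sAMAccountType": 805306369}
SAMPLE_DIRECTORY = [
    {**U, "cn": "alice", "userAccountControl": 512, "givenName": "John", "l": "Dallas",
     "mail": "alice@afl.maori.nz", "lockoutTime": 0},
    {**U, "cn": "bob", "userAccountControl": 514, "givenName": "John", "l": "Austin",
     "mail": "bob@afl.maori.nz", "msExchUserAccountControl": 2},
    {**U, "cn": "carol", "userAccountControl": 66048, "givenName": "Carol", "l": "Dallas",
     "lockoutTime": 132648000000000001},
    {**U, "cn": "dave", "userAccountControl": 514, "msExchUserAccountControl": 2,
     "msExchMasterAccountSID": "S-1-5-21-111-222-333-1105"},
    {**C, "cn": "dc01", "primaryGroupID": 516, "userAccountControl": 532480,
     "operatingSystem": "Windows Server 2003"},
    {**C, "cn": "rodc01", "primaryGroupID": 521, "userAccountControl": 83890176,
     "operatingSystem": "Windows Server 2008 R2 Standard"},
    {**C, "cn": "srv01", "primaryGroupID": 515, "userAccountControl": 4096,
     "operatingSystem": "Windows Server 2008 Standard"},
]

if __name__ == "__main__":
    for flt in ("(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))",
                "(&(sAMAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.804:=67117056))",
                "(&(sAMAccountType=805306369)(!(primaryGroupID=516))(operatingSystem=Windows Server 2008*))"):
        print(flt, "->", search(flt, SAMPLE_DIRECTORY))
```

The evaluator deliberately follows RFC 4515 rather than AD's lenient parser, so a filter that works in ADUC but fails here is one that will also fail from ldapsearch or a non-Microsoft LDAP library. The bit rules take the attribute as an integer: 803 is "all bits set" (used for single flags such as ACCOUNTDISABLE) and 804 is "any bit set", which is why the domain controller query above can catch both writable and read-only DCs with one mask.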

