
LDAP- how to find all users EXCEPT (?)

Status
Not open for further replies.

bran2235

IS-IT--Management
Feb 13, 2002
703
US
Hi guys.. just learning LDAP here...

I want to do an LDAP query to find all users except several users... IS this possible?

If not, then how do I use LDAP to find ALL Users, then I can select all users and exclude the others manually...?

Basically, I need to change almost all user accounts to "reset pw at next logon"... but there are several accounts I don't want to touch...


Many Thanks!
Brandon
 
By The Way... I'm using ADUC to do a 'custom search'...
 
This should be easy. Are you familiar with LDAP filters?

For example, this is a common LDAP filter to find all user objects:

Code:
(&(objectClass=user)(objectCategory=person))

That says show all objects that have an objectclass of user AND objectcategory of person. The "&" is for "AND", and you can use the "|" as an "OR". Also, to do a "NOT", you could do something like this:

Code:
(&(objectClass=user)(objectCategory=person)(!(sAMAccountName=msmith)))

That query should show all users that do not have a username of msmith. So you could use that type of filter and just add more users with the "!" in front of it. The "!" means "NOT" in an LDAP filter.

Does that help?
 
BTW, I would create this in ADUC and save it as a saved query so you can always go back to it.
 
Ok- thanks...
I really want to find all users who have the following:
1) Their account is expired; and/or
2) Their account is set so that their "password never expires"

Is this possible?
 
This would get you a list of users that "will not expire".

Code:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

Now, you want accounts that are expired? Do you mean accounts that are locked or accounts that are disabled?
 
Thanks DJ!
I mean accounts that are disabled..
How would I save this LDAP query in ADUC?
 
Code:
(&(objectCategory=person)(objectClass=user)(|(userAccountControl:1.2.840.113556.1.4.803:=65536)(userAccountControl:1.2.840.113556.1.4.803:=2)))

I think that will work. I think that will show you all users that are either disabled OR are non-expiring.


To save it in AD, go into SAVED QUERIES, right-click and select NEW > Query. Go into Define Query once it's created. Choose Custom search from the drop-down and click the advanced tab. Paste in the filter I gave you and save it. Now all you should have to do is click on the query name and it should work each time.
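As an added example (not code from the thread), the filters from the two replies above rebuilt in Python: the "all users except these" filter with the NOT operator wrapped correctly and the excluded names escaped per RFC 4515, the userAccountControl bitwise filter, and a local check of what the 1.2.840.113556.1.4.803 matching rule (bitwise AND) selects over a few constructed sample accounts.

```python
# Added example, not from the thread. Sample accounts below are constructed.

# Matching rule OID used in the thread: LDAP_MATCHING_RULE_BIT_AND
BIT_AND = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 2          # userAccountControl bit: account is disabled
UF_DONT_EXPIRE_PASSWD = 65536  # userAccountControl bit: password never expires

def escape(value):
    """RFC 4515 escaping so a name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def users_except(names):
    """All user objects except the given sAMAccountNames.
    Each NOT wraps a parenthesised filter: (!(attr=value))."""
    nots = "".join("(!(sAMAccountName=%s))" % escape(n) for n in names)
    return "(&(objectClass=user)(objectCategory=person)%s)" % nots

def uac_filter(*bits):
    """Users whose userAccountControl has ANY of the given bits set (OR of bit tests)."""
    terms = "".join("(userAccountControl:%s:=%d)" % (BIT_AND, b) for b in bits)
    return "(&(objectCategory=person)(objectClass=user)(|%s))" % terms

def matches_uac(uac, *bits):
    """What the DC evaluates for the :1.2.840.113556.1.4.803: rule:
    the attribute ANDed with the filter value must equal the filter value."""
    return any(uac & b == b for b in bits)

# Constructed sample directory: (sAMAccountName, userAccountControl)
# 512 = normal account, 66048 = 512 + 65536 (never expires), 514 = 512 + 2 (disabled)
SAMPLE = [("msmith", 512), ("jdoe", 66048), ("svc_backup", 514), ("asmith", 512)]

def select(*bits):
    """Names in SAMPLE that the uac_filter(*bits) query would return."""
    return [name for name, uac in SAMPLE if matches_uac(uac, *bits)]

if __name__ == "__main__":
    print(users_except(["msmith", "jdoe"]))
    print(uac_filter(UF_DONT_EXPIRE_PASSWD, UF_ACCOUNTDISABLE))
    print("never expires:", select(UF_DONT_EXPIRE_PASSWD))
    print("disabled:", select(UF_ACCOUNTDISABLE))
```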
 
GREAT! Thank you!!!
One more.. is there a way to pipe these queries to a notepad or xls?

Thank you so much!!
Brandon
 
Well, that cannot be done within the query, but when you are displaying your results you can click the button on the toolbar to "EXPORT". You can also customize what fields you see in the choose columns section.
 
OK- just noticed something... I had created 3 LDAP queries in the "Saved Queries" section.. I closed ADUC and opened it back up and now they are gone! Is this normal?

Thank you for all your help!!!
Brandon
 
I think there is something there where you have to click on another item before you close ADUC. Otherwise, I think it does not save correctly or something. I remember something like that from a long time ago.
 
Ok, man, I'm trying to learn the LDAP syntax and it is really killn' me!

Can you give me the string I would need to find all disabled accounts?

Thanks, again-
Brandon
 