
Filter out disabled users when searching Active Directory with LDP

Though you might not notice it from day-to-day use, Active Directory isn’t a single piece of software but rather an amalgam of several services, LDAP and DNS being the most obvious. As such, it’s sometimes easier to delve into the inner workings a bit than to use the GUIs Microsoft provides; for example, to run complex queries on users. One issue with searching this way is that, rather than having multiple boolean fields for the various user attributes (think of anything that’s a checkbox on an ADUC properties window), the designers opted for a single bitmask field (userAccountControl) where each bit represents a specific attribute, including whether a user is disabled. This makes it a little more difficult to search using tools like LDP with simple equality statements. Of course, there’s a way around that, but it’s not quite obvious:

(&(your original query)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

For example, if you are searching for users with a login script of “login.bat”, the base filter would be

(scriptPath=login.bat)

To exclude disabled users from that query:

(&(scriptPath=login.bat)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

So what’s actually going on here? LDAP provides several comparison operators beyond the obvious equality “=”. These are written in extensible-match syntax (attribute:OID:=value), with 1.2.840.113556.1.4.803 being the OID for bitwise AND (LDAP_MATCHING_RULE_BIT_AND): the filter matches when every bit of the given value is set in the attribute, so bit 2 (ACCOUNTDISABLE) is found no matter which other bits are also set. Of course, the userAccountControl field describes a lot of attributes beyond disabled/enabled; MS has provided a handy guide to them in KB 305144.
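As an added illustration (not part of the original post), the following Python evaluates the bitwise-AND matching rule locally against a handful of constructed directory entries, and contrasts it with the tempting but wrong `(userAccountControl=514)` equality test, which misses a disabled account that also has other flags set. The entries and their attribute values are made up for the example; the flag values come from KB 305144.

```python
# Added example: local evaluation of (userAccountControl:1.2.840.113556.1.4.803:=2)
# against constructed entries. Not the original post's code and not an LDAP client.

# Subset of the userAccountControl flag values listed in KB 305144.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
}
ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]

# Constructed sample entries (sAMAccountName -> attributes); not real directory data.
ENTRIES = {
    "alice": {"scriptPath": "login.bat", "userAccountControl": 512},    # enabled normal account
    "bob":   {"scriptPath": "login.bat", "userAccountControl": 514},    # disabled (512 + 2)
    "carol": {"scriptPath": "login.bat", "userAccountControl": 66050},  # disabled + password never expires
    "dave":  {"scriptPath": "other.bat", "userAccountControl": 514},    # disabled, different script
    "erin":  {"scriptPath": "login.bat", "userAccountControl": 66048},  # enabled + password never expires
}

def bit_and_match(value, mask):
    """Semantics of (attr:1.2.840.113556.1.4.803:=mask): every bit of mask is set in value."""
    return value & mask == mask

def decode_uac(value):
    """Name each flag from the UAC_FLAGS subset that is set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def enabled_with_script(entries, script):
    """Equivalent of (&(scriptPath=<script>)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))."""
    return sorted(
        name for name, attrs in entries.items()
        if attrs["scriptPath"].lower() == script.lower()  # AD string attributes match case-insensitively
        and not bit_and_match(attrs["userAccountControl"], ACCOUNTDISABLE)
    )

def naive_equality(entries, script):
    """Equivalent of (&(scriptPath=<script>)(!(userAccountControl=514))): only excludes exactly 514."""
    return sorted(
        name for name, attrs in entries.items()
        if attrs["scriptPath"].lower() == script.lower()
        and attrs["userAccountControl"] != 514
    )

if __name__ == "__main__":
    print("bitwise AND:", enabled_with_script(ENTRIES, "login.bat"))  # ['alice', 'erin']
    print("equality:   ", naive_equality(ENTRIES, "login.bat"))       # ['alice', 'carol', 'erin']
    print("carol's flags:", decode_uac(ENTRIES["carol"]["userAccountControl"]))
```

Running it shows that the equality version lets carol through because 66050 is not 514, while the bitwise test correctly treats her account as disabled.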
