Though you might not notice it in day-to-day use, Active Directory isn’t a single piece of software but rather an amalgam of several services, LDAP and DNS being the most obvious. As such, it’s sometimes easier to delve into the inner workings a bit than to use the GUIs Microsoft provides; for example, to run complex queries on users. One issue with searching this way is that, rather than have multiple boolean fields for the various user attributes (think anything that’s a checkbox on an ADUC properties window), the designers opted for a single bitmask field (userAccountControl) where each bit represents a specific attribute, including whether a user is disabled. Because the disabled bit is packed in with the others, a simple equality test in a tool like LDP cannot isolate it. Of course, there’s a way around that, but it’s not quite obvious:
(&(your original query)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
For example, if you are searching for users with a login script of “login.bat”, the base filter would be
To exclude disabled users from that query:
So what’s actually going on here? LDAP provides several comparison operators beyond the obvious equality “=”. The extra ones are written as extensible matches of the form attribute:OID:=value, where the OID names the matching rule; 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) is the OID for bitwise AND, so the clause above matches any entry whose userAccountControl has bit 2 (ACCOUNTDISABLE) set, and the surrounding “!” negates it. Of course, the userAccountControl field describes a lot of attributes beyond disabled/enabled; MS has provided a handy guide to them in KB 305144.
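To make the bitmask point concrete, here is an added example (not from the original post) that builds the exclusion filter described above and evaluates the bit-AND rule locally over a few constructed entries; it assumes scriptPath as the login-script attribute and uses the flag values from KB 305144.

```python
# Added example, not the post's own code: build the "exclude disabled" filter
# and emulate the bit-AND matching rule on constructed userAccountControl values,
# to show why a plain equality test (userAccountControl=2) never finds them.

BIT_AND_OID = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x0002                   # bit value documented in KB 305144

# A few of the userAccountControl bits from KB 305144.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

def exclude_disabled(base_filter):
    """Wrap an existing LDAP filter so that disabled accounts are excluded."""
    return f"(&{base_filter}(!(userAccountControl:{BIT_AND_OID}:={ACCOUNTDISABLE})))"

def decode_uac(value):
    """List the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def bit_and_matches(value, mask):
    """Semantics of the bit-AND rule: every bit in mask must be set in value."""
    return value & mask == mask

# Constructed sample entries: (sAMAccountName, scriptPath, userAccountControl).
# scriptPath is assumed here as the login-script attribute.
SAMPLE_USERS = [
    ("alice", "login.bat", 0x200),                   # enabled normal account (512)
    ("bob",   "login.bat", 0x200 | 0x2),             # disabled (514)
    ("carol", "login.bat", 0x200 | 0x10000 | 0x2),   # disabled, password never expires
    ("dave",  "other.bat", 0x200),                   # different login script
]

def enabled_with_script(users, script):
    """Emulate the post's query: script matches AND NOT (uac bit-AND 2)."""
    return [name for name, path, uac in users
            if path == script and not bit_and_matches(uac, ACCOUNTDISABLE)]

if __name__ == "__main__":
    print(exclude_disabled("(scriptPath=login.bat)"))
    for name, _, uac in SAMPLE_USERS:
        # Equality against 2 is False for every entry: the bit is never alone.
        print(name, uac, decode_uac(uac), "equals 2?", uac == 2)
    print(enabled_with_script(SAMPLE_USERS, "login.bat"))
```

Note that none of the sample values equals 2, because ACCOUNTDISABLE always sits alongside NORMAL_ACCOUNT (512); only the bit-AND test separates bob and carol from alice.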