
Filter out disabled users when searching Active Directory with LDP

Though you might not notice it from day-to-day use, Active Directory isn’t a single piece of software but rather an amalgam of several services, LDAP and DNS being the most obvious.  As such, it’s sometimes easier to delve into the inner workings a bit than to use the GUIs Microsoft provides; for example, to run complex queries on users.  One issue with searching this way is that, rather than have multiple boolean fields for the various user attributes (think anything that’s a checkbox on an ADUC properties window), the designers opted for a single bitmask field (userAccountControl) in which each bit represents a specific attribute, including whether a user is disabled.  This makes it a little more difficult to search with tools like LDP using simple equality statements.  Of course, there’s a way around that, but it’s not quite obvious:

(&(your original query)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

For example, if you are searching for users with a login script of “login.bat”, the base filter would be


To exclude disabled users from that query:


So what’s actually going on here?  LDAP provides several comparison operators beyond the obvious equality “=”.  These extended operators are specified by OIDs, with 1.2.840.113556.1.4.803 being the OID for bitmask AND: the filter matches when every bit of the given value is set in the attribute, which is why “:=2” tests only the disabled bit regardless of whatever else is set in userAccountControl.  Of course, the userAccountControl field describes a lot of attributes beyond disabled/enabled; MS has provided a handy guide to them in KB 305144.
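As an added illustration, not part of the original post, here is a small Python evaluator for this filter subset run over constructed sample entries. It assumes scriptPath as the login-script attribute, and it goes slightly beyond the post by also handling the bitwise-OR matching rule 1.2.840.113556.1.4.804.

```python
import re
# Matching-rule OIDs Active Directory accepts in extensible-match filters (attr:OID:=value).
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND: all bits of the value are set
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR: any bit of the value is set
ACCOUNTDISABLE = 0x0002              # userAccountControl flags from KB 305144
NORMAL_ACCOUNT = 0x0200

def exclude_disabled(base_filter):
    """Wrap an existing filter so that disabled accounts drop out of the result set."""
    return f"(&{base_filter}(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))"

def _children(body):
    """Split the body of an (&...) node into its top-level child filters."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == ")" and depth == 0:
            parts.append(body[start:i + 1])
            start = i + 1
    return parts

def matches(entry, flt):
    """Evaluate the filter subset used here (&, !, =, bit rules) against one directory entry."""
    inner = flt[1:-1]
    if inner[0] == "&":
        return all(matches(entry, child) for child in _children(inner[1:]))
    if inner[0] == "!":
        return not matches(entry, inner[1:])
    attr, rule, value = re.fullmatch(r"([A-Za-z]+)(?::([\d.]+):)?=(.+)", inner).groups()
    actual = entry.get(attr)
    if rule is None:                       # plain equality, as LDP's simple filters use
        return actual is not None and str(actual).lower() == value.lower()
    if actual is None:
        return False
    mask = int(value)
    if rule == BIT_AND:
        return (actual & mask) == mask
    if rule == BIT_OR:
        return (actual & mask) != 0
    raise ValueError(f"unsupported matching rule {rule}")

# Constructed sample entries, not real accounts; scriptPath is the assumed login-script attribute.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "scriptPath": "login.bat", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "bob", "scriptPath": "login.bat", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"sAMAccountName": "carol", "scriptPath": "other.bat", "userAccountControl": NORMAL_ACCOUNT},
]

def search(flt, entries=SAMPLE_USERS):
    return [e["sAMAccountName"] for e in entries if matches(e, flt)]
```

Note that the plain equality filter (userAccountControl=2) finds nothing, because a disabled normal account carries the value 514 (512 + 2), which is exactly the problem the bitmask rule solves.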
