LDAP Query for all active users

  • Question

  • I need a query within ADUC that will give me a list of all my active users and will NOT list any disabled accounts, computer accounts, or anything other than User accounts that have an active sign on. Please advise.
    Monday, 9 January 2012 21:48

Answers

  • If you have the AD modules, you can use Get-ADUser with the -LDAPFilter clause. You don't need the clauses to restrict the query to users. For example:

    Get-ADUser -SearchBase "ou=West,dc=MyDomain,dc=com" -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)"

    Or, you can use dsquery * at the command prompt of a DC with the same LDAP query. For example:

    dsquery * "ou=West,dc=MyDomain,dc=com" -Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

    Does this help?


    Richard Mueller - MVP Directory Services
    • Suggested as answer by ClarksonAdmin Tuesday, 10 January 2012 18:05
    • Marked as answer by Yan Li_ Wednesday, 11 January 2012 03:27
    Tuesday, 10 January 2012 17:36

All Replies

  • Hello,

    You can use this LDAP filter:

    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))

    More examples:

    Active Directory: LDAP Syntax Filters (Richard Mueller - MVP)

    Regards

    Monday, 9 January 2012 22:05
  • Thanks for the query and the link. I had tried using (objectCategory=person)(!userAccountControl:1.2.840.113556.1.4.803:=2) but it was returning over 1000 objects, which included non-user objects. Wasn't sure how to remove everything except users. I'll have to go through that link and try to figure some of this out.
    Tuesday, 10 January 2012 14:02
  • Hello,

    You have not used the objectClass "(objectClass=user)" as mentioned, or did you modify it?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Tuesday, 10 January 2012 14:05
  • What do you mean by “active sign other than User accounts that have an active sign on”?

    You can get all enabled users by using above LDAP syntax. 


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/

    This posting is provided AS IS with no warranties,and confers no rights.
    Tuesday, 10 January 2012 15:25
  • The filter (objectCategory=person) returns both user and contact objects. Since contact objects do not have a userAccountControl attribute, the clause (!userAccountControl:1.2.840.113556.1.4.803:=2) will always be True for contacts. As noted, to restrict the query to just user objects, add the clause (objectClass=user).
    Richard Mueller - MVP Directory Services
    Tuesday, 10 January 2012 16:15
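As an added illustration (not code from the thread or from any of its posters), here is a small Python evaluator for the LDAP filter syntax used in this thread, run over constructed sample entries. It models AD's bitwise-AND extensible match (1.2.840.113556.1.4.803) and the absent-attribute behaviour Richard describes, so you can see why both (objectCategory=person) and (objectClass=user) are needed: a contact has no userAccountControl, and a computer's objectClass chain includes user. The names ENTRIES, entry, parse, matches and search are my own, and objectCategory is stored as a bare word rather than the schema DN a real directory would return.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample entries (not real directory data). Contacts carry no
# userAccountControl at all, and a computer's objectClass chain includes "user".
def entry(dn, category, classes, uac=None):
    e = {"dn": dn, "objectCategory": category, "objectClass": ["top", "person"] + classes}
    return e if uac is None else {**e, "userAccountControl": uac}

ENTRIES = [
    entry("cn=alice", "person", ["user"], 512),                  # NORMAL_ACCOUNT, enabled
    entry("cn=bob", "person", ["user"], 514),                    # 512 | 2 (ACCOUNTDISABLE)
    entry("cn=carol", "person", ["contact"]),                    # contact, no userAccountControl
    entry("cn=srv01", "computer", ["user", "computer"], 4096),   # WORKSTATION_TRUST_ACCOUNT
]

def parse(s, i=0):
    """Parse one parenthesised filter item at s[i]; return (node, index after it)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")  # attr may end in ":<rule OID>:" (extensible match)
    return ("cmp", attr, value), j + 1

def matches(node, entry):
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    _, attr, value = node
    name, _, rule = attr.partition(":")
    vals = next((v for k, v in entry.items() if k.lower() == name.lower()), None)
    if vals is None:
        return False  # an absent attribute never matches, so (!...) over it is True
    vals = vals if isinstance(vals, list) else [vals]
    if rule.rstrip(":") == BIT_AND:  # every bit of value must be set in the stored integer
        return any(int(v) & int(value) == int(value) for v in vals)
    return any(str(v).lower() == value.lower() for v in vals)

def search(filter_text, entries=ENTRIES):
    """DNs matching filter_text; AD's (!attr=value) shorthand is normalised to (!(attr=value))."""
    node, _ = parse(re.sub(r"\(!([^()]+)\)", r"(!(\1))", filter_text))
    return [e["dn"] for e in entries if matches(node, e)]
```

Running the OP's original filter without (objectClass=user) returns the contact alongside the enabled user, while dropping (objectCategory=person) instead lets the enabled computer account through.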
  • Is there a PowerShell command that can be run instead? I'd like to find active users in a particular OU. Any thoughts?
    Tuesday, 10 January 2012 16:55
  • This worked perfectly... thank you for your help!
    Tuesday, 10 January 2012 18:05
  • Here is the PowerShell way to do this which can be way more flexible when needed.

    $sb='CN=Computers,dc=TestNet,dc=local'
    $targetPath='ou=testou,dc=TestNet,dc=local'
    
    Get-ADcomputer -SearchBase $sb -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' |
         Move-ADObject -TargetPath $targetPath -whatif


    ¯\_(ツ)_/¯

    Saturday, 20 September 2014 15:21
  • I used the dsquery and needed to use the "-Limit 1000" option because I had more than 100 responses. If you just need a quick count you can just pipe it to find /c "=" to get a count. You need to subtract one due to the first line not being an active user; it is just a header with the query criteria.

    Thanks for the help.

     David Tersigni

    Wednesday, 2 March 2016 03:12
  • Use -Limit 0 with dsquery, and there is no limit.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, 2 March 2016 04:39
  • (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    Thursday, 22 February 2018 19:47
  • Hi, the query string you provided

    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
    was not recognized as a valid query string by the Advanced query filter in the interactive ADUC filter dialog.



    Friday, 10 April 2020 14:14
  • Hi, the query string you provided

    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
    was not recognized as a valid query string by the Advanced query filter in the interactive ADUC filter dialog.



    Please don't reopen old topics. The filter works fine in ADUC and is used commonly.


    ¯\_(ツ)_/¯

    Friday, 10 April 2020 14:33