LDAP Query for all active users

  • Question

  • I need a query within ADUC that will give me a list of all my active users and will NOT list any disabled accounts, computer accounts, or anything other than User accounts that have an active sign on.  Please advise. 
    January 9, 2012 21:48

All replies

  • Hello,

     

    You can use this LDAP filter:

    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))

     

    More examples:

    Active Directory: LDAP Syntax Filters (Richard Mueller - MVP)

     

    Regards

    January 9, 2012 22:05
  • Thanks for the query and the link.  I had tried using (objectCategory=person)(!userAccountControl:1.2.840.113556.1.4.803:=2) but it was returning over 1000 objects, which included non-user objects.  Wasn't sure how to remove everything except users.  I'll have to go through that link and try to figure some of this out.
    January 10, 2012 14:02
  • Hello,

    You have not used the objectClass "(objectClass=user)" as mentioned, or did you modify it?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    January 10, 2012 14:05
  • What do you mean by "active sign other than User accounts that have an active sign on"?

    You can get all enabled users by using the above LDAP syntax.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/

    This posting is provided AS IS with no warranties, and confers no rights.
    January 10, 2012 15:25
  • The filter (objectCategory=person) returns both user and contact objects. Since contact objects do not have a userAccountControl attribute, the clause (!userAccountControl:1.2.840.113556.1.4.803:=2) will always be True for contacts. As noted, to restrict the query to just user objects, add the clause (objectClass=user).

     


    Richard Mueller - MVP Directory Services
    January 10, 2012 16:15
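
The effect of each clause described above, modeled in Python over a constructed four-entry directory (an added example, not code from the thread; the entries and function names are made up for illustration). It goes one step beyond the post by also including a computer account, whose objectClass list contains user because the computer class derives from user in the AD schema.

```python
# Added example: models the thread's filter clauses over constructed entries.
ACCOUNTDISABLE = 0x2  # bit tested by the 1.2.840.113556.1.4.803 (bitwise AND) rule

# Constructed sample directory (not real data). objectClass lists follow the AD
# schema: computer derives from user; contact derives from organizationalPerson.
ENTRIES = [
    {"cn": "alice", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 0x200},            # NORMAL_ACCOUNT, enabled
    {"cn": "bob", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 0x200 | 0x2},      # NORMAL_ACCOUNT, disabled
    {"cn": "vendor-contact", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},
    {"cn": "WS01$", "objectCategory": "computer",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "userAccountControl": 0x1000},           # WORKSTATION_TRUST_ACCOUNT
]

def is_person(e):
    """(objectCategory=person): matches users and contacts."""
    return e["objectCategory"] == "person"

def is_user_class(e):
    """(objectClass=user): matches users and, by inheritance, computers."""
    return "user" in e["objectClass"]

def not_disabled(e):
    """(!userAccountControl:1.2.840.113556.1.4.803:=2)"""
    # A missing attribute cannot match the bitwise-AND clause, so the negated
    # clause holds for contacts, as the post above describes.
    uac = e.get("userAccountControl")
    return not (uac is not None and uac & ACCOUNTDISABLE == ACCOUNTDISABLE)

def search(*clauses):
    """Return the cn of every entry that satisfies all clauses (an LDAP '&')."""
    return [e["cn"] for e in ENTRIES if all(c(e) for c in clauses)]

if __name__ == "__main__":
    print("person + not disabled      :", search(is_person, not_disabled))
    print("objectClass=user + not dis.:", search(is_user_class, not_disabled))
    print("full three-clause filter   :", search(is_person, is_user_class, not_disabled))
```
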
  • Is there a PowerShell command that can be run instead?  I'd like to find active users in a particular OU.  Any thoughts?
    January 10, 2012 16:55
  • If you have the AD modules, you can use Get-ADUser with the -LDAPFilter clause. You don't need the clauses to restrict the query to users. For example:

    Get-ADUser -SearchBase "ou=West,dc=MyDomain,dc=com" -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)"

    Or, you can use dsquery * at the command prompt of a DC with the same LDAP query. For example:

    dsquery * "ou=West,dc=MyDomain,dc=com" -Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

    Does this help?


    Richard Mueller - MVP Directory Services
    • Proposed as answer by ClarksonAdmin January 10, 2012 18:05
    • Marked as answer by Yan Li_ January 11, 2012 3:27
    January 10, 2012 17:36
  • This worked perfectly... thank you for your help!
    January 10, 2012 18:05
  • Here is the PowerShell way to do this which can be way more flexible when needed.

    $sb='CN=Computers,dc=TestNet,dc=local'
    $targetPath='ou=testou,dc=TestNet,dc=local'
    
    Get-ADcomputer -SearchBase $sb -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' |
         Move-ADObject -TargetPath $targetPath -whatif


    ¯\_(ツ)_/¯

    September 20, 2014 15:21
  • I used the dsquery and needed to use the "-Limit 1000" option because I had more than 100 responses. If you just need a quick count you can just pipe it to find /c "=" to get a count. You need to subtract one due to the first line not being an active user; it is just a header with the query criteria.

    Thanks for the help.

     David Tersigni

    March 2, 2016 3:12
  • Use -Limit 0 with dsquery, and there is no limit.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    March 2, 2016 4:39
  • (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    February 22, 2018 19:47
  • Hi, the query string you provided

    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
    was not recognized as a valid query string by the Advanced query filter in the interactive ADUC filter dialog.



    April 10, 2020 14:14
  • Hi, the query string you provided

    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
    was not recognized as a valid query string by the Advanced query filter in the interactive ADUC filter dialog.



    Please don't reopen old topics.  The filter works fine in ADUC and is used commonly.


    \_(ツ)_/

    April 10, 2020 14:33