!!! Overview
These are [Example] user-related [LDAP SearchFilters] showing [LDAP Query Examples] that can be used to find information specific to users within an Active Directory domain.
More [LDAP Query Examples] and more [AD Specific LDAP Query Examples|LDAP Query Examples for AD]
[{TableOfContents}]
!! [ObjectClass vs ObjectCategory]
!! All users
{{{
(&(objectCategory=person)(objectClass=user))
or
(sAMAccountType=805306368)
}}}
!! All contacts
{{{
(objectClass=contact)
}}}
!! All users and contacts:
{{{
(objectClass=user)
}}}
!! All users with logon since Dec 31 2008
{{{
(&(&(objectCategory=person)(objectClass=user))(lastLogonTimestamp<=128752108510000000))
}}}
!! All users with the account configuration [DONT_EXPIRE_PASSWORD]
{{{
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
}}}
For information on why this works see how to use [Filtering for Bit Fields] and the [Extensible Match] Rule [1.2.840.113556.1.4.803].
!! All [Administratively Disabled] users (i.e. [ACCOUNTDISABLE (2)|ACCOUNTDISABLE])
{{{
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
}}}
For information on why this works see how to use [Filtering for Bit Fields] and the [Extensible Match] Rule [1.2.840.113556.1.4.803].
!! All [expired|accountExpires] user accounts
{{{
(&(objectCategory=Person)(objectClass=User)(!(accountExpires=0))(!(accountExpires=9223372036854775807)))
}}}
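The lastLogonTimestamp and accountExpires values above are Windows FILETIME integers (100-nanosecond intervals since 1601-01-01 UTC), so a filter is only as good as the conversion behind the number. The following added example (not part of the original page) converts between datetimes and FILETIME values, builds the lastLogonTimestamp filter for either comparison direction, and checks whether an accountExpires value has actually passed, which the filter above cannot do on its own (it returns every account with an expiry set, future or past). Function names, the helper utc(), and the dates used are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100-nanosecond intervals since 1601-01-01 00:00 UTC.
# AD stores lastLogonTimestamp, accountExpires, pwdLastSet, ... in this form.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both 0 and 0x7FFFFFFFFFFFFFFF (9223372036854775807) mean "never expires".
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF


def utc(iso):
    """Helper (assumption): parse 'YYYY-MM-DDTHH:MM:SS' as a UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def filetime_from_datetime(dt):
    """Convert an aware datetime to an AD FILETIME integer."""
    if dt.tzinfo is None:
        raise ValueError("use an aware datetime to avoid off-by-hours errors")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def datetime_from_filetime(ft):
    """Inverse of filetime_from_datetime (sub-microsecond digits are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def last_logon_filter(when, op=">="):
    """Build the user filter comparing lastLogonTimestamp with `when`.

    op=">=" selects users who have logged on since `when`; op="<=" selects
    users whose last recorded logon is at or before it.  lastLogonTimestamp
    is only replicated when it is 9-14 days stale, so results are
    approximate to that granularity.
    """
    if op not in (">=", "<="):
        raise ValueError("op must be '>=' or '<='")
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(lastLogonTimestamp{op}{filetime_from_datetime(when)}))")


def is_expired(account_expires, now):
    """True only if accountExpires is set and already in the past at `now`."""
    if account_expires in (0, NEVER_EXPIRES):
        return False
    return datetime_from_filetime(account_expires) <= now.astimezone(timezone.utc)


if __name__ == "__main__":
    # Decode the constant used on this page and rebuild a filter from a date.
    print(datetime_from_filetime(128752108510000000).isoformat())
    print(last_logon_filter(utc("2009-01-01T00:00:00")))
    print(is_expired(128752108510000000, utc("2009-01-01T00:00:00")))
```

Feed the value returned by is_expired() a server clock, not a workstation clock, when auditing: the comparison is only meaningful against the time the domain controllers agree on.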
!! All Users where [PASSWD_NOTREQD (32)|PASSWD_NOTREQD]
{{{
(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))
}}}
For information on why this works see how to use [Filtering for Bit Fields] and the [Extensible Match] Rule [1.2.840.113556.1.4.803].
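The three userAccountControl filters above (DONT_EXPIRE_PASSWORD, ACCOUNTDISABLE, PASSWD_NOTREQD) all rely on the bitwise AND matching rule 1.2.840.113556.1.4.803. The following added example (not from the original page) builds those filters and evaluates both the AND rule and the OR rule 1.2.840.113556.1.4.804 locally over a constructed set of accounts, which makes visible why the two rules agree for a single bit and diverge for a multi-bit mask. The sample account names and the NORMAL_ACCOUNT value 512 (0x200, a standard flag not shown on this page) are assumptions for the example.

```python
# Rule OIDs as used on this page.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# userAccountControl flag values from this page, plus NORMAL_ACCOUNT (0x200).
ACCOUNTDISABLE = 2
PASSWD_NOTREQD = 32
DONT_EXPIRE_PASSWORD = 65536
NORMAL_ACCOUNT = 512


def uac_filter(mask, rule=LDAP_MATCHING_RULE_BIT_AND):
    """Build the user filter for userAccountControl bits, in the page's form."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{rule}:={mask}))")


def bit_match(value, mask, rule=LDAP_MATCHING_RULE_BIT_AND):
    """Evaluate the extensible match the way the server does.

    .803 (AND): every bit in mask must be set in value.
    .804 (OR):  at least one bit in mask must be set in value.
    """
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return value & mask == mask
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return value & mask != 0
    raise ValueError(f"unknown matching rule {rule}")


def select(entries, mask, rule=LDAP_MATCHING_RULE_BIT_AND):
    """Return the sorted account names whose userAccountControl matches."""
    return sorted(name for name, uac in entries.items() if bit_match(uac, mask, rule))


# Constructed sample: sAMAccountName -> userAccountControl (not real accounts).
SAMPLE_USERS = {
    "alice": NORMAL_ACCOUNT,                                          # plain account
    "bob":   NORMAL_ACCOUNT | ACCOUNTDISABLE,                         # disabled
    "carol": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,                   # password never expires
    "dave":  NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,  # both flags
    "erin":  NORMAL_ACCOUNT | PASSWD_NOTREQD,                         # no password required
}


if __name__ == "__main__":
    print(uac_filter(DONT_EXPIRE_PASSWORD))
    both = ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD
    print("AND:", select(SAMPLE_USERS, both))
    print("OR: ", select(SAMPLE_USERS, both, LDAP_MATCHING_RULE_BIT_OR))
```

When reviewing an audit filter, run the mask through select() against a handful of known accounts first: a mask with two bits under .803 quietly requires both, which is usually not what an "any of these risky flags" report intends.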
!! All Groups a User is a member of including __[Nested Groups]__
This [Extensible Match] Rule is often referred to as [LDAP_MATCHING_RULE_IN_CHAIN]
As an example, to find all the groups that "CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET" is a member of, set the search base to the DN of the groups container (for example OU=groupsOU,DC=MyDomain,DC=NET), set the scope to subtree, and use the following filter.
{{{
(member:1.2.840.113556.1.4.1941:=CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET)
}}}
Where CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET is the user's FDN and 1.2.840.113556.1.4.1941 is the [Extensible Match] Rule [1.2.840.113556.1.4.1941].
!! Anomaly: [DirectReports] but no [Manager]
It is a little strange to have an entry which has [DirectReports] but lacks a manager. This may be the top person in the [Organizational Entity], or something is amiss.
{{{
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W \
  -b "DC=example,DC=com" -s sub -a always -z 1000 \
  "(&(objectCategory=person)(objectClass=user)(directReports=*)(!(manager=*)))" "objectClass"
}}}
!!! Exchange Specific Queries
!! All hidden Exchange mail recipients:
{{{
(msExchHideFromAddressLists=TRUE)
}}}
!! All hidden Exchange mail recipients (without public folder objects):
{{{
(&(msExchHideFromAddressLists=TRUE)(!(objectClass=publicFolder)))
}}}
!! All mail recipients with fax address:
{{{
(proxyAddresses=FAX:*)
}}}
!! All users with mailboxes on Exchange server 'KUNGUR':
{{{
(msExchHomeServerName=/o=MAILOrg/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=KUNGUR)
}}}
!! Query All users that report to a department manager or their subordinates.
{{{
(manager:1.2.840.113556.1.4.1941:=CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com)
}}}
Where CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com is the department manager's DN. Request the "mail" attribute, as an [Example], to send them an email.
For information on why this works see how to use [Microsoft Active Directory Extensible Match Rules] and the [Extensible Match] Rule [1.2.840.113556.1.4.1941].
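Both the nested-group query (member:1.2.840.113556.1.4.1941:=...) in the section above and the reporting-chain query (manager:1.2.840.113556.1.4.1941:=...) here use the same in-chain rule: an entry matches when following the named attribute from it, transitively, reaches the DN in the filter. The following added example (not from the original page) builds such filters with the value escaping RFC 4515 requires, and models the server-side evaluation over a constructed directory so the result of each query can be checked against what the rule actually computes. The sample entries, the mail addresses and the function names are assumptions for the example; only the two DNs and the OID come from the page.

```python
from collections import deque

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: these characters must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a DN (or any string) for safe use as a filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def in_chain_filter(attr, dn):
    """Build (attr:1.2.840.113556.1.4.1941:=dn) with the DN escaped."""
    return f"({attr}:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(dn)})"


def in_chain_search(entries, attr, target):
    """Local model of what the server returns for (attr:1941:=target).

    entries maps DN -> {attribute: [values]}.  Each entry is tested by
    following `attr` from it breadth-first until `target` is reached or
    the chain is exhausted; DNs compare case-insensitively.
    """
    index = {dn.lower(): attrs for dn, attrs in entries.items()}
    target = target.lower()
    matches = []
    for dn in entries:
        seen = {dn.lower()}
        queue = deque([dn.lower()])
        while queue:
            cur = queue.popleft()
            for value in index.get(cur, {}).get(attr, []):
                v = value.lower()
                if v == target:
                    matches.append(dn)
                    queue.clear()   # stop this entry's walk once matched
                    break
                if v not in seen:  # guard against membership cycles
                    seen.add(v)
                    queue.append(v)
    return sorted(matches)


def attribute_values(entries, dns, attr):
    """Collect one attribute (e.g. mail) from the matched entries."""
    return sorted(v for dn in dns for v in entries[dn].get(attr, []))


# Constructed sample directory (not real data). DNs below come from the page.
USER = "CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET"
JIM = "CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com"
ANN = "CN=Ann,OU=Managed,OU=Accounts,DC=willeke,DC=com"
BOB = "CN=Bob,OU=Managed,OU=Accounts,DC=willeke,DC=com"
SAMPLE = {
    "CN=Top,OU=groupsOU,DC=MyDomain,DC=NET": {"member": ["CN=Mid,OU=groupsOU,DC=MyDomain,DC=NET"]},
    "CN=Mid,OU=groupsOU,DC=MyDomain,DC=NET": {"member": [USER, "CN=Other,CN=Users,DC=YOURDOMAIN,DC=NET"]},
    "CN=Unrelated,OU=groupsOU,DC=MyDomain,DC=NET": {"member": ["CN=Other,CN=Users,DC=YOURDOMAIN,DC=NET"]},
    JIM: {"mail": ["jim@willeke.com"]},
    ANN: {"manager": [JIM], "mail": ["ann@willeke.com"]},
    BOB: {"manager": [ANN], "mail": ["bob@willeke.com"]},
    "CN=Cat,OU=Managed,OU=Accounts,DC=willeke,DC=com": {"manager": ["CN=Zed,OU=Managed,OU=Accounts,DC=willeke,DC=com"]},
}


if __name__ == "__main__":
    print(in_chain_filter("member", USER))
    print(in_chain_search(SAMPLE, "member", USER))        # Mid and Top, not Unrelated
    reports = in_chain_search(SAMPLE, "manager", JIM)
    print(reports, attribute_values(SAMPLE, reports, "mail"))
```

Note that the manager does not match his own reporting-chain query unless the chain loops back to him, which mirrors the server: Jim is the target, not a match. Use escape_filter_value() on any DN taken from user input or from another directory attribute; a CN containing parentheses or an asterisk would otherwise change the filter's structure.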
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]