Title: Writing LDAP queries: Filters, Common Attributes, and Samples by: Paul S. Chapman edited: 2/28/2005
================================================= CONVENTIONS AND DEFINITIONS =================================================
()
Parenthesis encapsulate filters and separate them into sections
{}
Braces (or curly brackets) encapsulate my notes about the contents of the filter
CAPITAL LETTERS
Plain English title
mIxEd cAsE
Attribute name in AD
Bit Value
Decimal value of a binary number (ie. 001000010 bin=34 dec). If you want to examine multiple bit values, simply add them up (ie. 2+65536=65538). Use the "Bitwise AND" or "Bitwise OR" filters for searches based on these values.
Attribute
Attributes are the properties of an Object in AD.
Value
Values are data related to the attributes with which they are associated. They may be "present" or "not present" (blank). Data may be in plain text, hex, numeric, or other formats.
Class
Objects in AD are categorized into Classes. This document only discusses 3 classes: Users, Computers, and Groups.
Integer8 Date
The value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601.
At the bottom of this document you can find the text of a VBScript that will convert normal dates to Integer8 dates so that you can use them in searches. Simply cut and paste the VB into a text file with a .vbs extension and use it from a command prompt.
NOTE: Remember, the lower this number is the further back in time it is. Use <= for "on or before" queries.
================================================= WHERE TO GET INFORMATION =================================================
Microsoft's MSDN website
Google
ADSI Edit
**USE EXTREME CAUTION WHEN USING THIS UTILITY. DO NOT MANUALLY CHANGE ANY VALUES WHILE USING THIS UTILITY.**
This utility allows you to see the actual attribute names and the values they use so that you can perform searches. This utility is included with the Windows 2000 Server or Windows Server 2003 support pack.
================================================= FILTERS ================================================= ******BASE FILTERS****** WILDCARD...........................* PRESENCE...........................(attribute=*) EQUALITY...........................(attribute=value) PARTIAL MATCH......................(attribute={partial value}*) PARTIAL MATCH......................(attribute=*{partial value}) PARTIAL MATCH......................(attribute=*{partial value}*) PARTIAL MATCH......................(attribute=*{partial value 1}*{partial value 2}*) GREATER THAN or EQUAL..............(attribute>=value) LESS THAN or EQUAL.................(attribute<=value) APPROXIMATELY EQUAL................(attribute~=value)
******BOOLEAN FILTERS****** AND................................(&(filter1)(filter2)) AND................................(&(filter1)(filter2)(filter3)) OR.................................(|(filter1)(filter2)) OR.................................(|(filter1)(filter2)(filter3)) NOT................................(!(filter1)) BITWISE AND........................(attribute:1.2.840.113556.1.4.803:={bitvalue in decimal}) BITWISE OR.........................(attribute:1.2.840.113556.1.4.804:={bitvalue in decimal})
******SPECIAL CHARACTERS IN "VALUE" FIELDS****** (..................................\28 )..................................\29 *..................................\2A \..................................\5C
******CORRELARY FILTERs****** NOT PRESENT (BLANK FIELD)..........(!(attribute=*))
================================================= COMMON OBJECT CLASSES AND ATTRIBUTES =================================================
******USER ACCOUNT****** CLASS..............................objectCategory=person AND objectClass=user
ACCOUNT DISABLED...................userAccountControl={contains bit value of 2} PASSWORD NOT REQUIRED..............userAccountControl={contains bit value of 32} PASSWORD NEVER EXPIRES.............userAccountControl={contains bit value of 65536} SMARTCARD REQUIRED.................userAccountControl={contains bit value of 262144} ACCOUNT TRUSTED FOR DELEGATION.....userAccountControl={contains bit value of 524288} ACCOUNT CANNOT BE DELEGATED........userAccountControl={contains bit value of 1048576} USE DES ENCRYPTION.................userAccountControl={contains bit value of 2097152} DON'T REQUIRE KERBEROS PRE-AUTH....userAccountControl={contains bit value of 4194304} PREVIOUS PASSWORD CHANGE...........pwdLastSet {Integer8 Date, use .vbs to convert conventional dates, use "<=" for all dates before or ">=" for all dates after} LAST LOGON.........................lastLogon {Integer8 Date as above, value of 0 or blank means NEVER} REQUIRE P/W CHANGE AT NEXT LOGON...pwdLastSet {Value of 0, any other value is previous p/w change date} GROUP MEMBERSHIP...................memberOf {Specify exact DN of group, no wildcards allowed} EXCHANGE USER......................msExchHomeServerName {wildcard, or complete or partial servername} EXCHANGE USER (OPTIONAL)...........homeMDB {wildcard, or complete or partial database name} DESCRIPTION........................description {wildcard, or complete or partial text} FIRST NAME.........................givenName {wildcard, or complete or partial text} LAST NAME..........................sn {wildcard, or complete or partial text} EMPLOYEE TYPE......................employeeType {wildcard, or complete or partial text} EMPLOYEE NUMBER....................employeeID {wildcard, or complete or partial text} DEPARTMENT NUMBER..................department {wildcard, or complete or partial text} LOGON NAME.........................sAMAccountName {wildcard, or complete or partial text} USER PRINCIPAL NAME (UPN)..........userPrincipalName {wildcard, or complete or partial text}
OS NAME............................operatingSystem {ie. Windows 2000 Professional, use "PARTIAL" filter} OS SERVICE PACK....................operatingSystemServicePack {ie. Service Pack 4, use "PARTIAL" filter} OS VERSION.........................operatingSystemVersion {ie. 5.0 (2195), use "PARTIAL" filter} DOMAIN CONTROLLER..................userAccountControl={contains bit value of 8192} ACCOUNT TRUSTED FOR DELEGATION.....userAccountControl={contains bit value of 524288} DESCRIPTION........................description {wildcard, or complete or partial text}
DESCRIPTION........................description {wildcard, or complete or partial text} NAME...............................CN {wildcard, or complete or partial text} SECURITY GROUP.....................groupType {contains bit value of 2147483648} GLOBAL GROUP.......................groupType {contains bit value of 2} DOMAIN LOCAL GROUP.................groupType {contains bit value of 4} UNIVERSAL GROUP....................groupType {contains bit value of 8}
Password set on or before 8/9/2004 (Specify Integer8 Date, Use VB script to determine)
(pwdLastSet<=127365120000000000)
Change Password at next logon flag
(pwdLastSet=0)
Account has never logged on
(|(lastLogon=0)(!(lastLogon=*)))
================================================= SAMPLE FULL QUERIES (NOTE: If you cut and paste from this document, remove any extra carriage returns) =================================================
[Object is an Enabled User Account] and [Has an Exchange mailbox] and [Not members of the All Mail Users D/L]
(&(&(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(|(homeMDB=*)(msExchHomeServerName=*)))(!(memberOf=CN=your group name,OU=your ou,DC=yourdomain,DC=tld)))
[Object is a User Account] and [P/W never expires flag is not set and not disabled] and [P/W changed on or before 8/9/04] and [Password change flag is not set]
[Object is an Enabled User Account] and [P/W changed on or before 8/9/04] or [Password change flag is set and Last Logon is never] or [Last Logon is >90 days]
================================================= DATE TO INTEGER8 VBSCRIPT ================================================= Simply copy and paste the following text into a file called DateToInteger8.vbs and execute from a command prompt.
CODE
' DateToInteger8.vbs ' VBScript program demonstrating how to convert a datetime value to ' the corresponding Integer8 (64-bit) value. The Integer8 value is the ' number of 100-nanosecond intervals since 12:00 AM January 1, 1601, ' in Coordinated Universal Time (UTC). The conversion is only accurate ' to the nearest second, so the Integer8 value will always end in at ' least 7 zeros. ' ' ---------------------------------------------------------------------- ' Copyright (c) 2004 Richard L. Mueller ' Hilltop Lab web site - http://www.rlmueller.net ' Version 1.0 - June 11, 2004 ' ' You have a royalty-free right to use, modify, reproduce, and ' distribute this script file in any way you find useful, provided that ' you agree that the copyright owner above has no warranty, obligations, ' or liability for such use.
Option Explicit
Dim dtmDateValue, dtmAdjusted, lngSeconds, str64Bit Dim objShell, lngBiasKey, lngBias, k
If Wscript.Arguments.Count <> 1 Then Wscript.Echo "Required argument <DateTime> missing" Wscript.Echo "For example:" Wscript.Echo "" Wscript.Echo "cscript DateToInteger8.vbs ""2/5/2004 4:58:58 PM""" Wscript.Echo "" Wscript.Echo "If the date/time value has spaces, enclose in quotes" Wscript.Quit End If
dtmDateValue = CDate(Wscript.Arguments(0))
' Obtain local Time Zone bias from machine registry. Set objShell = CreateObject("Wscript.Shell") lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _ & "TimeZoneInformation\ActiveTimeBias") If UCase(TypeName(lngBiasKey)) = "LONG" Then lngBias = lngBiasKey ElseIf UCase(TypeName(lngBiasKey)) = "VARIANT()" Then lngBias = 0 For k = 0 To UBound(lngBiasKey) lngBias = lngBias + (lngBiasKey(k) * 256^k) Next End If
' Convert datetime value to UTC. dtmAdjusted = DateAdd("n", lngBias, dtmDateValue)
' Find number of seconds since 1/1/1601. lngSeconds = DateDiff("s", #1/1/1601#, dtmAdjusted)
' Convert the number of seconds to a string ' and convert to 100-nanosecond intervals. str64Bit = CStr(lngSeconds) & "0000000" Wscript.Echo "Integer8 value: " & str64Bit
Talk To Other Members