Home > Microsoft > LDAP Custom Queries

LDAP Custom Queries

In order to configure and use server query do the following.

Go to Active Directory Users and Computers:

Right click the Saved Queries folder and select New, Query.

Enter an appropriate Name and Description.

Make sure the query root is set to the domain level you want the query to pertain to.

Select the Include subcontainers check box if you want the query to search all subcontainers.

Click Define Query.

In the Find dialog box, click the Find drop-down arrow and select Custom Search.

On the Advanced tab, enter your LDAP query string into the Enter LDAP query box.

Click OK twice.

Active Directory Saved Queries Templates

Find Groups that contains the word admin

(objectcategory=group)(samaccountname=*admin*)

Find users who have admin in description field

(objectcategory=person)(description=*admin*)

Find all Universal Groups

(groupType:1.2.840.113556.1.4.803:=8)

Empty Groups with No Members

(objectCategory=group)(!member=*)

Finds all groups defined as a Global Group, a Domain Local Group, or a Universal Group

(groupType:1.2.840.113556.1.4.804:=14)

Find all User with the name Bob

(objectcategory=person)(samaccountname=*Bob*)

Find user accounts with passwords set to never expire

(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)

Find all users that never log in to domain

(&(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*))))

Find user accounts with no log on script

(objectcategory=person)(!scriptPath=*)

Find user accounts with no profile path

(objectcategory=person)(!profilepath=*)

Finds non disabled accounts that must change their password at next logon

(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

Finds all disabled accounts in active directory

(objectCategory=person)(objectClass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

Finds all locked out accounts

(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)

Finds Domain Local Groups

(groupType:1.2.840.113556.1.4.803:=4)

Finds all Users with Email Address set

(objectcategory=person)(mail=*)

Finds all Users with no Email Address

(objectcategory=person)(!mail=*)

Find all Users, Groups or Contacts where Company or Description is Contractors

(|(objectcategory=user)(objectcategory=group)(objectcategory=contact))(|(description=North*)(company=Contractors*))

Find all Users with Mobile numbers 712 or 155

(objectcategory=user)(|(mobile=712*)(mobile=155*))

Find all Users with Dial-In permissions

(objectCategory=user)(msNPAllowDialin=TRUE)

Find All printers with Color printing capability

Note: server name must be changed

(&(&(&(uncName=*Servername*)(objectCategory=printQueue)(printColor=TRUE))))

Find Users Mailboxes Overriding Exchange Size Limit Policies

(&(&(&objectCategory=user)(mDBUseDefaults=FALSE)))

Find all Users that need to change password on next login.

(&(objectCategory=user)(pwdLastSet=0))

Find all Users that are almost Locked-Out

Notice the “>=” that means “Greater than or equal to”.

(objectCategory=user)(badPwdCount>=2)

Find all Computers that do not have a Description

(objectCategory=computer)(!description=*)

Find all users with Hidden Mailboxes

(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))

Find all Windows 2000 SP4 computers

(&(&(&(objectCategory=Computer)(operatingSystem=Windows 2000 Professional)(operatingSystemServicePack=Service Pack 4))))

Find all Windows XP SP2 computers

(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))))))))

Find all Windows XP SP3 computers

(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))))))))

Find all Vista SP1 computers

(&(&(&(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1)))))

Find All Workstations

(sAMAccountType=805306369)

Find all 2003 Servers Non-DCs

(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2003*)))

Find all 2003 Servers – DCs

(&(&(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))))

Find all Server 2008

(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2008*))))

——————————————————————————

#Find All Workstations

(sAMAccountType=805306369)

#Find all 2003 Servers Non-DCs

(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2003*)))

#Find all 2003 Servers – DCs

(&(&(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))))

#Find all Server 2008

(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2008*))))

#Find all Windows 2000 SP4 computers

(&(&(&(objectCategory=Computer)(operatingSystem=Windows 2000 Professional)(operatingSystemServicePack=Service Pack 4))))

#Find all Windows XP SP2 computers

(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))))))))

#Find all Windows XP SP3 computers

(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))))))))

#Find all Vista SP1 computers

(&(&(&(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1)))))

(&(&(&(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows 7*)(operatingSystemServicePack=Service Pack 1)))))

(&(&(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2008*))))

(&(&(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows 7*))))))

#Modify Password Never Expires Flag for all Users

dsquery user OU=OU-Name,DC=Microsoft,DC=Com | dsmod user -pwdneverexpires no

#Password Never Expires Flag Users

(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)

Advertisements
Categories: Microsoft
  1. July 1, 2013 at 12:05 PM

    Well done, thanks for the researched study. You really helped me understand this topic a great deal better.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: