LDAP Query for all active users

    Question

  • I need a query within ADUC that will give me a list of all my active users and will NOT list any disabled accounts, computer accounts, or anything other than User accounts that have an active sign on. Please advise.
    Monday, January 09, 2012 9:48 PM

Answers

  • If you have the AD modules, you can use Get-ADUser with the -LDAPFilter clause. You don't need the clauses to restrict the query to users. For example:

    Get-ADUser -SearchBase "ou=West,dc=MyDomain,dc=com" -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)"

    Or, you can use dsquery * at the command prompt of a DC with the same LDAP query. For example:

    dsquery * "ou=West,dc=MyDomain,dc=com" -Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

    Does this help?


    Richard Mueller - MVP Directory Services
    Tuesday, January 10, 2012 5:36 PM

All replies

  • Hello,


    You can use this LDAP filter:

    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))

    More examples:

    Active Directory: LDAP Syntax Filters (Richard Mueller - MVP)

    Regards

    Monday, January 09, 2012 10:05 PM
  • Thanks for the query and the link. I had tried using (objectCategory=person)(!userAccountControl:1.2.840.113556.1.4.803:=2), but it was returning over 1000 objects, which included non-user objects. I wasn't sure how to remove everything except users. I'll have to go through that link and try to figure some of this out.
    Tuesday, January 10, 2012 2:02 PM
  • Hello,

    You have not used the objectClass "(objectClass=user)" as mentioned, or did you modify it?


    Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
    Tuesday, January 10, 2012 2:05 PM
  • What do you mean by “active sign other than User accounts that have an active sign on”?

    You can get all enabled users by using the above LDAP syntax.


    Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+| Houston, TX
    Blogs - http://blogs.sivarajan.com/

    This posting is provided AS IS with no warranties, and confers no rights.
    Tuesday, January 10, 2012 3:25 PM
  • The filter (objectCategory=person) returns both user and contact objects. Since contact objects do not have a userAccountControl attribute, the clause (!userAccountControl:1.2.840.113556.1.4.803:=2) will always be True for contacts. As noted, to restrict the query to just user objects, add the clause (objectClass=user).

    Richard Mueller - MVP Directory Services
    Tuesday, January 10, 2012 4:15 PM
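    To make the contact edge case concrete, here is a small evaluator that mimics how the two filters from this thread are applied to directory objects. It is an added illustration, not code from the thread or from Active Directory; the directory entries, DNs and userAccountControl values are constructed samples.

```python
# Added example (not from the thread): mimics how AD evaluates the filters
# discussed above. SAMPLE_ENTRIES are constructed, not real directory data.

ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the ...803 bitwise-AND rule

# Constructed sample objects: an enabled user, a disabled user, a contact, a computer.
SAMPLE_ENTRIES = [
    {"dn": "cn=alice,ou=West,dc=MyDomain,dc=com", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 0x200},                   # NORMAL_ACCOUNT, enabled
    {"dn": "cn=bob,ou=West,dc=MyDomain,dc=com", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": 0x200 | ACCOUNTDISABLE},  # NORMAL_ACCOUNT, disabled
    {"dn": "cn=vendor,ou=West,dc=MyDomain,dc=com", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},
    # the contact above has no userAccountControl attribute at all
    {"dn": "cn=ws01,ou=West,dc=MyDomain,dc=com", "objectCategory": "computer",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "userAccountControl": 0x1000},                  # WORKSTATION_TRUST_ACCOUNT
]

def bitwise_and_match(entry, attr, mask):
    """Matching rule 1.2.840.113556.1.4.803: True only if the attribute is
    present and every bit of mask is set. An absent attribute never matches."""
    value = entry.get(attr)
    return value is not None and (value & mask) == mask

def not_disabled(entry):
    """(!userAccountControl:1.2.840.113556.1.4.803:=2). Negating a clause that
    is False for an absent attribute yields True, so contacts pass this clause."""
    return not bitwise_and_match(entry, "userAccountControl", ACCOUNTDISABLE)

def person_filter(entry):
    """(&(objectCategory=person)(!userAccountControl:...:=2)), the first attempt."""
    return entry["objectCategory"] == "person" and not_disabled(entry)

def enabled_user_filter(entry):
    """(&(objectCategory=person)(objectClass=user)(!userAccountControl:...:=2))."""
    return (entry["objectCategory"] == "person"
            and "user" in entry["objectClass"]
            and not_disabled(entry))

def matching_dns(entries, predicate):
    """Return the DNs of the entries the predicate (filter) accepts."""
    return [e["dn"] for e in entries if predicate(e)]

if __name__ == "__main__":
    print("objectCategory=person only:", matching_dns(SAMPLE_ENTRIES, person_filter))
    print("enabled users            :", matching_dns(SAMPLE_ENTRIES, enabled_user_filter))
```

    The first filter returns the contact alongside the enabled user; adding (objectClass=user) leaves only the enabled user, and objectCategory=person already excludes the computer.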
  • Is there a powershell command that can be ran instead?  I'd like to find active users in a particular OU.  Any thoughts?
    Tuesday, January 10, 2012 4:55 PM
  • This worked perfectly... thank you for your help!
    Tuesday, January 10, 2012 6:05 PM