Complex dsquery question - smart card required for interactive login -- false

  • Question

  • Hi everybody

    I have a problem. I am trying to figure out a single command with dsquery (maybe in combination with dsget) to get a list of all users in my Active Directory domain that DO NOT have the check box "smart card required for interactive login" selected (that is, the check box is not selected).

    Also, in the same query result, their display name, first name and last name must be listed.

    How can I create this script, or can this be done via the command line?

    please help. 

    Wednesday, April 25, 2012 3:29 PM

Answers

  • This will work (one line):

    dsquery * -Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=262144))" -attr displayName name sn

    In case the scroll bar obliterates the above, here is the same command (one line, so watch for line wrapping):

    dsquery * -Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=262144))" -attr displayName name sn

    -----

    Note that none of the attributes you mention uniquely identify the user, so you may want to add sAMAccountName and/or distinguishedName. For more on the LDAP syntax filter I used, see this link:

    http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters-en-us.aspx


    Richard Mueller - MVP Directory Services


    • Proposed as answer by Bigteddy Wednesday, April 25, 2012 4:14 PM
    • Edited by Richard MuellerMVP Saturday, April 28, 2012 11:54 PM Fixed format for second code block
    • Marked as answer by Bill_Stewart Wednesday, May 2, 2012 12:12 AM
    Wednesday, April 25, 2012 4:03 PM

All replies

  • Hi,

    What have you tried so far, and what are the results?

    Bill

    Wednesday, April 25, 2012 3:40 PM
  • smartCard is userAccountControl bit 0x40000


    ¯\_(ツ)_/¯

    Wednesday, April 25, 2012 3:58 PM
  • dsquery * domainroot -limit 0 -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=262144))" -attr cn userAccountControl sn givenname displayname




    ¯\_(ツ)_/¯

    • Proposed as answer by Bigteddy Wednesday, April 25, 2012 4:14 PM
    Wednesday, April 25, 2012 4:11 PM
  • Hi,

    Wow .. thanks, the command line works very fine, but there is one thing .. I wrote .... "to get a list of all users", but these have to be enabled users in Active Directory,

    because I have a bunch of disabled users that must not show up in the list.

    please help

    Wednesday, April 25, 2012 4:28 PM
  • Add another clause to the filter for "not disabled". The clause would be:

    (!userAccountControl:1.2.840.113556.1.4.803:=2)

    -----

    This clause (in parentheses) would be combined with the others. All are AND'ed by the "&" AND operator in the filter. The "!" character is the NOT operator. The bit mask for "account disabled" is 2. The clause means the bit for "Account Disabled" in the userAccountControl attribute is not set (so the account must be enabled).


    Richard Mueller - MVP Directory Services


    • Edited by Richard MuellerMVP Saturday, April 28, 2012 11:55 PM Fixed format for code block
    Wednesday, April 25, 2012 5:36 PM
  • I have tried the new code with this line (adding &(!userAccountControl:1.2.840.113556.1.4.803:=2)), but I get an error: "dsquery failed:The search filter cannot be recognized."

    code used:

    dsquery * domainroot -limit 0 -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=262144)&(!userAccountControl:1.2.840.113556.1.4.803:=2)" -attr cn userAccountControl sn givenname displayname

    please help. thanks in advance

    Thursday, April 26, 2012 8:45 AM
  • You only need one of these &.

    The AND operator specifies that all members of the group are ANDed:

    (&()()()())

    Please read the help for LDAP query filters.

    http://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx


    ¯\_(ツ)_/¯

    Thursday, April 26, 2012 10:43 AM
  • Also, the parentheses must match. You are missing one closing parenthesis. I would use (all one line):

    dsquery * domainroot -limit 0 -Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=262144)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -attr sAMAccountName displayName sn givenName

    -----

    This filters on all users that are not required to use a smartcard and are not disabled.


    Richard Mueller - MVP Directory Services


    • Edited by Richard MuellerMVP Saturday, April 28, 2012 11:56 PM Fixed format for code block
    Thursday, April 26, 2012 11:56 AM
  • Thanks for your quick reply, but actually the code must apply ONLY ENABLED USERS NOT DISABLED USERS. When I run the code

    dsquery * domainroot -limit 0 -Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=262144)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -attr sAMAccountName displayName sn givenName

    I also see disabled users in the list; this is not OK. Only enabled users that DO NOT have the check box "smart card required for interactive login".

    Can I do a search on the OU where our enabled users are located with the same line of code? Or is there another way?

    please help.

    thanks in advance

    Thursday, April 26, 2012 3:36 PM
  • Thanks for your quick reply, but actually the code must apply ONLY ENABLED USERS NOT DISABLED USERS.

    You might consider that your tone could be construed as rude and impolite. (Bold and all caps is considered to be shouting.) Keep in mind that you are asking for free help from busy professionals who volunteer their time.

    Bill

    Thursday, April 26, 2012 3:47 PM
  • First, the filter clause:

    (!userAccountControl:1.2.840.113556.1.4.803:=2)

    -----

    should only retrieve enabled users. The clause means that the bit for "account disabled" (the bit masked by the integer 2) is Not set (the "!" is the NOT operator).

    Second, the domainroot parameter means to query the entire domain. You can replace this with the distinguished name of an OU. This will restrict the query to the specified OU (and child OU's).


    Richard Mueller - MVP Directory Services


    • Edited by Richard MuellerMVP Saturday, April 28, 2012 11:57 PM Added border around code block
    Thursday, April 26, 2012 4:19 PM
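As an added illustration (this is not code from the thread or from Microsoft), the following Python evaluates the bitwise-AND matching rule 1.2.840.113556.1.4.803 that the dsquery filters above rely on, against constructed userAccountControl values, and rebuilds the combined filter string, so the effect of the "!" clauses on the masks 262144 and 2 can be checked offline. The account names and their flag values are constructed samples; the mask constants and the filter syntax are the ones stated in the thread.

```python
# Added example: semantics of the LDAP bitwise-AND matching rule used in the
# thread's dsquery filters, applied to constructed userAccountControl values.
BIT_AND_RULE = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 0x0002       # mask 2: account is disabled
SMARTCARD_REQUIRED = 0x40000  # mask 262144: smart card required for interactive logon
NORMAL_ACCOUNT = 0x0200       # mask 512: ordinary user account (assumed baseline)


def bit_and_matches(uac: int, mask: int) -> bool:
    """(userAccountControl:1.2.840.113556.1.4.803:=mask) is true only when
    every bit of mask is set in the attribute value."""
    return uac & mask == mask


def uac_clause(mask: int, negate: bool = False) -> str:
    """One userAccountControl clause in the shorthand form the thread uses."""
    prefix = "(!" if negate else "("
    return f"{prefix}userAccountControl:{BIT_AND_RULE}:={mask})"


def build_filter(smartcard_required: bool, enabled_only: bool) -> str:
    """Assemble the AND group the thread converges on: a single '&' applied
    to all clauses, never an '&' between individual clauses."""
    clauses = ["(objectCategory=person)", "(objectClass=user)",
               uac_clause(SMARTCARD_REQUIRED, negate=not smartcard_required)]
    if enabled_only:
        clauses.append(uac_clause(ACCOUNTDISABLE, negate=True))
    return "(&" + "".join(clauses) + ")"


def enabled_without_smartcard(accounts: dict) -> list:
    """Apply the same logic the filter expresses to constructed sample data."""
    return sorted(name for name, uac in accounts.items()
                  if not bit_and_matches(uac, SMARTCARD_REQUIRED)
                  and not bit_and_matches(uac, ACCOUNTDISABLE))


# Constructed sample accounts: sAMAccountName -> userAccountControl
SAMPLE_ACCOUNTS = {
    "alice": NORMAL_ACCOUNT,                                        # 512
    "bob":   NORMAL_ACCOUNT | SMARTCARD_REQUIRED,                   # 262656
    "carol": NORMAL_ACCOUNT | ACCOUNTDISABLE,                       # 514
    "dave":  NORMAL_ACCOUNT | ACCOUNTDISABLE | SMARTCARD_REQUIRED,  # 262658
}

if __name__ == "__main__":
    print(build_filter(smartcard_required=False, enabled_only=True))
    print(enabled_without_smartcard(SAMPLE_ACCOUNTS))  # ['alice']
```

The filter string produced for smartcard_required=False, enabled_only=True is exactly the one posted earlier in this thread; flipping smartcard_required to True yields the variant with the leading "!" removed.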
  • OK, sorry, I only wanted to emphasize.

    Thursday, April 26, 2012 4:20 PM
  • For anyone who may look at this later on, there was an extra exclamation point (LOGICAL NOT) in the first part of the filter in the query that Richard Mueller posted. Just remove that, and you will get users who are Smartcard required and who are not disabled. Add it back to get a list of users who are enabled but not Smart Card required. See below for the originally requested query.

    dsquery * domainroot -limit 0 -Filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=262144)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -attr sAMAccountName displayName sn givenName

    Also, regarding the etiquette discussion, I've always sort of gone with the below info:

    Emphasis
    Header, or slightly stronger emphasis added for visibility.
    Directing the reader's attention to a specific part of a sentence.
    YELLING or ACRONYM
    RUDE
    COMPLETE JERK

    Tuesday, June 11, 2013 6:33 PM