Complex dsquery question - smart card required for interactive login -- false

Question
-
Hi everybody,
I have a problem. I am trying to figure out a single command with dsquery (and maybe in combination with dsget) to get a list of all users in my Active Directory domain that DO NOT have the check box "smart card required for interactive login" selected (that means the check box is not selected).
Also, in the same query result, their display name, first name and last name must be listed.
How can I create this script, or can this be done via the command line?
Please help.
Wednesday, April 25, 2012 3:29 PM
Answers
-
This will work (one line):
dsquery * -Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=262144))" -attr displayName name sn
In case the scroll bar obliterates the above, here is the same command (one line, so watch for line wrapping):
dsquery * -Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=262144))" -attr displayName name sn
-----
Note that none of the attributes you mention uniquely identify the user, so you may want to add sAMAccountName and/or distinguishedName. For more on the LDAP syntax filter I used, see this link:
Richard Mueller - MVP Directory Services
- Proposed as answer by Bigteddy Wednesday, April 25, 2012 4:14 PM
- Edited by Richard MuellerMVP Saturday, April 28, 2012 11:54 PM Fixed format for second code block
- Marked as answer by Bill_Stewart Wednesday, May 2, 2012 12:12 AM
Wednesday, April 25, 2012 4:03 PM
All replies
-
Hi,
What have you tried so far, and what are the results?
Bill
Wednesday, April 25, 2012 3:40 PM
smartCard is userAccountControl bit 0x40000
¯\_(ツ)_/¯
Wednesday, April 25, 2012 3:58 PM
dsquery * domainroot -limit 0 -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=262144))" -attr cn userAccountControl sn givenname displayname
¯\_(ツ)_/¯
- Proposed as answer by Bigteddy Wednesday, April 25, 2012 4:14 PM
Wednesday, April 25, 2012 4:11 PM
Hi,
Wow, thanks, the command line works very fine, but there is one thing. I wrote "to get a list of all users", but these have to be enabled users in Active Directory,
because I have a bunch of disabled users that must not show up in the list.
Please help.
Wednesday, April 25, 2012 4:28 PM
Add another clause to the filter for "not disabled". The clause would be:
(!userAccountControl:1.2.840.113556.1.4.803:=2)
-----
This clause (in parentheses) would be combined with the others. All are AND'ed by the "&" AND operator in the filter. The "!" character is the NOT operator. The bit mask for "account disabled" is 2. The clause means that the bit for "Account Disabled" in the userAccountControl attribute is not set (so the account must be enabled).
Richard Mueller - MVP Directory Services
- Edited by Richard MuellerMVP Saturday, April 28, 2012 11:55 PM Fixed format for code block
Wednesday, April 25, 2012 5:36 PM
I have tried the new code with this line (adding &(!userAccountControl:1.2.840.113556.1.4.803:=2)), but I get an error "dsquery failed:The search filter cannot be recognized."
Code used:
dsquery * domainroot -limit 0 -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=262144)&(!userAccountControl:1.2.840.113556.1.4.803:=2)" -attr cn userAccountControl sn givenname displayname
Please help. Thanks in advance.
Thursday, April 26, 2012 8:45 AM
You only need one of these &.
The AND operator specifies that all members of the group are ANDed:
(&()()()())
Please read the help for LDAP query filters.
http://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx
¯\_(ツ)_/¯
Thursday, April 26, 2012 10:43 AM
Also, the parentheses must match. You are missing one closing parenthesis. I would use (all one line):
dsquery * domainroot -limit 0 -Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=262144)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -attr sAMAccountName displayName sn givenName
-----
This filters on all users that are not required to use a smartcard and are not disabled.
Richard Mueller - MVP Directory Services
- Edited by Richard MuellerMVP Saturday, April 28, 2012 11:56 PM Fixed format for code block
Thursday, April 26, 2012 11:56 AM
Thanks for your quick reply, but actually the code must apply ONLY to ENABLED USERS, NOT DISABLED USERS. When I run the code
dsquery * domainroot -limit 0 -Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=262144)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -attr sAMAccountName displayName sn givenName
I also see disabled users in the list; this is not OK. Only enabled users that DO NOT have the check box "smart card required for interactive login".
Can I do a search on the OU where our enabled users are located with the same line of code? Or is there another way?
Please help.
Thanks in advance.
Thursday, April 26, 2012 3:36 PM
Thanks for your quick reply, but actually the code must apply ONLY to ENABLED USERS, NOT DISABLED USERS.
You might consider that your tone could be construed as rude and impolite. (Bold and all caps is considered to be shouting.) Keep in mind that you are asking for free help from busy professionals who volunteer their time.
Bill
Thursday, April 26, 2012 3:47 PM
First, the filter clause:
(!userAccountControl:1.2.840.113556.1.4.803:=2)
-----
should only retrieve enabled users. The clause means that the bit for "account disabled" (the bit masked by the integer 2) is not set (the "!" is the NOT operator).
Second, the domainroot parameter means to query the entire domain. You can replace this with the distinguished name of an OU. This will restrict the query to the specified OU (and child OUs).
Richard Mueller - MVP Directory Services
- Edited by Richard MuellerMVP Saturday, April 28, 2012 11:57 PM Added border around code block
Thursday, April 26, 2012 4:19 PM
OK, sorry, I only wanted to emphasize.
Thursday, April 26, 2012 4:20 PM
For anyone who may look at this later on, there was an extra exclamation point (LOGICAL NOT) in the first part of the filter in the query that Richard Mueller posted. Just remove that, and you will get users who are smart card required and who are not disabled. Add it back to get a list of users who are enabled but not smart card required. See below for the originally requested query.
dsquery * domainroot -limit 0 -Filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=262144)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -attr sAMAccountName displayName sn givenName
Also, regarding the etiquette discussion, I've always sort of gone with the below info.
Emphasis
Header or slightly stronger Emphasis added for visibility.
Directing the reader's attention to a specific part of a sentence.
YELLING or ACRONYM
RUDE
COMPLETE JERK
- Proposed as answer by SWFPAC Information Technology Services Tuesday, June 11, 2013 6:35 PM
- Edited by SWFPAC Information Technology Services Tuesday, June 11, 2013 6:39 PM
Tuesday, June 11, 2013 6:33 PM
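Every filter in this thread hinges on the same two things: the bitwise-AND matching rule 1.2.840.113556.1.4.803 applied to userAccountControl, and balanced parentheses around AND/NOT clauses. The script below is an added example written for this page; it is not code from any of the posters and never contacts a domain controller. It parses the dsquery filter strings quoted in the thread (including Active Directory's (!attr=value) shorthand), evaluates them against a small constructed directory with every combination of the "account disabled" (2) and "smart card required" (262144) bits, and shows that Richard Mueller's final filter returns only enabled accounts without the smart card bit, that the variant without the "!" returns enabled smart-card-required accounts, and that the version with the stray "&" and missing ")" is rejected as malformed, as dsquery reported. The account names and flag values are constructed, and objectCategory is simplified to a bare word (in a real directory it is the DN of the schema class).

```python
"""
Offline evaluator for the subset of LDAP filter syntax used by the dsquery commands
in this thread (added example, not code from any poster):
  (&(f)(f)...) AND   (|(f)(f)...) OR   (!(f)) or AD shorthand (!attr=value) NOT
  (attr=value) equality   (attr:1.2.840.113556.1.4.803:=value) bitwise-AND rule
"""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
UF_ACCOUNTDISABLE = 0x2                  # userAccountControl "account disabled" bit
UF_NORMAL_ACCOUNT = 0x200                # ordinary user account
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000    # computer account
UF_SMARTCARD_REQUIRED = 0x40000          # "smart card required for interactive logon" (262144)


class FilterError(ValueError):
    """Raised for filters dsquery would report as 'cannot be recognized'."""


def _entry(sam, given, sn, uac, category="person", cls="user"):
    # Constructed record; objectCategory is a bare word here, a schema DN in real AD.
    return {"sAMAccountName": sam, "givenName": given, "sn": sn,
            "displayName": f"{given} {sn}".strip(), "objectCategory": category,
            "objectClass": cls, "userAccountControl": uac}


# Constructed sample directory: every combination of the two bits the thread cares about.
DIRECTORY = [
    _entry("alice", "Alice", "Adams", UF_NORMAL_ACCOUNT),                                  # enabled, no smart card
    _entry("bob", "Bob", "Brown", UF_NORMAL_ACCOUNT | UF_SMARTCARD_REQUIRED),              # enabled, smart card required
    _entry("carol", "Carol", "Clark", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE),              # disabled, no smart card
    _entry("dave", "Dave", "Diaz", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_SMARTCARD_REQUIRED),
    _entry("DC01$", "", "", UF_WORKSTATION_TRUST_ACCOUNT, category="computer", cls="computer"),
]

_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9-]*)(?::([0-9.]+):)?=(.*)")


def _parse_item(s, i):
    """Parse 'attr=value' or 'attr:oid:=value' at s[i]; return (node, index after the ')')."""
    end = s.find(")", i)
    if end == -1:
        raise FilterError(f"unterminated item at offset {i}")
    m = _ITEM.fullmatch(s[i:end])
    if not m:
        raise FilterError(f"cannot parse item {s[i:end]!r}")
    attr, rule, value = m.groups()
    return ("item", attr, rule, value), end + 1


def _parse(s, i):
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("filter ends after '('")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":  # e.g. a second '&' inside the group, as in the failing post
            raise FilterError(f"expected ')' to close '{op}' at offset {i}, found {s[i:i + 1]!r}")
        return (op, children), i + 1
    if s[i] == "!":
        i += 1
        if i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            if i >= len(s) or s[i] != ")":
                raise FilterError(f"expected ')' to close '!' at offset {i}")
            return ("!", child), i + 1
        child, i = _parse_item(s, i)  # AD shorthand (!attr=value): the item's ')' also closes the NOT
        return ("!", child), i
    return _parse_item(s, i)


def parse_filter(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"unexpected trailing text at offset {pos}: {text[pos:]!r}")
    return node


def is_well_formed(text):
    try:
        parse_filter(text)
        return True
    except FilterError:
        return False


def _get(entry, attr):
    """Case-insensitive attribute lookup, as LDAP attribute names are."""
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), None)


def evaluate(node, entry):
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, rule, value = node
    actual = _get(entry, attr)
    if actual is None:
        return False
    if rule == BIT_AND_RULE:  # true only when every bit in value is set in the attribute
        return (int(actual) & int(value)) == int(value)
    if rule is not None:
        raise FilterError(f"unsupported matching rule {rule}")
    return str(actual).lower() == value.lower()


def run_query(filter_text, attrs, entries=DIRECTORY):
    """Mimic 'dsquery * -filter ... -attr ...': one row of requested attributes per match."""
    node = parse_filter(filter_text)
    return [{a: _get(e, a) for a in attrs} for e in entries if evaluate(node, e)]


def matching_accounts(filter_text, entries=DIRECTORY):
    return [row["sAMAccountName"] for row in run_query(filter_text, ["sAMAccountName"], entries)]


# The filters as posted in the thread.
FIRST_ANSWER = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=262144))"
ENABLED_NO_SMARTCARD = ("(&(objectCategory=person)(objectClass=user)"
                        "(!userAccountControl:1.2.840.113556.1.4.803:=262144)"
                        "(!userAccountControl:1.2.840.113556.1.4.803:=2))")
ENABLED_SMARTCARD = ENABLED_NO_SMARTCARD.replace("(!userAccountControl:1.2.840.113556.1.4.803:=262144)",
                                                 "(userAccountControl:1.2.840.113556.1.4.803:=262144)")
MALFORMED = ("(&(objectCategory=Person)(objectClass=User)"
             "(userAccountControl:1.2.840.113556.1.4.803:=262144)"
             "&(!userAccountControl:1.2.840.113556.1.4.803:=2)")  # stray '&', missing ')'

if __name__ == "__main__":
    for label, f in [("first answer", FIRST_ANSWER), ("enabled, no smart card", ENABLED_NO_SMARTCARD),
                     ("enabled, smart card required", ENABLED_SMARTCARD)]:
        print(label, "->", run_query(f, ["sAMAccountName", "displayName", "sn", "givenName"]))
    print("malformed filter accepted?", is_well_formed(MALFORMED))
```

Running it prints alice and carol for the first answer (which is why the disabled accounts showed up), alice alone once the "account disabled" clause is added, bob alone when the "!" on the smart card clause is dropped, and reports the filter with the extra "&" as malformed. The bit rule is an "all bits set" test, so a single clause can test a combined mask, while a NOT around it only means "at least one of those bits is clear"; keep one clause per bit, as the thread does, when each bit must be checked independently.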