LDAP query that excludes expired AD user accounts

  • Question

  • Hi

    I have the following LDAP user account query running in a PowerShell script.

    $Searcher.Filter = "(&(objectCategory=person)(objectClass=user))"

    I would like to filter out any accounts that have expired but can't get it to work. I've tried adding (!accountexpires<=$today) but there seems to be a mismatch in the formats.

    Any help would be greatly appreciated.

    Wednesday, April 4, 2012 1:35 PM

Answers

  • If an account has no expiration date, accountExpires can be either 0 or 2^63-1 (the largest number that can be saved in a 64-bit register). If the account never had an expiration date, the system assigns the huge number. If the account had an expiration date, but it was removed, the system assigns 0. The filter

    (!accountexpires<=$today)

    excludes cases where accountExpires is 0. I think you want:

    $ldapquery = "(&(objectCategory=person)(objectClass=user)(|(!accountexpires<=$today)(accountExpires=0)))"

    -----

    or, perhaps easier to understand:

    $ldapquery = "(&(objectCategory=person)(objectClass=user)(|(accountExpires>=$today)(accountExpires=0)))"

    -----



    Richard Mueller - MVP Directory Services

    • Marked as answer by [AgK] Wednesday, April 4, 2012 3:09 PM
    Wednesday, April 4, 2012 2:33 PM
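    The accepted filter above, as an added example that is not from the thread: a PowerShell script that builds the expiry-aware filter, evaluates the same rule client-side against constructed accountExpires values (0, 2^63-1, a past and a future FILETIME), and then runs the filter with DirectorySearcher. The function names and sample values are my own; the directory query at the end assumes a domain-joined host.

```powershell
# Added example, not code from the thread. Function names and sample values are constructed.

function Get-NonExpiredUserFilter {
    param([long]$NowFileTime = (Get-Date).ToFileTime())
    # accountExpires is a 64-bit FILETIME. "Never expires" is stored as either
    # 0 (expiry was removed) or 9223372036854775807 = 2^63-1 (never set), so a
    # plain (accountExpires>=now) would silently drop the 0 case; keep it explicitly.
    return "(&(objectCategory=person)(objectClass=user)(|(accountExpires>=$NowFileTime)(accountExpires=0)))"
}

function Test-AccountExpired {
    param(
        [Parameter(Mandatory)][long]$AccountExpires,
        [long]$NowFileTime = (Get-Date).ToFileTime()
    )
    # Same rule as the LDAP filter, evaluated client-side for a single value.
    # [long]::MaxValue is 9223372036854775807, i.e. 2^63-1.
    if ($AccountExpires -eq 0 -or $AccountExpires -eq [long]::MaxValue) { return $false }
    return $AccountExpires -le $NowFileTime
}

# Constructed sample values covering the three states the answer describes.
$now = (Get-Date).ToFileTime()
$samples = [ordered]@{
    'never-set'         = [long]::MaxValue
    'expiry-removed'    = 0
    'expired-last-week' = (Get-Date).AddDays(-7).ToFileTime()
    'expires-next-week' = (Get-Date).AddDays(7).ToFileTime()
}
foreach ($name in $samples.Keys) {
    $expired = Test-AccountExpired -AccountExpires $samples[$name] -NowFileTime $now
    '{0,-18} accountExpires={1,-20} expired={2}' -f $name, $samples[$name], $expired
}

# Running the filter against the directory, the same approach as the thread's script.
# Requires a domain-joined host (or a configured SearchRoot); lists only non-expired users.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = Get-NonExpiredUserFilter -NowFileTime $now
$searcher.PageSize = 1000   # page the results so large domains are not cut off at the server limit
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'accountExpires'))
$searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
```

    The client-side check and the LDAP filter agree on every sample, which is the quickest way to confirm the filter's handling of the 0 and 2^63-1 sentinel values before pointing it at the domain.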

All replies

  • $today = (Get-Date).ToFileTime()
    $ldapquery = "(&(objectCategory=person)(objectClass=user)(!accountexpires<=$today))"
    ([DirectoryServices.DirectorySearcher]$ldapquery).FindAll()

    • Proposed as answer by Bigteddy Wednesday, April 4, 2012 2:08 PM
    • Marked as answer by [AgK] Wednesday, April 4, 2012 2:20 PM
    • Unmarked as answer by [AgK] Wednesday, April 4, 2012 3:09 PM
    Wednesday, April 4, 2012 2:03 PM
  • Many thanks

    I've been reading for hours trying to figure that out.

    Kind Regards

    Wednesday, April 4, 2012 2:22 PM
  • Yes indeed.

    I just tested it, and originally if an account was re-enabled, then it was still missed from the query.

    Many thanks

    Wednesday, April 4, 2012 3:11 PM