Obscurum per Obscurius

Explaining the obscure by means of the more obscure

How to Query Individual Properties of the "userAccountControl" Active Directory User property using LDAP


I was working with a customer this week who was asking me how to query Active Directory for valid, active user accounts that were not service accounts. I made a couple of assumptions: an active account would not be disabled, and only service accounts would be set to PASSWORD NEVER EXPIRES. Initially I tried to query the value of the userAccountControl property of the user object using operators like > and <, but soon realized there were too many exceptions. I then discovered it was possible to query the individual bits of the userAccountControl property, which yielded the query below.

The following LDAP query can be used in Active Directory Users and Computers to query specific details of the userAccountControl property in AD. The query below returns all active user accounts that are not set to PASSWORD NEVER EXPIRES.

(&(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl<=600))

I'll describe the query in more detail:

(objectCategory=person)(objectClass=user)(mail=*) - All user objects with a value in the mail field (no contacts)

(!userAccountControl:1.2.840.113556.1.4.803:=2) - Filters out disabled accounts

(!userAccountControl:1.2.840.113556.1.4.803:=65536) - Filters out accounts set to PASSWORD NEVER EXPIRES

(!userAccountControl<=600) - Filters out Exchange Organization Mailboxes

SAMPLE LDAP QUERIES

UAC - Smart Card Login Enforced on The User
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=262144))
 
UAC - PWD Never Expires
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))
 
UAC - CAC Enabled Accounts (no disabled accounts or password never expires)
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(userAccountControl:1.2.840.113556.1.4.803:=262144)(userPrincipalName=1*@mil))
 
UAC - Not CAC Enabled (no disabled accounts or password never expires)
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userPrincipalName=1*@mil))

UAC - Users with CAC enabled attributes but not enforced, exclude resource mailboxes (SN=*).
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userPrincipalName=1*@mil)(sn=*)) 

Kerberos Preauthentication Disabled
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))
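The bitwise clauses in the main query and in the sample queries above all rely on the same matching rule, LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803), which is true only when every bit of the given value is set in the attribute. The Python below is an added example, not code from the original post: it implements that rule over a handful of constructed accounts, evaluates the main query and the single-flag sample queries against them, and renders the main filter with the NOT operator nested as RFC 4515 requires, `(!(attr=value))`, since Active Directory accepts the page's `(!attr=value)` shorthand but stricter LDAP clients may not. The flag values are the documented userAccountControl bits; the account records and function names are assumptions for illustration. One check worth making in your own directory: a plain enabled user with only NORMAL_ACCOUNT set has the value 512, which the `(!userAccountControl<=600)` clause also removes, and the example shows that effect by evaluating the query with and without that clause.

```python
"""Offline evaluator for the userAccountControl bitwise LDAP filters on this page.

Added example (not from the original post): the flag values are the documented
userAccountControl bits; the accounts, the evaluator and the function names are
constructed for illustration and are not real directory data.
"""

# Documented userAccountControl flag bits used by the queries on the page.
ACCOUNTDISABLE = 0x0002          # 2
NORMAL_ACCOUNT = 0x0200          # 512
DONT_EXPIRE_PASSWORD = 0x10000   # 65536
SMARTCARD_REQUIRED = 0x40000     # 262144
DONT_REQ_PREAUTH = 0x400000      # 4194304

# LDAP_MATCHING_RULE_BIT_AND: the extensible-match rule OID used in the queries.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def bit_and_match(uac, mask):
    """Semantics of (userAccountControl:1.2.840.113556.1.4.803:=mask):
    true only when every bit of mask is set in the attribute value."""
    return (uac & mask) == mask


def bit_clause(mask, negate=False):
    """Render one bitwise-AND clause in RFC 4515 syntax; NOT is nested as (!(...))."""
    clause = f"(userAccountControl:{BIT_AND_RULE}:={mask})"
    return f"(!{clause})" if negate else clause


def build_main_filter():
    """The page's main query, rewritten with nested NOT so that strict LDAP
    clients accept it (AD also accepts the page's (!attr=value) shorthand)."""
    return (
        "(&(objectCategory=person)(objectClass=user)(mail=*)"
        + bit_clause(ACCOUNTDISABLE, negate=True)
        + bit_clause(DONT_EXPIRE_PASSWORD, negate=True)
        + "(!(userAccountControl<=600)))"
    )


# Constructed accounts: (sAMAccountName, userAccountControl, has a mail value)
ACCOUNTS = [
    ("alice", NORMAL_ACCOUNT, True),                              # 512: plain enabled user
    ("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE, True),               # 514: disabled
    ("svc-backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, True),  # 66048: password never expires
    ("carol", NORMAL_ACCOUNT | SMARTCARD_REQUIRED, True),         # 262656: smart card enforced
    ("dave", NORMAL_ACCOUNT | DONT_REQ_PREAUTH, True),            # 4194816: no Kerberos preauth
    ("room-101", NORMAL_ACCOUNT, False),                          # 512 but no mail attribute
]


def active_non_service(accounts, apply_600_clause=True):
    """Evaluate the page's main query over the constructed accounts.

    apply_600_clause=False drops the (!userAccountControl<=600) term so the
    reader can see which accounts that term removes.
    """
    hits = []
    for name, uac, has_mail in accounts:
        if not has_mail:                                   # (mail=*)
            continue
        if bit_and_match(uac, ACCOUNTDISABLE):             # (!uac AND 2)
            continue
        if bit_and_match(uac, DONT_EXPIRE_PASSWORD):       # (!uac AND 65536)
            continue
        if apply_600_clause and uac <= 600:                # (!uac<=600)
            continue
        hits.append(name)
    return hits


def flagged(accounts, mask):
    """General form of the single-flag sample queries:
    (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=mask))."""
    return [name for name, uac, _ in accounts if bit_and_match(uac, mask)]


if __name__ == "__main__":
    print("filter:", build_main_filter())
    print("main query:", active_non_service(ACCOUNTS))
    print("without <=600 clause:", active_non_service(ACCOUNTS, apply_600_clause=False))
    print("password never expires:", flagged(ACCOUNTS, DONT_EXPIRE_PASSWORD))
    print("smart card enforced:", flagged(ACCOUNTS, SMARTCARD_REQUIRED))
    print("preauth disabled:", flagged(ACCOUNTS, DONT_REQ_PREAUTH))
```

Running the script prints the rendered filter and each result set. Against the constructed accounts the main query returns carol and dave; alice (512) only appears once the `<=600` clause is dropped, which is the behaviour to confirm before using that clause as an Exchange mailbox filter in a directory where most users carry no extra flags. `flagged` is the general form of the PWD Never Expires, Smart Card and Kerberos Preauthentication Disabled queries; accounts it returns for DONT_REQ_PREAUTH are worth reviewing on their own, since that flag turns off a Kerberos protection.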


REFERENCE

How to use the UserAccountControl flags to manipulate user account properties
http://support.microsoft.com/kb/305144

How to query Active Directory by using a bitwise filter
http://support.microsoft.com/kb/269181
