JSI Tip 9815. How can I filter an Active Directory query using a bitwise flag?

When you compose an LDAP (Lightweight Directory Access Protocol) query, or a DSQUERY query, or an Adfind.exe query, you can filter your query based upon the values of attributes that you specify, like (sAMAccountName=Jerry).

If the attribute is a bitwise flag, like userAccountControl, you can use the attributename:ruleOID:=value syntax, where:

attributename is the LDAPDisplayName of the attribute, like userAccountControl.

ruleOID       is 1.2.840.113556.1.4.803 for the LDAP_MATCHING_RULE_BIT_AND rule, which is TRUE if all bits match the value,
              or 1.2.840.113556.1.4.804 for the LDAP_MATCHING_RULE_BIT_OR rule, which is TRUE if any bits match the value.

value         is the decimal value that represents the bits to match.

If I wanted to run a DSQUERY that displays a user's distinguishedName and userPrincipalName if the user account is disabled, I would use:

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr distinguishedName userPrincipalName -limit 0

If I wanted to display a user's sAMAccountName if their account is disabled OR locked out OR their password is expired, I would use (8388626 = 2 + 16 + 8388608):

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.804:=8388626))" -attr sAMAccountName -limit 0

The meanings of the bits in userAccountControl are:

Meaning                           Value in hexadecimal   Value in decimal
SCRIPT                            0x0001                 1
ACCOUNTDISABLE                    0x0002                 2
HOMEDIR_REQUIRED                  0x0008                 8
LOCKOUT                           0x0010                 16
PASSWD_NOTREQD                    0x0020                 32
PASSWD_CANT_CHANGE                0x0040                 64
ENCRYPTED_TEXT_PWD_ALLOWED        0x0080                 128
TEMP_DUPLICATE_ACCOUNT            0x0100                 256
NORMAL_ACCOUNT                    0x0200                 512
INTERDOMAIN_TRUST_ACCOUNT         0x0800                 2048
WORKSTATION_TRUST_ACCOUNT         0x1000                 4096
SERVER_TRUST_ACCOUNT              0x2000                 8192
DONT_EXPIRE_PASSWORD              0x10000                65536
MNS_LOGON_ACCOUNT                 0x20000                131072
SMARTCARD_REQUIRED                0x40000                262144
TRUSTED_FOR_DELEGATION            0x80000                524288
NOT_DELEGATED                     0x100000               1048576
USE_DES_KEY_ONLY                  0x200000               2097152
DONT_REQ_PREAUTH                  0x400000               4194304
PASSWORD_EXPIRED                  0x800000               8388608
TRUSTED_TO_AUTH_FOR_DELEGATION    0x1000000              16777216
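The following is an added example, not part of the original tip: it builds the two DSQUERY filters above from flag names in the table, and evaluates the BIT_AND and BIT_OR matching rules locally against constructed sample accounts so you can confirm which objects a given decimal mask will return before running the query. The sample sAMAccountNames and their userAccountControl values are made up.

```python
# Added example (not from the tip): build userAccountControl bit filters from
# flag names and evaluate the AND/OR matching rules offline against sample data.
UAC_FLAGS = {  # values from the table in the tip
    "SCRIPT": 0x1, "ACCOUNTDISABLE": 0x2, "HOMEDIR_REQUIRED": 0x8, "LOCKOUT": 0x10,
    "PASSWD_NOTREQD": 0x20, "PASSWD_CANT_CHANGE": 0x40,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x80, "TEMP_DUPLICATE_ACCOUNT": 0x100,
    "NORMAL_ACCOUNT": 0x200, "INTERDOMAIN_TRUST_ACCOUNT": 0x800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: all bits set
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR: any bit set

def mask(*names):
    """Decimal value for the filter: the named flags OR'd together."""
    return sum(UAC_FLAGS[n] for n in names)

def uac_filter(rule, *names):
    """The user filter from the tip with the chosen rule and flag mask."""
    return ("(&(objectCategory=Person)(objectClass=User)"
            f"(userAccountControl:{rule}:={mask(*names)}))")

def rule_matches(rule, value, bits):
    """What the directory evaluates per object: AND needs every bit, OR any."""
    if rule == BIT_AND:
        return value & bits == bits
    if rule == BIT_OR:
        return value & bits != 0
    raise ValueError(f"unknown matching rule {rule}")

def decode(value):
    """Flag names set in a userAccountControl value (for reading query output)."""
    return [n for n, b in UAC_FLAGS.items() if value & b]

def select(rule, names, accounts):
    """Apply the rule over {sAMAccountName: userAccountControl} as the DC would."""
    bits = mask(*names)
    return sorted(s for s, v in accounts.items() if rule_matches(rule, v, bits))

# Constructed sample accounts (not real directory data)
SAMPLE = {
    "jerry": 0x200,          # NORMAL_ACCOUNT only, enabled
    "olduser": 0x202,        # NORMAL_ACCOUNT + ACCOUNTDISABLE
    "contractor": 0x800200,  # NORMAL_ACCOUNT + PASSWORD_EXPIRED
}
```

One caveat from practice: the LOCKOUT and PASSWORD_EXPIRED bits are not reliably maintained in the stored userAccountControl value, so when lockout or expiry status matters, also check lockoutTime and pwdLastSet or the constructed attribute msDS-User-Account-Control-Computed.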

NOTE: See How can I decode the userAccountControl attribute?

NOTE: See How can I filter an Active Directory query by testing an attribute to be NOT EQUAL?

NOTE: See How can I filter an Active Directory query by testing an attribute to be this OR that?

NOTE: See What operators can I use when filtering an Active Directory query?
