Saved Queries in Active Directory


Matjaz Ladava [MVP]

The closest you could get to this by using a single query would be with
query

(&(objectClass=user)(objectCategory=person)(!lockoutTime=0))

This would return users who have their account locked out. The only problem is
the system-defined account lockout duration, as an account can be unlocked
automatically after a specific time, but the lockoutTime attribute would still
contain a value, which is cleared after the user logs on to the system again.

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
Does anyone know where you can find some examples for making Saved
Queries?
I want to make a query so I can see ONLY the users with an account that
is locked out.

Does somebody know the answer?


Miralce
 
I was looking at this the other day and another poster recommended using
this query. This looks like it only shows up accounts that are currently
locked and seems a bit more reliable, although I've no idea what the
difference between the two is.

(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))
 
No difference at all; >=1 or !=0 is the same statement. ;-)

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
The two queries definitely show up different results though, so I think
there must be a difference (also, it's not just the number at the end that's
different)

When I run the query you gave it throws up a few accounts that are not
locked out, about 200 of them! Running the query I found in this NG a few
days ago it looks much more reliable and doesn't seem to have any false
positives. I guess I just need to learn more LDAP stuff so I can figure out
what's going on!
 
Hi Simon,

you are right, that's the query to use.

Background:
By default the lockoutTime is <not set>.
If a user locks himself out, the lockoutTime is written to that attribute.
After an administrator resets the account, the lockoutTime is set to 0.

So if you use a query with !lockoutTime=0, you will receive all users
who are locked out and those who have never been locked out.

Another query which would work but is more complicated is
(&(lockoutTime=*)(!lockouttime=0)), which proves there's a lockoutTime set but
different from 0.

Gruesse - Sincerely,

Ulf B. Simon-Weidner
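
An added example, not part of any post in this thread: a small Python evaluator that runs the filters quoted in the thread over constructed directory entries, showing why the negated form also matches accounts whose lockoutTime was never set, and why a nonzero lockoutTime alone does not show the account is still locked. The entries, `NOW` and the 30-minute lockout duration are assumptions; absent attributes are modelled the way the reply above describes them.

```python
MIN = 600_000_000                       # 100-ns ticks per minute (lockoutTime unit)
NOW = 133_500_000_000_000_000           # constructed "current time" in ticks
BASE = {"objectclass": ["top", "person", "user"], "objectcategory": ["person"]}
USERS = {                               # constructed entries, attribute names lower-cased
    "never_locked": dict(BASE),                                  # lockoutTime absent
    "admin_reset": dict(BASE, lockouttime=["0"]),
    "locked": dict(BASE, lockouttime=[str(NOW - 5 * MIN)]),
    "expired": dict(BASE, lockouttime=[str(NOW - 120 * MIN)]),  # duration elapsed
}

def item(text):                         # "attr>=val" or "attr=val"
    op = ">=" if ">=" in text else "="
    attr, val = text.split(op, 1)
    return (op, attr.lower(), val)

def parse(f, i=0):                      # f[i] is "("; returns (node, next index)
    i += 1
    if f[i] == "&":
        kids, i = [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return ("&", kids), i + 1
    if f[i] == "!" and f[i + 1] == "(":  # strict form (!(a=b))
        kid, i = parse(f, i + 1)
        return ("!", kid), i + 1
    end = f.index(")", i)
    if f[i] == "!":                      # lenient form (!a=b), as posted in the thread
        return ("!", item(f[i + 1:end])), end + 1
    return item(f[i:end]), end + 1

def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "!":                        # absent attribute: inner test False, so ! is True
        return not matches(node[1], entry)
    values, want = entry.get(node[1], []), node[2]
    if op == "=":                        # "*" is a presence test
        return bool(values) if want == "*" else any(v.lower() == want.lower() for v in values)
    return any(int(v) >= int(want) for v in values)

def search(filter_text):
    tree, _ = parse(filter_text)
    return sorted(n for n, e in USERS.items() if matches(tree, e))

def still_locked(name, duration_min=30):  # 30 minutes is an assumed lockout duration
    t = int(USERS[name].get("lockouttime", ["0"])[0])
    return t > 0 and NOW - t < duration_min * MIN
```

Filtering the `lockoutTime>=1` result through `still_locked` leaves only the account whose lockout has not yet expired, which is the extra check the first reply's caveat calls for.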
 
Eh. I totally forgot about NULL values, which ! returns... :-). Thanks

--
Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
(e-mail address removed), (e-mail address removed)
http://ladava.com
 
Why doesn't this work when I insert the Query?
The Query doesn't give any results.
I know for sure that there are accounts locked out!





Miralc
 