saved queries folder


Jay

Ok... in my ADUC I have a saved query folder. What is this used for? It's 2003
server... so I could really see on MS what it's for.
 
You can create custom LDAP queries there and save them, so you don't need to
specify your search filters every time you are looking for specific
information in AD. One example would be an LDAP query for all disabled
accounts. An administrator can then just refresh this query to get all
disabled accounts in the domain.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), MVP
(e-mail address removed)
http://ladava.com
 
This container is used to store commonly used queries. To create a query
select the "Saved Queries" folder and on the Action menu select New->Query.
Type any name you want to give the query, like "Disabled user accounts".
Provide a description if you want one. If you want to scope the query to a
certain container or OU select the Browse button and then select the container
you want to search. Then hit OK. To define the query that is to be
performed click Define Query. Select the criteria for the query and hit OK.
For instance, to find all the disabled user accounts click the "Disabled
accounts" checkbox on the User page of the Common Queries form. Click OK.
You can see the LDAP query string that was generated in the Query String
field of the dialog.
Once all the required fields are filled in click OK. This will create a
query node under the Saved Queries container. Anytime you expand this node
or refresh it the query is run to populate the result pane (right pane).

You can also organize your saved queries by creating folders. Click on the
Saved Queries folder and select Action->New->Folder to create a new folder.

Saved queries are stored with the console file (dsa.msc if launched from the
Start menu). If you want to copy the saved queries to another console file
you can export a saved query to an XML file and then import it into another
console file.
 
I've used this for disabled accounts, etc. How would I generate a query to
list domain-wide locked out accounts?

\\ MadDHatteR
 
If you create a new saved query and define a custom query you can get most
of the way there. After you click Define Query and the query builder comes
up, select Custom Search in the Find dropdown. Then click on the Advanced
tab and enter
(&(objectClass=user)(objectCategory=person)(!lockoutTime=0))
Hit OK and then OK to create the query.

The results of this query are any users that have had their account locked
out and have not logged on past the account lockout duration to reset their
lockoutTime attribute. So depending on the lockout duration that is
configured for the domain and whether or not the person has logged on since
the account has been locked out you can determine if the account is truly
locked out.

At least this can narrow down the user accounts you have to look through.

--
Jeff Jones [MS]
Active Directory Administration Tools Development
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
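
The triage the post above describes, as an added example (not from the thread or from Microsoft): given each returned user's lockoutTime and the domain's lockoutDuration, decide whether the lockout is still in force. The account names and timestamps are constructed, and treating 0 and the minimum 64-bit integer as "no automatic unlock" is an assumption about how the domain stores that setting.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNTIL_ADMIN = (0, -(2**63))  # assumption: values meaning "no automatic unlock"

def to_filetime(dt):
    """datetime -> 100-nanosecond intervals since 1601-01-01 UTC."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(value):
    """100-nanosecond intervals since 1601-01-01 UTC -> datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def lockout_state(lockout_time, lockout_duration, now):
    """Classify one user from its lockoutTime and the domain lockoutDuration.

    lockout_duration is a negative count of 100-ns intervals, as stored on
    the domain object; lockout_time is the user's lockoutTime (None if unset).
    """
    if not lockout_time:
        return "not locked"
    if lockout_duration in UNTIL_ADMIN:
        return "locked until an administrator unlocks"
    expires = from_filetime(lockout_time) + timedelta(
        microseconds=abs(lockout_duration) // 10)
    if now < expires:
        return "locked until " + expires.isoformat()
    return "stale lockoutTime"

def triage(users, lockout_duration, now):
    """Map each name to its state; `users` is {name: lockoutTime}."""
    return {n: lockout_state(t, lockout_duration, now) for n, t in users.items()}

# Constructed sample data: a 30-minute lockout policy and three accounts.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
THIRTY_MINUTES = -30 * 60 * 10_000_000
SAMPLE_USERS = {
    "alice": to_filetime(NOW - timedelta(minutes=10)),  # locked 10 min ago
    "bob": to_filetime(NOW - timedelta(days=3)),        # locked 3 days ago
    "carol": 0,                                         # lockoutTime reset
}

if __name__ == "__main__":
    for name, state in triage(SAMPLE_USERS, THIRTY_MINUTES, NOW).items():
        print(f"{name}: {state}")
```

A "stale lockoutTime" result is the case the filter alone cannot separate: the attribute is nonzero, but the lockout window has already passed.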
 
The userAccountControl flag can be used to unlock the account but it cannot
be used to determine if the account is locked out via a search. The only
accurate way of determining if the account is locked out is to query the
lockoutTime and then for each object returned get the
userAccountControlComputed attribute which will accurately depict whether or
not the account is truly locked out or if the user just hasn't logged on.
Unfortunately the userAccountControlComputed attribute wasn't added until
Windows Server 2003.

--
Jeff Jones [MS]
Active Directory Administration Tools Development
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.



Matjaz Ladava said:
Jeff, what about using userAccountControlFlag for this like

(&(objectClass=user)(UserAccountControl:1.2.840.113556.1.4.803:=16))

UserAccountControlFlag's 4 bit sets lockout status of the account.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com

 
Thanks for this update Jeff.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com
