Ldap – Search AD for empty sAMAccountName & userPrincipalName

active-directory, ldap, query

I'm in the process of implementing a User privilege management solution and it needs to audit all users within our AD. It's currently falling over due to an account which has two blank attributes: sAMAccountName & userPrincipalName. I've tried finding this account using the following LDAP query:

(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(sAMAccountName=""))

But unfortunately this query fails to find anything.

What would be the best method to find this account?

Thanks in advance.

Best Answer

Your filter assumes that sAMAccountName has been set to a value of "" (that is, an empty string).

If the sAMAccountName attribute has not been set at all, your filter won't match it. Search for accounts where the attribute is not set instead:

(!sAMAccountName=*)

You could also combine the 2 statements to look for both:

(|(!sAMAccountName=*)(sAMAccountName=""))
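
Added example (not part of the original answer): a small Python evaluator for the filter subset used above, run over two constructed entries, showing why an equality test never matches an entry where the attribute is unset while a negated presence test does. The entries and the `search`, `parse`, `item` and `matches` helpers are hypothetical; the parser accepts both the `(!attr=*)` form written above and the parenthesised `(!(attr=*))` form.

```python
# Added example: evaluator for the LDAP filter subset used on this page.
# ENTRIES is constructed sample data; all names here are hypothetical.
ALICE = "CN=Alice,OU=Staff,DC=example,DC=test"
ORPHAN = "CN=Orphan,OU=Staff,DC=example,DC=test"
ENTRIES = [
    {"dn": [ALICE], "samaccountname": ["alice"],
     "userprincipalname": ["alice@example.test"]},
    {"dn": [ORPHAN]},  # neither attribute is set on this entry
]

def item(text):
    """Turn 'attr=value' into a presence or equality node."""
    attr, value = text.split("=", 1)
    attr = attr.lower()  # attribute names are case-insensitive
    return ("present", attr) if value == "*" else ("eq", attr, value)

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    assert f[i] == "(", f"expected '(' at offset {i}"
    i += 1
    op = f[i]
    if op in "&|":                      # AND / OR over a list of sub-filters
        kids, i = [], i + 1
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        assert f[i] == ")"
        return (op, kids), i + 1
    if op == "!" and f[i + 1] == "(":   # parenthesised NOT: (!(attr=*))
        node, i = parse(f, i + 1)
        assert f[i] == ")"
        return ("!", node), i + 1
    end = f.index(")", i)
    if op == "!":                       # NOT as written on this page: (!attr=*)
        return ("!", item(f[i + 1:end])), end + 1
    return item(f[i:end]), end + 1

def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])     # unset attribute: no values to compare
    if kind == "present":
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)

def search(filter_text, entries=ENTRIES):
    tree, end = parse(filter_text)
    assert end == len(filter_text), "trailing characters after filter"
    return [e["dn"][0] for e in entries if matches(tree, e)]
```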