Sometimes a set of yes/no values is stored in a single value by setting various bits. You can use a bitmask to check if they are set.
For example, 546 in decimal is the binary value 10 0010 0010, which in decimal is the sum of 512, 32, and 2. (All those numbers are powers of 2, which means they have only one '1' in their binary representation.) That means those three yes/no values are set.
According to the userAccountControl docs that means the following values are set:
NORMAL_ACCOUNT (512)
PASSWD_NOTREQD (32)
ACCOUNTDISABLE (2)
However, if, for example, you had a user who did not have PASSWD_NOTREQD set (so their userAccountControl value was 512), or one who also had DONT_EXPIRE_PASSWORD (65536) set (meaning their value was 66082), you would not find those users in your query.
What you need to do is use a bitwise AND in order to query the value of only that bit:
10 0010 0010
00 0000 0010
------------
00 0000 0010
If the value for that bit is 1, then that bit is set. It doesn't matter what the other bits are set to, so you are effectively asking if userAccountControl & 2 == 2.
The LDAP syntax for checking a bit using AND is 1.2.840.113556.1.4.803, therefore you can see if the ACCOUNTDISABLE bit is set with (userAccountControl:1.2.840.113556.1.4.803:=2). Adding (!(foo)) around it gives you all the users who are not disabled.
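The following is an added example, not code from the answer above. It emulates what the 1.2.840.113556.1.4.803 matching rule does over a small constructed set of userAccountControl values (the account names and numbers are made up for the demonstration), so you can see offline why an equality filter on 546 misses the 512 and 66082 accounts while the bit filter catches exactly the disabled ones, and it builds the filter string you would paste into a real query.

```python
# Added example, not code from the original answer. Emulates the LDAP bitwise-AND
# matching rule (1.2.840.113556.1.4.803) over a constructed set of
# userAccountControl values so the difference between an equality filter and a
# bit filter can be seen without a domain controller.

# Flag values as quoted in the answer from the userAccountControl documentation.
ACCOUNTDISABLE = 2
PASSWD_NOTREQD = 32
NORMAL_ACCOUNT = 512
DONT_EXPIRE_PASSWORD = 65536

FLAG_NAMES = {
    "ACCOUNTDISABLE": ACCOUNTDISABLE,
    "PASSWD_NOTREQD": PASSWD_NOTREQD,
    "NORMAL_ACCOUNT": NORMAL_ACCOUNT,
    "DONT_EXPIRE_PASSWORD": DONT_EXPIRE_PASSWORD,
}

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample accounts (sAMAccountName -> userAccountControl); these are
# not real directory data.
SAMPLE_USERS = {
    "alice": 546,    # 512 + 32 + 2: normal account, no password required, disabled
    "bob": 512,      # normal account only
    "carol": 66082,  # 65536 + 512 + 32 + 2: as alice, plus password never expires
    "dave": 66048,   # 65536 + 512: password never expires, enabled
}


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value."""
    return sorted(name for name, bit in FLAG_NAMES.items() if value & bit)


def bit_and_matches(value, mask):
    """What the 1.2.840.113556.1.4.803 rule tests: every bit in mask is set in value.

    For a single-bit mask this is exactly the answer's 'userAccountControl & 2 == 2';
    the other bits of value are ignored.
    """
    return (value & mask) == mask


def bit_and_filter(attribute, mask, negate=False):
    """Build the LDAP filter string for the bitwise-AND matching rule,
    wrapped in (!(...)) when negate is True."""
    clause = f"({attribute}:{LDAP_MATCHING_RULE_BIT_AND}:={mask})"
    return f"(!{clause})" if negate else clause


def users_by_equality(users, value):
    """The naive (userAccountControl=546) query: exact match on the whole integer,
    so any account with a different combination of flags is missed."""
    return sorted(name for name, uac in users.items() if uac == value)


def users_by_bit(users, mask, negate=False):
    """The bit filter: accounts whose value has all bits of mask set
    (or, with negate=True, accounts that do not)."""
    return sorted(name for name, uac in users.items()
                  if bit_and_matches(uac, mask) != negate)


if __name__ == "__main__":
    print("546 decodes to:", decode_uac(546))
    print("equality on 546 finds:", users_by_equality(SAMPLE_USERS, 546))
    print(bit_and_filter("userAccountControl", ACCOUNTDISABLE),
          "finds:", users_by_bit(SAMPLE_USERS, ACCOUNTDISABLE))
    print(bit_and_filter("userAccountControl", ACCOUNTDISABLE, negate=True),
          "finds:", users_by_bit(SAMPLE_USERS, ACCOUNTDISABLE, negate=True))
```

The string returned by bit_and_filter is the same text you would hand to an LDAP client against a real domain, for example Get-ADUser -LDAPFilter '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' in PowerShell. Note that the rule requires every bit in the mask to be set, so a mask of 34 (32 + 2) only matches accounts that are both disabled and have PASSWD_NOTREQD.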
On your domain object, you need to assign the querying user the "Read MemberOf" right to User objects.
- Open AD U&C browse to your domain object
- Right click and go to properties:
- Security tab, click Advanced
- Click Add
- Enter the user name to add
- Click the Properties tab
- In 'Apply Onto' change the type to User
- Click the "Read MemberOf" checkbox:
- OK out of there
That should set it up so that the specified account can read the group memberships of all User accounts in the domain.
Best Answer
The third syntax works fine for me in LDP.EXE against one of my domains. I don't normally put the (objectCategory=person) in there, but it works fine with it, too.
What kind of error are you getting back when you try to use that?