From: Dixson on 10 Dec 2008 14:12

We have a custom application that uses an LDAP query against AD (2000 native) to provide a list of all active user accounts but, the results of the query are missing a handful of active user accounts. From what I've been able to find, all the user accounts in question are not flagged as NORMAL_ACCOUNT (hex=0x0200, dec=512) but, when I've checked the properties of each account in AD there's nothing different from the accounts that appear from the query.

Can ldp.exe or adsiedit.msc help find what may be different about the user accounts in question? If so, is there a good "for dummies" on how to use these tools?
From: Jorge de Almeida Pinto [MVP - DS] on 10 Dec 2008 16:52

What is your definition of ACTIVE accounts? Do you mean accounts that are NOT DISABLED? If yes, use the following filter as in the following example:

ADFIND -bit -default -f "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:AND:=2)))" sAMAccountName

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
Jorge de Almeida Pinto
MVP Identity & Access - Directory Services
BLOG (WEB-BASED) --> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS) --> http://blogs.dirteam.com/blogs/jorge/rss.aspx
* How to ask a question --> http://support.microsoft.com/?id=555375
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

"Dixson" <Dixson(a)discussions.microsoft.com> wrote in message news:2FD7B24A-2762-4CC1-8EC3-2224DE0FCBD4(a)microsoft.com...
From: Richard Mueller [MVP] on 10 Dec 2008 17:50

"Dixson" <Dixson(a)discussions.microsoft.com> wrote in message news:2FD7B24A-2762-4CC1-8EC3-2224DE0FCBD4(a)microsoft.com...

The userAccountControl attribute is an integer used to indicate several things. You cannot just look at the integer value. You must AND the value with a bit mask to check for each condition. For example, the bit mask for a normal account is &H200 (512 decimal). If lngFlag is the value of the userAccountControl attribute, then:

=========
Const ADS_UF_NORMAL_ACCOUNT = &H200
lngFlag = 512
If (lngFlag AND ADS_UF_NORMAL_ACCOUNT) <> 0 Then
    Wscript.Echo "Normal user account"
Else
    Wscript.Echo "NOT a normal user account"
End If
========

The above shows that 512 corresponds to a normal user account, but many other values do also. For example 514 (a disabled account), 544 (no password required), 546 (disabled and no password required), and 66048 (password does not expire).

The LDAP query for all user objects should be similar to:

(&(objectCategory=person)(objectClass=user))

However, the following also works (it's just harder to remember):

(sAMAccountType=805306368)

What does your query look like? What values for userAccountControl do you see? Also, how many user objects are returned by the query?

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
From: Dixson on 10 Dec 2008 20:11

Thanks for the input fellas. As we continued to dig into this what we've found is all the user accounts that are found by the query have a count of 6 _hashtable entries...the accounts we're having issues with only have 4. The AD attributes 'MEMBEROF' and 'userACCOUNTCONTROL' are not found or included in the _hashtable results so when masked with the bit for NORMAL_ACCOUNT the results become false.

I believe the query is written in ASP.net...I'm not the developer but just the guy trying to get everyone to show on the list.

I believe this is the query:

string[] Parameters = { "samaccountname", "cn", "mail", "memberof", "useraccountcontrol" };
try
{
    DirectoryEntry entry = new DirectoryEntry("LDAP://" + AdDomain, AdAccount, AdPassword);
    DirectorySearcher Searcher = new DirectorySearcher(entry);
    Searcher.Filter = "(objectCategory=" + "user" + ")";
    foreach (string parameter in Parameters)
    {
        Searcher.PropertiesToLoad.Add(parameter);
    }
    Searcher.Sort.PropertyName = "cn";

    XmlElement RowsNode = (XmlElement)UsersDoc.DocumentElement.SelectSingleNode("Rows");

    foreach (SearchResult result in Searcher.FindAll())
    {
        DirectoryEntry Entry = result.GetDirectoryEntry();

        ResultPropertyCollection PropColl = result.Properties;
        string AccountName = null;
        string CommonName = null;
        string EmailAddress = null;
        bool NORMAL_ACCOUNT = false;
        bool ACCOUNTDISABLE = false;
        Int32 AccountControl = 0;

        foreach (string Key in PropColl.PropertyNames)
        {
            if (Key == "samaccountname")
            {
                AccountName = PropColl[Key][0].ToString();
            }
            if (Key == "cn")
            {
                CommonName = PropColl[Key][0].ToString();
            }
            if (Key == "mail")
            {
                EmailAddress = PropColl[Key][0].ToString();
            }
            if (Key == "useraccountcontrol")
            {
                //http://support.microsoft.com/kb/305144
                AccountControl = (Int32)PropColl[Key][0];
                NORMAL_ACCOUNT = ((AccountControl & 0x00000200) > 0);
                ACCOUNTDISABLE = ((AccountControl & 0x00000002) > 0);
            }
        }
        // the posted snippet ends here; the rest of the loop body was not included
    }
}
catch (Exception)
{
    // catch block not included in the post
    throw;
}
From: Richard Mueller [MVP] on 10 Dec 2008 20:46

The filter "(objectCategory=user)" will include contact objects as well as user objects. Contact objects do not have sAMAccountName or userAccountControl attributes. Does this explain what you experience?

As noted before, the filter should be "(&(objectCategory=person)(objectClass=user))". This will exclude contact objects. Contact objects do have cn, mail, and memberOf attributes.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

"Dixson" <Dixson(a)discussions.microsoft.com> wrote in message news:63F3722E-213C-4EF5-A9F5-27A939E5B2B8(a)microsoft.com...
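As an added illustration (not code from the thread or from any poster), the bit-mask check Richard describes in his first reply, the enabled-users filter Jorge and Richard recommend written with the LDAP bitwise-AND matching rule OID that adfind's ":AND:" stands for, and a result loop that reports entries with no userAccountControl (the contact objects Richard's second reply points to) instead of silently dropping them. The function names and the sample entries are constructed for this example.

```python
# Added example, not code from the thread. Flag values are from KB 305144
# (the article Dixson's code links to); the sample entries are constructed.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "DONT_REQ_PREAUTH": 0x400000,
}

# OID of the LDAP bitwise-AND matching rule; adfind's ":AND:" is shorthand for it.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

def decode_uac(value):
    """Names of every flag set in a userAccountControl value (AND with each mask)."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def active_users_filter():
    """Filter for enabled user objects; objectClass=user keeps contacts out."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2)))")

def classify(entries):
    """Split results into active users, disabled users, and entries that carry
    no userAccountControl at all (e.g. contacts) instead of dropping the last."""
    active, disabled, no_uac = [], [], []
    for e in entries:
        if "userAccountControl" not in e:
            no_uac.append(e["cn"])
            continue
        flags = decode_uac(e["userAccountControl"])
        (disabled if "ACCOUNTDISABLE" in flags else active).append(e["cn"])
    return active, disabled, no_uac

# Constructed sample results, as "(objectCategory=user)" could return them:
# two user objects and one contact object that has cn and mail but no UAC.
SAMPLE = [
    {"cn": "alice", "sAMAccountName": "alice", "userAccountControl": 512},
    {"cn": "bob", "sAMAccountName": "bob", "userAccountControl": 514},
    {"cn": "vendor contact", "mail": "vendor@example.com"},
]
```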