To totally unlock this section you need to Log-in
Login
The Saved Queries feature in Active Directory is a useful tool for administrators to save custom Lightweight Directory Access Protocol (LDAP) queries and share it with other co-workers or copy them to other domain controllers to ease the administration burden. You save queries by either using some of the built-in queries that are provided by Microsoft in Active Directory Users and Computers (ADUC), or you can create your own custom queries. This article focuses on custom queries that will allow you to perform additional tasks that can't be easily done in Active Directory.
One advantage of using saved queries is that they are dynamic. Whenever there are changes to the query, you can simply run the query again to get updated results. Another advantage of using saved queries is that you can easily copy those queries to other domain controllers or share it with other people.
To export a query, right-click the query and select Export Query Definition. To import a query, simply right-click the Saved Queries folder and select Import Query Definition. As mentioned above, you can export queries on one domain controller and import them into another domain controller.
A couple of things to keep in mind. The pipe symbol "|" means OR, and the exclamation mark "!" means NOT. Once you've seen these examples, you should be able to come up with your own custom searches by modifying these queries. Needless to say, these are only few examples. If you are more serious about learning LDAP commands, you might want to consider purchasing a good book on LDAP. One of the challenges when looking for a good book is that not all books are written with Active Directory in mind. Keep in mind that LDAP is an industry standard protocol so a lot of books may be too UNIX-centric.
Here’s the procedure for creating a custom LDAP search for users that have never logged on to the domain.
In ADUC, right-click on Saved Queries and select New, Query.
Type a name and description for the query, such as “Users that have never logged in”.
Click on Define Query.
In the Find drop-down box select Custom Search and then click the Advanced tab.
Type the following LDAP query in the box.
(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*)))
Click OK twice.
Query Examples
Users that have been given dial-in permissions:
(objectCategory=user)(msNPAllowDialin=TRUE)
Users created after 7/4/05:
(objectCategory=user)(whenCreated>=20050407000000.0Z)
Users whose accounts are disabled:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
Users that must change password at next logon:
(objectCategory=user)(pwdLastSet=0)
Users whose password never expires:
(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)
Users whose first name is either Rose or Todd:
(objectcategory=user)(|(cn=Rose*)(cn=Todd*))
Users whose first name starts with letter A:
(objectcategory=user)((cn=A*))
Users who will be locked out after one more bad password attempt:
(Assumes accounts are locked after 5 bad attempts)
(objectCategory=user)(badPwdCount>=4)
List all users except Administrator:
(objectCategory=user)(!cn=administrator*)
List all groups that start with DL or GL:
(objectCategory=group)(|(cn=DL*)(cn=GL*))