Directory Admin: 2014

Find attached a lot of ldap queries. An example how to use this queries using ADUC, see this post.

Computer accounts

Computer accounts starting with WS
(objectcategory=computer)(samaccountname=WS*)

Computer accounts with "COP" in the attribute "description"
(&(objectCategory=computer)(description=*COP*))
or
(&(objectCategory=computer)(description=*COP)) -->for only COP in the description

Computer accounts with MS-SQL installed
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))

Computer accounts with a Server OS
(&(objectCategory=computer)(operatingsystem=*server*))

Find all Computers that do not have a Description
(objectCategory=computer)(!description=*)

Find All Workstations
(sAMAccountType=805306369)
or
(&(objectCategory=computer)(objectClass=computer))

Find all 2003 Servers Non-DCs
(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2003*)))

Find all 2003 Servers – DCs
(&(&(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))))

Find all Server 2008
(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2008*))))

Find all 2008 Servers – DCs
(&(&(&(&(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server* 2008*)))))

Disabled Computer Acounts
(&(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2)))

Enabled Computer Acounts
(&(&(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))))

SQL Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server*))

Exchange Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*))

Find all Windows XP SP3 computers
(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))))))))

Find all Windows Vista SP1 computers
(&(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))

Find all Windows Server 2008 Enterprise computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008 Enterprise)(operatingSystemServicePack=Service Pack 1))

Find all Windows Server 2008 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008*))

Find all Windows 8.0 (all versions) computers

(&(objectCategory=computer)(operatingSystem=Windows 8*)(operatingSystemVersion=6.2 (9200)))

Find all Windows 8.1 (all versions) computers

(&(objectCategory=computer)(operatingSystem=Windows 8.1*))

Find all computer accounts for whom a manager is specified
(&(&(objectCategory=computer)(objectClass=computer))
(managedBy=*))

Find all Windows Server 2012 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*))

Find all Windows Server 2012 no R2 (all versions) computers
(&(objectCategory=computer)(operatingSystem=Windows Server 2012*)(operatingSystemVersion=6.2 (9200)))

Find all Windows Server 2012 R2 (all versions) computers

(&(objectCategory=computer)(operatingSystem=Windows Server 2012 R2*))

User accounts

Find all user accounts
(&(objectCategory=person)(objectClass=user))

Find all user accounts for whom a password is not required
(&(&(objectCategory=person)(objectClass=user))
(UserAccountControl:1.2.840.113556.1.4.803:=32))

Find all user accounts that do not require a SmartCard for logon
(&(&(objectCategory=person)(objectClass=user))
(!(UserAccountControl:1.2.840.113556.1.4.803:=262144)))

Find users that have non-expiring passwords
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)

To find all user accounts that have the name “Mueller” in them
(objectcategory=person)(samaccountname=*Mueller*)

Locked out user accounts
(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))

Useraccounts starting with "A" in the Attribute "Common Name"
(&(objectCategory=user)(cn=A*))

Diabled user accounts
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Useraccounts without an value in Attribute "Mail"
(&(objectCategory=person)(objectClass=user)(!mail=*))

Useraccounts with Mail Enabled
(objectClass=user)(mail=*)

Useraccounts that have never logged on
(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*)))

Users that have been given dial-in permissions
(objectCategory=user)(msNPAllowDialin=TRUE)

Users find who have admin in description field
(objectcategory=person)(description=*admin*)

Find user accounts with no log on script
(objectcategory=person)(!scriptPath=*)

Find user accounts with no profile path
(objectcategory=person)(!profilepath=*)

Find non disabled accounts that must change their password at next logon
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

Find all Users that need to change password on next login
(&(objectCategory=user)(pwdLastSet=0))

Finds all locked out accounts
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)

Finds all Users with Email Address set
(objectcategory=person)(mail=*)

Finds all Users with no Email Address
(objectcategory=person)(!mail=*)

Find all Users with Dial-In permissions
(objectCategory=user)(msNPAllowDialin=TRUE)

Finds all disabled accounts in active directory
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)

Find all Users that are almost Locked-Out
Notice the “>=” that means “Greater than or equal to”.
(objectCategory=user)(badPwdCount>=2)

Find all mail-enabled groups hidden from the Global Address list (GAL)
(&(&(objectCategory=group)(objectClass=group))
(&(mailnickname=*)(msExchHideFromAddressLists=TRUE)))

Find all mail-enabled security groups
(&(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648))
(mailnickname=*))

Find all mailbox-enabled accounts
(&(&(objectCategory=person)(objectClass=user))
(&(mailnickname=*)(|(msExchhomeServerName=*)(homeMDB=*))))

Find all mailbox-enabled accounts with Outlook Web Access (OWA) disabled
(&(&(objectCategory=person)(objectClass=user))
(&(mailnickname=*)(|(msExchhomeServerName=*)(homeMDB=*))
(|(protocolSettings=*HTTP§0*)(protocolSettings=*OWA§0*))))

Find all users with Hidden Mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))

(&(&(objectCategory=person)(objectClass=user))(lastLogon>=129772445240000000))

Groups

To find all groups that have no members
(objectCategory=group)(!member=*)

Find Groups that contains the word admin
(objectcategory=group)(samaccountname=*admin*)

Find all Universal Groups
(groupType:1.2.840.113556.1.4.803:=8)

Find all global security groups
(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.803:=2147483650))

Finds Domain Local Groups
(groupType:1.2.840.113556.1.4.803:=4)

Find all distribution groups
(&(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))(objectCategory=ms-Exch-Dynamic-Distribution-List)(objectClass=msExchDynamicDistributionList)))

List all groups with sec- prefix convention
(&(objectCategory=group)(name=*sec-*))

Find all security groups with members
(&(objectCategory=group)
(groupType:1.2.840.113556.1.4.804:=2147483648)(member=*))

Service connection Points

Find all service connection points
(objectCategory=serviceConnectionPoint)

Find all service connection points that do not have service bindings specified
(&(objectCategory=serviceConnectionPoint)(!(serviceBindingInformation=*)))

Find all service connection points that do not have a service DNS name specified
(&(objectCategory=serviceConnectionPoint)(!(serviceDNSName=*)))

Directory Admin

Wednesday, December 17, 2014

LDAP Queries for Users, Computers, Groups and Service Connection Points

Computer accounts

User accounts

Groups

Service connection Points

Monday, November 17, 2014

Create the Windows 10 GodMode folder and Shortcuts for the listed tasks