| 1 | + |
| 2 | + |
| 3 | +* Examples |
| 4 | + |
| 5 | +** List the DNs of all users in our QAUsers group |
| 6 | + |
| 7 | +: ad_query --subst --attr=dn |
| 8 | +: ^OU=QAUsers,$domain&sub&(&(objectcategory=person)(objectclass=user)) |
| 9 | + |
| 10 | +** List the DN using the user's mail address |
| 11 | + |
| 12 | +: ad_query --subst --attr=dn,userAccountControl |
| 13 | +: (&(objectcategory=person)(objectclass=user) |
| 14 | + |
| 15 | + |
| 16 | + |
| 17 | +After that the userControlFlags should be checked - see below for |
| 18 | +the bit flags. For a non-disabled user use: |
| 19 | + |
| 20 | +: if ((userControlFlags & 0x0212) == 0x200)) |
| 21 | +: use_this_user() |
| 22 | + |
| 23 | + |
| 24 | +* Useful attributes |
| 25 | + |
| 26 | +** userAccountControl |
| 27 | + |
| 28 | +These are bit flags. For details see |
| 29 | +https://learn.microsoft.com/en-us/windows/win32/api/iads/ne-iads-ads_user_flag_enum |
| 30 | + |
| 31 | +- 0x00000002 :: ADS_UF_ACCOUNTDISABLE, the account is disabled. |
| 32 | +- 0x00000010 :: ADS_UF_LOCKOUT, the account is temporarily locked out. |
| 33 | +- 0x00000100 :: ADS_UF_TEMP_DUPLICATE_ACCOUNT, this is an account for |
| 34 | + a user whose primary account is in another domain. |
| 35 | +- 0x00000200 :: ADS_UF_NORMAL_ACCOUNT, the default account type that |
| 36 | + represents a typical user. |
| 37 | +- 0x00000800 :: ADS_UF_INTERDOMAIN_TRUST_ACCOUNT, the account for a |
| 38 | + domain-to-domain trust. |
| 39 | +- 0x00001000 :: ADS_UF_WORKSTATION_ACCOUNT, the computer account for a |
| 40 | + computer that is a member of this domain. |
| 41 | +- 0x00002000 :: ADS_UF_SERVER_TRUST_ACCOUNT, the computer account for |
| 42 | + a DC. |
| 43 | +- 0x00010000 :: ADS_UF_DONT_EXPIRE_PASSWD, the password will not expire. |
| 44 | +- 0x04000000 :: ADS_UF_PARTIAL_SECRETS_ACCOUNT, the computer account |
| 45 | + for an RODC. |
| 46 | + |
| 47 | +For example to select only user accounts which are not disabled or |
| 48 | +are locked out could naivly be used: |
| 49 | + |
| 50 | +: (userAccountControl:1.2.840.113556.1.4.803:=512) |
| 51 | + |
| 52 | +1.2.840.113556.1.4.803 is bit wise AND, 1.2.840.113556.1.4.804 is bit |
| 53 | +wise OR. However, because a mask can't be specified, this is not really |
| 54 | +useful. Thus the above needs to be replaced by explicit checks; i.e. |
| 55 | + |
| 56 | +: (&(userAccountControl:1.2.840.113556.1.4.804:=512) |
| 57 | +: (!(userAccountControl:1.2.840.113556.1.4.804:=2)) |
| 58 | +: (!(userAccountControl:1.2.840.113556.1.4.804:=16))) |
| 59 | + |
| 60 | +I'd suggest to also add explict checks on the returned data. |
| 61 | + |
| 62 | + |
| 63 | +* Resources |
| 64 | + |
| 65 | +- https://qa.social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx |
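Review bot: the pseudo-code check at hunk line 20 has unbalanced parentheses and tests a name that does not match the attribute documented in the rest of the file: `if ((userControlFlags & 0x0212) == 0x200))` has one `)` too many, and the attribute is userAccountControl everywhere else, so the condition should read `if ((userAccountControl & 0x0212) == 0x200)`. On the same logic, ADS_UF_LOCKOUT (0x10) is a read-only flag that Active Directory does not maintain in the stored userAccountControl value, so neither the 0x0212 mask nor the filter term `(!(userAccountControl:1.2.840.113556.1.4.804:=16))` at hunk line 58 will actually exclude locked-out accounts; the text should state that lockout has to be taken from the constructed attribute msDS-User-Account-Control-Computed (or derived from lockoutTime) after the query, which also strengthens the closing advice to check the returned data explicitly. The "List the DN using the user's mail address" example at hunk lines 12-13 is incomplete: the filter `(&(objectcategory=person)(objectclass=user)` lacks the mail clause the heading promises and its closing parenthesis, and it is missing the `^base&sub&` prefix that the first example shows. Minor: "which are not disabled or are locked out could naivly be used" at hunk lines 47-48 should read "which are neither disabled nor locked out, one could naively use"; "explict" at hunk line 60 should be "explicit"; and since 1.2.840.113556.1.4.803 (AND) and 1.2.840.113556.1.4.804 (OR) are equivalent for single-bit values, the replacement filter could use 803 throughout, which is the form the cited Microsoft references use.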