Saved queries have been one of the overlooked features in the admins toolbox.

ADUC-saved-Q

You can save queries to search for disabled user or computer accounts, number of days since the last user logon, users with non-expiring Passwords, and many other commonly used queries. All queries located in the Saved Queries folder are stored in Active Directory Users and Computers (dsa.msc). Once you have successfully created your customized set of queries you can copy the .msc file to other domain controllers (located in the same domain) and use the same set of saved queries. You can also export saved queries to an .xml file and import them into other Active Directory User and Computer consoles located on domain controllers (within the same domain).

To get started go to Active Directory Users and Computers:

Right click the Saved Queries folder and select New, Query.
Enter an appropriate Name and Description.
Make sure the query root is set to the domain level you want the query to pertain to.
Select the Include sub-containers check box if you want the query to search all sub-containers.
Click Define Query.
In the Find dialog box, click the Find drop-down arrow and select Custom Search.
On the Advanced tab, enter your LDAP query string into the Enter LDAP query box.
Click OK twice.

 

Some LDAP query examples:
Users whose accounts are disabled
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Users that must change password at next logon
(objectCategory=user)(pwdLastSet=0)

Find Groups that contains the word admin
(objectcategory=group)(samaccountname=*admin*)

Find users who have admin in description field
(objectcategory=person)(description=*admin*)

Groups with No Members (finds groups that have no members in them)
(objectCategory=group)(!member=*)
Note: The ! symbol means “Not” and * means “Has a value,” so the combination of the two evaluates to “Doesn’t have a value.”

Finds all groups defined as a Global Group, a Domain Local Group, or a Universal Group
(groupType:1.2.840.113556.1.4.804:=14)

Find user accounts with passwords set to never expire
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)

Find all users that never log in to domain
(&(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*))))

Find user accounts with no log on script
(objectcategory=person)(!scriptPath=*)

Find user accounts with no profile path
(objectcategory=person)(!profilepath=*)

Finds non disabled accounts that must change their password at next logon
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

Finds all disabled accounts in active directory
(objectCategory=person)(objectClass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

Finds all locked out accounts
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)

Finds Domain Local Groups
(groupType:1.2.840.113556.1.4.803:=4)

Finds all Users with Email Address set
(objectcategory=person)(mail=*)

Finds all Users with no Email Address
(objectcategory=person)(!mail=*)

Find all Users, Groups or Contacts where Company or Description is Contractors
(|(objectcategory=user)(objectcategory=group)(objectcategory=contact))(|(description=North*)(company=Contractors*))

Find all Users that are almost Locked-Out
Notice the “>=” that means “Greater than or equal to”.
(objectCategory=user)(badPwdCount>=2)

Find all Computers that do not have a Description
(objectCategory=computer)(!description=*)

Find all users with Hidden Mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))

Find all Windows 2000 SP4 computers
(&(&(&(objectCategory=Computer)(operatingSystem=Windows 2000 Professional)(operatingSystemServicePack=Service Pack 4))))

Find all Windows XP SP2 computers
(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))))))))

Find all Windows XP SP3 computers
(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))))))))

Find all Vista SP1 computers
(&(&(&(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1)))))

Find All Workstations
(sAMAccountType=805306369)

Find all 2003 Servers Non-DCs
(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2003*)))

Find all 2003 Servers – DCs
(&(&(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))))

Find all Server 2008
(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2008*))))

 

One of the other features I like to enable is the Status option within ADUC.  It will provide a total of all the objects in the ADUC window.

ADUC-Status

 

Next time we will look at AD Administrative Center the new ADUC well kinda.

About the Author: steve bowman

Three Minutes For A More Secure & Efficient Infrastructure

Short and to the point, Steve’s Email Blasts give you endpoint management tips, tricks, and news in three minutes or less email read-time, guaranteed.

Model says no to spam. Privacy Policy

Model Technology Solutions

Model Technology Solutions is a small but mighty band of infrastructure experts. We’ve helped companies in diverse industries to modernize and automate their infrastructures through effectively managing their Microsoft endpoint suite.

With us on your team, you’ll watch your security and compliance go up and your IT team’s costs (and headaches) go down. You’ll relax in knowing that your endpoints will be secure and online when your users need them most. And you’ll finally get back to your most-important tasks.

Model Technology Solutions
12125 Woodcrest Executive Drive, Ste. 204 Creve Coeur, MO 63141

Phone: (314) 254-4138
General Inquiries: model@model-technology.com
Sales and Quotes: sales@model-technology.com