How to Query Individual Properties of the "userAccountControl" Active Directory User property using LDAP

I was working with a customer this week who asked me how to query Active Directory for valid, active user accounts that were not service accounts. I made a couple of assumptions: an active account would not be disabled, and only service accounts would be set to PASSWORD NEVER EXPIRES. Initially I tried to query the value of the userAccountControl property of the user object using operators like > and <, but soon realized there were too many exceptions. I then discovered it was possible to query the individual bits of the userAccountControl property, which yielded the query below.

The following LDAP query can be used in Active Directory Users and Computers to query specific details of the userAccountControl property in AD. The query below returns all active user accounts that are not set to PASSWORD NEVER EXPIRES.

(&(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl<=600))

I'll describe the query in more detail:

(objectCategory=person)(objectClass=user)(mail=*) - All user objects with a value in the mail attribute (no contacts)

(!userAccountControl:1.2.840.113556.1.4.803:=2) - Filters out disabled accounts

(!userAccountControl:1.2.840.113556.1.4.803:=65536) - Filters out accounts set to PASSWORD NEVER EXPIRES

(!userAccountControl<=600) - Filters out Exchange Organization Mailboxes
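To make the bit tests concrete, here is an added Python example (not code from the original post) that evaluates the main query's clauses, and the 1.2.840.113556.1.4.803 bitwise-AND rule they rely on, against constructed sample accounts offline; the sample records, the helper names and the example.test addresses are assumptions.

```python
# Added example (not from the original post). Flag values are the documented
# ADS_UF_* constants from KB 305144; the accounts below are constructed.
ACCOUNTDISABLE       = 0x000002   # 2
NORMAL_ACCOUNT       = 0x000200   # 512
DONT_EXPIRE_PASSWORD = 0x010000   # 65536
SMARTCARD_REQUIRED   = 0x040000   # 262144
DONT_REQ_PREAUTH     = 0x400000   # 4194304

def bit_and(uac: int, mask: int) -> bool:
    """userAccountControl:1.2.840.113556.1.4.803:=mask -> every bit of mask set."""
    return uac & mask == mask

def decode(uac: int) -> list[str]:
    """Names of the known flags present in a userAccountControl value."""
    names = {ACCOUNTDISABLE: "ACCOUNTDISABLE", NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
             DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
             SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED", DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH"}
    return [name for bit, name in names.items() if bit_and(uac, bit)]

def active_pwd_expires(acct: dict) -> bool:
    """(mail=*) plus the two negated bit tests (disabled, password never expires)."""
    uac = acct["userAccountControl"]
    return (acct.get("mail") is not None
            and not bit_and(uac, ACCOUNTDISABLE)
            and not bit_and(uac, DONT_EXPIRE_PASSWORD))

def main_query(acct: dict) -> bool:
    """The post's full main query, including the integer clause (!userAccountControl<=600)."""
    return active_pwd_expires(acct) and not acct["userAccountControl"] <= 600

def select(pred, accounts: list[dict]) -> list[str]:
    return [a["sAMAccountName"] for a in accounts if pred(a)]

# Constructed sample accounts (not real directory data).
SAMPLE = [
    {"sAMAccountName": "alice",   "mail": "alice@example.test", "userAccountControl": 512},
    {"sAMAccountName": "bob",     "mail": "bob@example.test",   "userAccountControl": 514},    # disabled
    {"sAMAccountName": "svc-sql", "mail": "svc@example.test",   "userAccountControl": 66048},  # never expires
    {"sAMAccountName": "carol",   "mail": "carol@example.test", "userAccountControl": 512 | SMARTCARD_REQUIRED},
    {"sAMAccountName": "erin",    "mail": None,                 "userAccountControl": 512 | DONT_REQ_PREAUTH},
]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f'{a["sAMAccountName"]:8} {a["userAccountControl"]:>7} {decode(a["userAccountControl"])}')
    print("active, password expires:", select(active_pwd_expires, SAMPLE))
    # A plain enabled account is exactly 512 (NORMAL_ACCOUNT), so the <=600 clause drops alice too.
    print("with (!userAccountControl<=600):", select(main_query, SAMPLE))
    print("preauth not required:", select(lambda a: bit_and(a["userAccountControl"], DONT_REQ_PREAUTH), SAMPLE))
```

The bit tests behave the same whether the value is 514 or 66050, which is why they avoid the exceptions that plain > and < comparisons run into; the last line checks the sample accounts against the Kerberos preauthentication clause used later on this page.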

SAMPLE LDAP QUERIES

UAC - Smart Card Login Enforced on The User
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=262144))
 
UAC - PWD Never Expires
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))
 
UAC - CAC Enabled Accounts (no disabled accounts or password never expires)
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(userAccountControl:1.2.840.113556.1.4.803:=262144)(userPrincipalName=1*@mil))
 
UAC - Not CAC Enabled (no disabled accounts or password never expires)
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userPrincipalName=1*@mil))

UAC - Users with CAC enabled attributes but not enforced, excluding resource mailboxes (sn=*).
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userPrincipalName=1*@mil)(sn=*))

Kerberos Preauthentication Disabled
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))

REFERENCE

How to use the UserAccountControl flags to manipulate user account properties
https://support.microsoft.com/kb/305144

How to query Active Directory by using a bitwise filter
https://support.microsoft.com/kb/269181

Comments

  • Anonymous
    July 23, 2013
    (objectCategory=person)(objectClass=user) is sufficient enough to not get any "Contact" type objects, just User accounts.  No need for the "(mail=*)".

  • Anonymous
    September 30, 2013
    You saved my day. Thank you man!

  • Anonymous
    March 04, 2015
Attention: The correct notation (per RFC-1422) for a negated filter would be (!(userAccountControl:1.2.840.113556.1.4.803:=2)) instead of (!userAccountControl:1.2.840.113556.1.4.803:=2). My LDAP server rejected your filter; other LDAP servers may or may not accept it. Bernhard