See the problem? It’s grabbing all users. Because we have thousands and thousands of disabled AD objects (I have no control over this), this is inflating our number of users in the system. To correct this we needed to query on something in AD that would filter out disabled users.
Instead of giving you the answer right away I am going to show you my thought process. The first thing was to figure out the attributes I could query on. I need to run Get-ADObject, but first I need my DN to run that command. So I run:
Get-ADUser -Identity keith.smith
To get the DN I just need to run:
(Get-ADUser -Identity keith.smith).DistinguishedName
Then to get all the attributes on my AD User Object, I put that into my Get-ADObject command:
Get-ADObject -Identity (Get-ADUser -Identity ksmi13).DistinguishedName -Properties *
That will pull back alotta (yes that’s a word) different attributes. The one we are looking for, and the one that seems interesting, is “userAccountControl”.
So I Google it and come up with this url:
What I need to figure out here is the OID for a disabled user. The syntax should look like:
I really wanted to know how the OID syntax was generated so I searched the MS-ADTS Glossary for OID.
object identifier (OID): In the Lightweight Directory Access Protocol (LDAP), a sequence of numbers in a format described by [RFC1778]. In many LDAP directory implementations, an OID is the standard internal representation of an attribute. In the directory model used in this specification, the more familiar ldapDisplayName represents an attribute.
So to learn more I read RFC 1778, which didn’t really help because I didn’t understand anything at all in that RFC. After some other reading, though, I found that I needed to figure out the syntax below:
$Attribute-ID + $LdapMatchingRule + “:$Identifier (defined in iads.h)”
I went to the UserAccountControl page
and found the $Attribute-ID 1.2.840.113518.104.22.168.
Then I found the LDAP matching rule I wanted to use, 03 (I needed a bitwise AND operation).
Then found the UserAccountControl Disabled attribute (2) at the bottom of
So what I have so far is:
- Attribute-ID = 1.2.840.113522.214.171.124
- LDAP_MATCHING_RULE_BIT_AND = 1.2.840.1135126.96.36.1993
- ADS_UF_ACCOUNTDISABLE = 0x00000002
What I want is…
“If Attribute-ID AND 2, then…”
In OID Syntax, that would be…
(1.2.840.1135188.8.131.52 + 03 + := + 2)
So to find disabled users you would use this as the filter:
In my case I am trying to find enabled accounts. To do that, just put a NOT in front of it.
And finally all together my final query would look like…
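As an added example (not the post’s own query), here is the bitwise filter written out in PowerShell against the ActiveDirectory module, both for disabled accounts and, with the NOT wrapped around it, for enabled ones. Two things are assumed here rather than taken from the post: the filter uses the attribute’s ldapDisplayName (userAccountControl) rather than its numeric attribute OID, which is how the extensible-match syntax is actually written, and the matching-rule OID 1.2.840.113556.1.4.803 is the value Microsoft documents for LDAP_MATCHING_RULE_BIT_AND. The account names and the domain connection are placeholders; the script also cross-checks the server-side bit test against a local -band on the same attribute so you can see that both agree.

```powershell
# Added example, not the original post's query. Requires the RSAT ActiveDirectory module
# and a reachable domain; nothing here is specific to the author's environment.
Import-Module ActiveDirectory

# Documented Microsoft OID for a bitwise AND extensible match (LDAP_MATCHING_RULE_BIT_AND).
$BitAnd = '1.2.840.113556.1.4.803'

# userAccountControl flag for a disabled account (ADS_UF_ACCOUNTDISABLE in iads.h).
$AccountDisable = 0x2

# "(attr:rule:=value)" is LDAP extensible-match syntax. With the bitwise-AND rule it reads
# "userAccountControl AND 2 is non-zero", i.e. the disable bit is set.
$DisabledFilter = "(userAccountControl:${BitAnd}:=$AccountDisable)"

# Wrapping the clause in (!...) negates it: the disable bit is NOT set, so the account is enabled.
$EnabledFilter = "(!$DisabledFilter)"

function Get-UserCountSummary {
    # Returns the three counts so the two partitions can be checked against the raw total.
    $all      = @(Get-ADUser -Filter *)
    $disabled = @(Get-ADUser -LDAPFilter $DisabledFilter)
    $enabled  = @(Get-ADUser -LDAPFilter $EnabledFilter)

    [pscustomobject]@{
        All        = $all.Count
        Disabled   = $disabled.Count
        Enabled    = $enabled.Count
        # Every user has the bit either set or clear, so the two filters should sum to the total.
        Consistent = (($disabled.Count + $enabled.Count) -eq $all.Count)
    }
}

Get-UserCountSummary

# Cross-check: the server evaluated the bit for us; evaluate it again locally with -band and
# compare with the module's Enabled property, which is derived from the same flag.
Get-ADUser -LDAPFilter $DisabledFilter -Properties userAccountControl |
    Select-Object -First 5 SamAccountName, Enabled,
        @{ n = 'UAC';           e = { $_.userAccountControl } },
        @{ n = 'DisableBitSet'; e = { ($_.userAccountControl -band $AccountDisable) -ne 0 } }
```

The `${BitAnd}` braces matter: without them PowerShell would read `$BitAnd:` as a scope or drive qualifier and the filter string would be silently wrong. The Consistent column is the quick sanity check for the original problem: if Disabled is a large number, that is the gap between the count the system was reporting and the number of people who can actually log in.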
One last RFC that I haven't read yet but looks pretty interesting on LDAP Attributes is RFC 2251.