Where’s my enabled Users?

I’m going through and fine-tuning our Proofpoint spam solution and noticed one of the filters needs to be updated. This filter finds users in ADUC and pushes them to our spam solution out on the internets. The end result of this filter should be the set of active, mail-enabled users.




Filter:
(&(msExchHomeServerName=*)(!(objectclass=contact))(!(objectclass=group))(!(cn=systemmailbox*))(!(cn=healthmailbox*)))

See the problem? It’s grabbing all users. Because we have thousands and thousands of disabled AD objects (I have no control over this), this is altering our number of users in the system. To correct this we needed to query on something in AD that would filter out disabled users.

Instead of giving you the answer right away I am going to show you my thought process. First thing was to figure out the attributes I could query on. I need to do a Get-ADObject, but first I need my DN to run that command. So I run:

Get-ADUser -Identity keith.smith


To get the DN I just need to run:

((Get-ADUser -Identity keith.smith).DistinguishedName)



Then to get all the attributes on my AD User Object, I put that into my Get-ADObject command:

Get-ADObject -Identity ((Get-ADUser -Identity ksmi13).DistinguishedName) -Properties *



That will pull back alotta (yes that’s a word) different attributes. The one that looks interesting for our purpose is “userAccountControl”.
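Rather than dumping every attribute with -Properties *, you can ask for just userAccountControl and decode the bit that matters. This is an added example, not part of the original post; it assumes the ActiveDirectory module is loaded and reuses the post’s sample account name keith.smith. The flag values are the documented ADS_UF_* constants from the userAccountControl page linked below.

```powershell
# Added example: read userAccountControl for one account and decode it.
# Assumes the ActiveDirectory module is imported and 'keith.smith' is a
# real account (sample name taken from the post).

# A few documented userAccountControl flags (ADS_UF_* values).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE     = 0x00000002
    LOCKOUT            = 0x00000010
    PASSWD_NOTREQD     = 0x00000020
    NORMAL_ACCOUNT     = 0x00000200
    DONT_EXPIRE_PASSWD = 0x00010000
}

function Get-UacFlagReport {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties userAccountControl
    $uac  = [int]$user.userAccountControl

    # Bitwise AND against each flag; this is the same test the
    # 1.2.840.113556.1.4.803 matching rule performs server-side.
    $set = foreach ($name in $UacFlags.Keys) {
        if (($uac -band $UacFlags[$name]) -ne 0) { $name }
    }

    [pscustomobject]@{
        SamAccountName     = $user.SamAccountName
        userAccountControl = $uac
        FlagsSet           = ($set -join ', ')
        # True when bit 0x2 is set; the module's Enabled property is
        # derived from this same bit, so the two should always agree.
        DisabledByBit      = (($uac -band $UacFlags.ACCOUNTDISABLE) -ne 0)
        EnabledProperty    = $user.Enabled
    }
}

Get-UacFlagReport -Identity 'keith.smith'
```

A typical enabled user shows 512 (NORMAL_ACCOUNT) or 66048 (NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD); a disabled one shows 514 or 66050, i.e. the same value with bit 0x2 added. That is the bit the filter later in the post tests for.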


So I Google it and come up with this url:
https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx

On here what I need to figure out is the OID for a disabled user. The syntax should look like:
attributename:ruleOID:=value

I really wanted to know how the OID syntax was generated so I searched the MS-ADTS Glossary for OID.
https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_aaaf2f1a-0b0a-487e-a0f0-c3510a6091b2


object identifier (OID): In the Lightweight Directory Access Protocol (LDAP), a sequence of numbers in a format described by [RFC1778]. In many LDAP directory implementations, an OID is the standard internal representation of an attribute. In the directory model used in this specification, the more familiar ldapDisplayName represents an attribute.

So to learn more I read RFC 1778.
https://www.ietf.org/rfc/rfc1778.txt

Which didn’t really help, because I didn’t understand anything at all in that RFC, but after some other reading I found that I needed to figure out the syntax below:
$Attribute-ID + $LdapMatchingRule + “:$Identifier (defined in iads.h)”

I went to the UserAccountControl page
https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx

And found the $Attribute-Id 1.2.840.113556.1.4.8


Then found the LDAP Matching Rule I wanted to use 03 (Needed an AND bitwise operation)
https://msdn.microsoft.com/en-us/library/cc223367.aspx



Then found the userAccountControl value for a disabled account, ADS_UF_ACCOUNTDISABLE (2), at the bottom of
https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx

So what I have so far is:
  • Attribute-ID = 1.2.840.113556.1.4.8
  • LDAP_MATCHING_RULE_BIT_AND = 1.2.840.113556.1.4.803
  • ADS_UF_ACCOUNTDISABLE = 0x00000002

What I want is…
“If Attribute-ID AND 2 Then”.

In OID Syntax, that would be…
(1.2.840.113556.1.4.8 + 03 + := + 2)
Written out in the attributename:ruleOID:=value form from earlier, the filter to find disabled users is:
  • (userAccountControl:1.2.840.113556.1.4.803:=2)

In my case I am trying to find enabled accounts. To do that, just put a NOT in front of it:
  • (!(userAccountControl:1.2.840.113556.1.4.803:=2))

And finally all together my final query would look like…

"(&(msExchHomeServerName=*)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(!(objectclass=contact))(!(objectclass=group))(!(cn=systemmailbox*))(!(cn=healthmailbox*)))"
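To prove the corrected filter does what it should before pushing it to the spam solution, run the old and new filters side by side and check that the only accounts that drop out are disabled ones. This is an added example, not part of the original post; it assumes the ActiveDirectory module is loaded and that the caller can read the domain. The exclusions for contacts and groups are redundant under Get-ADUser (it only returns user objects) but are kept so the string is identical to what the spam solution uses.

```powershell
# Added example: compare the post's original filter with the corrected one
# and verify the difference is exactly the disabled accounts.
# Assumes the ActiveDirectory module is imported.

$OldFilter = '(&(msExchHomeServerName=*)(!(objectclass=contact))(!(objectclass=group))(!(cn=systemmailbox*))(!(cn=healthmailbox*)))'
$NewFilter = '(&(msExchHomeServerName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectclass=contact))(!(objectclass=group))(!(cn=systemmailbox*))(!(cn=healthmailbox*)))'

function Compare-MailboxFilters {
    param(
        [string]$Old = $OldFilter,
        [string]$New = $NewFilter
    )

    # @() keeps .Count working even when a filter returns 0 or 1 objects.
    $all    = @(Get-ADUser -LDAPFilter $Old -Properties userAccountControl)
    $active = @(Get-ADUser -LDAPFilter $New -Properties userAccountControl)

    # Accounts the old filter returned that are disabled: these are the
    # ones the corrected filter is supposed to drop.
    $disabledInOld = @($all | Where-Object { -not $_.Enabled })

    # Accounts the new filter still returns that are disabled: must be empty,
    # otherwise the bitwise clause is not doing its job.
    $disabledInNew = @($active | Where-Object { -not $_.Enabled })

    [pscustomobject]@{
        OldFilterCount        = $all.Count
        NewFilterCount        = $active.Count
        DisabledDroppedByNew  = $disabledInOld.Count
        DisabledLeakedIntoNew = $disabledInNew.Count   # expect 0
        CountsReconcile       = ($all.Count - $disabledInOld.Count) -eq $active.Count
    }
}

Compare-MailboxFilters
```

CountsReconcile should come back True and DisabledLeakedIntoNew should be 0; if either is off, something other than the disabled bit is changing between the two runs (for example, objects that are not user class slipping through a looser query elsewhere) and the filter needs another look before it goes to the spam solution.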


One last RFC that I haven't read yet but looks pretty interesting on LDAP Attributes is RFC 2251.
https://www.ietf.org/rfc/rfc2251.txt

