
Search for all user accounts not disabled
Aaron Giuoco

2005-04-01, 4:04 pm

Hello. This is my first post to the list so please excuse any ignorance on my part.

I am trying to find all user accounts in a Windows 2000 Active Directory that are not disabled using the Net::LDAP module. This is the code I'm using for my search:

my $base = 'OU=Domain Users,DC=mydomain,DC=com';
my $filter = '(& (objectclass=user)(objectCategory=person)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))';
my @attrs = ['cn','mail','telephoneNumber'];
my $scope = 'sub';
my $searchRes = $ldap->search(
    base => $base,
    filter => $filter,
    scope => $scope,
    attrs => @attrs
);

I worked out the filter using LDP.exe, so I'm fairly certain it works and is correct. It returns all of the active users when run in LDP. However, this search returns no results when I run the perl script. If I remove the useraccountcontrol section from my filter and run the script, it will return all users (enabled and disabled). I am as to why the filter would work through LDP and not in my perl script. Any guidance is greatly appreciated.

___________________________
Aaron Giuoco
agiuoco@atlantia.com

Vladimir Levijev

2005-04-01, 4:04 pm

On Friday 01 April 2005 18:02, Giuoco, Aaron wrote:

Hi,

> I am trying to find all user accounts in a Windows 2000 Active Directory
> that are not disabled using the Net::LDAP module. This is the code I'm
> using for my search:
>
> my $base = 'OU=Domain Users,DC=mydomain,DC=com';
> my $filter =
> '(& (objectclass=user)(objectCategory=person)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))';
> my @attrs = ['cn','mail','telephoneNumber'];
> my $scope = 'sub';
> my $searchRes = $ldap->search(
> base => $base,
> filter => $filter,
> scope => $scope,
> attrs => @attrs
> );
>
> I worked out the filter using LDP.exe, so I'm fairly certain it works and
> is correct. It returns all of the active users when run in LDP. However,
> this search returns no results when I run the perl script. If I remove the
> useraccountcontrol section from my filter and run the script, it will
> return all users (enabled and disabled). I am as to why the filter
> would work through LDP and not in my perl script. Any guidance is greatly
> appreciated.


What I have been using to enable/disable the accounts in AD with perl_ldap is
setting next values to the userAccountControl attribute:

512 (enabled)
514 (disabled)

The example to disable account might look like:

$ldap->modify( "cn=foo,OU=bar,dc=example,dc=dom",
replace => { userAccountControl => 514 } );

Cheers,

--
[vl@dimir]#

Aaron Giuoco

2005-04-01, 4:04 pm

Yeah, I remember reading about that technique in Robbie Allen's Active Directory Cookbook. Very handy.

But my question was about why my search below fails when I include:

(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

in my search filter. That should be a bit mask for the useraccountcontrol property. It should perform an AND with the bit mask 10. If the 2 bit is set, the account should be disabled. I have not-ed the statement, so I should find all accounts that are not disabled. This works in LDP.exe, but not in my perl script.

AG


> -----Original Message-----
> From: Vladimir Levijev [mailto:dimir@rul0r.com]
> Sent: Friday, April 01, 2005 9:16 AM
> To: perl-ldap@perl.org
> Cc: Giuoco, Aaron
> Subject: Re: Search for all user accounts not disabled
>
>
> On Friday 01 April 2005 18:02, Giuoco, Aaron wrote:
>
> Hi,
>
>
> What I have been using to enable/disable the accounts in AD
> with perl_ldap is
> setting next values to the userAccountControl attribute:
>
> 512 (enabled)
> 514 (disabled)
>
> The example to disable account might look like:
>
> $ldap->modify( "cn=foo,OU=bar,dc=example,dc=dom",
> replace => { userAccountControl => 514 } );
>
> Cheers,
>
> --
> [vl@dimir]#
>
>


Glenn Lamb

2005-04-01, 4:04 pm



On Apr 1, 2005, at 7:02 AM, Giuoco, Aaron wrote:

> Hello. This is my first post to the list so please excuse any
> ignorance on my part.
>
> I am trying to find all user accounts in a Windows 2000 Active
> Directory that are not disabled using the Net::LDAP module. This is
> the code I'm using for my search:
>
> my $base = 'OU=Domain Users,DC=mydomain,DC=com';
> my $filter =
> '(& (objectclass=user)(objectCategory=person)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))';
> my @attrs = ['cn','mail','telephoneNumber'];
> my $scope = 'sub';
> my $searchRes = $ldap->search(
> base => $base,
> filter => $filter,
> scope => $scope,
> attrs => @attrs
> );
>
> I worked out the filter using LDP.exe, so I'm fairly certain it works
> and is correct. It returns all of the active users when run in LDP.
> However, this search returns no results when I run the perl script.
> If I remove the useraccountcontrol section from my filter and run the
> script, it will return all users (enabled and disabled). I am
> as to why the filter would work through LDP and not in my perl script.
> Any guidance is greatly appreciated.
>


try this filter

& (objectclass=user)(objectcategory=person)(!(useraccountcontrol:dn:1.2.840.113556.1.4.803:=2))

Notice the :dn: between useraccountcontrol and 1.2.840....

Aaron Giuoco

2005-04-01, 4:04 pm

Yup, that did it. Thanks!

AG


> -----Original Message-----
> From: Glenn Lamb [mailto:glamb@stanford.edu]
> Sent: Friday, April 01, 2005 9:44 AM
> To: Giuoco, Aaron
> Cc: <perl-ldap@perl.org>
> Subject: Re: Search for all user accounts not disabled
>
>
>
> try this filter
>
> & (objectclass=user)(objectcategory=person)(!(useraccountcontrol:dn:1.2.840.113556.1.4.803:=2))
>
> Notice the :dn: between useraccountcontrol and 1.2.840....
>
>
>
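
Added example, not part of the original thread or of the perl-ldap project: it parses the filter variants quoted above with Net::LDAP::Filter before any search is sent, so a filter the client cannot parse is reported instead of showing up as an empty result, and it evaluates the same bit test locally to relate the 512/514 values to the `:=2` mask. The third filter variant and the sample account names and userAccountControl values are constructed for illustration; the perl-ldap distribution is assumed to be installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Filter;

# AD bitwise-AND matching rule (the OID from the thread) and the
# ACCOUNTDISABLE flag it is tested against (decimal 2).
my $rule = '1.2.840.113556.1.4.803';
use constant UF_ACCOUNTDISABLE => 0x0002;

# Filter variants. RFC 4515 defines the operand of "!" as a complete
# filter, so it carries its own pair of parentheses.
my @filters = (
    [ 'first post'     => "(& (objectclass=user)(objectCategory=person)(!useraccountcontrol:${rule}:=2))" ],
    [ 'reply with :dn:' => "(& (objectclass=user)(objectcategory=person)(!(useraccountcontrol:dn:${rule}:=2)))" ],
    [ 'parens, no :dn:' => "(& (objectclass=user)(objectcategory=person)(!(useraccountcontrol:${rule}:=2)))" ],
);

# Parse a filter client-side; Net::LDAP::Filter->new returns undef on failure.
sub check_filter {
    my ($text) = @_;
    my $filter = Net::LDAP::Filter->new($text);
    return defined $filter
        ? 'parsed as ' . $filter->as_string
        : 'REJECTED by the client-side parser';
}
printf "%-16s %s\n", $_->[0], check_filter( $_->[1] ) for @filters;

# What the matching rule tests for each entry: (value & 2) == 2.
sub is_disabled { return ( $_[0] & UF_ACCOUNTDISABLE ) == UF_ACCOUNTDISABLE }

# Constructed sample accounts (not taken from the thread's directory).
my %uac = (
    alice => 512,      # NORMAL_ACCOUNT
    bob   => 514,      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    carol => 66048,    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    dave  => 66050,    # as carol, plus ACCOUNTDISABLE
);
for my $user ( sort keys %uac ) {
    printf "%-6s uac=%-6d %s\n", $user, $uac{$user},
        is_disabled( $uac{$user} ) ? 'disabled' : 'enabled';
}
```

In a live script, test `$searchRes->code` (and print `$searchRes->error`) after `$ldap->search` before reading the entries, since an error result also contains zero entries.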

