Code Comments
Hello. This is my first post to the list so please excuse any ignorance on my part.

I am trying to find all user accounts in a Windows 2000 Active Directory that are not disabled using the Net::LDAP module. This is the code I'm using for my search:

my $base = 'OU=Domain Users,DC=mydomain,DC=com';
my $filter = '(& (objectclass=user)(objectCategory=person)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))';
my @attrs = ['cn','mail','telephoneNumber'];
my $scope = 'sub';
my $searchRes = $ldap->search(
    base => $base,
    filter => $filter,
    scope => $scope,
    attrs => @attrs
);

I worked out the filter using LDP.exe, so I'm fairly certain it works and is correct. It returns all of the active users when run in LDP. However, this search returns no results when I run the perl script. If I remove the useraccountcontrol section from my filter and run the script, it will return all users (enabled and disabled). I am as to why the filter would work through LDP and not in my perl script. Any guidance is greatly appreciated.

___________________________
Aaron Giuoco
agiuoco@atlantia.com

On Friday 01 April 2005 18:02, Giuoco, Aaron wrote:

Hi,

> I am trying to find all user accounts in a Windows 2000 Active Directory
> that are not disabled using the Net::LDAP module. This is the code I'm
> using for my search:
>
> my $base = 'OU=Domain Users,DC=mydomain,DC=com';
> my $filter = '(& (objectclass=user)(objectCategory=person)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))';
> my @attrs = ['cn','mail','telephoneNumber'];
> my $scope = 'sub';
> my $searchRes = $ldap->search(
>     base => $base,
>     filter => $filter,
>     scope => $scope,
>     attrs => @attrs
> );
>
> I worked out the filter using LDP.exe, so I'm fairly certain it works and
> is correct. It returns all of the active users when run in LDP. However,
> this search returns no results when I run the perl script. If I remove the
> useraccountcontrol section from my filter and run the script, it will
> return all users (enabled and disabled). I am as to why the filter
> would work through LDP and not in my perl script. Any guidance is greatly
> appreciated.

What I have been using to enable/disable the accounts in AD with perl_ldap is setting next values to the userAccountControl attribute:

512 (enabled)
514 (disabled)

The example to disable account might look like:

$ldap->modify( "cn=foo,OU=bar,dc=example,dc=dom",
    replace => { userAccountControl => 514 } );

Cheers,

--
[vl@dimir]#

Yeah, I remember reading about that technique in Robbie Allen's Active Directory Cookbook. Very handy.

But my question was about why my search below fails when I include:

(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

in my search filter. That should be a bit mask for the useraccountcontrol property. It should perform an AND with the bit mask 10. If the 2 bit is set, the account should be disabled. I have not-ed the statement, so I should find all accounts that are not disabled. This works in LDP.exe, but not in my perl script.

AG

> -----Original Message-----
> From: Vladimir Levijev [mailto:dimir@rul0r.com]
> Sent: Friday, April 01, 2005 9:16 AM
> To: perl-ldap@perl.org
> Cc: Giuoco, Aaron
> Subject: Re: Search for all user accounts not disabled
>
> On Friday 01 April 2005 18:02, Giuoco, Aaron wrote:
>
> Hi,
>
> What I have been using to enable/disable the accounts in AD with perl_ldap is
> setting next values to the userAccountControl attribute:
>
> 512 (enabled)
> 514 (disabled)
>
> The example to disable account might look like:
>
> $ldap->modify( "cn=foo,OU=bar,dc=example,dc=dom",
> replace => { userAccountControl => 514 } );
>
> Cheers,
>
> --
> [vl@dimir]#

On Apr 1, 2005, at 7:02 AM, Giuoco, Aaron wrote:

> Hello. This is my first post to the list so please excuse any
> ignorance on my part.
>
> I am trying to find all user accounts in a Windows 2000 Active
> Directory that are not disabled using the Net::LDAP module. This is
> the code I'm using for my search:
>
> my $base = 'OU=Domain Users,DC=mydomain,DC=com';
> my $filter = '(& (objectclass=user)(objectCategory=person)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))';
> my @attrs = ['cn','mail','telephoneNumber'];
> my $scope = 'sub';
> my $searchRes = $ldap->search(
>     base => $base,
>     filter => $filter,
>     scope => $scope,
>     attrs => @attrs
> );
>
> I worked out the filter using LDP.exe, so I'm fairly certain it works
> and is correct. It returns all of the active users when run in LDP.
> However, this search returns no results when I run the perl script.
> If I remove the useraccountcontrol section from my filter and run the
> script, it will return all users (enabled and disabled). I am
> as to why the filter would work through LDP and not in my perl script.
> Any guidance is greatly appreciated.
>

try this filter

& (objectclass=user)(objectcategory=person)(!(useraccountcontrol:dn:1.2.840.113556.1.4.803:=2))

Notice the :dn: between useraccountcontrol and 1.2.840....

Yup, that did it. Thanks!

AG

> -----Original Message-----
> From: Glenn Lamb [mailto:glamb@stanford.edu]
> Sent: Friday, April 01, 2005 9:44 AM
> To: Giuoco, Aaron
> Cc: <perl-ldap@perl.org>
> Subject: Re: Search for all user accounts not disabled
>
> try this filter
>
> & (objectclass=user)(objectcategory=person)(!(useraccountcontrol:dn:1.2.840.113556.1.4.803:=2))
>
> Notice the :dn: between useraccountcontrol and 1.2.840....
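
Added example, not part of any post in this thread: a pure-Perl sketch of what the extensible-match item discussed above tests, run offline against constructed entries, showing that the bit test also catches disabled accounts whose userAccountControl is not exactly 514. The sub names, the sample entries, the 65536 (password never expires) flag and the 1.2.840.113556.1.4.804 (bitwise OR) rule are assumptions not taken from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Active Directory bitwise matching rules usable in extensible-match filters.
my %RULE = (
    '1.2.840.113556.1.4.803' => sub { ($_[0] & $_[1]) == $_[1] },  # AND: every mask bit set
    '1.2.840.113556.1.4.804' => sub { ($_[0] & $_[1]) != 0 },      # OR: any mask bit set
);

# Split one extensible-match item, "attr[:dn]:rule:=value", into its parts.
# The optional :dn flag is recorded; it does not change the bit comparison here.
sub parse_item {
    my ($item) = @_;
    $item =~ /^([A-Za-z][A-Za-z0-9-]*)(:dn)?:([0-9.]+):=(\d+)$/i
        or die "not an extensible-match item: $item\n";
    return { attr => lc $1, dn => defined($2) ? 1 : 0, rule => $3, mask => 0 + $4 };
}

# True when the entry's attribute satisfies the item's bitwise rule.
sub item_matches {
    my ($item, $entry) = @_;
    my $p    = parse_item($item);
    my $test = $RULE{ $p->{rule} } or die "unsupported rule $p->{rule}\n";
    my $val  = $entry->{ $p->{attr} };
    return 0 unless defined $val;
    return $test->(0 + $val, $p->{mask}) ? 1 : 0;
}

# Constructed sample entries (not real directory data).
my @entries = (
    { cn => 'alice', useraccountcontrol => 512 },    # normal account, enabled
    { cn => 'bob',   useraccountcontrol => 514 },    # 512 + 2: disabled
    { cn => 'carol', useraccountcontrol => 66048 },  # 512 + 65536, enabled
    { cn => 'dave',  useraccountcontrol => 66050 },  # 66048 + 2: disabled
);

my $disabled = 'userAccountControl:dn:1.2.840.113556.1.4.803:=2';
for my $e (@entries) {
    # The search filter negates this item to keep only enabled accounts.
    my $by_bit   = item_matches($disabled, $e) ? 'disabled' : 'enabled';
    my $by_value = $e->{useraccountcontrol} == 514 ? 'disabled' : 'enabled';
    printf "%-6s uac=%-6d bit test: %-9s ==514 test: %s\n",
        $e->{cn}, $e->{useraccountcontrol}, $by_bit, $by_value;
}
```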