Bulk Password Control - Pre-defined Queries

 

Note about the queries on this page

The LDAP queries listed on this page are the pre-defined LDAP filters that are installed with Password Control.  All queries exclude the part of the query that filters for user accounts "(&(ObjectClass=user)(ObjectCategory=person))".  Some queries also define parameters, which are placeholders for the actual value used in the query.  For example, a query may contain a parameter that is to be replaced by the current date in filetime (large integer) format.

Date Parameters

Date parameters are written between two pairs of hash symbols.  They allow you to specify a date in a user-friendly format and have it converted to either a large integer (filetime) or generalized time at runtime.

e.g.

##FT:2007-09-30## converts to 128355804000000000
##GT:2007-09-30## converts to 20070930000000.0+0Z (Time zone dependent)

You can also use the keyword "Now" for the current date. 

##FT:Now## = Today's date.
##FT:Now+d1## = Tomorrow's date.
##FT:Now-d1## = Yesterday's date.
##FT:Now+m3## = 3 months from today's date.
##FT:Now-y2## = 2 years ago.

Pre-defined LDAP Queries

Account expires in 7 days

User accounts that expire in the next 7 days (but have not already expired). 

(&(!(accountExpires=0))(accountExpires>=##FT:Now+d1##)(accountExpires<=##FT:Now+d8##))

Please note that the LDAP query above specifies two date parameters that will be converted to large integer dates at runtime.
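The runtime conversion described above can be reproduced outside the product. The following is an added example, not Password Control's own code: it expands the date parameters into filetime or generalized time values and rejects any placeholder it does not recognise, so an unexpanded token never reaches the directory. It assumes dates are taken at midnight UTC and that generalized time is written as YYYYMMDDHHMMSS.0Z; the product's conversion is time zone dependent, so its values can differ from these.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Offsets are only accepted after "Now", as in the examples on this page.
TOKEN = re.compile(r"##(FT|GT):(?:Now(?:([+-])([dmy])(\d+))?|(\d{4}-\d{2}-\d{2}))##")

def shift(day, sign, unit, n):
    """Apply a d/m/y offset; month and year steps clamp to the month end."""
    n = n if sign == "+" else -n
    if unit == "d":
        return day + timedelta(days=n)
    months = day.year * 12 + (day.month - 1) + (n if unit == "m" else 12 * n)
    year, month = months // 12, months % 12 + 1
    last = calendar.monthrange(year, month)[1]
    return day.replace(year=year, month=month, day=min(day.day, last))

def to_filetime(day):
    """100-nanosecond intervals since 1601-01-01 UTC (AD large integer)."""
    delta = day - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000

def expand(ldap_filter, today):
    """Expand every date parameter; 'today' is assumed to be midnight UTC."""
    def repl(m):
        kind, sign, unit, n, base = m.groups()
        day = today
        if base:
            day = datetime.strptime(base, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        if unit:
            day = shift(day, sign, unit, int(n))
        if kind == "FT":
            return str(to_filetime(day))
        return day.strftime("%Y%m%d%H%M%S.0Z")  # assumed generalized-time form
    out = TOKEN.sub(repl, ldap_filter)
    if "##" in out:  # a token the pattern did not recognise is still present
        raise ValueError("unrecognised date parameter in: " + ldap_filter)
    return out

if __name__ == "__main__":
    today = datetime(2007, 9, 30, tzinfo=timezone.utc)  # constructed sample date
    query = ("(&(!(accountExpires=0))(accountExpires>=##FT:Now+d1##)"
             "(accountExpires<=##FT:Now+d8##))")
    print(expand(query, today))
```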

Account has Expiry Date

All user accounts that have a specified account expires date.

(!(|(accountExpires=9223372036854775807)(accountExpires=0)))

Account Is Expired

This query finds all the user accounts that have expired by searching for accounts that have an expiry date less than or equal to the current date.  Please note that if the accountExpires attribute is the current date, the account has already expired.  The value shown in Active Directory Users and Computers is actually the previous day's date (Expires End Of).

(&(!(accountExpires=0))(accountExpires<=##FT:Now##))

Account Never Expires

All the user accounts that never expire.

(|(accountExpires=9223372036854775807)(accountExpires=0))

Disabled User Accounts

(userAccountControl:1.2.840.113556.1.4.803:=2)

Enabled User Accounts

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Locked User Accounts

All the user accounts that have been locked out by the domain lockout policy.  Please note that this query does not take into account the lockout duration.  An account may have automatically been unlocked depending on your domain policy.

(lockoutTime>=1)

Must change password at next logon

All the user accounts that are forced to change their password at next logon.

(pwdLastSet=0)

Never Logged on to the domain

All the user accounts that have never logged on to the domain.

(|(lastlogon=0)(!(lastlogon=*)))

Password Never Expires

All users that are exempt from the "Maximum Password Age" policy.  These user accounts are never forced to change their password.

(userAccountControl:1.2.840.113556.1.4.803:=65536)

Recently Created User Accounts

User accounts that have been created in the last two days.  The date can be modified to suit your own needs and will be converted to generalized time format in the runnable LDAP query.

(whenCreated>=##GT:Now-d2##)

Users with Exchange Mailbox

All user accounts with an Exchange mailbox.

(msExchHomeServerName=*)

Users with old Passwords

User accounts where the password hasn't been changed for 3 months. 

(&(pwdLastSet<=##FT:Now-m3##)(!(pwdLastSet=0)))

More LDAP Queries?

You can add additional LDAP queries or modify existing queries by editing the "LDAPFilters.xml" file in the Password Control program directory.  Before you edit the file, you might want to make a backup copy.
