The saved queries function in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in lets you create, save, and organize queries that you'll use repeatedly for administering Active Directory (AD) objects. You can create queries using the wizardlike options on the New Query dialog box, or you can define custom searches that can be used to gather whatever objects you like simply by keying in your own LDAP queries.
Here are the steps to follow in the Active Directory Users and Computers console to create a Custom Search saved query:
- Right click the Saved Queries folder and select New, Query.
- Enter an appropriate Name and Description.
- Make sure the query root is set to the domain level you want the query to pertain to.
- Select the Include subcontainers check box if you want the query to search all subcontainers.
- Click Define Query.
- In the Find dialog box, click the Find drop-down arrow and select Custom Search.
- On the Advanced tab, enter your LDAP query string into the Enter LDAP query box.
- Click OK twice.
What follows is a list of queries that can help you administer AD—and get you started on the road to using saved queries to simplify AD management.
Groups Like Service (finds any group name that contains the word service)
(objectcategory=group)(samaccountname=*service*)
Description Like Service (finds accounts in which the description contains the word service)
(objectcategory=person)(description=*service*)
Groups Like Admin (finds any groups whose name contains the word admin)
(objectcategory=group)(samaccountname=*admin*)
Universal Groups (finds groups with universal scope)
(groupType:1.2.840.113556.1.4.803:=8)
Groups with No Members (finds groups that have no members in them)
(objectCategory=group)(!member=*)
Note: The ! symbol means "Not" and * means "Has a value," so the combination of the two evaluates to “Doesn’t have a value.”
Global, Domain Local, or Universal Groups (finds any group defined as a Global Group, a Domain Local Group, or a Universal Group)
(groupType:1.2.840.113556.1.4.804:=14)
Global, Domain Local, or Universal Groups with No Members (finds any group defined as a Global Group, a Domain Local Group, or a Universal Group that has no members)
(groupType:1.2.840.113556.1.4.804:=14)(!member=*)
User Like Service (finds any account ID that has a name containing the word service)
(objectcategory=person)(samaccountname=*service*)
Password Does Not Expire (finds user accounts with nonexpiring passwords)
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)
No Employee ID (finds any user account that has no employeeid value)
(objectcategory=person)(!employeeid=*)
No Login Script (finds accounts that don't run a logon script)
(objectcategory=person)(!scriptPath=*)
No Profile Path (finds accounts that don’t have roaming profiles)
(objectcategory=person)(!profilepath=*)
Must Change Password and Not Disabled (finds nondisabled accounts that must change their password at next logon)
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
UserList Exclude Disabled Account (finds all user accounts except those that are disabled)
(objectCategory=person)(objectClass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
Locked Out Accounts (finds all locked out accounts)
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)
Domain Local Groups (finds groups with Domain Local scope)
(groupType:1.2.840.113556.1.4.803:=4)
Users with Email Address (finds accounts that have an email address)
(objectcategory=person)(mail=*)
Users with No Email Address (finds accounts with no email address)
(objectcategory=person)(!mail=*)
End of Article
)
Register
hlbgiang October 11, 2007 (Article Rating: