LDAP Search – Base DN Formats

Active Directory supports a number of different formats for the Base DN field: Distinguished Name, GUID and SID.

Distinguished Name is based on RFC 4514, e.g. CN=user1,CN=users,DC=domain,DC=com

GUID provides the GUID of an object which will be used as the base for searches, i.e. <GUID=01f04883-d68e-4367-8ad1-a2faa79a2e5a>

SID format is the same as GUID but the entry is based on a SID i.e. <SID=S-1-5-21-2816452191-2840564649-4223122534-1000>

The SID and GUID options, with the Search Scope set to Base Level, can be used as a quick search for users or other objects in the AD based on the GUID or SID. The SIDs and GUIDs are entered in standard readable format.
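Active Directory stores objectGUID and objectSid as binary values, while the Base DN field takes the readable form. The following is an added example, not part of NetTools or the original page, that converts the binary encodings into the <GUID=...> and <SID=...> forms shown above; the function names and the sample byte strings are constructed for illustration.

```python
import struct
import uuid

# Constructed sample values: binary encodings of the GUID and SID quoted above.
SAMPLE_GUID = bytes.fromhex("8348f0018ed667438ad1a2faa79a2e5a")
SAMPLE_SID = (
    bytes([1, 5])                 # revision 1, five sub-authorities
    + (5).to_bytes(6, "big")      # identifier authority 5, big-endian
    + struct.pack("<5I", 21, 2816452191, 2840564649, 4223122534, 1000)
)


def guid_base_dn(object_guid: bytes) -> str:
    """Format a 16-byte objectGUID value as a <GUID=...> Base DN."""
    if len(object_guid) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    # The first three GUID fields are stored little-endian (bytes_le layout).
    return f"<GUID={uuid.UUID(bytes_le=object_guid)}>"


def sid_to_string(object_sid: bytes) -> str:
    """Decode a binary objectSid into the readable S-R-A-S1-S2... form."""
    if len(object_sid) < 8:
        raise ValueError("SID is shorter than its fixed 8-byte header")
    revision, count = object_sid[0], object_sid[1]
    if len(object_sid) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(object_sid[2:8], "big")
    # Sub-authorities are unsigned 32-bit little-endian integers.
    subs = struct.unpack(f"<{count}I", object_sid[8:])
    return "S-" + "-".join(str(part) for part in (revision, authority, *subs))


def sid_base_dn(object_sid: bytes) -> str:
    """Format a binary objectSid value as a <SID=...> Base DN."""
    return f"<SID={sid_to_string(object_sid)}>"


if __name__ == "__main__":
    print(guid_base_dn(SAMPLE_GUID))
    print(sid_base_dn(SAMPLE_SID))
```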

LDAP Search – Enums

NetTools includes over 50 predefined enumerations to decode the values assigned to specific attributes; these include the definitions of the associated values assigned to the attributes. An example would be the UserAccountControl attribute, which is shown below. To display the Enums dialog, click on the button at the end of the filter field.

The dialog can be used to browse the predefined entries and from the context menus, the values can then be used in filters.

There are two types of Enums defined in NetTools, Bit and Value. The Bit enums are used for attributes that use a bit mask to define the function of the attribute, where a single bit in the value is used to represent an enabled or disabled state of an option. The Value type is used for attributes that have a single value to represent the function.

The Enums are used by attributes that have the ATTRIBENUM or ATTRIBENUM_NONUM decode type assigned; the attribute name is then used to look up the corresponding enums assigned to that attribute. Currently there is no method for a user to add additional Enums to NetTools; they are statically defined in the program.

LDAP Search – Credentials

Note: The Credentials option was deprecated in version 1.28.0 and replaced with Connection Profiles

LDAP Search provides the ability to specify the credentials under which a query will be executed. It also provides the ability to select the authentication method that will be used to pass the credentials to the server.

The Credentials dialog is found when the More button is pressed.

There are nine different authentication methods available:

LDAP_AUTH_SIMPLE, this method requires the DN of the account and password, domain is not required
LDAP_AUTH_DIGEST, Digest authentication package
LDAP_AUTH_DPA, Distributed password authentication. Used by Microsoft Membership System
LDAP_AUTH_MSN, Microsoft Network Authentication Service
LDAP_AUTH_NTLM, this method uses NTLM to authenticate against the directory
LDAP_AUTH_SICILY, covers package negotiation to MSN servers
LDAP_AUTH_DIGEST, this method requires the samaccountname and password
LDAP_AUTH_NEGOTIATE, this method requires either, samaccountname or UPN and password, the domain is optional
ANONYMOUS, the username and password are not required.

See the following MS Article for more details ldap_bind_s

Warning: With the simple bind method the password is sent in clear text to the server; you should use this method in association with an SSL-based connection to protect the password.

The default behavior of NetTools is to use the negotiate method. When connecting to an Active Directory, you don't need to provide any credentials; the current user's context will be used based on Kerberos authentication.

A number of other options in NetTools use the credentials provided in this dialog to run the option under a different or elevated set of credentials, this is shown as Use the LDAP Search Credentials.

Copy to new Window

The Copy to new Window context menu provides the ability to copy the results from the current output pane in NetTools to a new separate detached window. The new window provides the ability to sort and filter the view based on a number of selection criteria.

By right clicking on the column headers, the filter dialog box will be displayed.  This allows the entries in the column to be filtered based on a text filter or a contents selection.  You can select a text or context filter, or both.

The Text Filter provides the following filter options:

      • Equals
      • Does not Equal
      • Begins With
      • Does not begin with
      • Ends with
      • Does not end with
      • Contains
      • Does not contain

The Column Filter section displays all the unique items in the column, using the check boxes you can select which items will be displayed. 

When a column filter is applied, the heading of the column is appended with the text '- (filtered)'. The Clear All button will remove all the filters that have been applied.

The filter function supports up to a maximum of 200 columns. If the output field contains more than 200 columns, a warning message is displayed and the filtering option is disabled.

LDAP Search – LDAP Filter Wizard

The LDAP Filter Wizard provides the ability to display and edit LDAP filters in a hierarchical view. 

The LDAP Filter Wizard provides the following features:

      • Drag and drop to move items around
      • Insert new operators and conditions
      • Change existing operators and conditions
      • Selection of classes and Attributes from dropdown list

The Operators, AND, OR, NOT, and Filter, have a dual function: one to show the operation of the currently selected item, and two to select the operation for the New and Change operations. When the New Parent or New Child buttons are pressed, the new item will be added based on the selected Operator. When the Change button is pressed, the selected item will change to the selected Operator. With the Filter Operator you can select the required attribute or class from the dropdown list; additional text can be added to complete the condition before the item is added.

The Delete Button will delete all items under the selected item. If you wish to preserve any of the items under the selected item, they must be moved to another point in the filter before the item is deleted.

If you click twice on an item in the hierarchical view, it will allow you to edit the details of the item.

The MS LDAP API and NetTools will accept fully compliant RFC4515 Not statements or the abbreviated alternative.  With RFC4515 the Not statement must be constructed as such (!(condition)) i.e. (!(objectclass=user)), while the MS LDAP API will accept the abbreviated form of (!condition) i.e. (!objectclass=user).  When the RFC4515 option is selected the wizard will return compliant Not statements.  The LDAP Filter Wizard is able to read both formats.

The example shown is using a number of the substitution options, see LDAP Search Substitution
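The abbreviated Not form described above does not match the RFC 4515 grammar, so a filter written that way can be rejected when it is reused with a strictly compliant LDAP parser. The following is an added example, not NetTools code, that rewrites abbreviated Not statements into the compliant form while leaving {...} substitutions untouched; the function names are hypothetical and the sample filters are taken from or modelled on this page.

```python
def _skip_braces(text: str, start: int) -> int:
    """Return the index just past the {...} substitution opening at start."""
    depth = 0
    for pos in range(start, len(text)):
        if text[pos] == "{":
            depth += 1
        elif text[pos] == "}":
            depth -= 1
            if depth == 0:
                return pos + 1
    raise ValueError("unterminated { substitution")


def to_rfc4515_not(text: str) -> str:
    """Rewrite (!condition) as (!(condition)); compliant input is unchanged."""
    out = []
    i = 0
    while i < len(text):
        if text[i] == "{":
            # Copy substitutions verbatim: they may contain ( and ) themselves,
            # e.g. {userinput:Activity Period (Days)}.
            end = _skip_braces(text, i)
            out.append(text[i:end])
            i = end
        elif text.startswith("(!", i) and text[i + 2:i + 3] != "(":
            # Abbreviated form: the condition runs to the next ) outside braces.
            j = i + 2
            while j < len(text) and text[j] != ")":
                j = _skip_braces(text, j) if text[j] == "{" else j + 1
            if j >= len(text):
                raise ValueError("unterminated Not statement")
            if j == i + 2:
                raise ValueError("empty Not statement")
            out.append("(!(" + text[i + 2:j] + "))")
            i = j + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    for sample in ("(!objectclass=user)", "(!(objectclass=user))"):
        print(sample, "->", to_rfc4515_not(sample))
```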

LDAP Search – Static DecodeTypes

NetTools defines a number of attributes with static DecodeTypes; this is the list of attributes that have been defined. The internal constant is used in the list, for example DYN_DECODE_GUID maps to GUID in the attribute Decode list. See DecodeTypes for more information.

Attribute Assigned DecodeType
accountExpires DYN_DECODE_64TIME
aelita-Amm-SourceGUID DYN_DECODE_GUID
aelita-Amm-SourceSID DYN_DECODE_SID
aelita-Amm-TargetGUID DYN_DECODE_GUID
aelita-Amm-TargetSID DYN_DECODE_SID
attributeCertificateAttribute DYN_DECODE_CERT
attributeSecurityGUID DYN_DECODE_GUID
attributeSyntax DYN_DECODE_ATTRIBENUM
badpasswordtime DYN_DECODE_64TIME
cacertificate DYN_DECODE_CERT
certificateRevocationList DYN_DECODE_CRL
createtimestamp DYN_DECODE_GTFTIME
creationtime DYN_DECODE_64TIME
crossCertificatePair DYN_DECODE_CERT
currenttime DYN_DECODE_GTFTIME
deltaRevocationList DYN_DECODE_CRL
dnsproperty DYN_DECODE_BINARY
dnsrecord DYN_DECODE_DNSRECORD
domainControllerFunctionality DYN_DECODE_ATTRIBENUM
domainFunctionality DYN_DECODE_ATTRIBENUM
dsasignature DYN_DECODE_BINARY
dSASignature DYN_DECODE_DSA_SIG
dSCorePropagationData DYN_DECODE_GTFTIME
forestFunctionality DYN_DECODE_ATTRIBENUM
grouptype DYN_DECODE_ATTRIBENUM
IndSS-ActualDate DYN_DECODE_64DATE_UTC
IndSS-PlannedDate DYN_DECODE_64DATE_UTC
IndSS-TaskLastRun DYN_DECODE_64TIME_UTC
instancetype DYN_DECODE_ATTRIBENUM
Invocationid DYN_DECODE_GUID
lastLogon DYN_DECODE_64TIME
lastLogonTimestamp DYN_DECODE_64TIME
lockoutDuration DYN_DECODE_PWDSEC
lockOutObservationWindow DYN_DECODE_PWDSEC
lockoutTime DYN_DECODE_64TIME
maxPwdAge DYN_DECODE_PWDSEC
minPwdAge DYN_DECODE_PWDSEC
modifytimestamp DYN_DECODE_GTFTIME
msDFS-TargetListv2 DYN_DECODE_UNICODE
msds-behavior-version DYN_DECODE_ATTRIBENUM
mS-DS-ConsistencyGuid DYN_DECODE_GUID
msDS-LockoutDuration DYN_DECODE_PWDSEC
msDS-LockoutObservationWindow DYN_DECODE_PWDSEC
msds-ManagedPassword DYN_DECODE_GMSAPWD
msDS-ManagedPasswordId DYN_DECODE_GMSAPWDID
msDS-ManagedPasswordPreviousId DYN_DECODE_GMSAPWDID
msDS-MaximumPasswordAge DYN_DECODE_PWDSEC
msDS-MinimumPasswordAge DYN_DECODE_PWDSEC
msDS-ReplAttributeMetaData DYN_DECODE_META
msDS-ReplValueMetaData DYN_DECODE_METAV
msDS-RequiredForestBehaviorVersion DYN_DECODE_ATTRIBENUM
msDS-RequiredDomainBehaviorVersion DYN_DECODE_ATTRIBENUM
msds-SupportedEncryptionTypes DYN_DECODE_ATTRIBENUM
msDS-TrustForestTrustInfo DYN_DECODE_MSTRUST
msds-user-account-control-computed DYN_DECODE_ATTRIBENUM
msDS-UserPasswordExpiryTimeComputed DYN_DECODE_64DATE_UTC
msExchArchiveGUID DYN_DECODE_GUID
msExchMailboxGuid DYN_DECODE_GUID
msExchMailboxSecurityDescriptor DYN_DECODE_SD
msExchMasterAccountSid DYN_DECODE_SID
msExchOMAAdminWirelessEnable DYN_DECODE_ATTRIBENUM
msExchModerationFlags DYN_DECODE_ATTRIBENUM
msExchRecipientDisplayType DYN_DECODE_ATTRIBENUM
msExchRecipientTypeDetails DYN_DECODE_ATTRIBENUM
msExchRemoteRecipientType DYN_DECODE_ATTRIBENUM
msExchSafeSendersHash DYN_DECODE_BINARY
msexchuseraccountcontrol DYN_DECODE_ATTRIBENUM
msFVE-KeyPackage DYN_DECODE_BINARY
msFVE-VolumeGuid DYN_DECODE_GUID
msFVE-RecoveryGuid DYN_DECODE_GUID
msKds-CreateTime DYN_DECODE_64TIME
msKds-KDFParam DYN_DECODE_BINARY
msKds-RootKeyData DYN_DECODE_BINARY
msKds-SecretAgreementParam DYN_DECODE_BINARY
msKds-UseStartTime DYN_DECODE_64TIME
ms-Mcs-AdmPwdExpirationTime DYN_DECODE_64DATE_UTC
msMQDigests DYN_DECODE_BINARY
mSMQSignCertificates DYN_DECODE_BINARY
mspki-certificate-name-flag DYN_DECODE_ATTRIBENUM
mspki-enrollment-flag DYN_DECODE_ATTRIBENUM
mspki-private-key-flag DYN_DECODE_ATTRIBENUM
msrtcsip-archivedefaultflags DYN_DECODE_ATTRIBENUM
msrtcsip-archivingenabled DYN_DECODE_ATTRIBENUM
msrtcsip-archivingserverversion DYN_DECODE_ATTRIBENUM
msrtcsip-enablefederation DYN_DECODE_ATTRIBENUM
msrtcsip-meetingflags DYN_DECODE_ATTRIBENUM
msrtcsip-optionflags DYN_DECODE_ATTRIBENUM
msRTCSIP-OriginatorSid DYN_DECODE_SID
msrtcsip-poolfunctionality DYN_DECODE_ATTRIBENUM
msrtcsip-pooltype DYN_DECODE_ATTRIBENUM
msrtcsip-poolversion DYN_DECODE_ATTRIBENUM
msrtcsip-serverversion DYN_DECODE_ATTRIBENUM
msrtcsip-sourceobjecttype DYN_DECODE_ATTRIBENUM
msrtcsip-trustedserverversion DYN_DECODE_ATTRIBENUM
msrtcsip-ucflags DYN_DECODE_ATTRIBENUM
msRTCSIP-UserRoutingGroupId DYN_DECODE_GUID
mSSMSRangedIPHigh DYN_DECODE_IP_W
mSSMSRangedIPLow DYN_DECODE_IP_W
ntmixeddomain DYN_DECODE_ATTRIBENUM
ntsecuritydescriptor DYN_DECODE_SD
objectclasscategory DYN_DECODE_ATTRIBENUM
ObjectGUID DYN_DECODE_GUID
ObjectSID DYN_DECODE_SID
omobjectclass DYN_DECODE_BEROID
oMSyntax DYN_DECODE_ATTRIBENUM
pkidefaultkeyspec DYN_DECODE_ATTRIBENUM
pkiexpirationperiod DYN_DECODE_PERIOD
pkikeyusage DYN_DECODE_ATTRIBENUM
pkioverlapperiod DYN_DECODE_PERIOD
pktGUID DYN_DECODE_GUID
pwdLastSet DYN_DECODE_64TIME
pwdproperties DYN_DECODE_ATTRIBENUM_NONUM
replPropertyMetaData DYN_DECODE_BINARY
repluptodatevector DYN_DECODE_BINARY
replUpToDateVector DYN_DECODE_REPL_UTDV
repsfrom DYN_DECODE_BINARY
repsfrom DYN_DECODE_REPSINFO
repsto DYN_DECODE_BINARY
repsto DYN_DECODE_REPSINFO
ridallocationpool DYN_DECODE_RIDPOOL
ridavailablepool DYN_DECODE_RIDPOOL
ridpreviousallocationpool DYN_DECODE_RIDPOOL
samaccounttype DYN_DECODE_ATTRIBENUM
schemaFlagsEx DYN_DECODE_ATTRIBENUM
schemaIDGUID DYN_DECODE_GUID
sdrightseffective DYN_DECODE_ATTRIBENUM
searchflags DYN_DECODE_ATTRIBENUM
securityIdentifier DYN_DECODE_SID
sidhistory DYN_DECODE_SID
supportedcapabilities DYN_DECODE_ATTRIBENUM
supportedcontrol DYN_DECODE_ATTRIBENUM
supportedextension DYN_DECODE_ATTRIBENUM
systemflags DYN_DECODE_ATTRIBENUM
tokengroups DYN_DECODE_SID
tokenGroupsGlobalAndUniversal DYN_DECODE_SID
tokenGroupsNoGCAcceptable DYN_DECODE_SID
trustattributes DYN_DECODE_ATTRIBENUM
trustdirection DYN_DECODE_ATTRIBENUM
trusttype DYN_DECODE_ATTRIBENUM
useraccountcontrol DYN_DECODE_ATTRIBENUM
userCertificate DYN_DECODE_CERT
userparameters DYN_DECODE_BINARY
userSMIMECertificate DYN_DECODE_CERT
validaccesses DYN_DECODE_ATTRIBENUM
WhenChanged DYN_DECODE_GTFTIME
Whencreated DYN_DECODE_GTFTIME

Dynamic & Sort Attributes Options

The Dynamic and Sort Attributes options control how attributes are decoded and sorted in the LDAP Search table view.

When the Dynamic Attributes option is selected, before the user query is run, NetTools will query the Schema for all attributes that match the following criteria:

  • Any attributes that have an Attribute Syntax of 2.5.5.12 (Sec-Desc); the decode type is set to DYN_DECODE_SD for these attributes
  • Any attributes that have an Attribute Syntax of 2.5.5.17 (SID); the decode type is set to DYN_DECODE_SID for these attributes
  • Any attributes that have an Attribute Syntax of 2.5.5.11 (Generalized Date); the decode type is set to DYN_DECODE_GTFTIME for these attributes
  • Any attributes that have an Attribute Syntax of 2.5.5.10 (Octet), a fixed length of 16 and a name that contains GUID; the decode type is set to DYN_DECODE_GUID for these attributes

If the Sort Attributes option is also enabled, the following additional decode types will be set; this is to support the correct sorting of attribute data in the table view.

  • Any attributes that have Attribute Syntax of 2.5.5.16 (Large-integer) will be set to a decode type of DYN_DECODE_LARGEINT
  • Any attributes that have Attribute Syntax of 2.5.5.9 (Integer) will be set to a decode type of DYN_DECODE_INT

Attributes that have their DecodeType set by this process are shown in the Define Decode dialog with a type of Dynamic.

Having both options selected does result in more data being downloaded from the server. If the server is at the end of a slow link, deselecting these options will increase the speed, but at the cost of functionality.

LDAP Search – Populate

The LDAP Search Populate button is used to load a number of configuration options from the server; these details are then used to enable a number of other features in LDAP Search. This article provides the details of the features that are enabled. The Populate button is shown below.

When the button is pressed the RootDSE for the server is retrieved and the following details are populated.

  • Sets the ##default, ##config, and ##schema variables with the corresponding naming contexts. See LDAP Search Favorites
  • Sets the server field to the server that provided the RootDSE
  • Sets the BaseDN field to the default naming context in the RootDSE; if the server is not AD, this will be set to the first non-Configuration based NC
  • Instantiates the LDAP API so filter validation is enabled
  • If the Auto Complete option is enabled, the complete list of attributes is also downloaded from the server and the Attribute List button is enabled
  • The complete list of Attributes and classes are available in the LDAP Filter Wizard

LDAP Favorites

This post provides a number of LDAP Search Favorites for common operations. Copy the text of the query and import it into the favorites; the samples will be saved in the favorites list under the name in square brackets. See Favorites for more information.

Inactive Users
Return a list of users that have not logged on in the last 60 days, excluding any accounts created in the last 60 days.

[Users - Inactive Accounts]
Options=660045
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp<={idate:now-60})(&(whencreated<={zdate:now-60})(pwdlastset=0))))
Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails, homeMDB
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,
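To run the same stale-account check outside NetTools, the substitutions have to be expanded into plain LDAP values. The following is an added example, not part of NetTools or the original page, that builds the equivalent filter and applies the same test to exported entries. It assumes that useraccountcontrol|=2 is a bitwise test of the disabled bit, that {idate:now-60} expands to a 64-bit Windows time integer and that {zdate:now-60} expands to a generalized-time string; all function names and sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NO_DATE = (0, 9223372036854775807)   # values the page's filters treat as "not set"
BIT_AND = "1.2.840.113556.1.4.803"   # AD bitwise-AND matching rule
ACCOUNTDISABLE = 2                   # userAccountControl bit tested by the favorite


def to_filetime(moment: datetime) -> int:
    """Timezone-aware datetime -> 100-nanosecond intervals since 1601-01-01 UTC."""
    delta = moment - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(value: int):
    """64-bit time integer -> aware datetime, or None for the 'not set' values."""
    if value in NO_DATE:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def to_generalized_time(moment: datetime) -> str:
    """Format used by whenCreated and other generalized-time attributes."""
    return moment.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def inactive_users_filter(now: datetime, days: int = 60) -> str:
    """Plain-LDAP form of the [Users - Inactive Accounts] filter (assumed expansion)."""
    cutoff = now - timedelta(days=days)
    return (
        "(&(objectClass=user)(objectCategory=user)"
        f"(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE}))"
        f"(|(lastLogonTimestamp<={to_filetime(cutoff)})"
        f"(&(whenCreated<={to_generalized_time(cutoff)})(pwdLastSet=0))))"
    )


def is_inactive(entry: dict, now: datetime, days: int = 60) -> bool:
    """Apply the same test to one exported entry (ints plus a datetime whenCreated)."""
    cutoff = now - timedelta(days=days)
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return False                  # disabled accounts are excluded by the filter
    last_logon = from_filetime(entry.get("lastLogonTimestamp", 0))
    # A missing lastLogonTimestamp never matches the <= comparison in LDAP either.
    stale_logon = last_logon is not None and last_logon <= cutoff
    never_set = entry["whenCreated"] <= cutoff and entry.get("pwdLastSet", 0) == 0
    return stale_logon or never_set


if __name__ == "__main__":
    print(inactive_users_filter(datetime.now(timezone.utc)))
```

lastLogonTimestamp is replicated lazily and by default can trail the real last logon by up to about 14 days, so treat the cutoff as approximate.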

Active Accounts
A simple active users query to display a list of users where the user has logged on or changed their password in the last 60 days, and any accounts that have been created in the last 60 days but where the user has not set their password yet.

[Users - Active Accounts]
Options=660036
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-60})(pwdlastset>={idate:now-60})(&(whencreated>={zdate:now-60})(pwdlastset=0))))
Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails, homeMDB
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Active User with user input
This query is the same as the one above however the static 60 days used above is replaced with a prompt.  At execution time a dialog will be displayed to enter the Activity Period.  In the query the static 60 has been replaced with {userinput:Activity Period (Days)} to prompt for the value.  This Subst is used a number of times in the query but only prompted for once, as the first response is cached and used for subsequent entries with the same label.  See Substitutions

[Users - Active Accounts Input]
Options=8590594637
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-{userinput:Activity Period (Days)}})(pwdlastset>={idate:now-{userinput:Activity Period (Days)}})(&(whencreated>={zdate:now-{userinput:Activity Period (Days)}})(pwdlastset=0)))(|(accountExpires=0)(accountExpires=9223372036854775807)(accountExpires<={idate:now})))
Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails,accountExpires
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Active Accounts Count
This is the same as the first active accounts query, but it doesn't display any details of the users, just the count.

[Users - Active Accounts Count]
Options=8590594628
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-60})(pwdlastset>={idate:now-60})(&(whencreated>={zdate:now-60})(pwdlastset=0))))
Attributes=1.1
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Active Accounts (More Complex)
This query builds on the queries above and includes the account expires attribute in the checking.

[Users - Active Accounts AE]
Options=8590594637
Server=
BaseDN=##default
Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-60})(pwdlastset>={idate:now-60})(&(whencreated>={zdate:now-60})(pwdlastset=0)))(|(accountExpires=0)(accountExpires=9223372036854775807)(accountExpires<={idate:now})))
Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails, homeMDB
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Disable users
This favorite is an input mode Update query which will disable the provided list of SamAccountNames. It will prompt for a change number which will be added to the Info field of each user. See Update Queries for more information about update queries.

Warning: This is an Update Query which will make changes to your AD once the update feature is enabled

[Users - Disable Users]
Options=489626931805
Server=
BaseDN=##default
Filter=(samaccountname=##input)
Attributes=useraccountcontrol=|2:2, info==Account disabled as part of change {userinput:Enter Change Number}\n{attrib:info}
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

AD Tombstone Period
This query will display the current AD tombstone period for deleted\recycled objects.

[AD Tombstone Period]
Options=132677
Server=
BaseDN=CN=Directory Service,CN=Windows NT,CN=Services,##config
Filter=(objectclass=*)
Attributes=tombstonelifetime
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

AD Schema Version
This query will display the current AD schema version

[Schema Version - AD]
Options=132673
Server=
BaseDN=##schema
Filter=(objectclass=*)
Attributes=objectversion
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,

Exchange Schema Version
This query will display the current exchange schema version.

[Schema Version - Exchange]
Options=132673
Server=
BaseDN=CN=ms-Exch-Schema-Version-Pt,##schema
Filter=(objectclass=*)
Attributes=rangeupper
Filename=
Authentication=1158
User=
Domain=

OCS Schema Version
This query will display the current OCS\Lync\SfB schema version.

[Schema Version - OCS]
Options=132673
Server=
BaseDN=CN=ms-RTC-SIP-SchemaVersion,##schema
Filter=(objectclass=*)
Attributes=rangeupper,rangelower
Filename=
Authentication=1158
User=
Domain=

Root DSE
This query will return the default values for the RootDSE

[RootDSE]
Options=656901
Server=
BaseDN=NULL
Filter=(objectclass=*)
Attributes=
DisplayFilter=
Filename=
Sort=
Authentication=0
Separator=,

RootDSE (Full)
This query will display both the default and optional values of the RootDSE, the values returned are based on the current DC OS and DFF level.

[RootDSE (Full)]
Options=132613
Server=
BaseDN=NULL
Filter=(objectclass=*)
Attributes=*,domainControllerFunctionality,domainFunctionality,forestFunctionality,msDS-ReplAllInboundNeighbors,msDS-ReplAllOutboundNeighbors,msDS-ReplConnectionFailures,msDS-ReplLinkFailures,msDS-ReplPendingOps,msDS-ReplQueueStatistics,msDS-TopQuotaUsage,supportedConfigurableSettings,supportedExtension,dsaVersionString,msDS-PortLDAP,msDS-PortSSL,msDS-PrincipalName,serviceAccountInfo,spnRegistrationResult,validfsmos,tokenGroups,usnAtRifm
Filename=
Authentication=1158
Separator=,

LDAP Search – Conditional Attributes

Conditional Attributes allow the user to define the value that is returned based on a true or false conditional statement that is assessed for each object returned by the query. The condition comprises two variables and a logic operator, and two results. The variables and results can be based on attributes or static entries.

A Conditional Attribute has the following Syntax:

<Attribute>;{if:<Variable1>[;DataType] <Op> <Variable2>:<True Result>:<False Result>}{;DecodeType}

Attribute - The name that the value will be returned against; the name will be displayed as if it's an attribute of the object.
Variable1, Variable2 - These are the values that will be compared; these can be attributes of the object or static values. Attributes are referenced by specifying the name of the attribute. The meta type can also be used as the attribute. For static values, encapsulate the value in quote marks. A wildcard character * can be used in a static value for Variable2, to find the value anywhere in the value returned by the attribute, i.e. "*disable"

Op - Defines the logical operator used to compare the two variables:

== Equal
!= Not Equal
>= Greater or equal
<= Less or equal
> Greater than
< Less than

DataTypes - Defines if the variable needs to be converted into a different format before the comparison is completed. If the DataType is only provided for one variable then both variables are converted to the specified DataType.
The following DataTypes are supported:

Int - Convert the variable to an Integer
Date - Convert the variable to a Date
Len - Returns the length of the variable, if the DataType of the other variable is not specified then Int DataType is assumed

True Result - The value that will be returned if the condition is true
False Result - The value that will be returned if the condition is false
The result values can also be attributes or static values and use the same formatting as the variables.  The attribute can also use the meta data datatype.

DecodeType - This is used to convert the output using the DecodeTypes.  See Decode Types

Examples:

Updated;{if:usnchanged!=usncreated:"Updated":"Unchanged"}
Active;{if:useraccountcontrol=="*disable":"False":"True"}
LogonTime;{if:lastlogon;date>lastlogontimestamp:lastlogon:lastlogontimestamp}
Changed;{if:meta.time.unicodepwd!=pwdlastset:"invalid":"valid"}

Both the Variables and Results can use any of the filter substitution options, in this case they must be defined as static entries, i.e. encapsulated in quote marks. See Substitutions
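To show how the syntax above decomposes, the following is an added example, not NetTools code, that parses a Conditional Attribute and evaluates it against one entry. It assumes the entry is a dict of lower-cased attribute names to displayed values, that Date values are supplied as raw 64-bit time integers, and that the * wildcard is a case-insensitive substring match; the DecodeType is parsed but not applied, and the sample entry is constructed.

```python
import operator
import re

TERM = r'(?:"[^"]*"|[\w.\-]+)'       # quoted static value or attribute name
SYNTAX = re.compile(
    rf'^(?P<name>[^;{{}}]+);\{{if:(?P<v1>{TERM})(?:;(?P<t1>int|date|len))?\s*'
    rf'(?P<op>==|!=|>=|<=|>|<)\s*(?P<v2>{TERM})(?:;(?P<t2>int|date|len))?'
    rf':(?P<yes>{TERM}):(?P<no>{TERM})\}}(?:;(?P<decode>\w+))?$',
    re.IGNORECASE,
)
OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}

# Constructed sample entry (values as they might be displayed for one user).
SAMPLE_ENTRY = {
    "usnchanged": "48211", "usncreated": "12045",
    "useraccountcontrol": "ACCOUNTDISABLE | NORMAL_ACCOUNT",
    "lastlogon": "133433568000000000", "lastlogontimestamp": "133425000000000000",
}


def _resolve(term, entry):
    """Static values are quoted; anything else is an attribute of the entry."""
    return term[1:-1] if term.startswith('"') else entry.get(term.lower(), "")


def _convert(value, dtype):
    if dtype == "len":
        return len(str(value))
    if dtype in ("int", "date"):     # assumption: dates arrive as raw integers
        return int(value)
    return str(value)


def evaluate(expression, entry):
    """Return (attribute name, result) for one Conditional Attribute."""
    m = SYNTAX.match(expression.strip())
    if m is None:
        raise ValueError(f"not a conditional attribute: {expression!r}")
    t1, t2 = (m["t1"] or "").lower(), (m["t2"] or "").lower()
    # A DataType on one side applies to both; Len pairs with Int on the other side.
    if t1 and not t2:
        t2 = "int" if t1 == "len" else t1
    elif t2 and not t1:
        t1 = "int" if t2 == "len" else t2
    left, right = _resolve(m["v1"], entry), _resolve(m["v2"], entry)
    if m["v2"].startswith('"*') and m["op"] in ("==", "!="):
        found = right[1:].lower() in str(left).lower()
        outcome = found if m["op"] == "==" else not found
    else:
        outcome = OPS[m["op"]](_convert(left, t1), _convert(right, t2))
    return m["name"], _resolve(m["yes"] if outcome else m["no"], entry)


if __name__ == "__main__":
    print(evaluate('Active;{if:useraccountcontrol=="*disable":"False":"True"}', SAMPLE_ENTRY))
```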