This post provides a number of LDAP Search Favorites for common operations, copy the text of the query and import into the favorites, the samples will be saved in the favorites list as the name in square brackets, see Favorites for more information.
Inactive Users
Return a list of users that have not logged on in the last 60 days and excluded any accounts created in the last 60 days
[Users - Inactive Accounts] Options=660045 Server= BaseDN=##default Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp<={idate:now-60})(&(whencreated<={zdate:now-60})(pwdlastset=0)))) Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails, homeMDB DisplayFilter= Filename= Sort= Authentication=1158 Separator=,
Active Accounts
A simple active users query to display a list of users where the user has logged on or changed their password in the last 60 days, and any account that have been created in the last 60 days but the user has not set their password yet.
[Users - Active Accounts] Options=660036 Server= BaseDN=##default Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-60})(pwdlastset>={idate:now-60})(&(whencreated>={zdate:now-60})(pwdlastset=0)))) Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails, homeMDB DisplayFilter= Filename= Sort= Authentication=1158 Separator=,
Active User with user input
This query is the same as the one above however the static 60 days used above is replaced with a prompt. At execution time a dialog will be displayed to enter the Activity Period. In the query the static 60 has been replaced with {userinput:Activity Period (Days)} to prompt for the value. This Subst is used a number of times in the query but only prompted for once, as the first response is cached and used for subsequent entries with the same label. See Substitutions
[Users - Active Accounts Input] Options=8590594637 Server= BaseDN=##default Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-{userinput:Activity Period (Days)})(pwdlastset>={idate:now-{userinput:Activity Period (Days)}})(&(whencreated>={zdate:now-{userinput:Activity Period (Days)}})(pwdlastset=0)))(|(accountExpires=0)(accountExpires=9223372036854775807)(accountExpires<={idate:now}))) Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails,accountExpires DisplayFilter= Filename= Sort= Authentication=1158 Separator=,
Active Accounts Count
This is the same as the first active accounts queries, but this doesn't display any details of the users, just the count.
[Users - Active Accounts Count] Options=8590594628 Server= BaseDN=##default Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-60})(pwdlastset>={idate:now-60})(&(whencreated>={zdate:now-60})(pwdlastset=0)))) Attributes=1.1 DisplayFilter= Filename= Sort= Authentication=1158 Separator=,
Active Accounts (More Complex)
This query builds on the queries above and include the account expires attributes in the checking.
[Users - Active Accounts AE] Options=8590594637 Server= BaseDN=##default Filter=(&(objectclass=user)(objectcategory=user)(!useraccountcontrol|=2)(|(lastlogontimestamp>={idate:now-60})(pwdlastset>={idate:now-60})(&(whencreated>={zdate:now-60})(pwdlastset=0)))(|(accountExpires=0)(accountExpires=9223372036854775807)(accountExpires<={idate:now}))) Attributes=canonicalname, samaccountname, displayname, description, pwdlastset, accountexpires, lastlogontimestamp, msExchShadowDepartment, msExchWhenMailboxCreated, msExchRecipientDisplayType, msExchRecipientTypeDetails, homeMDB DisplayFilter= Filename= Sort= Authentication=1158 Separator=,
Disable users
This favorite is a input mode Update query which will disable the provided list of SamAccountNames, it will prompt for a change number which will be added to the Info field of each user. See Update Queries for more information about update queries.
Warning: This is a Update Query which will make changes to your AD once the update feature is enabled
[Users - Disable Users]
Options=489626931805
Server=
BaseDN=##default
Filter=(samaccountname=##input)
Attributes=useraccountcontrol=|2:2, info==Account disabled as part of change {userinput:Enter Change Number}\n{attrib:info}
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,
This query will display the current AD tombstone period for deleted\recycled objects.
[AD Tombstone Period] Options=132677 Server= BaseDN=CN=Directory Service,CN=Windows NT,CN=Services,##config Filter=(objectclass=*) Attributes=tombstonelifetime DisplayFilter= Filename= Sort= Authentication=1158 Separator=,
AD Schema Version
This query will display the current AD schema version
[Schema Version - AD] Options=132673 Server= BaseDN=##schema Filter=(objectclass=*) Attributes=objectversion DisplayFilter= Filename= Sort= Authentication=1158 Separator=,
Exchange Schema Version
This query will display the current exchange schema version.
[Schema Version - Exchange] Options=132673 Server= BaseDN=CN=ms-Exch-Schema-Version-Pt,##schema Filter=(objectclass=*) Attributes=rangeupper Filename= Authentication=1158 User= Domain=
OCS Schema Version
This query will display the current OCS\Link\SfB schema version.
[Schema Version - OCS] Options=132673 Server= BaseDN=CN=ms-RTC-SIP-SchemaVersion,##schema Filter=(objectclass=*) Attributes=rangeupper,rangelower Filename= Authentication=1158 User= Domain=
Root DSE
This query will return the default values for the RootDSE
[RootDSE] Options=656901 Server= BaseDN=NULL Filter=(objectclass=*) Attributes= DisplayFilter= Filename= Sort= Authentication=0 Separator=,
RootDSE (Full)
This query will display both the default and optional values of the RootDSE, the values returned are based on the current DC OS and DFF level.
[RootDSE (Full)] Options=132613 Server= BaseDN=NULL Filter=(objectclass=*) Attributes=*,domainControllerFunctionality,domainFunctionality,forestFunctionality,msDS-ReplAllInboundNeighbors,msDS-ReplAllOutboundNeighbors,msDS-ReplConnectionFailures,msDS-ReplLinkFailures,msDS-ReplPendingOps,msDS-ReplQueueStatistics,msDS-TopQuotaUsage,supportedConfigurableSettings,supportedExtension,dsaVersionString,msDS-PortLDAP,msDS-PortSSL,msDS-PrincipalName,serviceAccountInfo,spnRegistrationResult,validfsmos,tokenGroups,usnAtRifm Filename= Authentication=1158 Separator=,