Over the last month I have been working more intensely with Windows 2003 Active Directory. In this process I have found the need to create custom filters to make finding objects and updating security policies easier, so I thought it would be helpful to others to share my set of custom filters.
To use these filters, open the ADUC (Active Directory Users and Computers) snap-in and right-click on Saved Queries. Select 'New', then 'Query'. Click the 'Define Query' button. A new window will open. In the Find drop-down menu, choose 'Custom Search', and click the 'Advanced' tab. Paste the query into the textbox and select 'OK'. Now you can give your query a name and click 'OK' again. You should immediately see the results of your query in the right-hand pane of the snap-in.
User Management
- Locked out Accounts
(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295)(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)))
- All Contacts
(&(objectClass=contact))
- All Users
(&(objectCategory=User)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!objectClass=Contact))
- Disabled User Accounts
(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2))
- Account Passwords Never Expire
(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))
- User Accounts Inactive for 60 Days
(&(&(objectCategory=User)(lastLogonTimeStamp<=XXXX)(!userAccountControl:1.2.840.113556.1.4.803:=2)))
This filter requires a bit of massaging to get it to work correctly. I modified a VBScript to produce the correct number of 100-nanosecond intervals between January 1, 1601 and 60 days prior to the current date, which is the form in which lastLogonTimeStamp is stored. I found the script; however, I cannot remember to whom the credit should belong. The Get_60_Day_Interval.vbs script will respond with a message box containing the long integer you need. You will then need to replace XXXX in the filter with that number (e.g. 127578167790000000). The following is the text of the script:
Dim dtmDate, dbl100NanoSecs
' Number of days of inactivity to look back (the constant name is inherited from the original script)
Const MAXIMUM_PASSWORD_AGE_IN_DAYS = 60
' The date 60 days before now (Now() is local time, so the result is off by at most the UTC offset)
dtmDate = DateAdd("d", -MAXIMUM_PASSWORD_AGE_IN_DAYS, Now())
' Seconds since 1 January 1601 (the FILETIME epoch), scaled to 100-nanosecond intervals
dbl100NanoSecs = 10000000 * (DateDiff("s", "1/1/1601", dtmDate))
' Format with no decimals and no digit grouping so the value is not shown in scientific notation
dbl100NanoSecs = _
FormatNumber(dbl100NanoSecs, 0, False, False, 0)
WScript.Echo ("Value for query = " & dbl100NanoSecs)
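As an added example (my own Python, not the post's script), the same 100-nanosecond computation done in code: it converts between dates and the FILETIME integers that lastLogonTimeStamp holds, substitutes the result for XXXX in the user filter above (the computer filter later on takes the same number), and mirrors how the filter treats an account that has never logged on. The function names are mine.

```python
from datetime import datetime, timedelta, timezone

# lastLogonTimeStamp is a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 00:00:00 UTC. TICKS_PER_SECOND is the 10000000 in the VBScript.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# The "User Accounts Inactive for 60 Days" filter from the post, placeholder intact.
INACTIVE_USER_FILTER = (
    "(&(objectCategory=User)(lastLogonTimeStamp<=XXXX)"
    "(!userAccountControl:1.2.840.113556.1.4.803:=2))"
)


def filetime_from_datetime(dt):
    """datetime -> FILETIME integer. A naive datetime is treated as local time,
    which is what Now() gives the VBScript; pass an aware datetime to be exact."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def datetime_from_filetime(filetime):
    """FILETIME integer -> aware UTC datetime (sub-microsecond ticks dropped).
    Handy for sanity-checking a value before pasting it into a saved query."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def inactivity_threshold(days, now=None):
    """FILETIME of `days` days before `now`: the number Get_60_Day_Interval.vbs prints."""
    now = now or datetime.now(timezone.utc)
    return filetime_from_datetime(now - timedelta(days=days))


def build_inactive_user_filter(days, now=None):
    """Substitute the threshold for XXXX so the filter can be pasted into ADUC."""
    return INACTIVE_USER_FILTER.replace("XXXX", str(inactivity_threshold(days, now)))


def matches_inactive_filter(last_logon_timestamp, threshold):
    """Mirror the LDAP '<=' test for one account. An account that has never logged
    on has no lastLogonTimeStamp at all (None here), and '<=' on an absent attribute
    does not match, so such accounts are NOT returned by the filter. Note also that
    lastLogonTimeStamp is only updated when the stored value is more than about
    14 days old (default msDS-LogonTimeSyncInterval), so it can lag by up to 14 days."""
    if last_logon_timestamp is None:
        return False
    return last_logon_timestamp <= threshold
```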
Computer Management
- Disabled Computer Accounts
(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))
- All Computer Accounts
(&(objectCategory=computer)(name=*))
- Windows XP Computers
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows XP*))
- Windows Server 2003
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=*Server 2003))
- Windows 2000 Server
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows 2000 Server*))
- Windows NT
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows NT*))
- Windows 2000
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows 2000*))
- Windows Server 2003 no Service Packs
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=*Server 2003)(!operatingSystemServicePack=*))
- Windows XP no Service Packs
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows XP*)(!operatingSystemServicePack=*))
- Windows 2000 no Service Packs
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows 2000*)(!operatingSystemServicePack=*))
- Computer Accounts Inactive for 60 Days
(&(objectCategory=Computer)(lastLogonTimeStamp<=XXXX)(!userAccountControl:1.2.840.113556.1.4.803:=2))
Again, this filter uses the Get_60_Day_Interval.vbs script; replace XXXX in the filter with the number it produces (e.g. 127578167790000000).
Group Management
- All Distribution Groups
(&(objectCategory=group)(sAMAccountType=268435457))
- Mail Enabled Groups
(&(objectCategory=group)(mail=*)(!sAMAccountType=268435457))
- All Empty Groups
(&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))(objectCategory=group)(!member=*)))