
Re: LDAP Query on expired Accounts


JHP

Aug 31, 2005, 3:20:35 PM
I believe this has to do with the returned value being a 64-bit number -
which means you need to get the HighPart and LowPart of the value - Refer to
the following link:

http://www.rlmueller.net/Integer8Attributes.htm

HTH

"Venkman" <Ven...@discussions.microsoft.com> wrote in message
news:4BFF6DF8-8C83-4367...@microsoft.com...
> Hi all!
>
> I'm having a bit of a problem.
> I want to get all users who have an expired account out of my AD using the
> LDAP moniker like in all the examples.
> In the first step I searched for users who have an employeeID, and got them
> via (employeeID=*). This was quite simple.
>
> When I try to get user accounts via (accountExpires=0) I get no records from
> my query. The result of the query is the same when I try to search with
> (accountExpires<>0) or (!accountExpires=0)
> I am sure that my mistake is very simple, but I was not able to find a
> solution yet. Can anybody please point me in the correct direction?
> The goal is to move all expired accounts to a different OU.


JHP

Aug 31, 2005, 4:02:06 PM
Looking a little deeper I confirmed it:

http://www.rlmueller.net/Integer8Discussion.htm

TDM

Aug 31, 2005, 5:03:26 PM

I am pretty sure your problem is related to the fact that the
actual AD property accountExpires is of type "Interval", not really a 0. You
need to convert the property.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_accountexpires.asp

http://www.dbforums.com/archive/index.php/t-964374.html

TDM

Venkman

Sep 1, 2005, 2:56:02 AM

Thanks for the answers. This sure is a way to go, but I thought of using the
"accountExpires" attribute within the LDAP string as a filter like:

query = "<LDAP://OU=USER,OU=ACCOUNT,dc=admin,dc=ms,dc=com>;"
query = query & "(&(objectclass=user)"
query = query & "(accountExpires<>0 ))"
query = query & ";sAMAccountName,accountExpires;onelevel"

I planned to include a reference expiration date in the query to find
accounts that have been expired for 2 weeks - and move them to a different OU.
Is this possible, or do I really have to go through all the accounts in my OU
to check for the expiration date?

TDM

Sep 1, 2005, 10:09:41 AM

Not sure if you can do this via a filter as I chose to simply enumerate all
accounts. It really does not take that long; in my case, with about 93K user
accounts, it takes about 25 seconds for the script to run. Acceptable for me,
maybe not for you. Plus I was after more info than just the account expiration.

In my research during script creation, I started here :

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/attributes_all.asp

What I found important here was the Syntax; this helps you understand the data
type so you can perform additional manipulation if need be. You might also give
this a whack:

(&(objectClass=top)(objectClass=user)(accountExpires=9223372036854775807))

I tried this filter and it returned 52,688 objects in my environment. This
is based on the information for Account-Expires in the link above.


TDM

"Venkman" <Ven...@discussions.microsoft.com> wrote in message

news:9F20AEA6-F326-4607...@microsoft.com...
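Added example, not part of the thread: the Integer8 handling discussed above, carried through to the "expired for 2 weeks" case. It converts between dates and accountExpires values, joins a HighPart/LowPart pair, and builds a filter from the `>=` and `<=` comparisons that LDAP filter syntax provides (there is no `<>`). Function names and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 9223372036854775807)  # both values mean "never expires"

def to_filetime(dt):
    """Timezone-aware datetime -> 100-ns intervals since 1601-01-01 UTC."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(value):
    """Integer8 value -> UTC datetime, or None when the account never expires."""
    if value in NEVER:
        return None
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def from_high_low(high, low):
    """Join the signed 32-bit HighPart/LowPart pair that ADSI returns."""
    return (high << 32) + (low & 0xFFFFFFFF)

def expired_filter(now, grace_days=14):
    """LDAP filter for users whose account expired at least grace_days ago."""
    cutoff = to_filetime(now - timedelta(days=grace_days))
    # No "<>" or strict "<" in LDAP: >=1 drops 0, <=cutoff drops the max value.
    return f"(&(objectClass=user)(accountExpires>=1)(accountExpires<={cutoff}))"

def expired_accounts(records, now, grace_days=14):
    """Client-side equivalent: check (name, accountExpires) pairs after enumeration."""
    cutoff = now - timedelta(days=grace_days)
    out = []
    for name, raw in records:
        when = from_filetime(raw)
        if when is not None and when <= cutoff:
            out.append(name)
    return out

# Constructed sample data, not taken from the thread.
SAMPLE = [
    ("alice", 0),
    ("bob", 9223372036854775807),
    ("carol", to_filetime(datetime(2005, 8, 1, tzinfo=timezone.utc))),
    ("dave", to_filetime(datetime(2005, 9, 10, tzinfo=timezone.utc))),
]

if __name__ == "__main__":
    now = datetime(2005, 9, 15, tzinfo=timezone.utc)
    print(expired_filter(now))
    print(expired_accounts(SAMPLE, now))
```

The same cutoff number can be pasted into the filter portion of an ADO query string; the client-side function mirrors the enumerate-everything approach for cases where other attributes are needed anyway.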
