Have you ever wanted to know, at the click of a button, which accounts have their password set to never expire, or to create a list of all disabled users?

This is where the Active Directory Users and Computers “Saved Queries” feature can be utilised.

Open Active Directory Users and Computers (dsa.msc)

Navigate to Saved Queries

Right Click on Saved Queries
Select New
Select Query

Populate the Name and Description with something meaningful.

Select Define Query

You can now create your query. In this example we will find all disabled users.

From the find dialogue

Select Custom Search

Select Advanced

Paste in the following LDAP query

(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Select OK

Select OK

Click on Saved Query and it will be populated with the information requested.

If you want to export the results into Excel, right-click the query, select Export List and save as a CSV or tab-delimited file. (Top tip: do not use commas in any of your Active Directory fields, as this will displace your columns.)

Other custom queries include:

All users whose password never expires:
(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

All users created after xx/xx/xxxx (01/01/2009)
(&(objectCategory=user)(whenCreated>=20090101000000.0Z))

Must change password at next logon
(&(ObjectCategory=user)(pwdlastSet=0))

Password has expired
(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.804:=8388608))

Account is locked out
(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))

Users who have never logged on
(&(objectCategory=User)(lastLogon=0))

All XP based Operating Systems
(&(objectCategory=computer)(operatingSystemVersion=5.1*))

All Windows 7/2008 R2 based Operating Systems
(&(objectCategory=computer)(operatingSystemVersion=6.1*))

Commonly used LDAP Syntax which can be utilised with the Saved Queries feature.

&  logical and
|  logical or
!  logical not
=  equal to
~=  approximately equal to
>=  equal to or greater than
<=  less than or equal to
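
The userAccountControl filters above depend on two matching-rule OIDs: 1.2.840.113556.1.4.803 is a bitwise AND (every bit in the value must be set) and 1.2.840.113556.1.4.804 is a bitwise OR (any bit set is enough). The following is an added example, not code from the original post; it builds the clauses, evaluates both rules over constructed sample accounts, and builds a whenCreated date-range filter. The function names and the sample accounts are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Matching-rule OIDs that appear in the filters on this page.
BIT_AND = "1.2.840.113556.1.4.803"  # true when ALL bits in the value are set
BIT_OR = "1.2.840.113556.1.4.804"   # true when ANY bit in the value is set

# userAccountControl values used in the queries above.
UAC_FLAGS = {"ACCOUNTDISABLE": 2, "DONT_EXPIRE_PASSWORD": 65536}

def mask_of(*flags):
    """Combine named flags; distinct single bits, so the sum equals their OR."""
    return sum({UAC_FLAGS[f] for f in flags})

def uac_clause(rule_oid, *flags):
    """Build the userAccountControl clause for the given rule and flags."""
    return f"(userAccountControl:{rule_oid}:={mask_of(*flags)})"

def rule_matches(rule_oid, stored, mask):
    """Evaluate a bitwise matching rule against a stored integer value."""
    if rule_oid == BIT_AND:
        return stored & mask == mask
    if rule_oid == BIT_OR:
        return stored & mask != 0
    raise ValueError(f"unsupported matching rule: {rule_oid}")

def generalized_time(dt):
    """Format a timezone-aware datetime as whenCreated expects (UTC)."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")

def created_between(start, end):
    """Filter for users created in [start, end]; one clause per bound."""
    return ("(&(objectCategory=user)"
            f"(whenCreated>={generalized_time(start)})"
            f"(whenCreated<={generalized_time(end)}))")

# Constructed sample data: account name -> userAccountControl (512 = normal).
SAMPLE = {"alice": 512, "bob": 514, "svc-backup": 66048, "old-svc": 66050}

def select(rule_oid, *flags):
    """Names in SAMPLE whose value satisfies the rule for these flags."""
    mask = mask_of(*flags)
    return sorted(n for n, v in SAMPLE.items() if rule_matches(rule_oid, v, mask))

if __name__ == "__main__":
    both = ("ACCOUNTDISABLE", "DONT_EXPIRE_PASSWORD")
    print(uac_clause(BIT_AND, *both), select(BIT_AND, *both))
    print(uac_clause(BIT_OR, *both), select(BIT_OR, *both))
```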

I would recommend experimenting with this feature as you can extract a lot of useful information out of Active Directory without the need for custom code or scripts.

If you need a hand with querying your Active Directory for information, please feel free to contact me as I have just touched on this capability here and there is much more you can achieve with this feature, once you have your head around the syntax and query structure.

Posted by markparris

Microsoft MVP - Enterprise mobility.

8 Comments

  1. Hello,

    Thanks for the update. I have one query:
    I need a query to export an Excel file from AD for the list of active users which were created in the last 6 months, let's say from 1st July 2009 to 28th Feb 2010.

    Thanks,
    B.Sridhar
    sridharb_007@yahoo.com


    1. Try (&(objectCategory=user)(whenCreated>=20090701000000.0Z)(whenCreated<=20100228000000.0Z))


  2. This is an excellent way to query AD quickly


  3. Do you know in which path the queries are saved? I can’t find them in the registry, so it has to be in the user profile, but I can’t find them.


    1. C:\Users\%USERNAME%\AppData\Roaming\Microsoft\MMC\DSA


  4. Do you know where these queries are saved? I would like to move my queries to another machine. Right now I must export each one. There must be a better way.


    1. C:\Users\%USERNAME%\AppData\Roaming\Microsoft\MMC\DSA
