DirectorySearcher - Clauses and keywords for search [Answered]RSS

• • Reply
  shoab shah

  Member

  2 Points

  58 Posts

  DirectorySearcher - Clauses and keywords for search

  Aug 14, 2016 11:59 AM|shoab shah|LINK

  Hi All,

  I am very new to working Active directory. After spending some time on web i was able to get code for getting users from active directory using DirectorySearcher class. However i am facing hard time in getting a list of all supported clauses and keywords of search.

  The only link i was able to get is https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx. But got only few keywords.

  Kindly share links / list of keywords and clauses. Below are some i found;

  1. &(objectClass=user)
  2. (objectCategory=person)
  3. (manager=...)
  4. (!msExchResourceMetaData=ResourceType:Room)
  5. (!userAccountControl:1.2.840.113556.1.4.803:=2))

  Also i tried creating a org chart using Visio and then with DirectorySearcher code. The visio files excludes virtual accounts such as feedback@abc,.com, meeting rooms, etc. but my Directory searcher code get them as wel . Kindly help.

• • Reply
  Chris Zhao

  All-Star

  17642 Points

  3510 Posts

  Re: DirectorySearcher - Clauses and keywords for search

  Aug 15, 2016 12:34 PM|Chris Zhao|LINK

  Hi Shoab,

  Examples

  The following table shows many example LDAP filters that can be useful when you query Active Directory:

  Query	LDAP Filter
  All user objects	(&(objectCategory=person)(objectClass=user))
  All user objects (Note 1)	(sAMAccountType=805306368)
  All computer objects	(objectCategory=computer)
  All contact objects	(objectClass=contact)
  All group objects	(objectCategory=group)
  All organizational unit objects	(objectCategory=organizationalUnit)
  All container objects	(objectCategory=container)
  All builtin container objects	(objectCategory=builtinDomain)
  All domain objects	(objectCategory=domain)
  Computer objects with no description	(&(objectCategory=computer)(!(description=*)))
  Group objects with a description	(&(objectCategory=group)(description=*))
  Users with cn starting with "Joe"	(&(objectCategory=person)(objectClass=user)  (cn=Joe*))
  Object with description "East\West Sales"  (Note 2)	(description=East\5CWest Sales)
  Phone numbers in form (xxx) xxx-xxx	(telephoneNumber=(*)*-*)
  Groups with cn starting with  "Test" or "Admin"	(&(objectCategory=group)  (|(cn=Test*)(cn=Admin*)))
  All users with both a first and last name.	(&(objectCategory=person)(objectClass=user)  (givenName=*)(sn=*))
  All users with direct reports but no  manager	(&(objectCategory=person)(objectClass=user)  (directReports=*)(!(manager=*)))
  All users with specified email address	(&(objectCategory=person)(objectClass=user)  (|(proxyAddresses=*:jsmith@company.com)  (mail=jsmith@company.com)))
  All users with Logon Script: field occupied	(&(objectCategory=person)(objectClass=user)(scriptPath=*))
  Object with Common Name "Jim * Smith"  (Notes 3, 19)	(cn=Jim \2A Smith)
  Objects with sAMAccountName that begins  with "x", "y", or "z"	(sAMAccountName>=x)
  Objects with sAMAccountName that begins with "a" or any number or symbol except "$"	(&(sAMAccountName<=a)(!(sAMAccountName=$*)))
  All users with "Password Never Expires" set  (Note 4)	(&(objectCategory=person)(objectClass=user)  (userAccountControl:1.2.840.113556.1.4.803:=65536))
  All disabled user objects (Note 4)	(&(objectCategory=person)(objectClass=user)  (userAccountControl:1.2.840.113556.1.4.803:=2))
  All enabled user objects (Note 4)	(&(objectCategory=person)(objectClass=user)  (!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  All users not required to have a password  (Note 4)	(&(objectCategory=person)(objectClass=user)  (userAccountControl:1.2.840.113556.1.4.803:=32))
  All users with "Do not require kerberos  preauthentication" enabled	(&(objectCategory=person)(objectClass=user)  (userAccountControl:1.2.840.113556.1.4.803:=4194304))
  Users with accounts that do not expire  (Note 5)	(&(objectCategory=person)(objectClass=user)  (|(accountExpires=0)  (accountExpires=9223372036854775807)))
  Users with accounts that do expire (Note 5)	(&(objectCategory=person)(objectClass=user)  (accountExpires>=1)  (accountExpires<=9223372036854775806))
  Accounts trusted for delegation  (unconstrained delegation)	(userAccountControl:1.2.840.113556.1.4.803:=524288)
  Accounts that are sensitive and not trusted  for delegation	(userAccountControl:1.2.840.113556.1.4.803:=1048576)
  All distribution groups (Notes 4, 15)	(&(objectCategory=group)  (!(groupType:1.2.840.113556.1.4.803:=2147483648)))
  All security groups (Notes 4, 19)	(groupType:1.2.840.113556.1.4.803:=2147483648)
  All built-in groups (Notes 4, 16, 19)	(groupType:1.2.840.113556.1.4.803:=1)
  All global groups (Notes 4, 19)	(groupType:1.2.840.113556.1.4.803:=2)
  All domain local groups (Notes 4, 19)	(groupType:1.2.840.113556.1.4.803:=4)
  All universal groups (Notes 4, 19)	(groupType:1.2.840.113556.1.4.803:=8)
  All global security groups (Notes 17, 19)	(groupType=-2147483646)
  All universal security groups (Notes 17, 19)	(groupType=-2147483640)
  All domain local security groups  (Notes 17, 19)	(groupType=-2147483644)
  All global distribution groups (Note 19)	(groupType=2)
  All objects with service principal name	(servicePrincipalName=*)
  Users with "Allow Access" on "Dial-in"  tab of ADUC  (Note 6)	(&(objectCategory=person)(objectClass=user)  (msNPAllowDialin=TRUE))
  Users with "Control access though  NPS Network Policy" on "Dial-in" tab of ADUC	(&(objectCategory=person)(objectClass=user)  (!(msNPAllowDialin=*)))
  All groups created after March 1, 2011	(&(objectCategory=group)  (whenCreated>=20110301000000.0Z))
  All users that must change their password  at next logon	(&(objectCategory=person)(objectClass=user)  (pwdLastSet=0))
  All users that changed their password since  April 15, 2011 (CST) (Note 7)	(&(objectCategory=person)(objectClass=user)  (pwdLastSet>=129473172000000000))
  All users with "primary" group  other than "Domain Users"	(&(objectCategory=person)(objectClass=user)  (!(primaryGroupID=513)))
  All computers with "primary" group  "Domain Computers"	(&(objectCategory=computer)  (primaryGroupID=515))
  Object with GUID  "90395F191AB51B4A9E9686C66CB18D11"  (Note 8)	(objectGUID=\90\39\5F\19\1A\B5\1B\4A\9E\96  \86\C6\6C\B1\8D\11)
  Object beginning with GUID  "90395F191AB51B4A"  (Note 8)	(objectGUID=\90\39\5F\19\1A\B5\1B\4A*)
  Object with SID "S-1-5-21-73586283  -152049171-839522115-1111" (Note 9)	(objectSID=S-1-5-21-73586283-152049171  -839522115-1111)
  Object with SID "010500000000000515000  0006BD662041316100943170A3257040000"  (Note 9)	(objectSID=\01\05\00\00\00\00\00\05\15  \00\00\00\6B\D6\62\04\13\16\10\09\43\17\0A\32  \57\04\00\00)
  All computers that are not  Domain Controllers (Note 4)	(&(objectCategory=computer)  (!(userAccountControl:1.2.840.113556.1.4.803:=8192)))
  All Domain Controllers (Note 4)	(&(objectCategory=computer)  (userAccountControl:1.2.840.113556.1.4.803:=8192))
  All Domain Controllers (Notes 14, 19)	(primaryGroupID=516)
  All servers	(&(objectCategory=computer)  (operatingSystem=*server*))
  All member servers (not DC's) (Note 4)	(&(objectCategory=computer)  (operatingSystem=*server*)  (!(userAccountControl:1.2.840.113556.1.4.803:=8192)))
  All direct members of specified group	(memberOf=cn=Test,ou=East,dc=Domain,dc=com)
  All users not direct members of  a specified group	(&(objectCategory=person)(objectClass=user)  (!(memberOf=cn=Test,ou=East,dc=Domain,dc=com)))
  All groups with specified direct member  (Note 19)	(member=cn=Jim Smith,ou=West,  dc=Domain,dc=com)
  All members of specified group, including  due to group nesting (Note 10)	(memberOf:1.2.840.113556.1.4.1941:=  cn=Test,ou=East,dc=Domain,dc=com)
  All groups specified user belongs to,  including due to group nesting (Notes 10, 19)	(member:1.2.840.113556.1.4.1941:=  cn=Jim Smith,ou=West,dc=Domain,dc=com)
  Objects with givenName "Jim*" and sn  "Smith*", or with cn "Jim Smith*" (Note 11)	(anr=Jim Smith)
  All attributes in the Schema container  replicated to the GC (Notes 6, 12)	(&(objectCategory=attributeSchema)  (isMemberOfPartialAttributeSet=TRUE))
  All operational (constructed) attributes in  the Schema container (Notes 4, 12)	(&(objectCategory=attributeSchema)  (systemFlags:1.2.840.113556.1.4.803:=4))
  All attributes in the Schema container not  replicated to other Domain Controllers  (Notes 4, 12)	(&(objectCategory=attributeSchema)  (systemFlags:1.2.840.113556.1.4.803:=1))
  All objects where deletion is not allowed  (Notes 4)	(systemFlags:1.2.840.113556.1.4.803:=2147483648)
  Attributes whose values are copied when  the object is copied (Notes 4, 12)	(searchFlags:1.2.840.113556.1.4.803:=16)
  Attributes preserved in tombstone object  when object deleted (Notes 4, 12)	(searchFlags:1.2.840.113556.1.4.803:=8)
  Attributes in the Ambiguous Name  Resolution (ANR) set (Notes 4, 12)	(searchFlags:1.2.840.113556.1.4.803:=4)
  Attributes in the Schema that are  indexed (Notes 4, 12)	(searchFlags:1.2.840.113556.1.4.803:=1)
  Attributes marked confidential in  the schema (Notes 4, 12)	(searchFlags:1.2.840.113556.1.4.803:=128)
  Attributes in the RODC filtered attribute  set, or FAS (Notes 4, 12)	(searchFlags:1.2.840.113556.1.4.803:=512)
  All site links in the Configuration  container (Note 13)	(objectClass=siteLink)
  The nTDSDSA objects associated with  all Global Catalogs. This will identify all DC's  that are GC's. (Note 4)	(&(objectCategory=nTDSDSA)  (options:1.2.840.113556.1.4.803:=1))
  The nTDSDSA object associated with the  PDC Emulator. This will identify the DC  with the PDC Emulator FSMO role (Note 18).	(&(objectClass=domainDNS)(fSMORoleOwner=*))
  The nTDSDSA object associated with the  RID Master. This will identify the DC  with the RID Master FSMO role (Note 18).	(&(objectClass=rIDManager)(fSMORoleOwner=*))
  The nTDSDSA object associated with the  Infrastructure Master. This will identify the DC  with this FSMO role (Note 18).	(&(objectClass=infrastructureUpdate)  (fSMORoleOwner=*))
  The nTDSDSA object associated with the  Schema Master. This will identify the DC with  the Schema Master FSMO role (Note 18).	(&(objectClass=dMD)(fSMORoleOwner=*))
  The nTDSDSA object associated with the  Domain Naming Master. This will identify the  DC with this FSMO role (Note 18).	(&(objectClass=crossRefContainer)  (fSMORoleOwner=*))
  All Exchange servers in the Configuration  container (Note 13)	(objectCategory=msExchExchangeServer)
  All objects protected by AdminSDHolder	(adminCount=1)
  All trusts established with a domain	(objectClass=trustedDomain)
  All Group Policy objects	(objectCategory=groupPolicyContainer)
  All service connection point objects	(objectClass=serviceConnectionPoint)
  All Read-Only Domain Controllers  (Notes 4, 19)	(userAccountControl:1.2.840.113556.1.4.803:=67108864)

  reference: http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx 

  Best Regards,

  Chris

• • Reply
  shoab shah

  Member

  2 Points

  58 Posts

  Re: DirectorySearcher - Clauses and keywords for search

  Aug 16, 2016 06:41 AM|shoab shah|LINK

  Thank you Chris!