Updated: Apr 13, 2021
Article No :: KB00019
Dear Admins, this article is Part 2 of the LDAP query series. For Part 1, please click here. Below are some LDAP queries that help Windows administrators perform their day-to-day tasks efficiently. They are especially useful for fetching reports from Active Directory. These queries can be used in several ways, e.g. via ADUC (the Active Directory Users and Computers console), within PowerShell, or via system tools such as SCCM, Hyena (www.systemtools.com), etc.
1) Knowledge of LDAP, Windows and Active Directory infrastructure.
2) Knowledge of scripting and logic.
3) Access to run the LDAP queries.
Note: Please test these queries in a test environment before running them in the production environment.
LDAP Queries for User Accounts
1) To find all the User accounts
2) To find all the User accounts with "Blank or Empty Password"
3) To find all the User accounts, with "User cannot change Password" attribute enabled.
4) To find all Locked User accounts.
5) To find all the User accounts with "Password Never Expires" enabled.
6) To find the disabled User Accounts
7) To find the User Accounts that don't have an email address.
8) To find all the User Accounts whose "Primary group" is not "Domain Users"
9) To find all the User Accounts that "Never logged on".
10) To find all the mailbox enabled accounts with Outlook Web Access (OWA) disabled
11) To find all the mailbox enabled User Accounts
12) To find all the Mail-Enabled Contacts.
13) To find all the User Accounts whose department is sales.
14) To find all the User Accounts created after 1st-Jan-2020.
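As an added example (not taken from this article, whose own filter strings are not reproduced here), the Python sketch below builds filters for items 5, 6, 13 and 14. It shows the three details these reports depend on: the bitwise matching rule for `userAccountControl` flags, RFC 4515 escaping of any value that comes from a variable, and the generalized-time format used by `whenCreated`. The function names are hypothetical; the flag values and the matching-rule OID are the ones Microsoft documents.

```python
from datetime import datetime, timezone

# userAccountControl flag values as documented by Microsoft.
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
# OID of the AD bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND = "1.2.840.113556.1.4.803"
USER_BASE = "(objectCategory=person)(objectClass=user)"
# RFC 4515 escapes for characters that are special inside a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_value(value):
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def users(*clauses):
    """AND the given clauses with the base 'user account' clauses."""
    return "(&" + USER_BASE + "".join(clauses) + ")"


def uac_flag(flag):
    """Match accounts that have the given userAccountControl bit set."""
    return f"(userAccountControl:{BIT_AND}:={flag})"


def attr_equals(attr, value):
    """Equality clause with the value escaped."""
    return f"({attr}={escape_value(value)})"


def created_since(when):
    """whenCreated uses generalized time in UTC; LDAP has >= but no >."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    utc = when.astimezone(timezone.utc)
    return "(whenCreated>=" + utc.strftime("%Y%m%d%H%M%S") + ".0Z)"


if __name__ == "__main__":
    jan_2020 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    print(users(uac_flag(UAC_ACCOUNTDISABLE)))        # item 6
    print(users(uac_flag(UAC_DONT_EXPIRE_PASSWORD)))  # item 5
    print(users(attr_equals("department", "sales")))  # item 13
    print(users(created_since(jan_2020)))             # item 14
    # Constructed value containing filter metacharacters: stays one literal.
    print(attr_equals("department", "sales)(cn=*"))
```

The printed strings can be pasted into an ADUC custom search or passed to any tool that accepts a raw LDAP filter.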
Below are some commonly used Active Directory attributes for user accounts.
Apart from the above attributes, there are others as well, such as City, Country, Mobile no, etc. You can use them as per your requirement.
The next and last part will cover the LDAP Attributes of Groups.