
A collection of LDAP Filter Info

I often find myself googling for LDAP filter info. This time I decided to post the resulting set of websites I hit for this info.

NOTE: MS released the specs for Active Directory's LDAP compliance here. GREAT DOC!
http://download.microsoft.com/download/d/c/8/dc83e0b8-fc2c-4af4-bd27-45b5963ad98d/AD%20LDAP%20Compliance.doc

Blog Entry on LDAP Filters
————————-
http://bsonposh.com/modules/wordpress/?p=78

LDAP Filter Articles
——————-
query Active Directory by using a bitwise filter
http://support.microsoft.com/kb/269181

Search Filter Syntax
http://msdn2.microsoft.com/en-us/library/aa746475.aspx

Mastering the LDAP search filter
http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1191071,00.html

userAccountControl
——————-
UserAccountControl flags
http://support.microsoft.com/kb/305144

User-Account-Control Attribute (Windows)
http://msdn2.microsoft.com/en-us/library/ms680832.aspx

AD Replication Metadata (when did that change?)

There was a discussion on the NG about determining when a user was disabled. The initial request was to determine this based on whenChanged, but I thought that could be invalid, as you can easily change an account after it was disabled. I cannot think of a way to be sure, but the best way I can think of is to use the replication metadata on the attribute userAccountControl (the second bit is what determines whether it is disabled or not). While it is possible to change userAccountControl after a user is disabled, it is unlikely.

More info for UserAccountControl bits
http://support.microsoft.com/kb/305144

Of course the next question was: how do you check the replication metadata for an attribute on an AD object?

Enter Get-ADObjectREplicationMetadata.ps1

This uses

System.DirectoryServices.ActiveDirectory.DirectoryContext
- http://msdn2.microsoft.com/en-us/library/system.directoryservices.activedirectory.directorycontext.aspx
System.DirectoryServices.ActiveDirectory.DomainController
- http://msdn2.microsoft.com/en-gb/library/system.directoryservices.activedirectory.domaincontroller.aspx

    # Get-ADObjectREplicationMetadata.ps1
    # Brandon Shell (www.bsonposh.com)
    # Purpose: Get attribute(s) Replication Metadata from a Domain controller.
    Param($Domain,$objectDN,$property)
    # Sets Context to Domain for System.DirectoryServices.ActiveDirectory.DomainController
    $context = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain",$Domain)
    # .NET Class that returns a Domain Controller for Specified Context
    $dc = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)
    # GetReplicationMetadata returns the metadata from the DC for the DN specified.
    $meta = $dc.GetReplicationMetadata($objectDN)
    # With an attribute name, return only that attribute's metadata; otherwise return the whole collection.
    if($property){$meta | %{$_.$property}}else{$meta}

This will return either all the metadata or just the metadata for a specific attribute. I should note that if you do not specify an attribute it returns all of them. You should expect to parse these as each attribute has a child object with the data in it.

All attributes. Each attribute's metadata object can be reached as .PropertyName on the returned collection.

    PS# .\Get-ADObjectMetaData.ps1 'my.lab.domain' 'CN=TestUser,DC=my,dc=lab,dc=domain'

    Name                           Value
    ----                           -----
    countrycode                    System.DirectoryServices.ActiveDirectory.AttributeMetadata
    cn                             System.DirectoryServices.ActiveDirectory.AttributeMetadata
    mail                           System.DirectoryServices.ActiveDirectory.AttributeMetadata
    scriptpath                     System.DirectoryServices.ActiveDirectory.AttributeMetadata
    ntsecuritydescriptor           System.DirectoryServices.ActiveDirectory.AttributeMetadata
    accountexpires                 System.DirectoryServices.ActiveDirectory.AttributeMetadata
    displayname                    System.DirectoryServices.ActiveDirectory.AttributeMetadata
    profilepath                    System.DirectoryServices.ActiveDirectory.AttributeMetadata
    primarygroupid                 System.DirectoryServices.ActiveDirectory.AttributeMetadata
    unicodepwd                     System.DirectoryServices.ActiveDirectory.AttributeMetadata
    objectclass                    System.DirectoryServices.ActiveDirectory.AttributeMetadata
    objectcategory                 System.DirectoryServices.ActiveDirectory.AttributeMetadata
    instancetype                   System.DirectoryServices.ActiveDirectory.AttributeMetadata
    homedrive                      System.DirectoryServices.ActiveDirectory.AttributeMetadata
    samaccounttype                 System.DirectoryServices.ActiveDirectory.AttributeMetadata
    homedirectory                  System.DirectoryServices.ActiveDirectory.AttributeMetadata
    whencreated                    System.DirectoryServices.ActiveDirectory.AttributeMetadata
    useraccountcontrol             System.DirectoryServices.ActiveDirectory.AttributeMetadata
    msmqsigncertificates           System.DirectoryServices.ActiveDirectory.AttributeMetadata
    dbcspwd                        System.DirectoryServices.ActiveDirectory.AttributeMetadata
    title                          System.DirectoryServices.ActiveDirectory.AttributeMetadata
    samaccountname                 System.DirectoryServices.ActiveDirectory.AttributeMetadata
    supplementalcredentials        System.DirectoryServices.ActiveDirectory.AttributeMetadata
    userparameters                 System.DirectoryServices.ActiveDirectory.AttributeMetadata
    givenname                      System.DirectoryServices.ActiveDirectory.AttributeMetadata
    description                    System.DirectoryServices.ActiveDirectory.AttributeMetadata
    lmpwdhistory                   System.DirectoryServices.ActiveDirectory.AttributeMetadata
    pwdlastset                     System.DirectoryServices.ActiveDirectory.AttributeMetadata
    msnpallowdialin                System.DirectoryServices.ActiveDirectory.AttributeMetadata
    codepage                       System.DirectoryServices.ActiveDirectory.AttributeMetadata
    name                           System.DirectoryServices.ActiveDirectory.AttributeMetadata
    ntpwdhistory                   System.DirectoryServices.ActiveDirectory.AttributeMetadata
    userprincipalname              System.DirectoryServices.ActiveDirectory.AttributeMetadata
    admincount                     System.DirectoryServices.ActiveDirectory.AttributeMetadata
    objectsid                      System.DirectoryServices.ActiveDirectory.AttributeMetadata
    sn                             System.DirectoryServices.ActiveDirectory.AttributeMetadata
    msmqdigests                    System.DirectoryServices.ActiveDirectory.AttributeMetadata
    logonhours                     System.DirectoryServices.ActiveDirectory.AttributeMetadata
    lastlogontimestamp             System.DirectoryServices.ActiveDirectory.AttributeMetadata

Here is a specific attribute:

    PS# .\Get-ADObjectMetaData.ps1 'my.lab.domain' 'CN=TestUser,DC=my,dc=lab,dc=domain' 'useraccountcontrol'

    Name                        : userAccountControl
    Version                     : 8
    LastOriginatingChangeTime   : 9/15/2005 1:45:32 PM
    LastOriginatingInvocationId : eeaeb6f9-8422-dddd-as34-04d7bd779285
    OriginatingChangeUsn        : 47264036
    LocalChangeUsn              : 49555172
    OriginatingServer           : dc.my.lab.domain
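Putting the bitwise filter from the LDAP filter links above together with the replication metadata script, here is an added example (my code, not the blog's script): it finds disabled user accounts with the LDAP bit-AND matching rule, then asks the same DC for the userAccountControl metadata so you can see when that attribute last changed and which DC originated the write. whenChanged is included next to it so the two timestamps can be compared. It assumes a domain-joined machine with read access, Windows PowerShell 2.0 or later, and it defaults the domain to $env:USERDNSDOMAIN; the variable and constant names are mine, the OID and the bit value are the documented ones from the two KB articles linked above.

```powershell
# Added example: report when userAccountControl last changed for every disabled user.
# Assumptions: domain-joined host, read access to the domain, Windows PowerShell 2.0+.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumption: query the current DNS domain
)

$ACCOUNTDISABLE             = 0x2                       # second bit of userAccountControl (KB 305144)
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'  # bitwise AND matching rule (KB 269181)

# Same two classes the blog script uses: context -> a DC for that domain.
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
$dc      = [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($context)

# Bind the search to the DC we will query for metadata, so values and USNs come from one replica.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=$ACCOUNTDISABLE))"
$searcher.PageSize = 500   # paged results, so large domains do not hit the server size limit
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName', 'userAccountControl', 'whenChanged'))

foreach ($result in $searcher.FindAll()) {
    $dn  = [string]$result.Properties['distinguishedname'][0]
    $uac = [int]$result.Properties['useraccountcontrol'][0]

    # Metadata for just the one attribute; the key is case-insensitive, as in the blog's example call.
    $meta = $dc.GetReplicationMetadata($dn)['useraccountcontrol']

    New-Object PSObject -Property @{
        SamAccountName = [string]$result.Properties['samaccountname'][0]
        UacHex         = '0x{0:X8}' -f $uac
        Disabled       = ($uac -band $ACCOUNTDISABLE) -ne 0
        # Time of the last write to ANY userAccountControl bit, which is the caveat from the post:
        # a later change to another bit (e.g. password never expires) moves this timestamp too.
        UacLastChanged = $meta.LastOriginatingChangeTime
        UacVersion     = $meta.Version
        ChangedOnDC    = $meta.OriginatingServer
        # whenChanged moves on a write to any attribute, so it is the weaker signal.
        WhenChanged    = $result.Properties['whenchanged'][0]
    }
}
```

Run it as .\Get-DisabledAccountChanges.ps1 (any file name will do) and pipe the output to Format-Table or Export-Csv. When UacLastChanged and UacVersion agree with the time the account was expected to be disabled, the metadata is a reasonable answer; a much later timestamp or a high version count means other bits have been written since and the disable time cannot be recovered from this attribute alone.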

The Power of -f. The Format Operator

This is from a NG post discussing the -f Operator… I thought it was a pretty good description. Compliments to Kiron.

Q: What is the -f operator

A: PowerShell’s Format Operator ‘-f’ is equivalent to .Net’s Composite
Formatting. The syntax is:
{index[,alignment][:formatString]} -f listOfValues

Composite Formatting
http://msdn2.microsoft.com/en-us/library/txafckwd(vs.71).aspx

Quoting from about_operator:
Format Operator “-f”
The format operator provides support for formatting strings via the .NET
string object format method. On the left hand side of the operator is the
format string and on the right hand of the operator is the collection of
objects to be formatted.
The following example shows some of the capabilities of the format operator.
PS> "{0} {1,-10} {2:N}" -f 1,"hello",[math]::pi
1 hello 3.14

Some samples:

    # the '|' is for demonstrating the alignment
    "{0:(###) ###-####}" -f 2224445555 # phone number
    "{0:hh:mm:ss tt}" -f (get-date) # time, 12 hour format
    "{0:HH:mm:ss}" -f (get-date) # time, 24 hour format
    "{0:p4}" -f (1/3) # percent with four decimal places
    "{0:c2}" -f (1724.87 * 12) # currency with two decimal places
    "|{0,22:c2}|" -f (1724.87 * 12) # right aligned currency with two decimal places
    "|{0,-22:n2}|" -f (13/57) # left aligned number with two decimal places
    "{0:MM dd yy}" -f (get-date) # date, custom short format
    "{0:MMMM yyyy}" -f (get-date) # date, 'month year' format
    0..15 | % {"{0:0##}" -f $_} # filled number format
    0..15 | % {"|{0,33}|" -f "Number $_"} # right aligned string
    0..15 | % {"|{0,-33}|" -f "Number $_"} # left aligned string
    0..15 | % {"|{0,33}|  |{0,-33}|" -f "Number $_"} # right & left aligned string
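As an added example that is not from the NG post, here is -f used for something beyond one-liners: an aligned report of a userAccountControl value and its replication metadata, which ties the format operator back to the replication metadata post above. It uses the hex ({0:X8}), grouped-number ({0:N0}), custom date and alignment forms described in the suggested reading. The flag names and bit masks are the documented ones from KB 305144 (a subset); the function name is mine, and the sample value, timestamp, version and server name are constructed so it runs with no domain access.

```powershell
# Added example: render userAccountControl and its metadata with the -f operator.
# Flag names/masks are from KB 305144; everything else here is constructed sample data.
$UacFlags = @{
    'SCRIPT'                 = 0x0001
    'ACCOUNTDISABLE'         = 0x0002
    'LOCKOUT'                = 0x0010
    'PASSWD_NOTREQD'         = 0x0020
    'NORMAL_ACCOUNT'         = 0x0200
    'DONT_EXPIRE_PASSWORD'   = 0x10000
    'SMARTCARD_REQUIRED'     = 0x40000
    'TRUSTED_FOR_DELEGATION' = 0x80000
    'DONT_REQ_PREAUTH'       = 0x400000
}

function Format-UacReport {
    # hypothetical helper; the parameters mirror the AttributeMetadata fields shown above
    param([int]$Uac, [datetime]$LastChanged, [string]$OriginatingServer, [int]$Version)

    # {1:X8} prints the value as zero-padded hex and {1:N0} as a grouped decimal, both from one argument.
    '{0,-24}: 0x{1:X8} ({1:N0})' -f 'userAccountControl', $Uac
    # Custom DateTime format with a 24-hour clock, the same family as the samples above.
    '{0,-24}: {1:yyyy-MM-dd HH:mm:ss} (version {2}) on {3}' -f 'Last originating change', $LastChanged, $Version, $OriginatingServer
    ''
    # Column layout: left-aligned flag name, right-aligned mask, then whether the bit is set.
    '{0,-24}{1,12}  {2}' -f 'Flag', 'Mask', 'Set'
    '{0,-24}{1,12}  {2}' -f '----', '----', '---'
    foreach ($name in ($UacFlags.Keys | Sort-Object { $UacFlags[$_] })) {
        $mask = $UacFlags[$name]
        # Nested -f: format the mask as hex first, then align the resulting string in the column.
        '{0,-24}{1,12}  {2}' -f $name, ('0x{0:X}' -f $mask), (($Uac -band $mask) -ne 0)
    }
}

# Constructed sample: NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + ACCOUNTDISABLE = 0x10202,
# with the metadata values from the sample output above.
Format-UacReport -Uac 0x10202 -LastChanged ([datetime]'2005-09-15 13:45:32') `
                 -OriginatingServer 'dc.my.lab.domain' -Version 8
```

The point of the nested -f on the mask column is that alignment applies to the argument as a whole: formatting the number as hex first and then padding the string gives a tidy column, whereas {1,12:X} would right-align the hex digits but not the 0x prefix.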

Suggested Reading.

Standard Numeric Format Strings
http://msdn2.microsoft.com/en-us/library/dwhawy9k.aspx

Custom Numeric Format Strings
http://msdn2.microsoft.com/en-us/library/0c899ak8.aspx

Standard DateTime Format Strings
http://msdn2.microsoft.com/en-us/library/az4se3k1.aspx

Custom DateTime Format Strings
http://msdn2.microsoft.com/en-us/library/8kb3ddd4.aspx

Enumeration Format Strings
http://msdn2.microsoft.com/en-us/library/c3s1ez6e.aspx

Check out this blog from the PowerShell Team
http://blogs.msdn.com/powershell/archive/2006/06/16/634575.aspx