Posted on June 24, 2015 · Posted in Active Directory

Using LDAP Saved Queries in Active Directory

The Saved Queries feature of the Active Directory Users and Computers (ADUC) console allows you to create simple and complex LDAP queries that select Active Directory objects. These queries can be saved, edited and transferred to other computers. Using Saved Queries, you can search for and select AD objects by different criteria quickly and effectively. For example, Saved Queries can help you quickly display the list of all disabled accounts in a domain, select all users of a company who have mailboxes on a given Exchange server, etc.

An important benefit of saved LDAP queries is the ability to perform bulk operations on objects from different OUs in Active Directory, such as bulk locking/unlocking, moving or deleting accounts. This lets you work around shortcomings of the hierarchical OU structure in Active Directory by collecting all the necessary objects in a flat table view.

Most of these operations can also be done using PowerShell, dsquery, VBS scripts, etc., but as a rule it is more convenient to have the results displayed in the familiar graphical console, and this doesn't require any special skills.

Active Directory Saved Queries first appeared in Windows Server 2003 and remain supported in later Windows Server versions.

Let's look at a typical example of using Saved Queries in Active Directory Users and Computers. Suppose we have to display the list of active user accounts together with their departments and e-mail addresses.

Open ADUC (dsa.msc), right-click Saved Queries and select New -> Query.

Create new saved query in ADUC

In the Name box, specify the name of the saved query to be displayed in the ADUC console.

In the Query root box, you can specify the container (OU) in which the query is run. By default, the search is performed in the whole AD domain. In our example, we'll narrow the search scope by selecting the Brasil container.

Edit query properties

Then click Define Query and select Custom Search in the Find drop-down list.

Custom search

Go to the Advanced tab and copy the following LDAP query into the Enter LDAP query box:

Advanced LDAP query

Save the changes by clicking OK.

Select the created query in the ADUC console and press F5 to refresh the list. The result of the query is shown in the next screenshot.

Result of Saved query in Active Directory Console

To display additional fields (e-mail address, department, etc.), open the View menu in the ADUC console and select Add/Remove Columns.

Add/Remove columns in ADUC

Add the necessary fields. We have added 3 additional fields: User Logon Name, E-Mail Address and Department.

Add additional fields in Active Directory console

The result can be exported to a CSV or TXT file for further analysis and viewed in Excel. To do it, right-click the saved query and select Export List.

Export result in csv or txt file

In the ADUC console you can create a number of different saved queries and arrange them into a tree structure.

Saved query structure

The saved queries are stored locally in the console on the computer on which they were created (an XML file containing the settings can be found in C:\Users\%USERNAME%\AppData\Roaming\Microsoft\MMC\DSA). To move a saved query from one computer to another, dsa.msc provides a feature to import/export the queries as XML files.

The following table gives some examples of commonly used LDAP queries that can be used to select objects in Active Directory. Each filter is written in standard LDAP syntax, with the conditions combined by an outer (&...) and negations written as (!(...)), so the same text also works with dsquery or PowerShell's -LDAPFilter.

Task: LDAP filter

Groups with the keyword 'admin' in the name:
    (&(objectCategory=group)(sAMAccountName=*admin*))

Accounts with the keyword 'service' in the Description box:
    (&(objectCategory=person)(description=*service*))

Empty Active Directory groups (with no members):
    (&(objectCategory=group)(!(member=*)))

Users with the "Password never expires" setting (userAccountControl bit 65536):
    (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

Users with an empty Profile Path box:
    (&(objectCategory=person)(!(profilePath=*)))

Active user accounts that must change their password at next logon:
    (&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

All AD users except disabled ones (userAccountControl bit 2):
    (&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Locked-out AD users (userAccountControl bit 16; note that AD does not reliably keep this bit up to date in userAccountControl, so for a dependable lockout check use the lockoutTime attribute or the Account tab of the user):
    (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=16))

Users with e-mail addresses:
    (&(objectCategory=person)(mail=*))

Users without e-mail addresses:
    (&(objectCategory=person)(!(mail=*)))

Computers running Windows XP SP3:
    (&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))

Accounts that have never logged on to the domain (lastLogon is not replicated between domain controllers, so the result depends on the DC the console is connected to; the logon time is shown in a more convenient form on the Additional Account Info tab):
    (&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))

User accounts created in a given period (here, during 2014):
    (&(objectCategory=user)(whenCreated>=20140101000000.0Z)(whenCreated<=20150101000000.0Z))

AD users created this year (2015):
    (&(objectClass=user)(whenCreated>=20150101000000.0Z))
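To make clear how a directory actually evaluates filters like the ones in this table (the &, | and ! operators, * wildcards and presence tests, ordering on whenCreated, and the 1.2.840.113556.1.4.803 bit-AND rule on userAccountControl), here is a small Python filter evaluator run over a constructed in-memory directory. It is an added illustration, not code from the original article or from any Microsoft tool; the objects, names and attribute values are made up, and objectCategory is kept as the short class name that AD would normally expand to a schema DN.

```python
import re

BIT_AND = ":1.2.840.113556.1.4.803:="   # LDAP_MATCHING_RULE_BIT_AND: every bit of the value is set
ITEM = re.compile(r"([\w-]+)(" + re.escape(BIT_AND) + r"|>=|<=|=)(.*)")

def parse(s, i=0):
    # Recursive-descent parser for RFC 4515 filter text; returns (node, index after ')')
    if s[i] != "(": raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                                   # (&(..)(..)) / (|(..)(..))
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":                                  # (!(..))
        kid, i = parse(s, i + 1)
        node = ("!", kid)
    else:                                              # (attr=v) (attr>=v) (attr:OID:=v)
        j = s.index(")", i)
        m = ITEM.fullmatch(s[i:j])
        if not m: raise ValueError(f"bad filter item {s[i:j]!r}")
        node, i = ("item", m[1].lower(), m[2], m[3]), j
    if s[i] != ")": raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, obj):
    # obj maps lower-cased attribute names to lists of string values (AD compares case-insensitively)
    if node[0] == "&": return all(matches(k, obj) for k in node[1])
    if node[0] == "|": return any(matches(k, obj) for k in node[1])
    if node[0] == "!": return not matches(node[1], obj)
    _, attr, op, val = node
    values = obj.get(attr, [])                         # absent attribute: nothing can match
    if op == BIT_AND:                                  # userAccountControl bit tests
        return any(int(v) & int(val) == int(val) for v in values)
    if op == "=":                                      # equality, substring and presence (attr=*)
        pat = ".*".join(re.escape(p) for p in val.split("*"))
        return any(re.fullmatch(pat, v, re.I) for v in values)
    # >= / <= : text comparison, which is correct for GeneralizedTime values such as whenCreated
    return any((v >= val) if op == ">=" else (v <= val) for v in values)

# Constructed sample directory (not real data); 514 = 512 + 2 (disabled), 66048 = 512 + 65536 (never expires)
PERSON = {"objectcategory": ["person"], "objectclass": ["top", "person", "user"]}
DIR = {
    "alice": {**PERSON, "useraccountcontrol": ["512"], "mail": ["alice@example.com"], "whencreated": ["20150301120000.0Z"]},
    "bob": {**PERSON, "useraccountcontrol": ["514"], "mail": ["bob@example.com"], "whencreated": ["20141105080000.0Z"]},
    "svc-backup": {**PERSON, "useraccountcontrol": ["66048"], "description": ["Backup service account"], "whencreated": ["20130101000000.0Z"]},
    "helpdesk-admins": {"objectcategory": ["group"], "objectclass": ["top", "group"], "samaccountname": ["helpdesk-admins"]},
}

def search(filter_text, directory=DIR):
    # Sorted names of the objects matching the filter; the whole string must be one filter
    node, end = parse(filter_text)
    if end != len(filter_text): raise ValueError("trailing text after filter")
    return sorted(n for n, obj in directory.items() if matches(node, obj))
```

Running the table's "all users except disabled" filter returns alice and svc-backup but not bob, and a filter written as two bare conditions without the outer (&...) is rejected as trailing text.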
