March 15, 2024

Using Saved Queries in ADUC MMC (Active Directory User and Computers)

The Saved Queries in Active Directory Users and Computers (ADUC) MMC console allow you to create complex LDAP filters to select Active Directory objects. These queries can be saved, edited, and copied to other computers. You can use the Active Directory saved queries to quickly and efficiently find AD objects based on various criteria. Saved Queries can help you quickly perform common AD object administration tasks: display the list of all disabled accounts in a domain, select all users of a company who have mailboxes on a given Exchange server, etc.

When using saved LDAP queries, the administrator can perform group operations with objects from different OUs (containers) of Active Directory. For example, you can perform bulk lock/unlock/enable/disable, move, delete, and rename operations under AD objects/accounts. Such queries in the ADUC console allow you to bypass the hierarchical structure of OUs in Active Directory and collect all the necessary objects in a flat table view.

Most of the operations for finding AD objects can be done using cmdlets from the PowerShell module for Active Directory (for example, Get-ADUser, Get-ADComputer, Get-ADObject, Get-ADGroup, Search-ADAccount, etc.), the dsquery.exe tool, VBScript scripts, etc. However, it is much easier for non-admin users to use the ADUC GUI to display information about AD objects.

Contents:
  • How to Create a Saved Query in the Active Directory MMC Console
  • Useful Saved Query Examples for Active Directory MMC
  • Using LDAP Filters in PowerShell

Active Directory Saved Queries were first introduced in Windows Server 2003 and are supported in all later Windows Server versions. To use saved AD queries, you must have the ADUC console installed on your computer (it is part of the RSAT administration tools).

How to Create a Saved Query in the Active Directory MMC Console

Let’s take a look at a few typical examples of using saved LDAP queries in the Active Directory Users and Computers console to search for objects. Suppose we have to display the list of active user accounts, their department names, and e-mail addresses.

  1. Open the ADUC console (dsa.msc), right-click Saved Queries and select New -> Query;
  2. In the Name box, specify the name of the saved query to be displayed in the ADUC console;
  3. In the Query root field, you can specify the container (OU) in which you want to search. By default, the search by the query criteria is performed across the entire AD domain. In our example, we’ll narrow the search scope by selecting the Brasil container;
  4. Then click the Define Query button and select Custom Search in the Find drop-down list;
  5. Go to the Advanced tab and copy the following LDAP query into the Enter LDAP query box. This query selects enabled user accounts (see other examples of LDAP queries in the table below):
    (&(objectcategory=person)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
  6. Save the changes by clicking OK;
  7. Select the created query in the ADUC console and press F5 to build the object list. As a result, a list of users matching your LDAP query appears in the right pane;
  8. To display additional user attributes (e-mail address, department, etc.), open the View menu in the ADUC console and select Add/Remove Columns;
  9. Add the columns you want. We have added 3 additional fields: User Logon Name, E-Mail Address, Department;
  10. The resulting list of user accounts can be saved to a CSV or TXT file for further analysis and import into Excel. To do it, right-click the saved query and select the Export List menu item.
    Note. You can also get data from AD using PowerShell and save it directly to an Excel file.
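The same query as the one built in the wizard above, run from PowerShell instead of the ADUC GUI (an added example, not code from the original article). The distinguished name of the Brasil OU and the output path are assumptions; adjust them for your domain.

```powershell
# Added example: PowerShell equivalent of the saved query created in steps 1-10.
Import-Module ActiveDirectory

# Same filter as in step 5. The OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND
# matching rule and 2 is the ACCOUNTDISABLE flag of userAccountControl, so the
# negated clause keeps only enabled accounts.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Query root (step 3). Assumed DN: replace it with your container.
$searchBase = 'OU=Brasil,DC=woshub,DC=com'

# Columns added in step 9: User Logon Name, E-Mail Address, Department
$users = Get-ADUser -LDAPFilter $ldapFilter -SearchBase $searchBase `
            -Properties mail, department |
         Select-Object Name, SamAccountName, UserPrincipalName, mail, department

$users | Format-Table -AutoSize

# Step 10: export the result for analysis in Excel (assumed path)
$users | Export-Csv -Path 'C:\Temp\enabled-users-brasil.csv' -NoTypeInformation -Encoding UTF8
```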

In the ADUC console, you can create several different saved queries and organize them in a tree structure. In this way, you can create a convenient collection of LDAP queries to quickly perform common AD administration tasks.


The ADUC MMC snap-in supports several modes of building Active Directory saved queries. It is not necessary to write the LDAP filter manually each time. You can create your AD query with a simple graphical wizard: you select attributes of AD objects and use them to search for objects according to the criteria you want. For example, to list all Windows Server computer objects in a domain:

  1. Find -> Computers;
  2. Go to the Advanced tab;
  3. Fields -> Operating System;
  4. Starts with -> specify your criteria ‘Windows Server *‘.

The wildcard character is * (you can also specify ‘*Server*‘). Multiple search criteria can be added to your saved query.

Save the query and refresh the object list in the ADUC console. The list will show all Windows Server objects in your domain.

The saved queries are stored locally on the computer on which they were created. The XML file containing the settings is located here: C:\Users\%USERNAME%\AppData\Roaming\Microsoft\MMC\DSA. To transfer saved AD queries between computers, dsa.msc can import/export query definitions as XML files (Export Query Definition/Import Query Definition).

Useful Saved Query Examples for Active Directory MMC

The following table contains examples of commonly used LDAP queries to select Active Directory objects. You can save them to your ADUC console for daily use.

Each entry lists the saved ADUC query description followed by its LDAP filter:

  • Search for the ‘admin‘ keyword in the user name:
    (&(objectCategory=person)(sAMAccountName=*admin*))
  • Search for user accounts with the ‘service’ keyword in the description field:
    (&(objectCategory=person)(description=*service*))
  • List empty Active Directory groups (with no members):
    (&(objectCategory=group)(!member=*))
  • Users with the “Password never expires” option enabled:
    (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
  • Users who have not changed their password for more than 3 months (pwdLastSet is stored as a FILETIME value, so recalculate the number for your date):
    (&(sAMAccountType=805306368)(pwdLastSet<=132161330597286610))
  • Find users who have “Sales” in the department field:
    (&(objectCategory=person)(objectClass=user)(department=*sales*))
  • Users with an empty Profile Path attribute:
    (&(objectCategory=person)(!profilePath=*))
  • Active user accounts with expired passwords (pwdLastSet=0 means the user must change the password at next logon):
    (&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!userAccountControl:1.2.840.113556.1.4.803:=2))
  • All AD users, except disabled ones:
    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
  • Locked AD user accounts:
    (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=16))
  • Users with e-mail addresses:
    (&(objectCategory=person)(mail=*))
  • Users without e-mail addresses:
    (&(objectCategory=person)(!mail=*))
  • Users hidden from the Exchange Address Book (GAL):
    (&(sAMAccountType=805306368)(msExchHideFromAddressLists=TRUE))
  • Accounts that have never logged on to the domain (the last logon time can be viewed in a more convenient form on the Additional Account Info tab in ADUC):
    (&(objectCategory=person)(objectClass=user)(|(lastLogonTimestamp=0)(!(lastLogonTimestamp=*))))
  • User accounts created in a specific period (in 2019):
    (&(objectCategory=user)(whenCreated>=20190101000000.0Z)(whenCreated<=20200101000000.0Z))
  • AD users created since a given date (January 1, 2020 in this example; adjust the date for the current year):
    (&(objectClass=user)(whenCreated>=20200101000000.0Z))
  • Computers running Windows 10:
    (&(objectCategory=computer)(operatingSystem=Windows 10*))
  • Computers running a specific Windows 10 build (for example, Windows 10 1909 has build number 18363):
    (&(objectCategory=computer)(operatingSystem=Windows 10*)(operatingSystemVersion=*18363*))
  • Find all Windows Server 2016 computers except domain controllers:
    (&(objectCategory=computer)(!(primaryGroupId=516))(operatingSystem=Windows Server 2016*))
  • All Microsoft SQL servers:
    (&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))
  • All Exchange distribution groups:
    (&(objectCategory=group)(!groupType:1.2.840.113556.1.4.803:=2147483648))
  • Find an AD object with a specific SID:
    (objectSID=S-1-5-21-87654321-12345678-5566443311-1231)

Using LDAP Filters in PowerShell

You can use the above LDAP filters to find AD objects in the PowerShell console. Most cmdlets from the PowerShell Active Directory module have a special LdapFilter parameter. You need to specify your LDAP query in this parameter. For example:

Get-ADUser -LdapFilter "(&(objectCategory=person)(objectClass=user)(department=*Sales department*))"| ft -a DisplayName,department

Get-ADUser, Get-ADComputer, and Get-ADGroup are specialized cmdlets used to find objects of a certain type – users, computers, or groups. If you don’t know the type of the AD object you want, or if you need information about all types of objects, use the more general Get-ADObject cmdlet. For example, to search for an object by SID:

Get-ADObject -LdapFilter "(objectSID=S-1-5-21-87654321-12345678-5566443311-1231)" -Properties * -SearchBase "OU=DE,DC=woshub,DC=com" | ft -a DisplayName,Title
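The date-based filters in the table above hard-code timestamps (pwdLastSet as a FILETIME integer, whenCreated as LDAP generalized time). The following added example (not code from the original article) builds those values from the current date and runs the filters through the -LDAPFilter parameter; the function names are the author's own and the filters are generalized from the table's two date entries.

```powershell
# Added example: building time-dependent LDAP filters instead of hard-coding them.
Import-Module ActiveDirectory

function Get-StalePasswordUsers {
    # Enabled users whose password was last set more than $Months ago.
    # pwdLastSet is a Windows FILETIME (100-ns intervals since 1601-01-01 UTC),
    # which is why the table used a large integer such as 132161330597286610.
    param([int]$Months = 3)
    $threshold = [DateTime]::UtcNow.AddMonths(-$Months).ToFileTimeUtc()
    # pwdLastSet=0 means "must change password at next logon"; exclude it so
    # such accounts are not reported as stale.
    $filter = "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(pwdLastSet<=$threshold)(!(pwdLastSet=0)))"
    Get-ADUser -LDAPFilter $filter -Properties pwdLastSet |
        Select-Object SamAccountName,
            @{ n = 'PasswordLastSet'; e = { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } }
}

function Get-UsersCreatedBetween {
    # Users created in a date range. whenCreated is compared as LDAP generalized
    # time in UTC ("Z" suffix), the format the table shows as 20190101000000.0Z.
    param(
        [Parameter(Mandatory)][DateTime]$Start,
        [DateTime]$End = (Get-Date)
    )
    $fmt = 'yyyyMMddHHmmss.0Z'
    $s = $Start.ToUniversalTime().ToString($fmt)
    $e = $End.ToUniversalTime().ToString($fmt)
    $filter = "(&(objectCategory=person)(objectClass=user)(whenCreated>=$s)(whenCreated<=$e))"
    Get-ADUser -LDAPFilter $filter -Properties whenCreated |
        Select-Object SamAccountName, whenCreated
}

# Usage: passwords older than 3 months, and accounts created since January 1 of this year
Get-StalePasswordUsers -Months 3 | Format-Table -AutoSize
$yearStart = Get-Date -Month 1 -Day 1 -Hour 0 -Minute 0 -Second 0
Get-UsersCreatedBetween -Start $yearStart | Format-Table -AutoSize
```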
