Aklımda olsunlardan bir tane daha....
Active Directory Aramaya Dair
Ref: http://support.microsoft.com/kb/827754/tr
(&(objectCategory=person)(objectClass=user))
LDAP arama filtresini kullanır ve Active Directory'deki tüm kullanıcı hesaplarının kullanıcı profili bilgileri alınır.
Bu filtre, tüm etkin ve devre dışı kullanıcı hesaplarını alır.
(&(objectCategory=person)(objectClass=user)( !(userAccountControl:1.2.840.113556.1.4.803:=2)))
Yalnızca etkin olan kullanıcı hesapları için kullanıcı profili bilgilerini almak için, yukarıdaki LDAP arama filtresini kullanın.
# Arama tabanı kutusuna, kullanıcı profillerini almak istediğiniz Active Directory nesnesinin ayırt edici adını yazın.
Arama tabanı nesnesinin DN değeri, Active Directory'de aramanıza başlatmak istediğiniz konumu tanımlar. DN örnekleri aşağıda verilmektedir:
* DC=EtkiAlanıAdı, DC=com
* CN=Users, DC=EtkiAlanıAdı, DC=com
* OU=KuruluşBirimi, DC=EtkiAlanıAdı, DC=com
# Kullanıcı filtresi kutusuna aşağıdaki LDAP arama filtresini yazın:
(&(objectCategory=person)(objectClass=user)( !(userAccountControl:1.2.840.113556.1.4.803:=2)))
Setting Search Filters
Ref: msdn
DirectoryEntry entry = new DirectoryEntry("LDAP://CN=users,DC=fabrikam,DC=com");
DirectorySearcher mySearcher = new DirectorySearcher(entry);
mySearcher.Filter = "(&(objectClass=user)(anr=test*))";
SearchResultCollection ResEnt = mySearcher.FindAll();
{
// Handle results.
}
Creating a Query Filter
Ref: msdn
Examples
The following query string will search for all objects of type "computer".
(objectCategory=computer)
The following query string will search for all objects of type "computer" with a name that begins with "desktop".
(&(objectCategory=computer)(name=desktop*))
The following query string will search for all objects of type "computer" with a name that begins with "desktop" or a name that begins with "notebook".
(&(objectCategory=computer)(|(name=desktop*)(name=notebook*)))
The following query string will search for all objects of type "user" that have a home phone number.
(&(objectCategory=user)(homePhone=*))
- Finding Objects by Class
- Finding Objects by Name
- Finding a List of Attributes To Query
- Checking the Query Filter Syntax
- How to Specify Comparison Values
Ortaya karışık
Ref: http://blogs.technet.com/b/heyscriptingguy/archive/2005/08/29/how-can-i-get-a-list-of-all-the-users-whose-passwords-never-expire.aspx
The starting point for the search. We want to search all of Active Directory, so that means starting in the root (i.e., fabrikam.com).
&
Equivalent to the AND operator in a SQL query. We need this because we’re searching for users and we’re searching for a specific value in the userAccountControl attribute. Both of these criteria must be met for an object to be returned.
(objectCategory=User)
Limits the returned data to user accounts.
(userAccountControl:1.2.840.113556.1.4.803:=65536)
Indicates that we want to return only those accounts where the userAccounControl flag for 65536 is switched on; that equates to user accounts where the password doesn’t expire. We’ll explain this werid-looking block of code in a little more detail down below.
1.2.840.113556.1.4.803 is “LDAP bit matching rule”
Name
The Active Directory attributes we want reported back. We’re asking to get back only a single attribute: Name. To report back additional attributes just tack them on to the end of Name, separating each one using commas:
Name,cn,AdsPath
Subtree
Indicates the type of search. Specifying Subtree causes the script to search all the OUs and containers found in the root of fabrikam.com. Because all the OUs and containers have to be found in the root this causes the script to search all of Active Directory.
* ----------------------------------------------------------------------------------------------------------------------------------------------
Ref: http://blogs.technet.com/b/heyscriptingguy/archive/2007/05/03/hey-scripting-guy-how-can-i-determine-the-home-directory-for-all-the-disabled-user-accounts-in-active-directory.aspx
(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2)). This, believe it or not, is our query filter, the part where we specify the criteria for the search. In this case, we have two criteria that must be met: the object must have an objectCategory equal to user, and the flag for a disabled user account (which has a value of 2) must be set. Granted, none of that is particularly obvious just from looking at the query, but it’s true. For example, the 1.2.840.113556.1.4.803 is the “LDAP bit matching rule,” something which is essentially equal to the AND keyword in a Boolean command like If objUserAccountControl AND 2.
* ----------------------------------------------------------------------------------------------------------------------------------------------
Ref: http://msdn.microsoft.com/en-us/library/ms680832.aspx
This attribute value can be zero or a combination of one or more of the following values.
Hexadecimal value Identifier (defined in iads.h) Description
0x00000001 ADS_UF_SCRIPT The logon script is executed.
0x00000002 ADS_UF_ACCOUNTDISABLE The user account is disabled.
0x00000008 ADS_UF_HOMEDIR_REQUIRED The home directory is required.
0x00000010 ADS_UF_LOCKOUT The account is currently locked out.
0x00000020 ADS_UF_PASSWD_NOTREQD No password is required.
0x00000040 ADS_UF_PASSWD_CANT_CHANGE The user cannot change the password.
Note You cannot assign the permission settings of PASSWD_CANT_CHANGE by directly modifying the UserAccountControl attribute. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
:
0x00000080 ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED The user can send an encrypted password.
0x00000100 ADS_UF_TEMP_DUPLICATE_ACCOUNT This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.
0x00000200 ADS_UF_NORMAL_ACCOUNT This is a default account type that represents a typical user.
0x00000800 ADS_UF_INTERDOMAIN_TRUST_ACCOUNT This is a permit to trust account for a system domain that trusts other domains.
0x00001000 ADS_UF_WORKSTATION_TRUST_ACCOUNT This is a computer account for a computer that is a member of this domain.
0x00002000 ADS_UF_SERVER_TRUST_ACCOUNT This is a computer account for a system backup domain controller that is a member of this domain.
0x00004000 N/A Not used.
0x00008000 N/A Not used.
0x00010000 ADS_UF_DONT_EXPIRE_PASSWD The password for this account will never expire.
0x00020000 ADS_UF_MNS_LOGON_ACCOUNT This is an MNS logon account.
0x00040000 ADS_UF_SMARTCARD_REQUIRED The user must log on using a smart card.
0x00080000 ADS_UF_TRUSTED_FOR_DELEGATION The service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service.
0x00100000 ADS_UF_NOT_DELEGATED The security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
0x00200000 ADS_UF_USE_DES_KEY_ONLY Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
0x00400000 ADS_UF_DONT_REQUIRE_PREAUTH This account does not require Kerberos pre-authentication for logon.
0x00800000 ADS_UF_PASSWORD_EXPIRED The user password has expired. This flag is created by the system using data from the Pwd-Last-Set attribute and the domain policy.
0x01000000 ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network
* ----------------------------------------------------------------------------------------------------------------------------------------------
Ref: http://msdn.microsoft.com/en-us/library/aa772300.aspx
ADS_USER_FLAG_ENUM Enumeration
typedef enum {
ADS_UF_SCRIPT = 1, // 0x1
ADS_UF_ACCOUNTDISABLE = 2, // 0x2
ADS_UF_HOMEDIR_REQUIRED = 8, // 0x8
ADS_UF_LOCKOUT = 16, // 0x10
ADS_UF_PASSWD_NOTREQD = 32, // 0x20
ADS_UF_PASSWD_CANT_CHANGE = 64, // 0x40
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128, // 0x80
ADS_UF_TEMP_DUPLICATE_ACCOUNT = 256, // 0x100
ADS_UF_NORMAL_ACCOUNT = 512, // 0x200
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048, // 0x800
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 4096, // 0x1000
ADS_UF_SERVER_TRUST_ACCOUNT = 8192, // 0x2000
ADS_UF_DONT_EXPIRE_PASSWD = 65536, // 0x10000
ADS_UF_MNS_LOGON_ACCOUNT = 131072, // 0x20000
ADS_UF_SMARTCARD_REQUIRED = 262144, // 0x40000
ADS_UF_TRUSTED_FOR_DELEGATION = 524288, // 0x80000
ADS_UF_NOT_DELEGATED = 1048576, // 0x100000
ADS_UF_USE_DES_KEY_ONLY = 2097152, // 0x200000
ADS_UF_DONT_REQUIRE_PREAUTH = 4194304, // 0x400000
ADS_UF_PASSWORD_EXPIRED = 8388608, // 0x800000
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 16777216 // 0x1000000
} ADS_USER_FLAG_ENUM;
Constants
ADS_UF_SCRIPT
The logon script is executed. This flag does not work for the ADSI LDAP provider on either read or write operations. For the ADSI WinNT provider, this flag is read-only data, and it cannot be set for user objects.
ADS_UF_ACCOUNTDISABLE
The user account is disabled.
ADS_UF_HOMEDIR_REQUIRED
The home directory is required.
ADS_UF_LOCKOUT
The account is currently locked out.
ADS_UF_PASSWD_NOTREQD
No password is required.
ADS_UF_PASSWD_CANT_CHANGE
The user cannot change the password. This flag can be read, but not set directly. For more information and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password.
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED
The user can send an encrypted password.
ADS_UF_TEMP_DUPLICATE_ACCOUNT
This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. Also known as a local user account.
ADS_UF_NORMAL_ACCOUNT
This is a default account type that represents a typical user.
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT
This is a permit to trust account for a system domain that trusts other domains.
ADS_UF_WORKSTATION_TRUST_ACCOUNT
This is a computer account for a Windows 2000 Professional or Windows 2000 Server that is a member of this domain.
ADS_UF_SERVER_TRUST_ACCOUNT
This is a computer account for a system backup domain controller that is a member of this domain.
ADS_UF_DONT_EXPIRE_PASSWD
When set, the password will not expire on this account.
ADS_UF_MNS_LOGON_ACCOUNT
This is an Majority Node Set (MNS) logon account. With MNS, you can configure a multi-node Windows cluster without using a common shared disk.
ADS_UF_SMARTCARD_REQUIRED
When set, this flag will force the user to log on using a smart card.
ADS_UF_TRUSTED_FOR_DELEGATION
When set, the service account (user or computer account), under which a service runs, is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, set this flag on the userAccountControl property of the service account.
ADS_UF_NOT_DELEGATED
When set, the security context of the user will not be delegated to a service even if the service account is set as trusted for Kerberos delegation.
ADS_UF_USE_DES_KEY_ONLY
Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
Active Directory Client Extension: Not supported.
ADS_UF_DONT_REQUIRE_PREAUTH
This account does not require Kerberos preauthentication for logon.
Active Directory Client Extension: Not supported.
ADS_UF_PASSWORD_EXPIRED
The user password has expired. This flag is created by the system using data from the password last set attribute and the domain policy. It is read-only and cannot be set. To manually set a user password as expired, use the NetUserSetInfo function with the USER_INFO_3 (usri3_password_expired member) or USER_INFO_4 (usri4_password_expired member) structure.
Active Directory Client Extension: Not supported.
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
The account is enabled for delegation. This is a security-sensitive setting; accounts with this option enabled should be strictly controlled. This setting enables a service running under the account to assume a client identity and authenticate as that user to other remote servers on the network.
Active Directory Client Extension: Not supported.
* ----------------------------------------------------------------------------------------------------------------------------------------------
THE FOLLOWİNG EXAMPLE SHOWS HOW TO ENABLE A USER ACCOUNT.
DirectoryEntry usr = new DirectoryEntry("LDAP://CN=New User,CN=users,DC=fabrikam,DC=com");
int val = (int) usr.Properties["userAccountControl"].Value;
usr.Properties["userAccountControl"].Value = val & ~(int)ActiveDs.ADS_USER_FLAG.ADS_UF_ACCOUNTDISABLE;
usr.CommitChanges();
THE FOLLOWİNG EXAMPLE SHOWS HOW TO DİSABLE A USER ACCOUNT.
DirectoryEntry usr = new DirectoryEntry("LDAP://CN=Old User,CN=users,DC=fabrikam,DC=com");
int val = (int) usr.Properties["userAccountControl"].Value;
usr.Properties["userAccountControl"].Value = val | (int)ActiveDs.ADS_USER_FLAG.ADS_UF_ACCOUNTDISABLE;
usr.CommitChanges();
AD Properties
General Property Page
First Name givenName
Last Name sn
Initials initials
Description description
Office physicalDeliveryOfficeName
Telephone Number telephoneNumber
Telephone: Other otherTelephone
E-Mail mail
Web Page wwwHomePage
Web Page: Other url
Account Property Page
UserLogon Name userPrincipalName
User logon name (pre-Windows 2000) sAMAccountname
Logon Hours logonHours
Log On To logonWorkstation
Account is locked out userAccountControl
User must change password at next logon pwdLastSet
User cannot change password N/A
Other Account Options userAccountControl
Account Expires accountExpires
Address Property Page
Street streetAddress
P.O.Box postOfficeBox
City l
State/Province st
Zip/Postal Code postalCode
Country/Region c, co, and countryCode
Member Of Property Page
Member of memberOf
Set Primary Group primaryGroupID
Organization Property Page
Title title
Department department
Company company
Manager:Name manager
Direct Reports directReports
Profile Property Page
Profile Path profilePath
Logon Script scriptPath
Home Folder: Local Path homeDirectory
Home Folder: Connect homeDrive
Home Folder: To homeDirectory
Telephone Property Page
Home homePhone
Home: Other otherTelephone
Pager pager
Pager: Other pagerOther
Mobile mobile
Mobile: Other otherMobile
Fax facsimileTelephoneNumber
Fax: Other otherFacsimileTelephoneNumber
IP phone ipPhone
IP phone: Other otherIpPhone
Notes info
