Based on Q269181, you can specify a filter attribute like this:
attributename:ruleOID:=value
Which turns into something like this:
Code:
(userAccountControl:1.2.840.113556.1.4.803:=2)
userAccountControl is the attribute used to store the user's password and account status information.
1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND so it should match every account that has only the value specified.
2 is the value for an account being locked out. This is a decimal bit-mask value specified in Q305144:
Code:
ACCOUNTDISABLE        0x2      2      # Account is disabled
NORMAL_ACCOUNT        0x0200   512    # Account is normal
DONT_EXPIRE_PASSWORD  0x10000  65536  # Account password never expires
So in theory, by adding something like:
Code:
(!(userAccountControl:1.2.840.113556.1.4.804:=2))
it should filter so that only active accounts that are not locked out are returned by the LDAP search. (...804) is the OR operation.
I haven't been able to find a combination that works, though. Has anyone else?
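As an added example (not part of the post above), here is a small Python model of how the two matching rules from the post evaluate against userAccountControl values. The sample accounts are constructed, and the filter parser only handles the two one-term shapes shown in the post, with and without the `!` negation.

```python
# Flag values from the post's table (decimal column)
ACCOUNTDISABLE = 0x2
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
# Matching-rule OIDs discussed in the post
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def matches_rule(oid, attr_value, mask):
    """One extensible-match assertion: BIT_AND is true when every bit of mask
    is set in attr_value, BIT_OR when at least one bit of mask is set."""
    if oid == LDAP_MATCHING_RULE_BIT_AND:
        return (attr_value & mask) == mask
    if oid == LDAP_MATCHING_RULE_BIT_OR:
        return (attr_value & mask) != 0
    raise ValueError("unsupported matching rule: " + oid)


def parse_filter(filter_str):
    """Parse the two shapes used in the post, (attr:oid:=value) and
    (!(attr:oid:=value)). Returns (negated, oid, value)."""
    negated = filter_str.startswith("(!(") and filter_str.endswith("))")
    if not negated and not (filter_str.startswith("(") and filter_str.endswith(")")):
        raise ValueError("unsupported filter: " + filter_str)
    inner = filter_str[3:-2] if negated else filter_str[1:-1]
    attr, oid, assertion = inner.split(":", 2)
    if attr != "userAccountControl" or not assertion.startswith("="):
        raise ValueError("unsupported filter: " + filter_str)
    return negated, oid, int(assertion[1:])


def search(entries, filter_str):
    """Return the names of entries whose userAccountControl satisfies the filter."""
    negated, oid, mask = parse_filter(filter_str)
    return [name for name, uac in entries if matches_rule(oid, uac, mask) != negated]


# Constructed sample accounts: (sAMAccountName, userAccountControl)
SAMPLE = [
    ("alice", NORMAL_ACCOUNT),                                        # 512
    ("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE),                         # 514
    ("svc", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),                   # 66048
    ("old", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE),  # 66050
]

if __name__ == "__main__":
    for f in ("(!(userAccountControl:1.2.840.113556.1.4.803:=2))",
              "(!(userAccountControl:1.2.840.113556.1.4.804:=2))",
              "(userAccountControl:1.2.840.113556.1.4.803:=65538)",
              "(userAccountControl:1.2.840.113556.1.4.804:=65538)"):
        print(f, "->", search(SAMPLE, f))
```

With a single-bit mask such as 2 the AND and OR rules select the same accounts; the difference only shows with a multi-bit mask like 65538, where 803 requires both bits and 804 accepts either. In the post's own table the value 2 is ACCOUNTDISABLE, so these filters select on the disabled flag, not on a lockout state.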