To configure and use a saved query, do the following.
Go to Active Directory Users and Computers:
- Right click the Saved Queries folder and select New, Query.
- Enter an appropriate Name and Description.
- Make sure the query root is set to the domain level you want the query to pertain to.
- Select the Include subcontainers check box if you want the query to search all subcontainers.
- Click Define Query.
- In the Find dialog box, click the Find drop-down arrow and select Custom Search.
- On the Advanced tab, enter your LDAP query string into the Enter LDAP query box.
- Click OK twice.
Active Directory Saved Queries Templates
Find groups that contain the word admin
(objectcategory=group)(samaccountname=*admin*)
Find users who have admin in description field
(objectcategory=person)(description=*admin*)
Find all Universal Groups
(groupType:1.2.840.113556.1.4.803:=8)
Empty Groups with No Members
(objectCategory=group)(!member=*)
Finds all groups defined as a Global Group, a Domain Local Group, or a Universal Group
(groupType:1.2.840.113556.1.4.804:=14)
Find all users with Bob in the account name
(objectcategory=person)(samaccountname=*Bob*)
Find user accounts with passwords set to never expire
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)
Find all users that have never logged in to the domain
(&(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*))))
Find user accounts with no logon script
(objectcategory=person)(!scriptPath=*)
Find user accounts with no profile path
(objectcategory=person)(!profilepath=*)
Finds non-disabled accounts that must change their password at next logon
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
Finds all disabled accounts in active directory
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)
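Finds all locked out accounts
Note: Active Directory records a lockout in lockoutTime rather than in bit 16 of userAccountControl, so the filter tests lockoutTime.
(objectCategory=person)(objectClass=user)(lockoutTime>=1)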
Finds Domain Local Groups
(groupType:1.2.840.113556.1.4.803:=4)
Finds all Users with Email Address set
(objectcategory=person)(mail=*)
Finds all Users with no Email Address
(objectcategory=person)(!mail=*)
Find all Users, Groups or Contacts where Description starts with North or Company starts with Contractors
(|(objectcategory=user)(objectcategory=group)(objectcategory=contact))(|(description=North*)(company=Contractors*))
Find all Users with Mobile numbers starting with 712 or 155
(objectcategory=user)(|(mobile=712*)(mobile=155*))
Find all Users with Dial-In permissions
(objectCategory=user)(msNPAllowDialin=TRUE)
Find All printers with Color printing capability
Note: server name must be changed
(&(&(&(uncName=*Servername*)(objectCategory=printQueue)(printColor=TRUE))))
Find Users Mailboxes Overriding Exchange Size Limit Policies
(&(objectCategory=user)(mDBUseDefaults=FALSE))
Find all Users that need to change password on next login.
(&(objectCategory=user)(pwdLastSet=0))
Find all Users that are almost Locked-Out
Notice the “>=” that means “Greater than or equal to”.
(objectCategory=user)(badPwdCount>=2)
Find all Computers that do not have a Description
(objectCategory=computer)(!description=*)
Find all users with Hidden Mailboxes
(&(objectCategory=person)(objectClass=user)(msExchHideFromAddressLists=TRUE))
Find all Windows 2000 SP4 computers
(&(&(&(objectCategory=Computer)(operatingSystem=Windows 2000 Professional)(operatingSystemServicePack=Service Pack 4))))
Find all Windows XP SP2 computers
(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))))))))
Find all Windows XP SP3 computers
(&(&(&(&(&(&(&(objectCategory=Computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))))))))
Find all Vista SP1 computers
(&(&(&(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1)))))
Find All Workstations
(sAMAccountType=805306369)
Find all 2003 Servers Non-DCs
(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2003*)))
Find all 2003 Servers – DCs
(&(&(&(samAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))))
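Find all Server 2008 (non-DCs)
Note: on Windows Server 2008 the operatingSystem value has a ® after "Server", so the filter needs a wildcard there.
(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server* 2008*))))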
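How the two bitwise matching rules used throughout the list above evaluate, as an added example that is not part of the original article: 803 is a bitwise AND (every operand bit must be set), 804 is a bitwise OR (any operand bit is enough), and a leading ! inverts the result. The sample entries and the matches/select helpers are constructed for illustration.

```python
import re

# Matching-rule OIDs Active Directory accepts in LDAP filters.
BIT_AND = "1.2.840.113556.1.4.803"  # true when ALL operand bits are set
BIT_OR = "1.2.840.113556.1.4.804"   # true when ANY operand bit is set

# Constructed sample entries (illustrative values, not from a real directory).
USERS = [
    {"name": "alice", "useraccountcontrol": 512},         # normal, enabled
    {"name": "bob", "useraccountcontrol": 514},           # 512 + 2: disabled
    {"name": "svc-backup", "useraccountcontrol": 66048},  # 512 + 65536: never expires
]
GROUPS = [
    {"name": "sec-admins", "grouptype": -2147483646},  # global security group
    {"name": "sec-local", "grouptype": -2147483644},   # domain local security group
    {"name": "dl-staff", "grouptype": 8},              # universal distribution group
]

# Accepts (attr:oid:=n), (!attr:oid:=n) and (!(attr:oid:=n)).
ASSERTION = re.compile(r"\((!?)\(?(\w+):([\d.]+):=(\d+)\)?\)")


def matches(assertion, entry):
    """Evaluate one bitwise assertion (hypothetical helper) against an entry."""
    m = ASSERTION.fullmatch(assertion)
    if m is None:
        raise ValueError("not a bitwise assertion: " + assertion)
    negated, attr, oid, operand = m[1] == "!", m[2].lower(), m[3], int(m[4])
    value = entry[attr]  # attribute names are case-insensitive in LDAP
    if oid == BIT_AND:
        hit = (value & operand) == operand
    elif oid == BIT_OR:
        hit = (value & operand) != 0
    else:
        raise ValueError("unsupported matching rule: " + oid)
    return hit != negated


def select(assertion, entries):
    """Names of the entries that satisfy the assertion."""
    return [e["name"] for e in entries if matches(assertion, e)]


if __name__ == "__main__":
    print(select("(useraccountcontrol:%s:=2)" % BIT_AND, USERS))
    print(select("(!useraccountcontrol:%s:=2)" % BIT_AND, USERS))
    print(select("(groupType:%s:=14)" % BIT_OR, GROUPS))
```

Security groups carry the high bit in groupType, which is why their stored values are negative; the bitwise rules still match them, while a plain equality test such as (groupType=8) matches only the distribution variant.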




Find all Server 2008
(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server 2008*))))
Above does not find any Windows 2008 Servers. This does:
(&(&(&(&(&(samAccountType=805306369)(!(primaryGroupId=516)))(objectCategory=computer)(operatingSystem=Windows Server* 2008*)))))
Finds all disabled accounts in active directory
(objectCategory=person)(objectClass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
Above is not working (finds all except disabled). It should be:
(&(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))
Rainer,
Thank you for the fix
Very helpful list! Here are some others I use often:
List all Distribution Groups
(&(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))(objectCategory=ms-Exch-Dynamic-Distribution-List)(objectClass=msExchDynamicDistributionList)))
List all Security Groups (my security groups have the “sec-” prefix convention; many other people use this or something similarly identifiable).
(&(objectCategory=group)(name=sec-*))
Adding a few more
2008 Servers – Domain Controller query
(&(&(&(&(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server* 2008*)))))
Disabled Computer Accounts
(&(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2)))
Enabled Computer Accounts
(&(&(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))))
Thanks ..
Very good list.
Adding mine
SQL Servers (running on Windows 2003) (please verify in your environment)
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server 2003))
SQL Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*)(operatingSystem=Windows Server*))
Exchange Servers (running on Windows 2003) (please verify in your environment)
(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server 2003))
Exchange Servers any Windows Server OS
(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*))
Windows Vista SP1
(&(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))
Windows Server 2008 Enterprise
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008 Enterprise)(operatingSystemServicePack=Service Pack 1))
Windows Server 2008 (all versions)
(&(objectCategory=computer)(operatingSystem=Windows Server® 2008*))
Greetings AD Developer!
Thanks a lot for the current article! I have one more issue. The following is required:
Find all accounts in AD which have not changed their passwords in more than 6 months, for example.
Many thanks.
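A filter for the question above, as an added example that is not part of the original article or its comments: pwdLastSet is stored as a Windows FILETIME, so the cutoff date has to be converted before it can go into the query. The example assumes 180 days for "6 months"; the function names and sample accounts are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(moment):
    """Convert a timezone-aware datetime to FILETIME ticks."""
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def stale_password_filter(max_age_days, now=None):
    """LDAP filter for users whose password is older than max_age_days."""
    now = now or datetime.now(timezone.utc)
    cutoff = to_filetime(now - timedelta(days=max_age_days))
    # pwdLastSet>=1 leaves out accounts with pwdLastSet=0, which are already
    # flagged to change their password at next logon.
    return ("(&(objectCategory=person)(objectClass=user)"
            "(pwdLastSet>=1)(pwdLastSet<=%d))" % cutoff)


def stale_accounts(accounts, max_age_days, now):
    """Apply the same test offline to (name, pwdLastSet) pairs."""
    cutoff = to_filetime(now - timedelta(days=max_age_days))
    return [name for name, pwd_last_set in accounts if 1 <= pwd_last_set <= cutoff]


# Constructed sample data: a fixed "now" and three made-up accounts.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
ACCOUNTS = [
    ("alice", to_filetime(datetime(2023, 12, 1, tzinfo=timezone.utc))),  # recent
    ("bob", to_filetime(datetime(2023, 1, 15, tzinfo=timezone.utc))),    # stale
    ("newhire", 0),                                                      # must change
]

if __name__ == "__main__":
    print(stale_password_filter(180, NOW))
    print(stale_accounts(ACCOUNTS, 180, NOW))
```

The cutoff is fixed at the moment the filter string is built, so a saved query using it has to be regenerated periodically to keep the six-month window current.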