Reputation: 4058
I want to create a script to identify AD users which are valid in an Active Directory via LDAP. The problem is I don't know exactly what "valid users in an Active Directory" means...
Imagine we have a list of Windows logins. We want to query whether a user is able to log in. That means the account is not expired, is not inactive, ... what else?
import ldap

# l is an already-bound ldap.LDAPObject
res = l.search_s("DC=...",
                 ldap.SCOPE_SUBTREE,
                 '(&(objectClass=user)(sAMAccountName=%s))' % sAMAccountName,
                 ['lastLogon', 'accountExpires', 'cn', 'mail', 'lockoutTime'])
My script becomes more and more complex with if-else-if-else. I am looking for a clear and transparent way to query: is a user currently able to log in?
Upvotes: 0
Views: 1557
Reputation: 1815
After further research:
You should use:
(lockoutTime>=1)
: it is the timestamp when the account was locked, so if it is set the account is locked (search ldapwiki.com for more information, as
I can't put more than 2 links in a post ;) ). I don't know Active Directory very well, but wouldn't it be easier to make all these tests in the LDAP filter?
Something like this (needs to be adapted to the attributes' LDAP syntax):
(&
  (objectClass=user)
  (sAMAccountName=%s)
  (lastLogon<=dateFrom1Year)
  (!(accountExpires=*))
  ...
)
Upvotes: 1
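As an added Python example (not code from the question or the answer), one function that turns the attributes search_s() returns into a yes/no answer with reasons, instead of a growing if-else chain. It goes a step beyond the two posts by also checking the ACCOUNTDISABLE bit of userAccountControl; the sample entries are constructed, not real directory data.

```python
# Added example: decide from search_s()-style attributes whether an AD account
# is currently able to log on. Sample data below is constructed.
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires values that mean "never expires"
ACCOUNTDISABLE = 0x0002           # userAccountControl flag bit


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def first_int(entry, attr, default=0):
    """search_s() returns each attribute as a list of bytes; read the first as int."""
    values = entry.get(attr)
    return int(values[0]) if values else default


def logon_blockers(entry, now=None):
    """Return the reasons this entry cannot log on; an empty list means it can.

    Caveat: lockoutTime is only the 'locked at' timestamp. Whether the lockout
    is still in force also depends on the domain's lockoutDuration, which this
    function does not know, so a stale nonzero value is reported as locked.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []
    if first_int(entry, 'userAccountControl') & ACCOUNTDISABLE:
        reasons.append('disabled')
    expires = first_int(entry, 'accountExpires')
    if expires not in NEVER and filetime_to_datetime(expires) <= now:
        reasons.append('expired')
    if first_int(entry, 'lockoutTime') != 0:
        reasons.append('locked out')
    return reasons


# Constructed entries in the shape search_s() returns (attribute -> list of bytes).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLES = {
    'alice': {'userAccountControl': [b'512'], 'accountExpires': [b'0'], 'lockoutTime': [b'0']},
    'bob':   {'userAccountControl': [b'514'], 'accountExpires': [b'9223372036854775807'], 'lockoutTime': [b'0']},
    'carol': {'userAccountControl': [b'512'], 'accountExpires': [b'130000000000000000'], 'lockoutTime': [b'133000000000000000']},
}

if __name__ == '__main__':
    for name, entry in SAMPLES.items():
        print(name, logon_blockers(entry, NOW) or ['ok'])
```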