Reputation: 762
I am using DirectorySearcher to make an LDAP request in Active Directory, but I keep having an ArgumentException thrown because of an invalid filter. Most probably because of a wrong form of the accountExpires attribute from Active Directory. I would like to find all expired accounts using LDAP, but how can I convert DateTime.Now to accountExpires format? This is what I've done and it raises an exception. If I take out the accountExpires attribute, it doesn't create any problem:
search.Filter = "(&(objectCategory=person)"+
"(!(objectClass=contact))"+
"(accountExpires>0)"+
"(accountExpires<=129383640000000000)"+
")";
I don't really know how to convert dates to accountExpires format, and I believe the problem to come from a wrong date format.
Any ideas?
Upvotes: 2
Views: 1797
Reputation: 1815
Your filter does not seem to be compatible with LDAP filter syntax: the negation should be placed on the condition, not as a condition:
(objectClass!=contact)
should be written:
(!(objectClass=contact))
It doesn't seem to me that the syntax of the accountExpires conditions is wrong; your conditions mean that the account has an expiration date set and should be "syntactically" valid.
If what you want to achieve is to filter accounts which do have an expiration date and whose date is not "never", you could use this syntax (according to ldapwiki.com/wiki/AccountExpires):
(!(|(accountExpires=0x7FFFFFFFFFFFFFFF)(accountExpires=0)))
or
(!(|(accountExpires=9223372036854775807)(accountExpires=0)))
Upvotes: 2
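The conversion the question asks about, and a filter built from it, as an added example that is not part of the original posts: accountExpires is stored as a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC), which DateTime.ToFileTimeUtc() produces. The class and method names are hypothetical, and the comparisons use >= and <= because LDAP filter syntax defines no strict > or < operators.

```csharp
using System;
using System.Globalization;

// Hypothetical helper (not from the original posts).
static class AccountExpiresFilter
{
    // The two accountExpires values that mean "never expires".
    const long NeverZero = 0;
    const long NeverMax = long.MaxValue; // 9223372036854775807 = 0x7FFFFFFFFFFFFFFF

    // DateTime -> accountExpires (FILETIME ticks, UTC).
    // ToFileTimeUtc() converts a local-kind DateTime to UTC first.
    public static long ToAccountExpires(DateTime when) => when.ToFileTimeUtc();

    // accountExpires -> DateTime, or null for the "never expires" values.
    // long.MaxValue must be filtered out: FromFileTimeUtc would throw on it.
    public static DateTime? FromAccountExpires(long value) =>
        (value == NeverZero || value == NeverMax)
            ? (DateTime?)null
            : DateTime.FromFileTimeUtc(value);

    // Filter for person objects (contacts excluded) whose expiry is at or before 'cutoff'.
    public static string ExpiredAccountsFilter(DateTime cutoff)
    {
        string limit = ToAccountExpires(cutoff).ToString(CultureInfo.InvariantCulture);
        return "(&(objectCategory=person)"
             + "(!(objectClass=contact))"
             + "(accountExpires>=1)"               // excludes 0 ("never")
             + "(accountExpires<=" + limit + ")"   // also excludes long.MaxValue
             + ")";
    }

    static void Main()
    {
        // Assign the resulting string to search.Filter on the DirectorySearcher.
        Console.WriteLine(ExpiredAccountsFilter(DateTime.UtcNow));

        // Decode the constant used in the question back to a UTC date.
        Console.WriteLine(FromAccountExpires(129383640000000000)?.ToString("u"));

        // A "never expires" value decodes to null rather than throwing.
        Console.WriteLine(FromAccountExpires(long.MaxValue).HasValue);
    }
}
```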
Reputation: 1015
That must be because of an improper way of passing the string; try closing the double quotes after each line.
search.Filter = "(&(objectCategory=person)"+
"(objectClass!=contact)"+
"(accountExpires>0)"+
"(accountExpires<=129383640000000000)"+
")";
Upvotes: 1