Retrieving only enabled accounts on active directory

Question

I'd like to send a search string to Microsoft's Active Directory (using Java) that says "give me all the users who have an enabled account."

Currently, I have:

String search_string = "(& (objectClass=user) )";

but, of course, this only give me the users on AD. I'd like to also get only those who are active. It's in Java, but I don't think it matters for LDAP.

Answer 1

Here is as far as I understand the Active-Directory critaria to check if an account is active or not.

How to use the UserAccountControl flags to manipulate user account properties gives you the state of an account, you may be interested in :

• ACCOUNTDISABLE (2)
• LOCKOUT (16)

To use this field in a filter you can use LDAP_MATCHING_RULE_IN_CHAIN OID, as discribed in Microsoft article Search Filter Syntax.

(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.804:=18)))

Answer 2

In order to get the enabled users you must check the userAccountControl attribute and specifically its second bit, which corresponds to ACCOUNTDISABLE flag. MS KB 305144.

This can be done with LDAP filter like this:

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Check this article about Filtering for Bit Fields for details on how this work.

Also you should know that computer accounts are inherited from the user type, so you should add a condition in you filter, to filter them out. You also may want to check the bit for NORMAL_ACCOUNT flag (512), to filter other kind of accounts.

I do not know what do you mean by active users, so I cannot help you there.