Active Directory Queries Everyone Should Have

Posted: May 1, 2014 in Systems
Tags: ,

Most of these are pretty simple and should be setup and reviewed on a regular basis by Administrators responsible for Active Directory environments.  Here is an easy way to save the queries in AD.

Capture

Admin Groups

1. Right click Saved Queries–>Select New Query–>Type a Name and select the Domain, Include all Subcontainers

2. Select Define Query–>Advanced Tab

3. Add Field = Member Of, Condition Is (exactly), Value = CN=Administrators,CN=Builtin,DC=<type domain name>,DC=com

4. Save

Disabled Accounts

1. Right click Saved Queries–>Select New Query–>Type a Name and select the Domain, Include all Subcontainers

2. Select Define Query–>Check “Disabled Accounts”

3. Save

Non-Expiring Pwd

1. Right click Saved Queries–>Select New Query–>Type a Name and select the Domain, Include all Subcontainers

2. Select Define Query–>Check “Non Expiring Passwords”

3. Save

Accounts Locked Out

1. Right click Saved Queries–>Select New Query–>Type a Name and select the Domain, Include all Subcontainers

2. Select Define Query–>Advanced Tab

3. Select Custom Search at the top and enter the following LDAP query

(&(&(&(objectCategory=person)(objectClass=user)(lockoutTime:1.2.840.113556.1.4.804:=4294967295))))

4. Save

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s