How-To Technical

Saved Queries feature in Active Directory

This post focuses on custom queries that allow you to perform additional tasks in Active Directory.

Microsoft's Active Directory Users and Computers (ADUC) is a wonderful tool and is very useful when it comes to managing user and computer accounts in your domain.  It also has another feature which doesn't get used often: the ability to build Lightweight Directory Access Protocol (LDAP) queries and save them for later use.  These queries can be exported and shared with other administrators to find out day-to-day information such as expired user accounts, users whose accounts are locked out, etc.  You can find this in ADUC under Saved Queries.


Go to Active Directory Users and Computers:
Right-click the Saved Queries folder and select New, then Query.
Enter an appropriate Name and Description.
Make sure the query root is set to the domain level you want the query to pertain to.
Select the Include sub-containers check box if you want the query to search all sub-containers.
Click Define Query.
In the Find dialog box, click the Find drop-down arrow and select Custom Search.
On the Advanced tab, enter your LDAP query string into the Enter LDAP query box.
Click OK twice.

Here are some saved queries I have used:

Users that have been given dial-in permissions

Users whose accounts are disabled

Users that must change password at next logon

List all groups that start with IN or SA

Find all Universal Groups

I think you get the idea at this point.
Here are some more saved queries I happened to find while searching Google:


Find Groups that contain the word admin

Find users who have admin in the description field

Find all Universal Groups

Empty Groups with No Members

Find all groups defined as a Global Group, a Domain Local Group, or a Universal Group

Find all Users with the name Bob

Find user accounts with passwords set to never expire

Find all users that have never logged on to the domain

Find user accounts with no logon script

Find user accounts with no profile path

Find non-disabled accounts that must change their password at next logon

Find all disabled accounts in Active Directory

Find all locked-out accounts

Find Domain Local Groups

Find all Users with an Email Address set

Find all Users with no Email Address

Find all Users, Groups or Contacts where Company or Description is Contractors

Find all Users with Mobile numbers 712 or 155

Find all Users with Dial-In permissions

Find all printers with color printing capability
Note: the server name must be changed

Find Users Mailboxes Overriding Exchange Size Limit Policies

Find all Users that need to change their password at next logon.

Find all Users that are almost locked out
Notice the ">=", which means "greater than or equal to".

Find all Computers that do not have a Description

Find all users with Hidden Mailboxes

Find all Windows 2000 SP4 computers
(&(objectCategory=computer)(operatingSystem=Windows 2000 Professional)(operatingSystemServicePack=Service Pack 4))

Find all Windows XP SP2 computers
(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 2))

Find all Windows XP SP3 computers
(&(objectCategory=computer)(operatingSystem=Windows XP Professional)(operatingSystemServicePack=Service Pack 3))

Find all Vista SP1 computers
(&(sAMAccountType=805306369)(objectCategory=computer)(operatingSystem=Windows Vista*)(operatingSystemServicePack=Service Pack 1))

Find All Workstations

Find all Windows Server 2003 servers that are not DCs (primaryGroupID 516 is the Domain Controllers group, so the "!" excludes DCs)
(&(sAMAccountType=805306369)(!(primaryGroupID=516))(objectCategory=computer)(operatingSystem=Windows Server 2003*))

Find all Windows Server 2003 DCs
(&(sAMAccountType=805306369)(primaryGroupID=516)(objectCategory=computer)(operatingSystem=Windows Server 2003*))

Find all Windows Server 2008 servers that are not DCs
(&(sAMAccountType=805306369)(!(primaryGroupID=516))(objectCategory=computer)(operatingSystem=Windows Server 2008*))
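As an added example (not part of the original post), here is a small Python evaluator for filters like the ones above: it parses RFC 4515 filter syntax, including the redundant nested AND wrappers that ADUC generates, "!" negation, "*" wildcards and the ">=" comparison mentioned earlier, and runs a filter over a constructed set of computer objects so you can see which objects the DC and non-DC filters select before saving them. The directory contents, including the badPwdCount values, are constructed for illustration and are not real hosts.

```python
import re

# Constructed sample accounts: sAMAccountType 805306369 = machine, primaryGroupID 516 = DC.
DIRECTORY = [
    {"cn": "DC01", "objectCategory": "computer", "sAMAccountType": "805306369",
     "primaryGroupID": "516", "operatingSystem": "Windows Server 2003", "badPwdCount": "0"},
    {"cn": "FS01", "objectCategory": "computer", "sAMAccountType": "805306369",
     "primaryGroupID": "515", "operatingSystem": "Windows Server 2003 R2", "badPwdCount": "4"},
    {"cn": "WS17", "objectCategory": "computer", "sAMAccountType": "805306369", "primaryGroupID": "515",
     "operatingSystem": "Windows XP Professional", "operatingSystemServicePack": "Service Pack 3"},
]

def parse(s, i=0):
    """Parse one parenthesised RFC 4515 filter item at s[i]; return (node, index after it)."""
    assert s[i:i + 1] == "(", "expected '(' at offset %d" % i
    op, i, kids = s[i + 1], i + 2, []
    if op in "&|":                         # AND / OR over any number of child filters
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        node = (op, kids)
    elif op == "!":                        # NOT over exactly one child filter
        kid, i = parse(s, i)
        node = ("!", [kid])
    else:                                  # attr=value, attr>=value or attr<=value
        end = s.index(")", i - 1)
        attr, op, value = re.fullmatch(r"([\w-]+)(>=|<=|=)(.*)", s[i - 1:end]).groups()
        node, i = (op, attr, value), end
    assert s[i:i + 1] == ")", "unbalanced filter at offset %d" % i
    return node, i + 1

def matches(node, obj):
    """Evaluate a parsed filter against one object; an absent attribute never matches."""
    if node[0] == "!":
        return not matches(node[1][0], obj)
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, obj) for k in node[1])
    op, attr, value = node
    actual = next((v for k, v in obj.items() if k.lower() == attr.lower()), None)  # names are case-insensitive
    if actual is None:
        return False
    if op == "=":                          # '*' is the only wildcard; string matching is case-insensitive
        return re.fullmatch(".*".join(map(re.escape, value.lower().split("*"))), actual.lower()) is not None
    a, b = (int(actual), int(value)) if (actual + value).isdigit() else (actual, value)
    return a >= b if op == ">=" else a <= b

def search(filter_str, directory=DIRECTORY):  # cn of every object the filter selects
    node, end = parse(filter_str)
    assert end == len(filter_str), "trailing characters after filter"
    return [o["cn"] for o in directory if matches(node, o)]
```

Paste any of the filters above into search() to preview its result set; an unbalanced filter raises an AssertionError pointing at the offset where a parenthesis is missing.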