Creating a saved query
The Saved Queries option is available in Active Directory Users and Computers as the first node in the left pane. By right-clicking on the node, you will have the option to create a new query, as shown in Figure 1.
Figure 1. Create a new query under Active Directory Users and Computers.
Possible queries come predefined
Each new query requires that you specify which attributes you want to target for the objects in your query. To define these attributes, click the Define Query button, as shown in Figure 1. This will open the Find Common Queries dialog box, as shown in Figure 2.
Figure 2. The Find Common Queries dialog box lets you pick your object attributes.
As you can see, there are three main
In addition to querying on Name and Description, there are other common queries predefined for users and computers. For users, you can choose from the following predefined common queries:
Disabled accounts: This will display all user accounts that have been disabled throughout the entire Active Directory structure.
Non-expiring passwords: It is very difficult to determine which user accounts have passwords that do not expire without some form of query. This query will quickly display all of these accounts.
Days since last logon: This allows you to provide a variable number of days to determine which users have not logged in. It is excellent for finding stale accounts that have not been disabled or accounts that are not logging off at the end of the day.
For the computer accounts, you have a predefined query for viewing disabled accounts. Like the user accounts, this will display all of the computer accounts throughout the domain that have been disabled for one reason or another.
By using the Saved Queries feature in Active Directory Users and Computers on a Windows Server 2003 domain controller, you can extend your documentation, administration and auditing capabilities. Here, we looked at the predefined queries, but you can also develop your own custom queries. This extends the Saved Queries feature to the entire Active Directory database. The interface helps you build your own queries, so you don't need to be a wiz at LDAP.
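For scripted audits, the predefined queries described above can be written as LDAP filters and checked against exported account data. The following Python code is an added example, not part of the original article; the filter strings are the commonly used equivalents (an assumption, not necessarily the exact text the dialog generates), and the function names, reference date and sample records are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002             # userAccountControl: account disabled
DONT_EXPIRE_PASSWORD = 0x10000      # userAccountControl: password never expires
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
USERS = "(objectCategory=person)(objectClass=user)"
COMPUTERS = "(objectCategory=computer)"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(moment):
    """Aware datetime -> 100-nanosecond intervals since 1601-01-01 UTC."""
    return (moment - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def uac_filter(scope, flag):
    """Match objects in scope whose userAccountControl has the flag bit set."""
    return f"(&{scope}(userAccountControl:{BIT_AND}:={flag}))"

def stale_users(days, now):
    # lastLogonTimestamp is updated lazily, so small day counts are approximate.
    cutoff = to_filetime(now - timedelta(days=days))
    return f"(&{USERS}(lastLogonTimestamp<={cutoff}))"

def audit(accounts, days, now):
    """Apply the same tests offline to exported account records."""
    cutoff = to_filetime(now - timedelta(days=days))
    report = {"disabled": [], "non_expiring": [], "stale": [], "never_logged_on": []}
    for acct in accounts:
        uac, last = acct["userAccountControl"], acct.get("lastLogonTimestamp")
        if uac & ACCOUNTDISABLE:
            report["disabled"].append(acct["name"])
        if uac & DONT_EXPIRE_PASSWORD:
            report["non_expiring"].append(acct["name"])
        if last is None:  # attribute absent: the <= filter cannot match these
            report["never_logged_on"].append(acct["name"])
        elif last <= cutoff:
            report["stale"].append(acct["name"])
    return report

NOW = datetime(2005, 4, 1, tzinfo=timezone.utc)  # constructed reference date
# Constructed records: (name, userAccountControl, days since last logon or None)
ROWS = [("alice", 512, 3), ("bob", 514, 200), ("svc_backup", 66048, 1),
        ("carol", 512, 120), ("newhire", 512, None)]
SAMPLE = [{"name": n, "userAccountControl": u,
           "lastLogonTimestamp": None if d is None else to_filetime(NOW - timedelta(days=d))}
          for n, u, d in ROWS]

if __name__ == "__main__":
    print(uac_filter(USERS, ACCOUNTDISABLE), stale_users(90, NOW), sep="\n")
    print(audit(SAMPLE, 90, NOW))
```

The disabled computer accounts query is uac_filter(COMPUTERS, ACCOUNTDISABLE). Accounts that have never logged on carry no lastLogonTimestamp value, so the offline check reports them separately from the stale list.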
Derek Melber provides customized training for auditors, security professionals and network administrators. His book series on auditing Windows security is available at The IIA Bookstore. Online training is also available, which coincides with the books. E-mail Derek at firstname.lastname@example.org.
This was first published in April 2005