Have you ever been in Active Directory Users and Computers and wanted to list only the user accounts that have been disabled, or only those whose passwords never expire? If all of your domain controllers run Windows 2000 Server, you have a right to be frustrated, because the console offers no such view. If you have at least one Windows Server 2003 domain controller in the Active Directory, though, you no longer need to build your own custom queries. A new built-in feature called Saved Queries lets you query user, group and computer objects for security-relevant settings such as a disabled account, as well as other key attributes of those objects, and it keeps each query in the console so you can rerun it later.
Creating a saved query
The Saved Queries option is available in Active Directory Users and Computers as the first node in the left pane. By right-clicking on the node, you will have the option to create a new query, as shown in Figure 1.
Figure 1. Create a new query under Active Directory Users and Computers.
Possible queries come predefined
Each new query needs a name, a query root (the domain by default; browse to an organizational unit to narrow the scope) and the attributes you want to match on the objects it returns. To define the attributes, click the Define Query button, as shown in Figure 1. This opens the Find Common Queries dialog box, as shown in Figure 2.
Figure 2. The Find Common Queries dialog box lets you pick your object attributes.
As you can see, there are three main categories of objects that you can query: Users, Computers and Groups. For each of these, you can match on the Name or Description of the object. Because both fields accept partial matches rather than only exact names, a single query can pick up, for example, every account whose name starts with a given prefix.
In addition to querying on Name and Description, the dialog box predefines some common queries for users and computers. For users, you can choose from:
Disabled accounts: displays every user account under the query root that has been disabled (the account-disabled flag is set in the userAccountControl attribute).
Non-expiring passwords: it is very difficult to tell which user accounts have the "Password never expires" flag set without some form of query. This one lists all of them immediately.
Days since last logon: you supply a number of days, and the query lists the users whose last logon is at least that old. It is excellent for finding stale accounts that were never disabled. Two caveats apply. The query relies on the lastLogonTimestamp attribute, which exists only once the domain functional level is Windows Server 2003; it is replicated to every domain controller, but it is refreshed only about every two weeks, so treat the number of days as approximate. And a user who never logs off at the end of the day generates no new logon, so a long-lived session can make an active account look stale.
For computer accounts, there is a predefined query for disabled accounts. Like its user counterpart, it displays every computer account under the query root that has been disabled for one reason or another.
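Each predefined query is stored as an LDAP filter (ADUC shows it on the saved query's properties page), and the filter is the part worth understanding, because the dialog box hides the bit tests and timestamp arithmetic behind it. The Python below is an added example, not code from this article or from Microsoft: it builds the filters that the four predefined queries correspond to, plus one the dialog box does not offer, and runs the same tests over a handful of constructed sample accounts to show what each query does and does not catch. The sample accounts, the fixed "today" date and the function names are assumptions made for the example; the matching-rule OID, the userAccountControl flag values and the FILETIME epoch are the documented Active Directory ones.

```python
from datetime import datetime, timedelta, timezone

# Matching-rule OID LDAP_MATCHING_RULE_BIT_AND. ADUC uses it to test one flag
# inside the userAccountControl bit field.
BIT_AND = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 0x0002       # account is disabled
UF_NORMAL_ACCOUNT = 0x0200       # ordinary user account
UF_DONT_EXPIRE_PASSWD = 0x10000  # "Password never expires"

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC, the form
# in which lastLogonTimestamp is stored and compared.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to a Windows FILETIME integer."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def user_filter(*clauses: str) -> str:
    """Wrap clauses in the user-object scoping the Users tab adds to every query."""
    return "(&(objectCategory=person)(objectClass=user)" + "".join(clauses) + ")"


def disabled_users_filter() -> str:
    return user_filter(f"(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})")


def non_expiring_password_filter() -> str:
    return user_filter(f"(userAccountControl:{BIT_AND}:={UF_DONT_EXPIRE_PASSWD})")


def stale_users_filter(days: int, now: datetime) -> str:
    """'Days since last logon': lastLogonTimestamp at or before the cutoff."""
    cutoff = to_filetime(now - timedelta(days=days))
    return user_filter(f"(lastLogonTimestamp<={cutoff})")


def never_logged_on_filter() -> str:
    """Not a predefined query: accounts that have no lastLogonTimestamp at all."""
    return user_filter("(!(lastLogonTimestamp=*))")


def disabled_computers_filter() -> str:
    return f"(&(objectCategory=computer)(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE}))"


# Fixed "today" and constructed sample entries (hypothetical, not from a real domain).
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": UF_NORMAL_ACCOUNT,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=3))},
    {"sAMAccountName": "bob", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "svc_backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=1))},
    {"sAMAccountName": "carol", "userAccountControl": UF_NORMAL_ACCOUNT,
     "lastLogonTimestamp": to_filetime(NOW - timedelta(days=120))},
    {"sAMAccountName": "newhire", "userAccountControl": UF_NORMAL_ACCOUNT},  # never logged on
]


def has_flag(entry: dict, flag: int) -> bool:
    """The test the :1.2.840.113556.1.4.803:= rule performs: every bit of flag is set."""
    return (entry.get("userAccountControl", 0) & flag) == flag


def find_disabled(entries: list) -> list:
    return [e["sAMAccountName"] for e in entries if has_flag(e, UF_ACCOUNTDISABLE)]


def find_non_expiring(entries: list) -> list:
    return [e["sAMAccountName"] for e in entries if has_flag(e, UF_DONT_EXPIRE_PASSWD)]


def find_stale(entries: list, days: int, now: datetime, exclude_disabled: bool = False) -> list:
    """Mirror (lastLogonTimestamp<=cutoff). An entry with no such attribute never
    matches a <= comparison, so never-logged-on accounts are silently left out, and
    the predefined query does not exclude disabled accounts unless you add that test."""
    cutoff = to_filetime(now - timedelta(days=days))
    return [e["sAMAccountName"] for e in entries
            if "lastLogonTimestamp" in e and e["lastLogonTimestamp"] <= cutoff
            and not (exclude_disabled and has_flag(e, UF_ACCOUNTDISABLE))]


def find_never_logged_on(entries: list) -> list:
    return [e["sAMAccountName"] for e in entries if "lastLogonTimestamp" not in e]


if __name__ == "__main__":
    for label, flt, hits in [
        ("Disabled accounts", disabled_users_filter(), find_disabled(SAMPLE_USERS)),
        ("Non-expiring passwords", non_expiring_password_filter(), find_non_expiring(SAMPLE_USERS)),
        ("Days since last logon (90)", stale_users_filter(90, NOW), find_stale(SAMPLE_USERS, 90, NOW)),
        ("Never logged on", never_logged_on_filter(), find_never_logged_on(SAMPLE_USERS)),
    ]:
        print(f"{label}\n  filter: {flt}\n  matches: {hits}")
```

Any of the filter strings can be pasted into the Advanced tab of a Custom Search in ADUC, or handed to a command-line LDAP client, to reproduce the predefined query by hand. Two things the sample run makes visible that the dialog box does not: a disabled account that is also stale shows up in the "Days since last logon" result unless you add the disabled-flag test yourself, and an account that has never logged on has no lastLogonTimestamp at all, so it is invisible to that query and needs the separate "not present" filter.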
By using the Saved Queries feature in Active Directory Users and Computers on a Windows Server 2003 domain controller, you can extend your documentation, administration and auditing capabilities. Here we looked at the predefined queries, but you can also build your own: the Custom Search option in the Find Common Queries dialog box exposes every attribute in the directory and, on its Advanced tab, accepts a raw LDAP filter, so a custom query can reach anything stored in the Active Directory database. The interface helps you assemble the query, so you don't need to be a whiz at LDAP.
Derek Melber provides customized training for auditors, security professionals and network administrators. His book series on auditing Windows security is available at The IIA Bookstore. Online training is also available, which coincides with the books. E-mail Derek at firstname.lastname@example.org.