JSI Tip 9815. How can I filter an Active Directory query using a bitwise flag?

Jerold Schulman

October 16, 2005


When you compose an LDAP (Lightweight Directory Access Protocol) query, or a DSQUERY query, or an Adfind.exe query, you can filter your query based upon the values of attributes that you specify, like (sAMAccountName=Jerry).

If the attribute is a bitwise flag, like userAccountControl, you can use the attributename:ruleOID:=value syntax, where:

attributename is the LDAPDisplayName of the attribute, like userAccountControl.

ruleOID is 1.2.840.113556.1.4.803 for the LDAP_MATCHING_RULE_BIT_AND rule, which is TRUE only if every bit in the value is set in the attribute, or 1.2.840.113556.1.4.804 for the LDAP_MATCHING_RULE_BIT_OR rule, which is TRUE if any bit in the value is set in the attribute.

value is the decimal value that represents the bits to match.

If I wanted to run a DSQUERY that displays a user's distinguishedName and userPrincipalName if the user account is disabled, I would use:

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr distinguishedName userPrincipalName -limit 0

If I wanted to display a user's sAMAccountName if their account is disabled OR locked out OR their password is expired, I would use the BIT_OR rule with the three flag values added together (2 + 16 + 8388608 = 8388626):

dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.804:=8388626))" -attr sAMAccountName -limit 0

The meanings of the bits in userAccountControl are:

Meaning                          Value in hexadecimal   Value in decimal
SCRIPT                           0x0001                 1
ACCOUNTDISABLE                   0x0002                 2
HOMEDIR_REQUIRED                 0x0008                 8
LOCKOUT                          0x0010                 16
PASSWD_NOTREQD                   0x0020                 32
PASSWD_CANT_CHANGE               0x0040                 64
ENCRYPTED_TEXT_PWD_ALLOWED       0x0080                 128
TEMP_DUPLICATE_ACCOUNT           0x0100                 256
NORMAL_ACCOUNT                   0x0200                 512
INTERDOMAIN_TRUST_ACCOUNT        0x0800                 2048
WORKSTATION_TRUST_ACCOUNT        0x1000                 4096
SERVER_TRUST_ACCOUNT             0x2000                 8192
DONT_EXPIRE_PASSWORD             0x10000                65536
MNS_LOGON_ACCOUNT                0x20000                131072
SMARTCARD_REQUIRED               0x40000                262144
TRUSTED_FOR_DELEGATION           0x80000                524288
NOT_DELEGATED                    0x100000               1048576
USE_DES_KEY_ONLY                 0x200000               2097152
DONT_REQ_PREAUTH                 0x400000               4194304
PASSWORD_EXPIRED                 0x800000               8388608
TRUSTED_TO_AUTH_FOR_DELEGATION   0x1000000              16777216
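As an added example that is not part of the original tip, the following Python shows how the BIT_AND and BIT_OR matching rules evaluate against the flag values in the table above, and how to build the decimal value for a filter from flag names. The account names and their userAccountControl values are constructed sample data.

```python
# Added example, not from the original tip: decode userAccountControl and
# apply the two bitwise matching rules to constructed sample accounts.
UAC_FLAGS = {  # values as listed in the tip
    "SCRIPT": 0x1, "ACCOUNTDISABLE": 0x2, "HOMEDIR_REQUIRED": 0x8,
    "LOCKOUT": 0x10, "PASSWD_NOTREQD": 0x20, "PASSWD_CANT_CHANGE": 0x40,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x80, "TEMP_DUPLICATE_ACCOUNT": 0x100,
    "NORMAL_ACCOUNT": 0x200, "INTERDOMAIN_TRUST_ACCOUNT": 0x800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}
BIT_AND = "1.2.840.113556.1.4.803"  # TRUE only if all bits in value are set
BIT_OR = "1.2.840.113556.1.4.804"   # TRUE if any bit in value is set

def mask(*names):
    """Combine flag names into the decimal value that goes in the filter."""
    return sum(UAC_FLAGS[n] for n in names)

def decode(uac):
    """List the flag names set in a userAccountControl value."""
    return [n for n, v in UAC_FLAGS.items() if uac & v]

def uac_filter(rule_oid, value):
    """Render the attributename:ruleOID:=value clause used by dsquery."""
    return f"(userAccountControl:{rule_oid}:={value})"

def matches(rule_oid, value, uac):
    """Evaluate the clause against one account's userAccountControl."""
    if rule_oid == BIT_AND:
        return uac & value == value
    if rule_oid == BIT_OR:
        return uac & value != 0
    raise ValueError(f"unknown matching rule {rule_oid}")

# Constructed sample accounts (hypothetical names, not real directory data).
ACCOUNTS = {
    "alice": mask("NORMAL_ACCOUNT"),
    "bob": mask("NORMAL_ACCOUNT", "ACCOUNTDISABLE"),
    "carol": mask("NORMAL_ACCOUNT", "PASSWORD_EXPIRED"),
    "dave": mask("NORMAL_ACCOUNT", "ACCOUNTDISABLE", "LOCKOUT"),
}

def search(rule_oid, value):
    """Return the sample account names the clause would match."""
    return [n for n, uac in ACCOUNTS.items() if matches(rule_oid, value, uac)]
```

Running search(BIT_OR, 8388626) returns every sample account with any of the three flags, while search(BIT_AND, 8388626) returns nothing because no account has all three set at once.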

NOTE: See How can I decode the userAccountControl attribute?

NOTE: See How can I filter an Active Directory query by testing an attribute to be NOT EQUAL?

NOTE: See How can I filter an Active Directory query by testing an attribute to be this OR that?

NOTE: See What operators can I use when filtering an Active Directory query?
