Working with Active Directory encoded LDAP values: Difference between revisions
From SambaWiki
(Page creation: expiresAccount attribute in bash) |
(Added LDAP filter to search disabled accounts) |
||
Line 3: | Line 3: | ||
= accountExpires = |
= accountExpires = |
||
https://msdn.microsoft.com/en-us/library |
Expiration date/time of an account: https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx |
||
<nowiki> |
<nowiki> |
||
Line 31: | Line 31: | ||
timeSince1970=$((( $timeInSeconds - $interval1601to1970 ))) |
timeSince1970=$((( $timeInSeconds - $interval1601to1970 ))) |
||
echo $(date --date @"$timeSince1970")</nowiki> |
echo $(date --date @"$timeSince1970")</nowiki> |
||
= userAccountControl = |
|||
Contains many account properties: https://msdn.microsoft.com/en-us/library/ms680832%28v=vs.85%29.aspx |
|||
== ADS_UF_ACCOUNTDISABLE == |
|||
If the account is disabled or not: bit of value "2". |
|||
LDAP filter to search disabled accounts: |
|||
UserAccountControl:1.2.840.113556.1.4.803:=2 |
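Review bot: the added filter line spells the attribute "UserAccountControl", while the section heading added in the same change uses "userAccountControl". LDAP attribute names are case-insensitive, so the search still works, but the heading's spelling would be consistent. The OID 1.2.840.113556.1.4.803 is also left unexplained; a short remark that it is the bitwise AND matching rule would tell readers why ":=2" tests a single bit rather than equality with 2.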
Revision as of 15:50, 19 March 2016
Many values in Active Directory LDAP are not stored in a human-friendly format: this page is meant to provide basic tools to encode / decode these values.
= accountExpires =
Expiration date/time of an account: https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx
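<nowiki>
#!/bin/bash
# Returns an input date in the "accountExpires" format
# (number of 100-nanosecond intervals since 1601-01-01 00:00 UTC)
# Input date format can be something like "2016-03-19 11:58 UTC+1"
inputDate="$1"
# seconds from 1601 to 1970 (computed in UTC so the local time zone does not shift the result)
interval1=$(( 0 - $(date --utc --date=1601-01-01 +%s) ))
# seconds from 1970 to input date
interval2=$(date --date="$inputDate" +%s)
# total * 10 000 000
echo $(( ( interval1 + interval2 ) * 10000000 ))</nowiki>

<nowiki>
#!/bin/bash
# Converts an encoded "accountExpires" value to a human-readable one
accountExpires="$1"
# 0 and 9223372036854775807 both mean that the account never expires
if [ "$accountExpires" = 0 ] || [ "$accountExpires" = 9223372036854775807 ]; then
    echo "never"
    exit 0
fi
timeInSeconds=$(( accountExpires / 10000000 ))
# seconds from 1601 to 1970, computed in UTC
interval1601to1970=$(( 0 - $(date --utc --date=1601-01-01 +%s) ))
timeSince1970=$(( timeInSeconds - interval1601to1970 ))
date --date @"$timeSince1970"</nowiki>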
= userAccountControl =
Contains many account properties: https://msdn.microsoft.com/en-us/library/ms680832%28v=vs.85%29.aspx
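== ADS_UF_ACCOUNTDISABLE ==
Whether the account is disabled or not: the bit of value "2" is set when it is.
LDAP filter to search disabled accounts (1.2.840.113556.1.4.803 is the bitwise AND matching rule, so the filter matches every entry that has this bit set):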
UserAccountControl:1.2.840.113556.1.4.803:=2
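The same bit test applied client-side, as an added example that is not part of the SambaWiki page: it decodes a userAccountControl value into flag names and lists the entries the filter above would match. The flag table is a subset of the ADS_UF_* constants from the Microsoft documentation linked above (prefix dropped); the account names and values are constructed sample data.

```shell
#!/bin/bash
# Added example: decode userAccountControl bit flags (subset of ADS_UF_*).
UAC_FLAGS="2:ACCOUNTDISABLE 16:LOCKOUT 32:PASSWD_NOTREQD 512:NORMAL_ACCOUNT
4096:WORKSTATION_TRUST_ACCOUNT 8192:SERVER_TRUST_ACCOUNT
65536:DONT_EXPIRE_PASSWD 4194304:DONT_REQUIRE_PREAUTH"

# Same test as the 1.2.840.113556.1.4.803 (bitwise AND) matching rule:
# true only when every bit of the mask is set in the value.
# Returns 2 for an empty or non-numeric value (e.g. attribute missing).
uac_matches() {
  case "$1" in ''|*[!0-9]*) return 2 ;; esac
  [ $(( $1 & $2 )) -eq "$2" ]
}

# Prints the names of all known flags set in a userAccountControl value.
uac_decode() {
  local entry names=""
  for entry in $UAC_FLAGS; do
    if uac_matches "$1" "${entry%%:*}"; then
      names="${names:+$names }${entry#*:}"
    fi
  done
  echo "$names"
}

# Reads "name value" lines and prints the names with ACCOUNTDISABLE set,
# i.e. the entries the LDAP filter above would return.
list_disabled() {
  local name value
  while read -r name value; do
    if uac_matches "$value" 2; then echo "$name"; fi
  done
}

# Constructed sample data: hypothetical account names and values.
sample_accounts() {
  cat <<'EOF'
alice 512
bob 514
svc-backup 66050
WKS01$ 4096
broken-entry
EOF
}

sample_accounts | while read -r name value; do
  echo "$name: $(uac_decode "$value")"
done
echo "disabled: $(sample_accounts | list_disabled | tr '\n' ' ')"
```

Decoding the whole value rather than testing only bit 2 also surfaces settings worth reviewing on the same pass, such as PASSWD_NOTREQD or DONT_REQUIRE_PREAUTH.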