Working with Active Directory encoded LDAP values
From SambaWiki
Many values in Active Directory LDAP are not stored in a human-friendly format: this page is meant to provide basic tools to encode and decode these values.
accountExpires
Expiration date/time of an account: https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx
    #!/bin/bash
    # Returns an input date in the "accountExpires" format
    # Input Date format can be something like "2016-03-19 11:58 UTC+1"
    inputDate="$1"
    # seconds from 1601 to 1970 (computed in UTC so the local time zone does not shift it)
    interval1=$(( 0 - $(date --utc --date=1601-01-01 +%s) ))
    # seconds from 1970 to input date
    interval2=$(date --date="$inputDate" +%s)
    # total * 10 000 000
    echo $(( ( interval1 + interval2 ) * 10000000 ))

    #!/bin/bash
    # Converts an encoded "accountExpires" value to a human-readable one
    # Note: 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFF) mean "never expires"
    accountExpires="$1"
    timeInSeconds=$(( accountExpires / 10000000 ))
    # seconds from 1601 to 1970 (computed in UTC so the local time zone does not shift it)
    interval1601to1970=$(( 0 - $(date --utc --date=1601-01-01 +%s) ))
    timeSince1970=$(( timeInSeconds - interval1601to1970 ))
    date --date=@"$timeSince1970"

userAccountControl
Contains many account properties: https://msdn.microsoft.com/en-us/library/ms680832%28v=vs.85%29.aspx
ADS_UF_ACCOUNTDISABLE
Whether the account is disabled or not: the bit with value "2".
LDAP filter to search for disabled accounts:
UserAccountControl:1.2.840.113556.1.4.803:=2
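
The same bitwise test applied to the whole userAccountControl value, as an added example that is not part of the original SambaWiki page: it decodes a value into flag names and builds the matching-rule filter for one flag. Only ACCOUNTDISABLE = 2 comes from this page; the other names and bit values are taken from Microsoft's ADS_USER_FLAG_ENUM documentation, and the function names `uac_decode` and `uac_filter` are hypothetical.

```shell
#!/bin/bash
# Added example (not from the SambaWiki page): decode userAccountControl bits.
# Only ACCOUNTDISABLE=2 is stated on the page; the other name=bit pairs are
# taken from Microsoft's ADS_USER_FLAG_ENUM documentation (decimal values).
UAC_FLAGS="SCRIPT=1 ACCOUNTDISABLE=2 HOMEDIR_REQUIRED=8 LOCKOUT=16
PASSWD_NOTREQD=32 PASSWD_CANT_CHANGE=64 ENCRYPTED_TEXT_PASSWORD_ALLOWED=128
TEMP_DUPLICATE_ACCOUNT=256 NORMAL_ACCOUNT=512 INTERDOMAIN_TRUST_ACCOUNT=2048
WORKSTATION_TRUST_ACCOUNT=4096 SERVER_TRUST_ACCOUNT=8192
DONT_EXPIRE_PASSWD=65536 MNS_LOGON_ACCOUNT=131072 SMARTCARD_REQUIRED=262144
TRUSTED_FOR_DELEGATION=524288 NOT_DELEGATED=1048576 USE_DES_KEY_ONLY=2097152
DONT_REQUIRE_PREAUTH=4194304 PASSWORD_EXPIRED=8388608
TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION=16777216"

# uac_decode VALUE: print the names of the flags set in VALUE (table order),
# then UNKNOWN=<bits> if bits outside the table are set.
uac_decode() {
    local value out known entry name bit rest
    value=$1; out=""; known=0
    case $value in
        ''|*[!0-9]*) echo "uac_decode: not a decimal integer: $value" >&2
                     return 1 ;;
    esac
    for entry in $UAC_FLAGS; do
        name=${entry%%=*}; bit=${entry##*=}
        known=$(( known | bit ))
        if [ $(( value & bit )) -ne 0 ]; then out="$out${out:+ }$name"; fi
    done
    rest=$(( value & ~known ))
    if [ "$rest" -ne 0 ]; then out="$out${out:+ }UNKNOWN=$rest"; fi
    echo "$out"
}

# uac_filter NAME [not]: print the bitwise-AND matching-rule filter (the OID
# used on the page) for flag NAME, negated when the second argument is "not".
uac_filter() {
    local entry f
    for entry in $UAC_FLAGS; do
        if [ "${entry%%=*}" = "$1" ]; then
            f="(userAccountControl:1.2.840.113556.1.4.803:=${entry##*=})"
            if [ "${2:-}" = "not" ]; then f="(!$f)"; fi
            echo "$f"; return 0
        fi
    done
    echo "uac_filter: unknown flag: $1" >&2; return 1
}

# Stand-alone use: ./script 514  (514 is a constructed sample value)
if [ "$#" -gt 0 ]; then uac_decode "$1"; fi
```

A filter printed by `uac_filter` can be combined with others inside `(&...)`, for example with an objectClass test, before being passed to an LDAP search tool.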