Difference between revisions of "Working with Active Directory encoded LDAP values"

(Page creation: expiresAccount attribute in bash)
 
(Added LDAP filter to search disabled accounts)
Revision as of 15:50, 19 March 2016

Many attribute values in Active Directory LDAP are not stored in a human-friendly format (timestamps as 64-bit tick counts, account properties packed into bit masks). This page collects basic tools to encode and decode these values.

accountExpires

Expiration date/time of an account: https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx

The value is the number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC (the same encoding as pwdLastSet, lastLogon and lastLogonTimestamp). Two special values mean "never expires": 0 and 9223372036854775807 (0x7FFFFFFFFFFFFFFF). The scripts below do not check for them, so feed them a real date only. Because the epoch is defined in UTC, the 1601 offset must be computed with date -u; without it the result is shifted by the local timezone offset.

Encoding a date into the "accountExpires" format:

#!/bin/bash

# Returns an input date in the "accountExpires" format
# Input date format can be something like "2016-03-19 11:58 UTC+1" (any format GNU date accepts)

inputDate="$1"

# seconds from 1601-01-01 UTC to 1970-01-01 UTC (date -u: the AD epoch is defined in UTC)
interval1=$(( 0 - $(date -u --date=1601-01-01 +%s) ))
# seconds from 1970-01-01 UTC to the input date
interval2=$(date --date="$inputDate" +%s)
# total seconds * 10 000 000 (100-nanosecond intervals)
echo $(( ( interval1 + interval2 ) * 10000000 ))

Decoding an "accountExpires" value into a human-readable date:

#!/bin/bash

# Converts an encoded "accountExpires" value to a human-readable one

accountExpires="$1"

# 100-nanosecond intervals -> seconds (fractional seconds are truncated)
timeInSeconds=$(( accountExpires / 10000000 ))
# seconds from 1601-01-01 UTC to 1970-01-01 UTC (date -u: the AD epoch is defined in UTC)
interval1601to1970=$(( 0 - $(date -u --date=1601-01-01 +%s) ))
timeSince1970=$(( timeInSeconds - interval1601to1970 ))
date --date "@$timeSince1970"
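The same conversion as a pair of reusable bash functions, added here as an example and not part of the original page. Unlike the scripts above it does not call date to derive the 1601 offset (the constant 11644473600 seconds is fixed and timezone-independent), it handles the two "never expires" sentinel values, and it rejects non-numeric input. The function names and the sample tick values are assumptions made for this example; 131028586800000000 was chosen because it decodes to 2016-03-19 10:58:00 UTC, the page's "11:58 UTC+1" example.

```shell
#!/bin/bash
# Convert between AD "accountExpires" (100-ns ticks since 1601-01-01 UTC) and Unix epoch.
# Handles the two sentinel values that mean "never expires": 0 and 0x7FFFFFFFFFFFFFFF.
# Function names and sample values are assumptions made for this example.

# Seconds from 1601-01-01T00:00:00Z to 1970-01-01T00:00:00Z (369 years incl. 89 leap days)
readonly EPOCH_1601_TO_1970=11644473600
# accountExpires uses 100-nanosecond intervals, i.e. 10^7 per second
readonly TICKS_PER_SECOND=10000000
# 0x7FFFFFFFFFFFFFFF (Int64.MaxValue): "never expires", as is 0
readonly NEVER_EXPIRES_MAX=9223372036854775807

# accountExpires ticks -> Unix epoch seconds, or the word "never" for the sentinels.
# Fractional seconds are truncated. At most 19 digits so bash's 64-bit arithmetic cannot wrap.
ad_to_epoch() {
    local ticks="$1"
    [[ $ticks =~ ^[0-9]{1,19}$ ]] || { echo "ad_to_epoch: not a non-negative integer: $ticks" >&2; return 1; }
    if (( ticks == 0 || ticks == NEVER_EXPIRES_MAX )); then
        echo never
        return 0
    fi
    echo $(( ticks / TICKS_PER_SECOND - EPOCH_1601_TO_1970 ))
}

# Unix epoch seconds (or the word "never") -> accountExpires ticks
epoch_to_ad() {
    local epoch="$1"
    if [[ $epoch == never ]]; then
        echo "$NEVER_EXPIRES_MAX"
        return 0
    fi
    [[ $epoch =~ ^-?[0-9]{1,11}$ ]] || { echo "epoch_to_ad: not an integer: $epoch" >&2; return 1; }
    # Dates before 1601-01-01 cannot be represented in this attribute
    (( epoch + EPOCH_1601_TO_1970 >= 0 )) || { echo "epoch_to_ad: before 1601-01-01" >&2; return 1; }
    echo $(( (epoch + EPOCH_1601_TO_1970) * TICKS_PER_SECOND ))
}

# Human-readable UTC rendering (needs GNU date for "-d @epoch")
ad_to_utc() {
    local epoch
    epoch=$(ad_to_epoch "$1") || return 1
    if [[ $epoch == never ]]; then
        echo "never expires"
    else
        date -u -d "@$epoch" +'%Y-%m-%d %H:%M:%S UTC'
    fi
}

# Demo with constructed values (not read from a real directory):
# 131028586800000000 is 2016-03-19 10:58:00 UTC, the page's "11:58 UTC+1" example.
for v in 131028586800000000 0 9223372036854775807; do
    printf '%s -> %s\n' "$v" "$(ad_to_utc "$v")"
done
printf 'epoch 1458385080 -> %s\n' "$(epoch_to_ad 1458385080)"
```

Source the file and call ad_to_epoch / epoch_to_ad from other scripts; the UTC rendering is kept in a separate function because it is the only part that depends on GNU date.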

userAccountControl

A bit mask that contains many account properties (disabled, locked out, password never expires, no Kerberos pre-authentication required, ...): https://msdn.microsoft.com/en-us/library/ms680832%28v=vs.85%29.aspx

ADS_UF_ACCOUNTDISABLE

Whether the account is disabled or not: bit 0x0002 (decimal 2) of userAccountControl.

LDAP filter to search disabled accounts:

(userAccountControl:1.2.840.113556.1.4.803:=2)

1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible matching rule: the filter matches when all bits of the given value are set in the attribute, so it finds disabled accounts whatever other flags they carry. An equality filter such as (userAccountControl=514) only matches one specific combination (NORMAL_ACCOUNT + ACCOUNTDISABLE) and misses, for example, disabled accounts whose password never expires (66050). To list enabled accounts, negate the bit test instead: (!(userAccountControl:1.2.840.113556.1.4.803:=2)).
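Decoding the bit mask client-side, as an added example that is not part of the original page: the functions below name the flags set in a userAccountControl value, build the bitwise-AND filter for disabled and for enabled accounts, and walk a constructed LDIF fragment (in the shape ldapsearch -LLL prints, not taken from a real directory) to list the entries the server-side filter would return. It covers a few more flags than ADS_UF_ACCOUNTDISABLE; the flag values are the documented ones, the function names and sample accounts are assumptions made for this example.

```shell
#!/bin/bash
# Decode userAccountControl bit flags and build the bitwise-AND LDAP filters.
# The matching rule OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND:
# "attr:1.2.840.113556.1.4.803:=N" matches when (attr & N) == N.
# Function names and the sample LDIF are assumptions made for this example.

readonly UAC_ACCOUNTDISABLE=$((0x0002))
readonly UAC_LOCKOUT=$((0x0010))          # AD does not maintain this bit here; see msDS-User-Account-Control-Computed
readonly UAC_PASSWD_NOTREQD=$((0x0020))
readonly UAC_NORMAL_ACCOUNT=$((0x0200))
readonly UAC_DONT_EXPIRE_PASSWORD=$((0x10000))
readonly UAC_TRUSTED_FOR_DELEGATION=$((0x80000))
readonly UAC_DONT_REQ_PREAUTH=$((0x400000))
readonly UAC_PASSWORD_EXPIRED=$((0x800000))
readonly BIT_AND_RULE=1.2.840.113556.1.4.803

# Print the names of the flags set in a userAccountControl value, lowest bit first.
uac_flags() {
    local uac="$1" names=()
    [[ $uac =~ ^[0-9]+$ ]] || { echo "uac_flags: not an integer: $uac" >&2; return 1; }
    (( uac & UAC_ACCOUNTDISABLE ))         && names+=(ACCOUNTDISABLE)
    (( uac & UAC_LOCKOUT ))                && names+=(LOCKOUT)
    (( uac & UAC_PASSWD_NOTREQD ))         && names+=(PASSWD_NOTREQD)
    (( uac & UAC_NORMAL_ACCOUNT ))         && names+=(NORMAL_ACCOUNT)
    (( uac & UAC_DONT_EXPIRE_PASSWORD ))   && names+=(DONT_EXPIRE_PASSWORD)
    (( uac & UAC_TRUSTED_FOR_DELEGATION )) && names+=(TRUSTED_FOR_DELEGATION)
    (( uac & UAC_DONT_REQ_PREAUTH ))       && names+=(DONT_REQ_PREAUTH)
    (( uac & UAC_PASSWORD_EXPIRED ))       && names+=(PASSWORD_EXPIRED)
    echo "${names[*]}"
}

# True (exit 0) when the ACCOUNTDISABLE bit is set: the client-side equivalent of the filter.
uac_is_disabled() { (( $1 & UAC_ACCOUNTDISABLE )); }

# Filter for disabled user accounts (each component must be parenthesised inside the AND)
uac_filter_disabled() {
    echo "(&(objectCategory=person)(objectClass=user)(userAccountControl:${BIT_AND_RULE}:=${UAC_ACCOUNTDISABLE}))"
}
# Filter for enabled user accounts: negate the bit test rather than comparing the whole integer
uac_filter_enabled() {
    echo "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:${BIT_AND_RULE}:=${UAC_ACCOUNTDISABLE})))"
}

# Constructed LDIF fragment in the shape of
#   ldapsearch -LLL ... sAMAccountName userAccountControl
# Not taken from a real directory.
SAMPLE_LDIF='dn: CN=alice,OU=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=bob,OU=Users,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 514

dn: CN=svc-backup,OU=Service,DC=example,DC=com
sAMAccountName: svc-backup
userAccountControl: 66050

dn: CN=carol,OU=Users,DC=example,DC=com
sAMAccountName: carol
userAccountControl: 4194816
'

# Walk LDIF entries (blank-line separated) and print "<sAMAccountName> <uac> <flags>" for
# every entry whose userAccountControl has the ACCOUNTDISABLE bit set.
list_disabled_from_ldif() {
    local line name='' uac=''
    emit() {
        if [[ -n $name && -n $uac ]] && uac_is_disabled "$uac"; then
            echo "$name $uac $(uac_flags "$uac")"
        fi
        name=''; uac=''
    }
    while IFS= read -r line; do
        case "$line" in
            "sAMAccountName: "*)     name="${line#sAMAccountName: }" ;;
            "userAccountControl: "*) uac="${line#userAccountControl: }" ;;
            '')                      emit ;;   # blank line ends an entry
        esac
    done <<< "$1"
    emit   # flush a final entry that had no trailing blank line
}

echo "disabled accounts: $(uac_filter_disabled)"
list_disabled_from_ldif "$SAMPLE_LDIF"
```

Pipe real output into list_disabled_from_ldif "$(ldapsearch -LLL ... sAMAccountName userAccountControl)" to cross-check what the server-side filter returns; the example sets 66050 (disabled, password never expires) so that the difference from an equality filter on 514 is visible.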