Working with Active Directory encoded LDAP values

From SambaWiki
Revision as of 15:50, 19 March 2016 by YvanM (talk | contribs) (Added LDAP filter to search disabled accounts)

Many values in Active Directory LDAP are not stored in a human-friendly format; this page provides basic tools to encode and decode these values.

accountExpires

Expiration date/time of an account: https://msdn.microsoft.com/en-us/library/ms675098%28v=vs.85%29.aspx

#!/bin/bash

# Returns an input date in the "accountExpires" format
# Input date format can be something like "2016-03-19 11:58 UTC+1"
# (anything GNU date --date accepts)

inputDate="$1"

# seconds from 1601-01-01 to 1970-01-01 (GNU date returns a negative epoch for 1601)
interval1=$(( 0 - $(date --date=1601-01-01 +%s) ))
# seconds from 1970-01-01 to the input date
interval2=$(date --date="$inputDate" +%s)
# accountExpires counts 100-nanosecond intervals since 1601-01-01: total * 10 000 000
echo $(( ( interval1 + interval2 ) * 10000000 ))

#!/bin/bash

# Converts an encoded "accountExpires" value to a human-readable date

accountExpires="$1"

# 100-nanosecond intervals -> seconds since 1601-01-01
timeInSeconds=$(( accountExpires / 10000000 ))
interval1601to1970=$(( 0 - $(date --date=1601-01-01 +%s) ))
# seconds since 1970-01-01 (the Unix epoch)
timeSince1970=$(( timeInSeconds - interval1601to1970 ))
date --date="@$timeSince1970"

userAccountControl

Contains many account properties: https://msdn.microsoft.com/en-us/library/ms680832%28v=vs.85%29.aspx

ADS_UF_ACCOUNTDISABLE

Whether the account is disabled: bit value 2 (0x2).

LDAP filter to search disabled accounts (1.2.840.113556.1.4.803 is the bitwise AND matching rule, so the filter matches every entry whose userAccountControl has bit 2 set, whatever the other bits are):

(userAccountControl:1.2.840.113556.1.4.803:=2)
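Added example covering both attributes above (not code from the wiki page): the same conversions as pure shell functions, with the two accountExpires values that AD uses for "never expires" handled, and the userAccountControl decoding extended from the single ADS_UF_ACCOUNTDISABLE bit to a subset of the other flags of ADS_USER_FLAG_ENUM. The epoch offset constant and the flag values are from Microsoft's documentation; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: decode the two attributes above with
# shell arithmetic only. Flag values are from Microsoft's ADS_USER_FLAG_ENUM.

# 100-ns intervals from 1601-01-01 to 1970-01-01 (11644473600 s * 10^7); the
# scripts above derive it by calling GNU date, here it is a constant.
EPOCH_1601_TO_1970=116444736000000000

# accountExpires -> Unix seconds. AD stores "never expires" as 0 or
# 0x7FFFFFFFFFFFFFFF, which a plain division would turn into year 30828.
ad_filetime_to_epoch() {
    case "$1" in
        0|9223372036854775807) echo never; return 0 ;;
    esac
    echo $(( ($1 - EPOCH_1601_TO_1970) / 10000000 ))
}

# Unix seconds -> accountExpires (inverse of the first script above).
epoch_to_ad_filetime() {
    echo $(( $1 * 10000000 + EPOCH_1601_TO_1970 ))
}

# Bit test behind the ADS_UF_ACCOUNTDISABLE check: is flag $2 set in value $1?
uac_has_flag() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# Names of the userAccountControl bits that matter most when auditing accounts
# (a subset of ADS_USER_FLAG_ENUM), printed in ascending bit order.
uac_flags() {
    uac=$1; out=""
    for pair in 2:ACCOUNTDISABLE 16:LOCKOUT 32:PASSWD_NOTREQD \
                64:PASSWD_CANT_CHANGE 512:NORMAL_ACCOUNT \
                4096:WORKSTATION_TRUST_ACCOUNT 65536:DONT_EXPIRE_PASSWD \
                262144:SMARTCARD_REQUIRED 524288:TRUSTED_FOR_DELEGATION \
                2097152:USE_DES_KEY_ONLY 4194304:DONT_REQUIRE_PREAUTH; do
        bit=${pair%%:*}; name=${pair#*:}
        uac_has_flag "$uac" "$bit" && out="$out ADS_UF_$name"
    done
    echo "${out# }"
}

# LDAP filter with the bitwise-AND matching rule from the page, for any flag.
uac_filter() {
    echo "(userAccountControl:1.2.840.113556.1.4.803:=$1)"
}

# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE, 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
uac_flags 514
uac_flags 66048
```

Because `uac_filter 4194304` builds the same kind of filter as the page's disabled-account search, the same ldapsearch query can be reused to list accounts with any of the flags above.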