Monday 5 August 2013

Handy LDAP Queries - Active Directory and Quest Active Roles


Every now and again you may need to query Active Directory (or Quest ActiveRoles) over LDAP to pull out some information. Below I've listed a few simple LDAP filters which can be used to find various things. All of the userAccountControl clauses use the matching rule 1.2.840.113556.1.4.803, which is a bitwise AND, so (userAccountControl:1.2.840.113556.1.4.803:=2) means "the ACCOUNTDISABLE bit (2) is set"; 65536 is DONT_EXPIRE_PASSWORD. The long numeric values in the date-based filters are Windows FILETIME timestamps (100-nanosecond intervals since 1 January 1601 UTC) worked out for the date of this post, so recompute them before reusing the filters.

all user accounts which currently have an expired password (the timestamp is 90 days before this post, so this assumes a 90-day maximum password age; check your domain's policy, and note that fine-grained password policies can override it per user):
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=65536))(|(userAccountControl:1.2.840.113556.1.4.803:=8388608)(pwdLastSet<=130123548000000000))(!(pwdLastSet=0)))
Two caveats: the 8388608 (PASSWORD_EXPIRED) bit is never stored in userAccountControl, it is only exposed through the constructed attribute msDS-User-Account-Control-Computed which cannot be filtered on, so in practice the pwdLastSet comparison does all the work here. The (!(pwdLastSet=0)) clause excludes accounts that are already flagged to change their password at next logon.

all user accounts which have a password set to Never Expire:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

all enabled user accounts which have not logged on for 60 days (or have never logged on at all, which the last clause catches; newly created accounts will appear here too, so compare against whenCreated):
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(lastLogonTimestamp<=130149468000000000)(!(lastLogonTimestamp=*))))
Note that lastLogonTimestamp is replicated between domain controllers but is only rewritten when the stored value is more than about 14 days old, so treat "60 days" as accurate to within a couple of weeks.

all user accounts which are enabled and have been locked out:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(lockoutTime>=1))
Be aware that lockoutTime is not cleared when the domain's lockout duration elapses, only on the next successful logon, so this will also return accounts whose lockout has already expired. To find accounts that are still locked, compare lockoutTime plus the lockout duration against the current time.

all user accounts which are disabled:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

all user accounts which have a city starting with London (on its own, (l=London*) matches any object type, so it is combined with the user clauses here; drop the wildcard if you want London only and not, say, Londonderry):
(&(objectCategory=person)(objectClass=user)(l=London*))

all user accounts in which the last name starts with 'robot':
(&(objectCategory=person)(objectClass=user)(sn=robot*))
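The date-based filters above go stale the moment the hard-coded FILETIME values are out of date. The following PowerShell is an added example, not code from the original post: it rebuilds the same filters from today's date and the domain's own password and lockout policy, runs them with Get-ADUser -LDAPFilter, and post-filters the lockout results so that expired lockouts are dropped. It assumes the ActiveDirectory module (RSAT) is installed and that you can read the domain; the variable and function names are my own. The filter strings can equally be passed to Quest's Get-QADUser -LdapFilter if that is what you have installed.

```powershell
# Added example, not code from the original post: rebuild the date-dependent
# filters from today's date and the domain's own policy instead of the
# hard-coded FILETIME values, then run them with Get-ADUser.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# userAccountControl bits the filters test (rule 1.2.840.113556.1.4.803 = bitwise AND)
$ACCOUNTDISABLE       = 2
$DONT_EXPIRE_PASSWORD = 65536
$BitAnd = '1.2.840.113556.1.4.803'

# pwdLastSet, lastLogonTimestamp and lockoutTime are FILETIME values
# (100-nanosecond ticks since 1601-01-01 UTC), so the thresholds must be too.
function Get-FileTimeThreshold {
    param([TimeSpan]$Age)
    return [DateTime]::UtcNow.Subtract($Age).ToFileTimeUtc()
}

$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    throw 'Domain passwords never expire, so an expired-password search is meaningless here.'
}
# Fine-grained password policies (PSOs) can override MaxPasswordAge per user; not handled here.
$pwdThreshold   = Get-FileTimeThreshold -Age $policy.MaxPasswordAge
$logonThreshold = Get-FileTimeThreshold -Age (New-TimeSpan -Days 60)

$user = '(objectCategory=person)(objectClass=user)'
$filters = [ordered]@{
    ExpiredPassword = "(&${user}(!(userAccountControl:${BitAnd}:=${DONT_EXPIRE_PASSWORD}))(pwdLastSet<=${pwdThreshold})(!(pwdLastSet=0)))"
    NeverExpires    = "(&${user}(userAccountControl:${BitAnd}:=${DONT_EXPIRE_PASSWORD}))"
    Inactive60Days  = "(&${user}(!(userAccountControl:${BitAnd}:=${ACCOUNTDISABLE}))(|(lastLogonTimestamp<=${logonThreshold})(!(lastLogonTimestamp=*))))"
    LockedOut       = "(&${user}(!(userAccountControl:${BitAnd}:=${ACCOUNTDISABLE}))(lockoutTime>=1))"
    Disabled        = "(&${user}(userAccountControl:${BitAnd}:=${ACCOUNTDISABLE}))"
}

$props   = 'pwdLastSet', 'lastLogonTimestamp', 'lockoutTime', 'whenCreated'
$results = @{}
foreach ($name in $filters.Keys) {
    $results[$name] = @(Get-ADUser -LDAPFilter $filters[$name] -Properties $props)
    '{0,-16} {1,6} account(s)' -f $name, $results[$name].Count
}

# lockoutTime is not cleared when the lockout duration elapses, only on the next
# successful logon, so (lockoutTime>=1) over-reports. Keep only lockouts still in
# force; a LockoutDuration of zero means "locked until an administrator unlocks".
$stillLocked = $results['LockedOut'] | Where-Object {
    $policy.LockoutDuration -eq [TimeSpan]::Zero -or
    [DateTime]::FromFileTimeUtc($_.lockoutTime).Add($policy.LockoutDuration) -gt [DateTime]::UtcNow
}
'{0,-16} {1,6} account(s)' -f 'StillLocked', @($stillLocked).Count

# lastLogonTimestamp is only rewritten when the stored value is more than about
# 14 days old, and accounts that never logged on have no value at all, so list the
# inactive set with whenCreated to separate brand-new accounts from stale ones.
$results['Inactive60Days'] |
    Select-Object SamAccountName, whenCreated,
        @{ n = 'LastLogon'; e = {
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } else { 'never' }
        } } |
    Sort-Object whenCreated |
    Format-Table -AutoSize
```

Run it from a host with RSAT against the domain you are reviewing; add -Server or -SearchBase to Get-ADUser if you need to target a particular domain controller or OU. The counts printed for each filter are what the raw LDAP filters return, and the StillLocked line shows how much the lockout filter over-reports once expired lockouts are removed.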

If you ever find yourself trying to convert an Active Directory query into an LDAP filter, it's well worth opening the Active Directory Administrative Center. Here you can do a Global Search and choose all the categories/filters you're interested in and then, when you've got it working as you want it to, simply click on the 'Convert to LDAP' button and ADAC will convert your query into an LDAP filter you can paste into a script.
