How can I create a filter in Active Directory to show only 'Enabled' Computer Accounts

Question

Please note: I am referring to COMPUTER accounts. Not USER accounts.

In Active Directory, it is easy to create a filter to show only Disabled Computer Accounts by ticking the box "Disabled Accounts" in the Query setup windows as per below.

This creates the following query:

(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))

How can I create a filter to do the exact opposite? I.e. I want to see only ENABLED accounts.

score 4 · Answer 1 · answered Jul 31 '15 at 06:07

4

The query is a simple LDAP-Query, so you can use the negation operator: just place a ! in front of the item, and the outcome will be negated. So in your case:

(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))

I tested this query in my AD. Without the exclemation mark, i get only 4 computer accounts which are disabled. With the exclemation mark, i get all the other computer accounts, except the ones that are disabled.

answered Jul 31 '15 at 06:07

Tobias

1,236
1
13
25

You may need to wrap the `!` Operator in an additional set of `( )` to work! At least Apache Directory Studio complains about incorrect filter syntax. This should work `(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))` – itshorty Jan 23 '20 at 07:33

How can I create a filter in Active Directory to show only 'Enabled' Computer Accounts

1 Answers1