LDAP Query for Pulling lastLogonTimestamp and dateCreated attributes from AD User Account
I have the below simple LDAP query that basically goes out and looks for user account UPN's that begins with the letters "gp." Out of the "gp" accounts that it finds it only pulls active accounts and omits the disabled ones. What I"d like to do is add to the below LDAP query the syntax that will pull the lastLogonTimestamp and the dateCreated attributes as well. Is this possible? Just not having much luck doing this in ADFIND or DSQUERY.
(&(objectClass=user)(objec
(&(objectClass=user)(objec
ASKER
Hi Mike,
Yeah I just simply need to query and pull ACTIVE user accounts that begin with the letters "gp." These are the attributes that I'm needing the query to pull.
1.) sAMACCcountName
2.) displayName
3.) UPN
4.) DN Path
5.) Creation Date
6.) Last logon Timestamp
That's basically it. It seems as if it's been a bit of journey just trying to properly pull the above criteria out of ADFind or DSQuery or LDAP. So I just need the proper syntax to add to the below query pulling the attributes in that list above.
(&(objectClass=user)(objec
Yeah I just simply need to query and pull ACTIVE user accounts that begin with the letters "gp." These are the attributes that I'm needing the query to pull.
1.) sAMACCcountName
2.) displayName
3.) UPN
4.) DN Path
5.) Creation Date
6.) Last logon Timestamp
That's basically it. It seems as if it's been a bit of journey just trying to properly pull the above criteria out of ADFind or DSQuery or LDAP. So I just need the proper syntax to add to the below query pulling the attributes in that list above.
(&(objectClass=user)(objec
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Code should actually include one more property. Use this one instead.
get-qaduser -ldapfilter "(&(objectClass=user)(objectCategory=person)(!UserAccountControl:1.2.840.113556.1.4.803:=2)(userPrincipalName=gp*))" -includeallproperties| format-list samaccountname,displayname,userprincipalname,dn,createtimestamp,lastlogontimestamp
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Mkline: the quest tool does decode the data pretty nicely.
It always seems like I run into you in the AD/LDAP postings. Whenever I see one Im like gotta get it before Mkline does lol cause I know your usually on them pretty quick.
It always seems like I run into you in the AD/LDAP postings. Whenever I see one Im like gotta get it before Mkline does lol cause I know your usually on them pretty quick.
Yeah it is usually one of us or Chris Dent or Pre (forget the rest of his name).
by the way a funny note about the Quest cmdlets...I met the creator of them (Dmitri) at the MVP Summit and told him he should get the MVP for life for creating them just like Joe Richards should get for creating adfind and all his tool.
yes I'm a dork :)
by the way a funny note about the Quest cmdlets...I met the creator of them (Dmitri) at the MVP Summit and told him he should get the MVP for life for creating them just like Joe Richards should get for creating adfind and all his tool.
yes I'm a dork :)
Hey guys :)
This is for xxdcmast really, and not intended as a criticism, only with the hope it helps on the PS learning journey :)
With Get-QADUser, objectClass and objectCategory filters are automatically added, any filter you define is combined with a default filter set.
Filtering for enabled / disabled is possible with the -Enabled or -Disabled parameters. And UserPrincipalName can be defined with the parameter rather than a filter. Which takes us to:
Get-QADUser -Enabled -UserPrincipalName "gp*" -IncludedProperties lastLogonTimeStamp |
Select-Object SamAccountName, DisplayName, UserPrincipalName, DN, CreateTimeStamp, LastLogonTimeStamp
All the best,
Chris
Believe it or not your post actually just helped me out a TON. I never knew about the select-object command before now. Im a big fan of the dsquery | dsget type commands and now you just basically gave me a much more powerful version in powershell. When I was making that script I kept saying "why dont they just have something like dsget in powershell" and now I know they do.
DS tools will probably still be my goto for AD stuff but this is awesome when I need to retrieve stuff DSget wont let me.
Thanks
DS tools will probably still be my goto for AD stuff but this is awesome when I need to retrieve stuff DSget wont let me.
Thanks
ASKER
Thanks guys, great input as always!
Scott has good examples here using adfind http://blog.scottlowe.org/2006/10/11/finding-recently-created-active-directory-accounts/
the other question I'm helping with will help with pulling the attributes.
Thanks
mike