Active Directory LDAP Queries

Active Directory Users and Computers (2003 version) provides a feature called Saved Queries that takes advantage of LDAP queries to find objects in Active Directory that might meet a specific condition. When I am working with customers, I am often surprised how little use this feature gets, particularly when customers come to me with concerns about policy violations or specific needs to aggregate or group users to more quickly administer the environment. 

My goal with this post certainly isn't to provide a tutorial on writing LDAP queries. But I thought I would share a few I've used over the years to simplify work at various engagements and encourage some of you to share your own queries and what they were used for.

• Audit Personnel With Mailboxes Overriding Size Limit Policies
  (&(&objectCategory=user)(mDBUseDefaults=FALSE))
• Find mail-enabled disabled Users with Missing Master Account SIDs
  (&(msExchUserAccountControl=2)(!msExchMasterAccountSID=*))
• Find Subnets that are not associated with sites
  (&(objectClass=subnet)(!siteObject=*))
• Find Mail-Enabled Groups Linked to 5.5 Expansion Servers (see KB831603 for why this might be helpful)
  (&(&(objectCategory=group)(!msExchExpansionServerName==*)))
• Find all Global Distribution Groups
  (&(|(groupType=2))(LegacyExchangeDN=*))
• Find all Universal Distribution Groups
  (&(|(groupType=8))(LegacyExchangeDN=*))

Note that the subnets search won't work in ADU&C. You have to use the ADSIEDIT.MSC snap in.