How to Query Individual Properties of the "userAccountControl" Active Directory User property using LDAP

I was working with a customer this week who was asking me how to query Active Directory for valid, active user accounts that were not service accounts. I made a couple of assumptions: an active account would not be disabled, and only service accounts would be set to PASSWORD NEVER EXPIRES. Initially I tried to query the userAccountControl property of the user object using operators like > and <, but soon realized there were too many exceptions. I then discovered it was possible to query the individual bits of the userAccountControl property, which yielded the query below.

The following LDAP query can be used in Active Directory Users and Computers to query specific details of the userAccountControl property in AD. The query below will return all active user accounts that are not set to PASSWORD NEVER EXPIRES.


I’ll describe the query in more detail:

(objectCategory=person)(objectClass=user)(mail=*) – All user objects with a value in the mail field (no contacts)

(!(userAccountControl:1.2.840.113556.1.4.803:=2)) – Filters out disabled accounts (bit value 2, ACCOUNTDISABLE)

(!(userAccountControl:1.2.840.113556.1.4.803:=65536)) – Filters out accounts set to PASSWORD NEVER EXPIRES (bit value 65536, DONT_EXPIRE_PASSWORD)

(!(userAccountControl<=600)) – Filters out Exchange Organization Mailboxes


UAC – Smart Card Login Enforced on The User
(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=262144))
UAC – PWD Never Expires
UAC – CAC Enabled Accounts (no disabled accounts or password never expires)
UAC – Not CAC Enabled (no disabled accounts or password never expires)

UAC – Users with CAC enabled attributes but not enforced, exclude resource mailboxes (SN=*).

Kerberos Preauthentication Disabled
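The filters above all rely on the same bitwise-AND matching rule (OID 1.2.840.113556.1.4.803), and the post's opening paragraph explains why plain numeric comparison on userAccountControl breaks down. The following Python script is an added example, not code from the original post: it builds the main query and the smart card and Kerberos pre-authentication variants with the parenthesised `(!(...))` negation, evaluates the same bit tests client-side against a constructed sample directory, and shows the misclassification a numeric `>=` test produces. The flag values are Microsoft's documented UF_* constants; the account names and entries are constructed sample data.

```python
"""Offline model of the userAccountControl bit filters described in the post.

Added example (not the post's own code). It reproduces the semantics of the
LDAP bitwise-AND matching rule used by the filters, builds the filters with
the standard (!(...)) negation form, and contrasts the bit test with a
numeric comparison. SAMPLE_ENTRIES below is constructed data.
"""

# userAccountControl flag bits (Microsoft's UF_* values)
ACCOUNTDISABLE = 0x0002         # 2        account is disabled
NORMAL_ACCOUNT = 0x0200         # 512      ordinary user account
DONT_EXPIRE_PASSWORD = 0x10000  # 65536    password never expires
SMARTCARD_REQUIRED = 0x40000    # 262144   smart card logon enforced
DONT_REQ_PREAUTH = 0x400000     # 4194304  Kerberos pre-authentication not required

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def bit_and_clause(flag: int, negate: bool = False) -> str:
    """LDAP filter fragment testing one UAC bit via the bitwise-AND rule.

    Negation is emitted as (!(...)), the form the LDAP filter grammar
    defines; AD tolerates (!attr...) but other servers reject it.
    """
    clause = f"(userAccountControl:{BIT_AND_RULE}:={flag})"
    return f"(!{clause})" if negate else clause


def active_users_filter() -> str:
    """The post's main query: enabled user objects whose password can expire."""
    return (
        "(&(objectCategory=person)(objectClass=user)(mail=*)"
        + bit_and_clause(ACCOUNTDISABLE, negate=True)
        + bit_and_clause(DONT_EXPIRE_PASSWORD, negate=True)
        + ")"
    )


def bit_and_match(uac: int, flag: int) -> bool:
    """Matching-rule semantics: true when every bit of `flag` is set in `uac`."""
    return uac & flag == flag


def is_active_user(entry: dict) -> bool:
    """Client-side evaluation of active_users_filter() against one entry."""
    uac = entry.get("userAccountControl", 0)
    return (
        entry.get("objectCategory") == "person"
        and "user" in entry.get("objectClass", [])
        and bool(entry.get("mail"))
        and not bit_and_match(uac, ACCOUNTDISABLE)
        and not bit_and_match(uac, DONT_EXPIRE_PASSWORD)
    )


def never_expires_numeric(entry: dict) -> bool:
    """The tempting but wrong test: compare the whole integer to the flag."""
    return entry.get("userAccountControl", 0) >= DONT_EXPIRE_PASSWORD


def never_expires_bitwise(entry: dict) -> bool:
    """The correct test: is the DONT_EXPIRE_PASSWORD bit set?"""
    return bit_and_match(entry.get("userAccountControl", 0), DONT_EXPIRE_PASSWORD)


def smartcard_required(entry: dict) -> bool:
    """Equivalent of the post's 'Smart Card Login Enforced' filter."""
    return bit_and_match(entry.get("userAccountControl", 0), SMARTCARD_REQUIRED)


def preauth_disabled(entry: dict) -> bool:
    """Audit check for the post's 'Kerberos Preauthentication Disabled' query."""
    return bit_and_match(entry.get("userAccountControl", 0), DONT_REQ_PREAUTH)


def _entry(name: str, uac: int, cls: str = "user") -> dict:
    """Build one constructed directory entry (hypothetical names and domain)."""
    return {
        "sAMAccountName": name,
        "objectCategory": "person",
        "objectClass": ["top", cls],
        "mail": f"{name}@example.test",
        "userAccountControl": uac,
    }


# Constructed sample directory; each UAC value is a sum of the bits above.
SAMPLE_ENTRIES = [
    _entry("alice", NORMAL_ACCOUNT),                             # 512
    _entry("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE),              # 514
    _entry("svc-backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),  # 66048
    _entry("carol", NORMAL_ACCOUNT | SMARTCARD_REQUIRED),        # 262656
    _entry("legacy-app", NORMAL_ACCOUNT | DONT_REQ_PREAUTH),     # 4194816
    _entry("lobby-display", 0, cls="contact"),                   # a contact, not a user
]


def select(predicate, entries=SAMPLE_ENTRIES) -> list:
    """Names of the entries a predicate accepts, sorted for stable output."""
    return sorted(e["sAMAccountName"] for e in entries if predicate(e))


if __name__ == "__main__":
    print(active_users_filter())
    print("active users:", select(is_active_user))
    print("never expires (numeric >=):", select(never_expires_numeric))
    print("never expires (bitwise):", select(never_expires_bitwise))
    print("smart card required:", select(smartcard_required))
    print("preauth disabled:", select(preauth_disabled))
```

Run it and the numeric test returns carol and legacy-app alongside svc-backup, even though neither has the DONT_EXPIRE_PASSWORD bit; their values are simply larger than 65536 because other bits are set. That is the "too many exceptions" the post ran into, and why the matching-rule form is the right one. The pre-authentication check is worth keeping in a periodic audit: any ordinary user account it returns should be reviewed, since that setting removes a Kerberos protection.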


How to use the UserAccountControl flags to manipulate user account properties

How to query Active Directory by using a bitwise filter

Comments (4)

  1. Kevin says:

    (objectCategory=person)(objectClass=user) is sufficient to not get any "Contact" type objects, just User accounts. No need for the "(mail=*)".

  2. Teukka says:

    You saved my day. Thank you man!

  3. Bernhard says:

    Attention: The correct notation (per RFC-1422) for a negated filter would be


    instead of


    My LDAP server rejected your filter; other LDAP servers may or may not accept it.