Sometimes it is desirable to search for objects in AD that are missing attributes. For example, a QAS-enabled computer object might be missing its UPN, and it would be beneficial to see how many machines are in this state.
vastool search can be used to perform LDAP queries against AD and return lists of objects based on criteria.
Example # 1. This search will find all computer objects that are not Windows-based and are missing the userprincipalname attribute value, and return a list of names.
/opt/quest/bin/vastool -u host/ search '(&(objectclass=computer) (!(operatingSystem=windows*))(!(userprincipalname=*)))' samaccountname=*
The samaccountname value can be left off the end to return a list with all attributes included.
For users missing userprincipalname, this search could be used:
/opt/quest/bin/vastool -u host/ search '(&(objectclass=user) (!(userprincipalname=*)))' samaccountname=*
A detailed description of LDAP search filter syntax is beyond the scope of this document. For more information, see RFC 2254.
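To show which objects the two filters above select, this added example (not One Identity's code) evaluates them in Python against constructed sample entries. It assumes the Active Directory schema, in which computer objects also carry the objectClass value user, and it handles only the &, |, ! and attr=value filter forms with * wildcards. USER_ONLY_FILTER is an added refinement that does not appear on the original page.

```python
import re

def parse(text):
    """Parse &, |, ! and attr=value items (a subset of RFC 2254) into nested tuples."""
    # Whitespace-only tokens are dropped: the page's filters have a space between clauses.
    tokens = [t for t in re.findall(r"[()]|[&|!]|[^()]+", text) if t.strip()]
    def node():
        if tokens.pop(0) != "(":
            raise ValueError("expected '('")
        head = tokens.pop(0)
        if head in ("&", "|", "!"):
            kids = []
            while tokens[0] == "(":
                kids.append(node())
            tree = (head, kids)
        else:
            attr, _, value = head.partition("=")
            tree = ("=", attr.strip().lower(), value)
        if tokens.pop(0) != ")":
            raise ValueError("expected ')'")
        return tree
    return node()

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (lowercase attr -> list of values)."""
    if tree[0] in "&|":
        results = [matches(kid, entry) for kid in tree[1]]
        return all(results) if tree[0] == "&" else any(results)
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    # '*' is the only wildcard; a bare '*' tests presence. Absent attributes never match.
    pattern = ".*".join(re.escape(part) for part in tree[2].split("*"))
    return any(re.fullmatch(pattern, v, re.I | re.S) for v in entry.get(tree[1], []))

def search(filter_text, entries):
    """Return the samaccountname of every entry the filter selects."""
    tree = parse(filter_text)
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]

COMPUTER = ["top", "person", "organizationalPerson", "user", "computer"]
ENTRIES = [  # constructed sample objects, not real directory data
    {"samaccountname": ["UNIX01$"], "objectclass": COMPUTER, "operatingsystem": ["Linux"]},
    {"samaccountname": ["UNIX02$"], "objectclass": COMPUTER, "operatingsystem": ["Linux"],
     "userprincipalname": ["host/unix02.example.com@EXAMPLE.COM"]},
    {"samaccountname": ["WIN01$"], "objectclass": COMPUTER, "operatingsystem": ["Windows Server 2019"]},
    {"samaccountname": ["NOOS$"], "objectclass": COMPUTER},
    {"samaccountname": ["jdoe"], "objectclass": COMPUTER[:4]},
    {"samaccountname": ["asmith"], "objectclass": COMPUTER[:4], "userprincipalname": ["asmith@example.com"]},
]
COMPUTER_FILTER = "(&(objectclass=computer) (!(operatingSystem=windows*))(!(userprincipalname=*)))"
USER_FILTER = "(&(objectclass=user) (!(userprincipalname=*)))"
# Added refinement (not from the page): exclude computer accounts from the user search.
USER_ONLY_FILTER = "(&(objectclass=user)(!(objectclass=computer))(!(userprincipalname=*)))"
```

Running search() with each filter over ENTRIES shows that the computer search also selects an object with no operatingSystem value, and that the user search also selects computer accounts unless they are excluded.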