How to query Active Directory by using a bitwise filter

Article ID:269181
Last Review:February 8, 2006
Revision:3.0
This article was previously published under Q269181

SUMMARY

Some attributes on Active Directory objects are bit fields: a single integer whose individual bits are flags. To return only the objects that have a particular bit set, you need a bitwise comparison in the LDAP search filter rather than an equality test, because an equality test matches only one exact combination of flags. Active Directory supports bitwise comparison through LDAP extensible matching rules, each identified by an object identifier (OID), as described below.


MORE INFORMATION

An LDAP matching rule assertion has the following syntax:
attributename:ruleOID:=value
where attributename is the lDAPDisplayName of the attribute, ruleOID is the object identifier (OID) of the matching rule, and value is the comparison value, which must be a decimal integer. Flag constants are usually documented in hexadecimal, so convert them to decimal before placing them in the filter.

The value of ruleOID can be one of the following:
1.2.840.113556.1.4.803 - This is the LDAP_MATCHING_RULE_BIT_AND rule. The assertion is true only if every bit that is set in value is also set in the attribute (attribute AND value equals value).
1.2.840.113556.1.4.804 - This is the LDAP_MATCHING_RULE_BIT_OR rule. The assertion is true if at least one bit that is set in value is also set in the attribute (attribute AND value is nonzero).
When value has a single bit set, both rules return the same result; they differ only when value combines several flags.
For example, suppose you want to query Active Directory for user objects that are disabled. The attribute that holds this information is userAccountControl, which is a combination of flags. The flag that marks an account as disabled is UF_ACCOUNTDISABLE, which has the value 0x0002 (2 decimal). A bitwise comparison filter that matches objects whose userAccountControl has the UF_ACCOUNTDISABLE bit set resembles the following:
(userAccountControl:1.2.840.113556.1.4.803:=2)
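The following Python example is added here and is not code from the article. It builds matching-rule filter strings with the hex-to-decimal conversion the article requires and evaluates the BIT_AND and BIT_OR semantics against a constructed set of entries, so the difference between the two rules with a multi-bit mask can be seen offline. It goes beyond the article in two ways: it includes several other userAccountControl flag constants from the Windows SDK (UF_PASSWD_NOTREQD, UF_DONT_EXPIRE_PASSWD, UF_TRUSTED_FOR_DELEGATION, UF_DONT_REQUIRE_PREAUTH), which are the bits most often hunted for in an account audit, and it shows negating the clause to find enabled rather than disabled accounts. The sample entries, their names and flag combinations are constructed for the example.

```python
"""Build and evaluate Active Directory bitwise (extensible-match) LDAP filters.

Added example; not part of KB 269181. Runs offline against constructed entries.
"""

# Matching-rule OIDs from the article.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# userAccountControl flag bits (Windows SDK UF_* constants). Only
# UF_ACCOUNTDISABLE appears in the article; the others are added here.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000
UF_DONT_REQUIRE_PREAUTH = 0x400000


def bitwise_filter(attribute, rule_oid, mask, negate=False):
    """Return '(attr:OID:=N)', with the mask written in decimal as AD requires.

    negate=True wraps the clause in (!...) so the filter matches entries
    where the rule does NOT hold (e.g. enabled accounts).
    """
    if mask <= 0:
        raise ValueError("mask must be a positive integer")
    clause = "(%s:%s:=%d)" % (attribute, rule_oid, mask)
    return "(!%s)" % clause if negate else clause


def rule_matches(rule_oid, attribute_value, mask):
    """Server-side semantics of the two rules for one integer attribute value."""
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return attribute_value & mask == mask   # every bit in mask is set
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return attribute_value & mask != 0      # at least one mask bit is set
    raise ValueError("unknown matching rule OID: %s" % rule_oid)


def search(entries, rule_oid, mask, negate=False):
    """Names of entries whose userAccountControl satisfies (or, if negate, fails) the rule."""
    hits = []
    for entry in entries:
        uac = entry["userAccountControl"]
        if rule_matches(rule_oid, uac, mask) != negate:
            hits.append(entry["name"])
    return hits


# Constructed sample directory; these are not real accounts.
SAMPLE_ENTRIES = [
    {"name": "alice", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"name": "bob", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},
    {"name": "svc-web", "userAccountControl": UF_NORMAL_ACCOUNT
                                              | UF_DONT_EXPIRE_PASSWD
                                              | UF_TRUSTED_FOR_DELEGATION},
    {"name": "legacy", "userAccountControl": UF_NORMAL_ACCOUNT
                                             | UF_DONT_REQUIRE_PREAUTH
                                             | UF_ACCOUNTDISABLE},
]

if __name__ == "__main__":
    attr = "userAccountControl"
    # The article's example: disabled accounts, and its negation: enabled accounts.
    for neg in (False, True):
        print(bitwise_filter(attr, LDAP_MATCHING_RULE_BIT_AND, UF_ACCOUNTDISABLE, neg),
              search(SAMPLE_ENTRIES, LDAP_MATCHING_RULE_BIT_AND, UF_ACCOUNTDISABLE, neg))
    # A multi-bit mask is where AND and OR diverge.
    mask = UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH
    for rule in (LDAP_MATCHING_RULE_BIT_AND, LDAP_MATCHING_RULE_BIT_OR):
        print(bitwise_filter(attr, rule, mask), search(SAMPLE_ENTRIES, rule, mask))
```

The filter strings this produces are the ones you would hand to any LDAP client, for example the ADSI/ADO script later in this article, ldapsearch, or Get-ADUser with its -LDAPFilter parameter. Two points the sample output makes visible: with a single-bit mask such as 2, AND and OR return the same entries, whereas with the two-bit mask 4194306 (0x400002) AND returns only the entry that has both bits set and OR returns every entry that has either; and negating the clause is the correct way to select enabled accounts, since an equality filter such as userAccountControl=512 would miss any enabled account that also has another flag set.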
The following Visual Basic (VBScript) sample script uses ADSI through the ADO provider and applies the above bitwise comparison filter. Replace Win2000Server with the name of a domain controller:
' Bind to rootDSE on the domain controller to discover the domain's
' default naming context (for example, DC=example,DC=com), then bind to it.
' Despite its name, oConfig holds the domain naming context, not the
' configuration partition.
Set oNSP = GetObject("LDAP://Win2000Server/rootdse")
Set oConfig = GetObject("LDAP://Win2000Server/" & oNSP.Get("DefaultNamingContext"))

' Open an ADO connection through the ADSI OLE DB provider.
Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADSDSOObject"
oConn.Open ""

' ADO search string: <base>;filter;attributes to return;scope.
' The filter restricts the search to user objects (objectCategory=person
' is indexed, so it is cheap) and applies the BIT_AND rule so that only
' accounts with the UF_ACCOUNTDISABLE bit (2) set are returned.
strQuery = "<" & oConfig.ADsPath & ">;(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2));name,objectClass;subtree"

' Run the query and display the name of each matching object.
Set oRS = oConn.Execute(strQuery)
While Not oRS.EOF
  MsgBox oRS.Fields("name")
  oRS.MoveNext
Wend

MsgBox "done"

' Release the recordset, connection and directory objects.
oRS.Close
oConn.Close
Set oRS = Nothing
Set oConn = Nothing
Set oConfig = Nothing
Set oNSP = Nothing


REFERENCES

For more information on how to use the LDAP Matching Rule, see the Platform Software Development Kit (SDK). This information is found in the Contents at:

Networking and Directory Services
  Active Directory, ADSI, and Directory Services
     Active Directory
        Using Active Directory
           Searching the Active Directory
             Creating a Query Filter
                 How to Specify Comparison Values 

For more information on how to use the LDAP Matching Rule, see the samples included in the Platform SDK. These samples are located in the \Microsoft PlatformSDK\Samples\NetDs\ADSI\Samples\ActiveDir\Attributes and SDK\Samples\NetDs\ADSI\Samples\ActiveDir\GetSchemaInfo folders.



APPLIES TO
Microsoft Active Directory Service Interfaces 2.5


Keywords: 
kbhowto kbmsg KB269181
