How to query Active Directory by using a bitwise filter
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Some attributes on Active Directory objects are composed of bitwise flags. You may need to query for objects using a bitwise operator to return only objects that match a particular bit being set. Use the Lightweight Directory Access Protocol (LDAP) Matching Rule controls to do this.
The format of the LDAP Matching Rule has the following syntax:
is the LDAPDisplayName of the attribute, ruleOID
is the object ID (OID) for the matching rule control, and value
is the decimal value you want to use for comparison. You need to convert from hexadecimal to decimal.
The value of ruleOID
can be one of the following:
- 1.2.840.113522.214.171.1243 - This is the LDAP_MATCHING_RULE_BIT_AND rule. The matching rule is true only if all bits from the property match the value. This rule is like the bitwise AND operator.
- 1.2.840.1135126.96.36.1994 - This is the LDAP_MATCHING_RULE_BIT_OR rule. The matching rule is true if any bits from the property match the value. This rule is like the bitwise OR operator.
An example is when you want to query Active Directory for user class objects that are disabled. The attribute that holds this information is the userAccountControl
attribute. This attribute is composed of a combination of different flags. The flag for setting the object that you want to disable is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies userAccountControl
with the UF_ACCOUNTDISABLED bit set would resemble this:
The following Microsoft Visual Basic sample script uses the above bitwise comparison filter:
Set oNSP = GetObject("LDAP://Win2000Server/rootdse")Set oConfig = GetObject("LDAP://Win2000Server/" & oNSP.get("DefaultNamingContext"))Set oConn = CreateObject("ADODB.Connection")oConn.Provider = "ADSDSOObject"oConn.Open ""strQuery = "<" & oConfig.ADsPath & ">;(&(objectCategory=person)(objectClass=User)(userAccountControl:1.2.840.1135188.8.131.523:=2));name,objectClass;subtree"Set oRS = oConn.Execute(strQuery)While Not oRS.EOF MsgBox oRS.Fields("name") oRS.MoveNextWendMsgBox "done"Set oConn = NothingSet oRS = NothingSet oConfig = NothingSet oNSP = Nothing
For more information on how to use the LDAP Matching Rule, see the Platform Software Development Kit (SDK). This information is found in the Contents at:
Networking and Directory Services Active Directory, ADSI, and Directory Services Active Directory Using Active Directory Searching the Active Directory Creating a Query Filter How to Specify Comparison Values
For more information on how to use the LDAP Matching Rule, see the samples included in the Platform SDK. These samples are located in the\Microsoft PlatformSDK\Samples\NetDs\ADSI\Samples\ActiveDir\Attributes and SDK\Samples\NetDs\ADSI\Samples\ActiveDir\GetSchemaInfo folders.
Article ID: 269181 - Last Review: 06/19/2014 08:34:00 - Revision: 4.0