You are currently offline, waiting for your internet to reconnect

Your browser is out-of-date

You need to update your browser to use the site.

Update to the latest version of Internet Explorer

How to query Active Directory by using a bitwise filter

Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Some attributes on Active Directory objects are composed of bitwise flags. You may need to query for objects using a bitwise operator to return only objects that match a particular bit being set. Use the Lightweight Directory Access Protocol (LDAP) Matching Rule controls to do this.
More information
The format of the LDAP Matching Rule has the following syntax:
where attributename is the LDAPDisplayName of the attribute, ruleOID is the object ID (OID) for the matching rule control, and value is the decimal value you want to use for comparison. You need to convert from hexadecimal to decimal.

The value of ruleOID can be one of the following:
  • 1.2.840.113556.1.4.803 - This is the LDAP_MATCHING_RULE_BIT_AND rule. The matching rule is true only if all bits from the property match the value. This rule is like the bitwise AND operator.
  • 1.2.840.113556.1.4.804 - This is the LDAP_MATCHING_RULE_BIT_OR rule. The matching rule is true if any bits from the property match the value. This rule is like the bitwise OR operator.
An example is when you want to query Active Directory for user class objects that are disabled. The attribute that holds this information is the userAccountControl attribute. This attribute is composed of a combination of different flags. The flag for setting the object that you want to disable is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies userAccountControl with the UF_ACCOUNTDISABLED bit set would resemble this:
The following Microsoft Visual Basic sample script uses the above bitwise comparison filter:
Set oNSP = GetObject("LDAP://Win2000Server/rootdse")Set oConfig = GetObject("LDAP://Win2000Server/" & oNSP.get("DefaultNamingContext"))Set oConn = CreateObject("ADODB.Connection")oConn.Provider = "ADSDSOObject"oConn.Open ""strQuery = "<" & oConfig.ADsPath & ">;(&(objectCategory=person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2));name,objectClass;subtree"Set oRS = oConn.Execute(strQuery)While Not oRS.EOF  MsgBox oRS.Fields("name")   oRS.MoveNextWendMsgBox "done"Set oConn = NothingSet oRS = NothingSet oConfig = NothingSet oNSP = Nothing				
For more information on how to use the LDAP Matching Rule, see the Platform Software Development Kit (SDK). This information is found in the Contents at:

Networking and Directory Services  Active Directory, ADSI, and Directory Services     Active Directory        Using Active Directory           Searching the Active Directory             Creating a Query Filter                 How to Specify Comparison Values 				
For more information on how to use the LDAP Matching Rule, see the samples included in the Platform SDK. These samples are located in the\Microsoft PlatformSDK\Samples\NetDs\ADSI\Samples\ActiveDir\Attributes and SDK\Samples\NetDs\ADSI\Samples\ActiveDir\GetSchemaInfo folders.

Article ID: 269181 - Last Review: 06/19/2014 08:34:00 - Revision: 4.0

  • kbhowto kbmsg KB269181
"">var varCustomerTracking = 1; var Route = "76500"; var Ctrl = ""; document.write(" d')[0].appendChild(m);" onload="var m=document.createElement('meta');'ms.dqp0';m.content='false';document.getElementsByTagName('head')[0].appendChild(m);" src=""> >