Keywords: Active Directory | LDAP | sAMAccountName | Domain Query | Configuration Partition
Abstract: This article provides a comprehensive exploration of LDAP queries in Active Directory using sAMAccountName and domain parameters. It explains the concepts of sAMAccountName and domain in AD, presents optimized search filters including exclusion of contact objects, and details domain enumeration through configuration partitions with code examples. Additional common user query scenarios such as enabled/disabled users and locked accounts are also discussed.
LDAP Query Fundamentals
In Active Directory environments, LDAP (Lightweight Directory Access Protocol) is the primary protocol for reading the directory. The sAMAccountName attribute holds the pre-Windows 2000 logon name, the user part of the DOMAIN\username form (at most 20 characters for user accounts). It is guaranteed unique only within its own domain, not across the forest. Domains are administrative and replication boundaries; the forest, not the domain, is the security boundary. A lookup by sAMAccountName therefore has to be scoped to the naming context of the right domain (or run against a global catalog, which holds a partial replica of every domain in the forest).
Optimized Search Filters
The original query filter (&(objectCategory=Person)(sAMAccountName=BTYNDALL)) also matches contact objects, because contacts have objectCategory=person too (their objectClass is contact). Adding objectClass=user restricts the result to user objects. The two clauses complement each other: objectClass=user on its own would also match computer objects, since computer is a subclass of user, but computers have objectCategory=computer and are excluded by the first clause. Attribute names and objectCategory values are matched case-insensitively, so Person and person are equivalent:
(&(objectCategory=person)(objectClass=user)(sAMAccountName=BTYNDALL))
Domain Enumeration Methods
In Active Directory, every naming context in the forest is described by a crossRef object in the Partitions container of the configuration partition (cn=Partitions,<ConfigurationNamingContext>). A crossRef whose systemFlags value is 3 (FLAG_CR_NTDS_NC | FLAG_CR_NTDS_DOMAIN) describes a domain; the configuration partition and application partitions such as DomainDnsZones carry other flag combinations, so filtering on that value returns exactly the domains of the forest. Below is a VBScript example that runs the query through ADO with the ADsDSOObject provider:
' The ADO connection and command objects were missing from the original snippet.
Set objRootDSE = GetObject("LDAP://RootDSE")
Set AdConn = CreateObject("ADODB.Connection")
AdConn.Provider = "ADsDSOObject"
AdConn.Open "Active Directory Provider"
Set AdComm = CreateObject("ADODB.Command")
Set AdComm.ActiveConnection = AdConn
AdComm.Properties("Sort on") = "name"
' Domain naming contexts: crossRef objects with systemFlags = 1 (NC) Or 2 (domain).
AdComm.CommandText = "<LDAP://cn=Partitions," & _
    objRootDSE.Get("ConfigurationNamingContext") & ">;" & _
    "(&(objectcategory=crossRef)(systemFlags=3));" & _
    "name,nCName,dnsRoot;onelevel"
Set AdRs = AdComm.Execute
Extracting Domain Information
Extract the DNS root and naming context of each domain from the recordset and populate a selection list. This snippet runs inside an HTA or Internet Explorer page, which is where Document.createElement and the Domain select element come from:
' Fill the HTML <select> named Domain: the text is the DNS name of the domain,
' the value is the LDAP path of that domain's naming context.
With AdRs
    If Not .EOF Then .MoveFirst   ' MoveFirst on an empty recordset raises an error
    While Not .EOF
        dnsRoot = .Fields("dnsRoot").Value   ' multi-valued attribute, returned as an array
        Set objOption = Document.createElement("OPTION")
        objOption.Text = dnsRoot(0)
        objOption.Value = "LDAP://" & dnsRoot(0) & "/" & .Fields("nCName").Value
        Domain.Add objOption
        .MoveNext
    Wend
    .Close
End With
Other Common Query Scenarios
Beyond the basic lookup, the same pattern is combined with other conditions. The filters below additionally exclude inter-domain trust accounts, which are user objects with sAMAccountType=805306370 (SAM_TRUST_ACCOUNT); computer accounts (sAMAccountType=805306369) are already excluded by objectCategory=person. RFC 4515 requires the operand of ! to be a parenthesised filter, as written here. Active Directory also accepts the shorthand (!sAMAccountType=805306370) that appears in many older examples, but strict parsers and other directory servers reject it.
Users with logon name John:
(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(sAMAccountName=John))
All users:
(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370)))
Enabled users (the ACCOUNTDISABLE bit, value 2, of userAccountControl is clear; the OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match):
(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Disabled users:
(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(userAccountControl:1.2.840.113556.1.4.803:=2))
Locked out users:
(&(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(lockoutTime>=1))
lockoutTime is a FILETIME value (100-nanosecond intervals since 1601-01-01 UTC). It is set when the account is locked and is reset to 0 only by the next successful logon or an explicit unlock; it is not cleared when the domain's lockoutDuration expires. The filter above therefore also returns accounts whose lockout has already lapsed. A correct "currently locked" check adds lockoutDuration to lockoutTime and compares the result with the current time.
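The following Python example is added here and is not part of the original article. It shows the lockoutTime caveat in working code: the FILETIME conversion, the client-side check of lockoutTime plus lockoutDuration against the current time, and a server-side variant that moves the same threshold into the filter so that expired lockouts are not returned at all. The sample accounts, their timestamps, the 30-minute lockoutDuration and the fixed "now" are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch; lockoutTime and lockoutDuration count 100 ns ticks from here.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# lockoutDuration value that means "locked until an administrator unlocks"
# (the policy setting 0 is stored on the domain head as the 64-bit minimum).
LOCKOUT_FOREVER = -(1 << 63)


def filetime_to_datetime(ft):
    """AD large-integer timestamp (lockoutTime, pwdLastSet, ...) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME ticks, using exact integer arithmetic."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_currently_locked(lockout_time, lockout_duration, now):
    """lockout_duration is the domain head's lockoutDuration: a negative tick count
    (a relative interval), 0, or LOCKOUT_FOREVER."""
    if lockout_time == 0:
        return False
    if lockout_duration in (0, LOCKOUT_FOREVER):
        return True
    expires = filetime_to_datetime(lockout_time) + timedelta(microseconds=(-lockout_duration) // 10)
    return now < expires


def currently_locked(entries, lockout_duration, now):
    """Client-side refinement of the result set of (lockoutTime>=1)."""
    return [e["sAMAccountName"] for e in entries
            if is_currently_locked(e.get("lockoutTime", 0), lockout_duration, now)]


def locked_out_filter(lockout_duration, now):
    """Server-side alternative: only accounts locked within the last lockoutDuration
    can still be locked, so put that FILETIME threshold into the filter."""
    if lockout_duration in (0, LOCKOUT_FOREVER):
        return "(&(sAMAccountType=805306368)(lockoutTime>=1))"
    threshold = now - timedelta(microseconds=(-lockout_duration) // 10)
    return f"(&(sAMAccountType=805306368)(lockoutTime>={datetime_to_filetime(threshold)}))"


# Constructed sample data (assumptions, not real directory output).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = -18_000_000_000          # 30 minutes, as stored on the domain head
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
    {"sAMAccountName": "bob", "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=3))},
    {"sAMAccountName": "carol", "lockoutTime": 0},
]

if __name__ == "__main__":
    # (lockoutTime>=1) would return alice and bob; only alice is still locked.
    print(currently_locked(SAMPLE_USERS, LOCKOUT_DURATION, NOW))
    print(locked_out_filter(LOCKOUT_DURATION, NOW))
```

The server-side filter is the cheaper option on large domains, but it still has to be recomputed for every query because the threshold is relative to the current time.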
Alternative Query Methods
Another approach for searching users relies on sAMAccountType alone. The value 805306368 (0x30000000, SAM_NORMAL_USER_ACCOUNT) is set only on ordinary user accounts, so a single indexed equality match excludes computers (805306369), trust accounts (805306370) and contacts (which have no sAMAccountType at all) without the objectCategory/objectClass pair:
(sAMAccountType=805306368)
Alternative query for disabled users:
(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))
Alternative query for active users:
(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
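To make visible what each clause of the filters in the optimized-filter, query-scenario and alternative-query sections actually excludes, without needing a domain controller, here is an added Python example that is not part of the original article. It parses the RFC 4515 subset used on this page (and, or, not, equality, ordering, presence and the 1.2.840.113556.1.4.803 / 1.2.840.113556.1.4.804 bitwise rules) and evaluates filters against a handful of constructed objects: a normal user, a disabled user, a contact, a computer and a trust account. The sample objects, their attribute values and the example.com schema DNs are assumptions. The parser is deliberately strict, so the (!attr=value) shorthand that AD tolerates is rejected.

```python
import re

# Matching-rule OIDs used by the filters on this page.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

_ITEM = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?(>=|<=|=)(.*)", re.S)


def parse_filter(s, pos=0):
    """Recursive-descent parser for the RFC 4515 subset used on this page.
    Returns (node, offset after the closing parenthesis). Nodes are
    ('&', [...]), ('|', [...]), ('!', node) or ('item', attr, rule, op, value)."""
    if pos >= len(s) or s[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if s[pos] in "&|":
        op, pos, children = s[pos], pos + 1, []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    if s[pos] == "!":
        # RFC 4515 makes the operand of ! a parenthesised filter. AD also accepts
        # the shorthand (!attr=value); this strict parser rejects it on purpose.
        child, pos = parse_filter(s, pos + 1)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return ("!", child), pos + 1
    end = s.find(")", pos)
    m = _ITEM.fullmatch(s[pos:end]) if end > 0 else None
    if not m:
        raise ValueError(f"bad filter item at offset {pos}")
    attr, rule, op, value = m.groups()
    return ("item", attr.lower(), rule, op, value), end + 1


def _values(entry, attr):
    """Case-insensitive attribute lookup returning a list. objectCategory is stored
    as a DN but filters use the class name, so compare the leading RDN value."""
    for name, val in entry.items():
        if name.lower() == attr:
            vals = val if isinstance(val, list) else [val]
            if attr == "objectcategory":
                vals = [str(v).split(",", 1)[0].split("=", 1)[-1] for v in vals]
            return vals
    return []


def _match(actual, rule, op, wanted):
    if rule == LDAP_MATCHING_RULE_BIT_AND:      # all requested bits set
        return int(actual) & int(wanted) == int(wanted)
    if rule == LDAP_MATCHING_RULE_BIT_OR:       # any requested bit set
        return int(actual) & int(wanted) != 0
    try:
        a, w = int(actual), int(wanted)         # numeric compare for integer syntaxes
    except ValueError:
        a, w = str(actual).lower(), wanted.lower()   # AD string matching is case-insensitive
    if op == "=":
        return a == w
    return a >= w if op == ">=" else a <= w


def evaluate(node, entry):
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, rule, op, value = node
    values = _values(entry, attr)
    if rule is None and op == "=" and value == "*":   # presence filter
        return bool(values)
    return any(_match(v, rule, op, value) for v in values)


def search(filter_str, entries):
    """Sorted names of the entries that filter_str matches."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return sorted(name for name, e in entries.items() if evaluate(node, e))


# Constructed sample objects (assumptions, not real directory data).
_PERSON = "CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com"
_COMPUTER = "CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com"
_USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = {
    "BTYNDALL": {"objectCategory": _PERSON, "objectClass": _USER, "sAMAccountName": "BTYNDALL",
                 "sAMAccountType": 805306368, "userAccountControl": 512},
    "disabled.user": {"objectCategory": _PERSON, "objectClass": _USER, "sAMAccountName": "disabled.user",
                      "sAMAccountType": 805306368, "userAccountControl": 514},
    "contact.only": {"objectCategory": _PERSON, "objectClass": _USER[:3] + ["contact"]},
    "WS01$": {"objectCategory": _COMPUTER, "objectClass": _USER + ["computer"], "sAMAccountName": "WS01$",
              "sAMAccountType": 805306369, "userAccountControl": 4096},
    "CHILD$": {"objectCategory": _PERSON, "objectClass": _USER, "sAMAccountName": "CHILD$",
               "sAMAccountType": 805306370, "userAccountControl": 2080},
}

if __name__ == "__main__":
    for f in ["(objectCategory=person)", "(objectClass=user)", "(sAMAccountType=805306368)"]:
        print(f, "->", search(f, SAMPLE_ENTRIES))
```

Running it shows the point of each clause: (objectCategory=person) alone pulls in the contact and the trust account, (objectClass=user) alone pulls in the computer, and (sAMAccountType=805306368) returns only the two ordinary users.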
Practical Application Considerations
In practice, the logon name handed to the application often arrives as DOMAIN\username. The DOMAIN part cannot simply be folded into the filter: the domain is encoded in the object's distinguished name, and distinguishedName is a DN-syntax attribute on which Active Directory supports neither substring nor wildcard matching. The application therefore has to split the name itself, map the NetBIOS domain name to the corresponding naming context (each domain's crossRef carries it in the nETBIOSName attribute, so it is worth adding that attribute to the crossRef query above), and run the sAMAccountName filter against that domain's naming context. A user@dns.domain name can instead be looked up directly with (userPrincipalName=...). In both cases the user-supplied part becomes an assertion value inside the filter and must be escaped as RFC 4515 requires (\ * ( ) and NUL become \5c \2a \28 \29 \00); otherwise an input such as *)(objectClass=* turns the lookup into an LDAP injection that matches every user.
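As an added Python example (not code from the original article), the following puts the two halves of that advice together: it reduces a set of crossRef objects to the domain naming contexts using the systemFlags bits, maps NetBIOS names to search bases, escapes the user-supplied part per RFC 4515, and builds the base and filter for a DOMAIN\user, user@dns.domain or bare user name. It goes slightly beyond the text by handling the UPN form as well. The crossRef entries, domain names and the default domain are constructed assumptions; nETBIOSName is a real crossRef attribute that the page's query would need added to its attribute list.

```python
FLAG_CR_NTDS_NC = 0x1
FLAG_CR_NTDS_DOMAIN = 0x2

# Constructed crossRef objects, shaped like the results of the cn=Partitions query on
# this page with nETBIOSName added to the attribute list. All names are assumptions.
CROSSREFS = [
    {"name": "example", "nETBIOSName": "EXAMPLE", "dnsRoot": "example.com",
     "nCName": "DC=example,DC=com", "systemFlags": 3},
    {"name": "child", "nETBIOSName": "CHILD", "dnsRoot": "child.example.com",
     "nCName": "DC=child,DC=example,DC=com", "systemFlags": 3},
    {"name": "Enterprise Configuration", "dnsRoot": "example.com",
     "nCName": "CN=Configuration,DC=example,DC=com", "systemFlags": 1},
    {"name": "DomainDnsZones", "dnsRoot": "DomainDnsZones.example.com",
     "nCName": "DC=DomainDnsZones,DC=example,DC=com", "systemFlags": 5},
]


def domain_partitions(crossrefs):
    """Map NetBIOS name -> crossRef for domain naming contexts only, i.e. those with
    both FLAG_CR_NTDS_NC and FLAG_CR_NTDS_DOMAIN set (the page's systemFlags=3)."""
    want = FLAG_CR_NTDS_NC | FLAG_CR_NTDS_DOMAIN
    return {c["nETBIOSName"].upper(): c
            for c in crossrefs if c["systemFlags"] & want == want}


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value: backslash, * ( ) NUL, control
    characters and non-ASCII bytes become \\xx, so input cannot alter the filter."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b < 0x20 or b > 0x7e:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)


def build_user_query(logon, partitions, default_netbios):
    """Turn DOMAIN\\user, user@dns.domain or a bare user name into
    (LDAP path of the domain naming context, escaped search filter)."""
    if "\\" in logon:
        domain, user = logon.split("\\", 1)
        part = partitions.get(domain.upper())
        if part is None:
            raise LookupError(f"unknown domain {domain!r}")
        clause = f"(sAMAccountName={escape_filter_value(user)})"
    elif "@" in logon:
        # The UPN prefix is not guaranteed to equal sAMAccountName, so match the
        # whole UPN instead of splitting it.
        dns = logon.rsplit("@", 1)[1].lower()
        part = next((p for p in partitions.values() if p["dnsRoot"].lower() == dns), None)
        if part is None:
            raise LookupError(f"unknown domain {dns!r}")
        clause = f"(userPrincipalName={escape_filter_value(logon)})"
    else:
        part = partitions[default_netbios.upper()]
        clause = f"(sAMAccountName={escape_filter_value(logon)})"
    base = f"LDAP://{part['dnsRoot']}/{part['nCName']}"
    return base, f"(&(objectCategory=person)(objectClass=user){clause})"


if __name__ == "__main__":
    parts = domain_partitions(CROSSREFS)
    print(build_user_query("CHILD\\btyndall", parts, "EXAMPLE"))
    print(build_user_query("EXAMPLE\\*)(objectClass=*", parts, "EXAMPLE"))   # injection attempt, neutralised
```

The second call shows the escaping at work: the attacker-controlled value is still a single sAMAccountName assertion rather than an extra clause.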
Performance Optimization Recommendations
LDAP query performance depends on how selective the filter is, how many attributes are returned, and how many round trips the query needs. Recommendations:
- Lead with the most selective clause and put at least one indexed attribute in every filter; sAMAccountName, sAMAccountType and objectCategory are all indexed, which is one reason to prefer (objectCategory=person) over (objectClass=person) alone. A filter with no indexed clause forces the domain controller to walk every object in scope
- Avoid leading wildcards such as (sAMAccountName=*ndall); unless the attribute has a tuple index, only trailing wildcards can use the index
- Request only the attributes you need instead of the whole object
- Use paged results (the Page Size property in ADO; the default MaxPageSize is 1000 objects per page) so that large result sets are neither truncated nor loaded at once
- Cache results that are read often and change rarely, such as the list of domains