Location: Articles




Adventnet Sky


LDAP tips #3: Searching for Computers

By Tony Murray on Thursday, September 25, 2008 10:57 PM

This article is the third in a series providing tips for common LDAP searches.

This article is the third in a continuing series covering tips for LDAP searches against Active Directory. See also:
Compared to searching for users and groups, finding computers in AD is relatively straightforward. Here are two examples using ADFIND.EXE that find all computer objects within the default domain.
adfind -default -f "(objectcategory=computer)" 1.1
adfind -default -f "(samaccounttype=805306369)" 1.1
Note that I have not used the objectClass attribute to perform the filter. This is because while both objectCategory and sAMAccountType are indexed attributes objectClass is not (by default). Filtering the search using objectClass would return the same results, but would generate a higher performance hit on the Domain Controller processing the request.
Computer objects have some helpful attributes, as shown in the table below.
Attribute Name
Example values
Windows VistaTM Ultimate
Windows Server 2003
Windows Server® 2008 Standard
Note that some of the attribute values contain trade mark or copyright symbols.  
5.2 (3790)
6.0 (6001);
Shows the version and then the build number in brackets
Service Pack 1
Service Pack 2
The attribute value always has a dollar sign ($) as the last character
For a comprehensive list of Windows operating system version numbers see: http://en.wikipedia.org/wiki/Microsoft_Windows
The operatingSystem attribute can contain trademark (TM) and registered trademark (®) symbols. This is because the syntax of the attribute is Unicode string and allows non-ASCII characters. From an LDAP search perspective the fact that these symbols are included makes the filter less straightforward. The symbols must be included when searching on the full value of the attribute. For example, the following search will return all computer objects matching the Windows Server 2008 Standard operating system.
adfind -default -f "(&(objectcategory=computer)(operatingSystem=Windows Server® 2008 Standard))" 1.1
The same search omitting the registered trademark symbol will return no results.
You can work around the requirement to include the symbol by using a wildcard character as part of your search, e.g.
adfind -default -f "("(&(objectcategory=computer)(operatingSystem=*2008 Standard))" 1.1
Be aware when searching using operatingSystemVersion as part of a filter that different operating systems can have the same values. The following search would return both Windows Server 2008 and Windows Vista computer objects.
adfind -default -f "(&(objectcategory=computer)(operatingsystemversion=6.0 (6001)))" 1.1
Note that ADFIND tolerates the use of round brackets within the filter. If you are working with a different LDAP client that requires them to be escaped, use \28 to replace the left bracket and \29 to replace the right, as follows:
(&(objectcategory=computer)(operatingsystemversion=6.0 \286001\29))
There is nothing special to not about the use of operatingSystemServicePack in a filter, apart from the fact that you cannot use the short form (e.g. SP1, SP2, etc.). The following example shows the correct syntax.
adfind -default -f "(&(objectcategory=computer)(operatingSystemServicePack=Service Pack 1))" 1.1
Be aware when using operatingSystem, operatingSystemVersion and operatingSystemServicePack that these values are only automatically populated when the computer joins the domain. Computer objects can obviously be created independently of the domain join. Note too that the object’s information within AD will only be current as long as the computer remains active and joined to the domain. The point here is that Active Directory is not an authoritative source of information for OS, version and service pack levels. If you need the information to be 100% accurate you will need to query the computers themselves, using WMI for example.
When using the sAMAccountName as part of a filter, remember to add the dollar sign ($) to the computer name. Here’s an example.
adfind -default -f "(&(objectcategory=computer)(samaccountname=easternex1$))" 1.1
As an alternative you could use the name attribute, which does not contain the dollar sign, as follows:
adfind -default -f "(&(objectcategory=computer)(name=easternex1))" 1.1
As you can see, there is nothing too challenging when working with LDAP searches for computer objects. Just be aware of the Unicode characters when using search filters and don’t rely on OS, version and SP information in AD to be authoritative.
Copyright 2014 ActiveDir.org
Terms Of Use