
LDAPSoft AD Browser SQL LDAP query filter based on UserPasswordExpiryTimeComputed


We are using LDAPSoft AD Browser to list out AD service accounts. We are trying to filter the service accounts whose passwords never expire. We tried the query below and it returns 0 results (we ticked the sub tree option check box to list out child nodes). We can also see that the UserPasswordExpiryTimeComputed value is null. Please help us to solve the issue.

SELECT from  OU=AAA,OU=VVV,OU=VVV,DC=DDD,DC=COM where msDS-UserPasswordExpiryTimeComputed  NOT NULL

Thanks in advance.


Solution

  • The msDS-UserPasswordExpiryTimeComputed attribute is a constructed attribute, meaning that it is calculated at the time you request it. The values are not stored. Because of this, you cannot use constructed attributes in queries. You can only read them from an account you have already found.

    When an account is set so that the password never expires, the userAccountControl attribute is updated. This is a bit flag, meaning that every bit in the binary representation of the value is an on/off flag with a different meaning.

    The setting you're looking for is ADS_UF_DONT_EXPIRE_PASSWD, which is shown in the documentation as a hex value of 0x00010000. That is a binary value of 1 0000 0000 0000 0000. So when the 17th bit is 1 the password never expires. When the 17th bit is 0, the password expires. However, you can use the decimal equivalent of 65536 in the query.

    I usually use LDAP query notation, which would look like this:

    (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

    That will find all user accounts where the password is set to never expire. That weird number is described here as the object identifier (OID) LDAP_MATCHING_RULE_BIT_AND. That is the bitwise AND operator, which checks if a certain bit is set.

    I haven't tested this, but in SQL notation, you would likely use &, which is the bitwise AND operator, like this:

    WHERE userAccountControl & 65536 = 65536
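An added example (not code from the original question or answer) that puts the answer's two points together offline: the userAccountControl bit flag is what you filter on, and msDS-UserPasswordExpiryTimeComputed is a constructed attribute you read per account after the search. The script builds the bitwise-AND LDAP filter from the answer, applies the same test to a few constructed sample records, and decodes the expiry attribute, which AD returns as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) with the sentinel 0x7FFFFFFFFFFFFFFF for "never expires". The account names and values are made up for the example; the flag values and the OID are the documented ones the answer cites.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bit flags (ADS_UF_* names from the Microsoft docs).
ADS_UF_ACCOUNTDISABLE = 0x00000002
ADS_UF_DONT_EXPIRE_PASSWD = 0x00010000  # bit 17, decimal 65536, as in the answer

# Matching-rule OID the answer uses: LDAP_MATCHING_RULE_BIT_AND.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# msDS-UserPasswordExpiryTimeComputed is a FILETIME; Int64.MaxValue means the
# password never expires. Constructed attributes are not returned by a "*"
# attribute request, so name it explicitly when you read a found account.
NEVER_EXPIRES_FILETIME = 0x7FFFFFFFFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def never_expire_filter(flag=ADS_UF_DONT_EXPIRE_PASSWD):
    """Build the LDAP filter from the answer: bitwise AND on userAccountControl."""
    return f"(&(objectClass=user)(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag}))"


def has_flag(uac, flag):
    """Same test the SQL form 'userAccountControl & 65536 = 65536' expresses."""
    return (uac & flag) == flag


def datetime_to_filetime(dt):
    """Convert an aware UTC datetime to a FILETIME using exact integer arithmetic."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def filetime_to_datetime(ft):
    """Decode msDS-UserPasswordExpiryTimeComputed; None means 'never expires' or unset."""
    if ft == 0 or ft >= NEVER_EXPIRES_FILETIME:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


# Constructed sample rows: (sAMAccountName, userAccountControl,
# msDS-UserPasswordExpiryTimeComputed). 512 is NORMAL_ACCOUNT.
SAMPLE_ACCOUNTS = [
    ("svc-backup", 512 | ADS_UF_DONT_EXPIRE_PASSWD, NEVER_EXPIRES_FILETIME),
    ("svc-legacy", 512 | ADS_UF_DONT_EXPIRE_PASSWD | ADS_UF_ACCOUNTDISABLE, NEVER_EXPIRES_FILETIME),
    ("jdoe", 512, datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))),
]


def audit(accounts):
    """Return the enabled accounts whose password never expires, with decoded expiry."""
    findings = []
    for name, uac, expiry_ft in accounts:
        if has_flag(uac, ADS_UF_DONT_EXPIRE_PASSWD) and not has_flag(uac, ADS_UF_ACCOUNTDISABLE):
            findings.append((name, filetime_to_datetime(expiry_ft)))
    return findings


if __name__ == "__main__":
    print("LDAP filter:", never_expire_filter())
    for name, expiry in audit(SAMPLE_ACCOUNTS):
        print(f"{name}: password never expires (expiry attribute -> {expiry})")
```

In practice you would run `never_expire_filter()` as the LDAP search, then request msDS-UserPasswordExpiryTimeComputed by name for each returned entry and pass it through `filetime_to_datetime`; the disabled-account exclusion is there because a "never expires" flag on a disabled account is usually noise in an audit, and you can drop it if you want the full list.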