Windows Tip Sheet

Save a Query, Save Some Time

Hunt down wanted Active Directory objects quickly and easily.

One cool new feature in Win2003’s Active Directory Users and Computers (ADUC) tool is Saved Queries. The basic idea behind these things is that domains can have oodles and oodles of objects floating around, and they can be pretty well-hidden thanks to complex organizational unit (OU) hierarchies. Saved Queries lets you search for specific objects in the domain, starting at any point you like, and displays the resulting objects in a nice, easy-to-see flat list.

Not Just for 2003 Domains!
And before you think that I’m just trying to boost Microsoft’s stock by pushing Win2003, let’s be clear: This feature works just dandy in a Win2000 AD domain. You just need to install the 2003 version of AdminPak.msi, and you have to have at least one Win2003 domain controller in your domain. Everything else can be Win2000, and you can even have WinNT 4.0 BDCs still hanging around, if that’s what you’re into.

The correct version of ADUC will display a Saved Queries folder above the currently connected domain. First, make sure you’re connected to a 2003 DC, if necessary: Right-click the domain and select “Connect to Domain Controller…” from the context menu. Now you can right-click “Saved Queries” and create a new query (or, if you’re into organization, create a new folder; Saved Queries lets you create multiple queries and organize them into a hierarchy of folders). You’ll start by specifying a name for your query, as well as its root. The default root is the entire domain, which means the query will search the whole domain. You can limit the query to a specific OU and its children by simply selecting that OU.

Then, click “Define Query.” This is the fun part: From the Find menu, you can select the type of object you’re looking for: Computers, Users, Contacts, Shared Folders, Groups, Printers, OUs—you name it. You can even specify a custom search for other types of objects. An easy way to play with Saved Queries, however, is just to select “Common Queries.” For example, selecting “Common Queries” lets you search for all users with non-expiring passwords, or all disabled accounts (which should be candidates for deletion after a period of time).

For a more advanced query, select “Users, Contacts, and Groups” from the Find drop-down. Then click the Advanced tab. From Field, select User > Department. For the Condition, specify “Starts with” and for the Value type “Research.” Click Add to add the criteria, and you’ll have a query that displays all members of the Research department, regardless of where they work or what OU they might be hiding in. Of course, this assumes that you’ve populated the “Department” field of your users’ properties. Saved Queries definitely makes it worthwhile to start populating those things; you can easily run reports of all users reporting to a particular manager, and so forth.
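The Common Queries and the Department query described above can also be written as LDAP filters, which is what a free-form custom search takes. The PowerShell below is an added example, not code from the original article; the function names and the sample OU path are hypothetical, and it assumes the standard `userAccountControl` flag values and the .NET `[adsisearcher]` accelerator.

```powershell
# Added example: LDAP filter equivalents of the Saved Queries discussed above.
# Function names and the OU path are illustrative, not part of ADUC.

$UF_ACCOUNTDISABLE     = 2       # userAccountControl bit: account disabled
$UF_DONT_EXPIRE_PASSWD = 65536   # userAccountControl bit: password never expires
$BIT_AND  = '1.2.840.113556.1.4.803'   # AD bitwise-AND matching rule
$UserBase = '(objectCategory=person)(objectClass=user)'

function ConvertTo-LdapLiteral {
    # Escape characters that RFC 4515 reserves inside a filter value, so a
    # typed-in value such as "R&D (EU)*" cannot change the filter's structure.
    param([string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function Get-DepartmentFilter {
    # "Department starts with <Prefix>"
    param([string]$Prefix)
    '(&{0}(department={1}*))' -f $UserBase, (ConvertTo-LdapLiteral $Prefix)
}

function Get-UacFlagFilter {
    # Users whose userAccountControl has the given bit set
    param([int]$Flag)
    '(&{0}(userAccountControl:{1}:={2}))' -f $UserBase, $BIT_AND, $Flag
}

function Find-ByFilter {
    # Runs a filter against the domain; SearchRoot limits it to an OU and its
    # children, like the query root chosen in ADUC.
    param([string]$Filter, [string]$SearchRoot)
    $s = [adsisearcher]$Filter
    if ($SearchRoot) { $s.SearchRoot = [adsi]$SearchRoot }
    $s.PageSize = 1000   # page results so large domains are not truncated
    [void]$s.PropertiesToLoad.Add('samaccountname')
    $s.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

# Building the filters needs no domain connection:
Get-DepartmentFilter 'Research'                 # Department starts with "Research"
Get-UacFlagFilter $UF_ACCOUNTDISABLE            # disabled accounts
Get-UacFlagFilter $UF_DONT_EXPIRE_PASSWD        # non-expiring passwords

# On a domain-joined machine (placeholder OU path):
# Find-ByFilter (Get-UacFlagFilter $UF_DONT_EXPIRE_PASSWD) 'LDAP://OU=Staff,DC=example,DC=com'
```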

Saved Queries are stored on your local machine, not in AD. You can right-click a query to export its definition to an XML file, which you can easily share with other admins. They just need to right-click the Saved Queries folder to find an Import option that’ll read in your XML query definition, making it available on their machine as well.

Micro Tips
Saved Queries lets you query users who haven’t logged on in a certain number of days (it’s part of the “Common Queries” section for users). However, keep in mind that this relies on a user attribute, which is only replicated in an all-2003 domain. Prior versions of Windows have this attribute, but they don’t replicate it, meaning only the DC that last authenticated a user has the correct “Last Login” value.

Win2003 DCs (and the Win2003 admin tools) support multiple object selection. So you can, for example, select the results of your Saved Queries and disable them all at once. As with Saved Queries, you have to have the 2003 ADUC tool, and you have to connect to a 2003 DC, but the feature will otherwise work in a 2000 AD domain.

More Resources:
• You can write really advanced free-form queries: Here’s an example that finds locked-out user accounts: http://www.windowsdevcenter.com/pub/a/windows/2004/06/22/locked_accounts.html
• Find other new features of Win2003, including its Feature Packs, in Microsoft Windows Server 2003 Delta Guide, Second Edition: http://www.deltaguideseries.com
• Microsoft TechNet article on Saved Queries and other new 2003 features: http://www.microsoft.com/technet/community/columns/profwin/pw0503.mspx

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.
