Windows Tip Sheet
Save a Query, Save Some Time
Hunt down wanted Active Directory objects quick and easy.
One cool new feature in Win2003’s Active Directory Users and
Computers (ADUC) tool is Saved Queries. The basic idea behind these
things is that domains can have oodles and oodles of objects floating
around, and they can be pretty well-hidden thanks to complex organizational
unit (OU) hierarchies. Saved Queries lets you search for specific
objects in the domain, starting at any point you like, and displays
the resulting objects in a nice, easy-to-see flat list.
Not Just for 2003 Domains!
And before you think that I’m just trying to boost Microsoft’s
stock by pushing Win2003, let’s be clear: This feature works
just dandy in a Win2000 AD domain. You just need to install the
2003 version of AdminPak.msi, and you have to have at least one
Win2003 domain controller in your domain. Everything else can be
Win2000, and you can even have WinNT 4.0 BDCs still hanging around,
if that’s what you’re into.
The correct version of ADUC will display a Saved Queries folder
above the currently connected domain. First, make sure you’re
connected to a 2003 DC, if necessary: Right-click the domain and
select “Connect to Domain Controller…” from the
context menu. Now you can right-click “Saved Queries”
and create a new query (or, if you’re into organization, create
a new folder; Saved Queries lets you create multiple queries and
organize them into a hierarchy of folders). You’ll start by
specifying a name for your query, as well as its root. The default
root is the entire domain, which means the query will search the
whole domain. You can limit the query to a specific OU and its children
by simply selecting that OU.
Then, click “Define Query.” This is the fun part: From
the Find menu, you can select the type of object you’re looking
for: Computers, Users, Contacts, Shared Folders, Groups, Printers,
OUs—you name it. You can even specify a custom search for
other types of objects. An easy way to play with Saved Queries,
however, is just to select “Common Queries.” For example,
selecting “Common Queries” lets you search for all users
with non-expiring passwords, or all disabled accounts (which should
be candidates for deletion after a period of time).
For a more advanced query, select “Users, Contacts, and Groups”
from the Find drop-down. Then click the Advanced tab. From Field,
select User > Department. For the Condition, specify “Starts
with” and for the Value type “Research.” Click
Add to add the criteria, and you’ll have a query that displays
all members of the Research department, regardless of where they
work or what OU they might be hiding in. Of course, this assumes
that you’ve populated the “Department” field of
your users’ properties. Saved Queries definitely makes it
worthwhile to start populating those things; you can easily run
reports of all users reporting to a particular manager, and so forth.
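The queries described above, written out as LDAP filters in an added PowerShell example (not part of the original article). The function names are hypothetical, the user-only restriction on the Department query is an assumption, and the search function has to run on a domain-joined machine.

```powershell
# Added example. Function names here are hypothetical, not part of ADUC.

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 special characters so a typed value stays a literal.
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value.Replace('\', '\5c')            # backslash first
    $v = $v.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $v.Replace([string][char]0, '\00')
}

function Get-SavedQueryFilter {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NonExpiringPassword', 'Disabled', 'DepartmentStartsWith')]
        [string]$Query,
        [string]$Value
    )
    $user = '(objectCategory=person)(objectClass=user)'
    # LDAP_MATCHING_RULE_BIT_AND: true when every bit of the value is set.
    $bit = 'userAccountControl:1.2.840.113556.1.4.803:='
    switch ($Query) {
        'NonExpiringPassword' { '(&{0}({1}65536))' -f $user, $bit }  # 0x10000 DONT_EXPIRE_PASSWORD
        'Disabled'            { '(&{0}({1}2))' -f $user, $bit }      # 0x2 ACCOUNTDISABLE
        'DepartmentStartsWith' {
            if (-not $Value) { throw 'DepartmentStartsWith needs -Value' }
            '(&{0}(department={1}*))' -f $user, (ConvertTo-LdapFilterValue $Value)
        }
    }
}

function Find-DirectoryObject {
    # Subtree search from the chosen root, returned as a flat list.
    param([Parameter(Mandatory)][string]$Filter, [string]$SearchRoot)
    $root = if ($SearchRoot) { [adsi]"LDAP://$SearchRoot" } else { [adsi]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 500   # page so large domains return every match
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'department'))
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            New-Object psobject -Property @{
                Account    = [string]($r.Properties['samaccountname'] | Select-Object -First 1)
                Department = [string]($r.Properties['department'] | Select-Object -First 1)
                Path       = $r.Path
            }
        }
    } finally { $results.Dispose() }
}
```

Running Find-DirectoryObject -Filter (Get-SavedQueryFilter DepartmentStartsWith -Value 'Research') searches the whole domain; pass -SearchRoot with an OU's distinguished name to start lower in the tree, as with the query root in ADUC.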
Saved Queries are stored on your local machine, not in AD. You
can right-click a query to export its definition to an XML file,
which you can easily share with other admins. They just need to
right-click the Saved Queries folder to find an Import option that’ll
read in your XML query definition, making it available on their
machine as well.
Saved Queries lets you query users
who haven’t logged on in a certain number
of days (it’s part of the “Common Queries”
section for users). However, keep in mind that this
relies on a user attribute, which is only replicated
in an all-2003 domain. Prior versions of Windows
have this attribute, but they don’t replicate
it, meaning only the DC that last authenticated
a user has the correct “Last Login”

Win2003 DCs (and the Win2003 admin tools)
support multiple object selection. So you can,
for example, select the results of your Saved
Queries and disable them all at once. As with
Saved Queries, you have to have the 2003 ADUC
tool, and you have to connect to a 2003 DC, but
the feature will otherwise work in a 2000 AD domain.
• You can write really advanced free-form queries: Here’s
an example that finds locked-out user accounts:
• Find other new features of Win2003, including its Feature
Packs, in Microsoft Windows Server 2003 Delta Guide, Second Edition:
• Microsoft TechNet article on Saved Queries and other new
About the Author
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.