I get 160’ish users returned.
DomainMode: Windows2016Domain
If I use this same LDAP query in PowerShell Desktop 5.1.14393.5066, or Pwsh Core 7.2.1, I get 9 hits:
get-aduser -LDAPFilter "(&(!memberOf=CN=TLD_ExpiredUsers,OU=groups,OU=TLD-HQ,DC=domain-corp,DC=com)(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" | select-object Name | Measure-Object -Property Name
I would have thought the userAccountControl property is a global one, but now I’m not sure.
Visually in ADAC the result for all returned records is “User account control: 0x202” and via Get-ADUser, the userAccountControl property is empty.
My original LDAP query came from Active Directory Users and Computers, saved search > New > advanced tab > common queries > “Disabled accounts”, and I built it up from there using “Using LDAP Saved Queries for Active Directory”.
I can’t reproduce this. I’ve tried in 3 different environments and I get the same results in ADAC and PowerShell.
You don’t show where you pull and/or check this property. By default Get-ADUser returns a handful of properties, none of them are userAccountControl. If you want to pull additional properties you need to specify them as part of the command.
Thanks Doug:
appending my snippet…with -Properties whenchanged,enabled,useraccountcontrol,PasswordExpired | select whenchanged,enabled,useraccountcontrol,PasswordExpired | ft
we get
No sir.
I desire those 160 from using (&(!memberOf=CN=TLD_ExpiredUsers,OU=groups,OU=TLD-HQ,DC=domain-corp,DC=com)(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
in ADAC
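
For reference on the filter used throughout this thread, an added example (not written by any of the posters): it decodes a userAccountControl value such as the 0x202 shown in ADAC and emulates the bitwise-AND matching rule 1.2.840.113556.1.4.803 with the mask 2. The function names and sample accounts are hypothetical and constructed here, and the flag table is a subset of the values Microsoft documents.

```powershell
# Added illustration; not code from the thread. Runs without a domain controller.
# Subset of the documented userAccountControl flag values.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    LOCKOUT              = 0x0010
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    PASSWORD_EXPIRED     = 0x800000
}

function ConvertFrom-UacValue {
    # Return the names of the known flags set in a userAccountControl integer.
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-BitAndRule {
    # Emulates (attr:1.2.840.113556.1.4.803:=Mask):
    # the clause matches only when every bit of Mask is set in Value.
    param(
        [Parameter(Mandatory)][int]$Value,
        [Parameter(Mandatory)][int]$Mask
    )
    ($Value -band $Mask) -eq $Mask
}

# Constructed sample accounts (hypothetical names and values).
$samples = @(
    [pscustomobject]@{ Name = 'sample.disabled'; userAccountControl = 0x202 }
    [pscustomobject]@{ Name = 'sample.enabled';  userAccountControl = 0x200 }
    [pscustomobject]@{ Name = 'sample.noexpire'; userAccountControl = 0x10202 }
)

# Show each value in hex, its decoded flags, and whether the ":=2" clause matches it.
$samples | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.Name
        Hex         = '0x{0:X}' -f $_.userAccountControl
        Flags       = (ConvertFrom-UacValue -Value $_.userAccountControl) -join ', '
        MatchesMask = Test-BitAndRule -Value $_.userAccountControl -Mask 2
    }
} | Format-Table -AutoSize
```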