LDAP in ADAC vs Get-ADUser -LDAPFilter

I posted this elsewhere but still need (mental) help.

If I use the following LDAP string in Active Directory Admin Center > Global Search > Convert to LDAP


I get 160’ish users returned.
DomainMode: Windows2016Domain

If I use this same ldap query in Powershell Desktop 5.1.14393.5066, or Pwsh Core 7.2.1, I get 9 hits

get-aduser -LDAPFilter "(&(!memberOf=CN=TLD_ExpiredUsers,OU=groups,OU=TLD-HQ,DC=domain-corp,DC=com)(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" | select-object Name | Measure-Object -Property Name

I would have thought the userAccountControl property is a global one, but now I’m not sure.

Visually in ADAC the results for all returned records is “User account control: 0x202” and via Get-ADUser, the userAccountControl property is empty.

My original LDAP query came from Active Directory Users and Computers, saved search > New > advanced tab > common queries > “Disabled accounts” and I built it up from there using Using LDAP Saved Queries for Active Directory

I’ve casually surveyed
How Active Directory Searches Work
Use the UserAccountControl flags to manipulate user account properties
Active Directory: Get-ADUser Default and Extended Properties

Thank you for your valuable Time.


Hi TeamEVQ, welcome to the forum!

I can’t reproduce this. I’ve tried in 3 different environments and I get the same results in ADAC and powershell.

You don’t show where you pull and/or check this property. By default Get-ADUser returns a handful of properties, none of them are useraccountcontrol. If you want to pull additional properties you need to specify as part of the command.

get-aduser -LDAPFilter "(&(!memberOf=CN=TLD_ExpiredUsers,OU=groups,OU=TLD-HQ,DC=domain-corp,DC=com)(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -Properties UserAccountControl
1 Like

Thanks Doug:
appending my snippet…with
-Properties whenchanged,enabled,useraccountcontrol,PasswordExpired | select whenchanged,enabled,useraccountcontrol,PasswordExpired | ft
we get

 whenchanged           enabled useraccountcontrol PasswordExpired
-----------           ------- ------------------ ---------------
12/9/2018 1:53:36 PM    False                514           False
6/18/2021 5:34:59 PM    False                514           False
9/28/2021 3:45:00 PM    False                514           False
4/1/2022 5:58:44 PM     False                514           False
10/29/2021 2:43:09 PM   False                514           False
4/25/2022 8:24:18 PM    False                514           False 

Thanks for the assist!

Is this what you expected?

No sir.
I desire those 160 from using

Well, “progress”
run as Admin… :man_facepalming:

Get-ADUser -LDAPFilter "(&(!memberOf=CN=EVQ_ExpiredUsers,OU=groups,OU=EVQ-HQ,DC=evoque-corp,DC=com)(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -Properties whenchanged,enabled,useraccountcontrol,PasswordExpired | select name,whenchanged,enabled,useraccountcontrol,PasswordExpired | ft

spews a workable result with values in all requested Properties.

Irony rules my Life and keeps me Humble.

Thanks Doug!

1 Like

Just as a tip for the next time … when you format code the 3 backticks should be on a line on their own - not togehter with the code. :wink:

The easiest way to accomplish is to use the icon for preformatted text </>.

1 Like