C# Search Active Directory by whenChanged?

  • Question

  • I am trying to figure out how to make a query against AD to find users that have a whenChanged date in between some specific date/time. I can do basic AD queries using a directory entry or PrincipalContext search, but I can't figure out how to get users based on extended properties.

    I see examples of how to do it in PowerShell, but that doesn't help me in C#. Is this even possible?

    Thursday, March 23, 2017 7:12 PM

All replies

  • This blog post has a section showing how to use System.DirectoryServices to query AD:

    https://blogs.msdn.microsoft.com/kaevans/2011/07/04/querying-active-directory/

    The filter you specify would be a standard LDAP syntax filter. The standard filter to retrieve all user objects in AD is:

    (&(objectCategory=person)(objectClass=user))

    This would be assigned to the Filter parameter (as in the blog post I linked) as a quoted string. The whenCreated attribute is in GeneralizedTime syntax, which is a string in the form YYYYMMDDhhmmss.0Z. For example, today (March 23, 2017) at 1:15:23 pm UTC would be "20170323131523.0Z". This allows us to use the ">=" and "<=" operators (greater than or equal to and less than or equal to) to filter on values after and/or before specified dates. You would add a clause in parentheses for each new condition in the filter, all of which are added using the "&" AND operator. For all user objects created after January 1, 2017, and before March 1, 2017, the LDAP syntax filter would be:

    (&(objectCategory=person)(objectClass=user)(whenCreated>=20170101000000.0Z)(whenCreated<=20170301000000.0Z))

    This Wiki documents LDAP syntax filters, and the operators allowed ("<" and ">" are not allowed):

    https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

    And this Wiki documents all you need to know about GeneralizedTime attributes, like whenCreated:

    https://social.technet.microsoft.com/wiki/contents/articles/28222.active-directory-generalized-time-attributes.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, March 23, 2017 9:31 PM
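    Putting the filter described above into a System.DirectoryServices search, as an added example (not code from the linked blog post or from anyone in this thread). It uses whenChanged, which the question asked about, rather than whenCreated; both attributes have GeneralizedTime syntax, so the same >= / <= comparison works. The LDAP path, the date range and the attribute list are placeholders to replace for your own domain. One caveat worth knowing: whenChanged is a non-replicated attribute that each domain controller maintains locally, so run the query against the same DC if you need repeatable results.

    ```csharp
    using System;
    using System.DirectoryServices;

    class WhenChangedSearch
    {
        // Convert a DateTime to the GeneralizedTime form AD expects in a filter:
        // YYYYMMDDhhmmss.0Z, always expressed in UTC.
        static string ToGeneralizedTime(DateTime value)
        {
            return value.ToUniversalTime().ToString("yyyyMMddHHmmss") + ".0Z";
        }

        // Build the filter for user objects whose whenChanged lies in [start, end].
        static string WhenChangedBetween(DateTime start, DateTime end)
        {
            return string.Format(
                "(&(objectCategory=person)(objectClass=user)(whenChanged>={0})(whenChanged<={1}))",
                ToGeneralizedTime(start), ToGeneralizedTime(end));
        }

        static void Main()
        {
            // Placeholder range: January 1 to March 1, 2017, both UTC.
            var start = new DateTime(2017, 1, 1, 0, 0, 0, DateTimeKind.Utc);
            var end = new DateTime(2017, 3, 1, 0, 0, 0, DateTimeKind.Utc);

            // Assumed placeholder path; substitute the distinguished name of your domain.
            using (var root = new DirectoryEntry("LDAP://DC=example,DC=com"))
            using (var searcher = new DirectorySearcher(root, WhenChangedBetween(start, end)))
            {
                searcher.SearchScope = SearchScope.Subtree;
                // Ask only for what is needed; without this every attribute is returned.
                searcher.PropertiesToLoad.Add("sAMAccountName");
                searcher.PropertiesToLoad.Add("whenChanged");
                // Enable paged results so the server's 1000-object limit does not truncate the list.
                searcher.PageSize = 1000;

                using (SearchResultCollection results = searcher.FindAll())
                {
                    foreach (SearchResult result in results)
                    {
                        // A user object always has sAMAccountName, but guard anyway.
                        string account = result.Properties["sAMAccountName"].Count > 0
                            ? (string)result.Properties["sAMAccountName"][0]
                            : "(no sAMAccountName)";
                        // ADSI hands GeneralizedTime attributes back as DateTime values.
                        var changed = (DateTime)result.Properties["whenChanged"][0];
                        Console.WriteLine("{0}\t{1:u}", account, changed);
                    }
                }
            }
        }
    }
    ```

    The date helper converts to UTC before formatting because GeneralizedTime values in AD are stored and compared in UTC; passing a local DateTime straight into ToString would shift the window by your offset.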
  • thank you Richard. That was helpful. I was able to get kind of far but I see I was missing category which helped filter things down more.

    So the next thing I am stuck on is trying to filter out people that either have a property that is equal to something specific OR they don't have a value for that property at all. 

    When I add something like (&(property=whatever)(!(property=Nul)) it seems to work but doesn't. Someone will show up in the list that has property=whatever but it acts as if the property just doesn't exist now, even though if I remove this clause that same person shows up and this time that property has a value.

    Friday, March 24, 2017 1:24 PM
  • To filter on users that have a value assigned to an attribute, use the "*" wildcard character:

    (property=*)

    This will retrieve all users that have any value assigned. To filter on users that do not have a value, use:

    (!(property=*))

    The "!" is the Not character. The expression Nul or Null is not recognized.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, March 24, 2017 2:26 PM
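    The original question was "equal to a specific value OR no value at all", which combines the equality test with the (!(property=*)) absence test under the "|" OR operator. The added example below (mine, not from the thread) builds that filter, and goes one step beyond the answer: the value is escaped per RFC 4515 before it goes into the filter, so a caller-supplied string containing "*", "(", ")" or "\" cannot change the filter's structure. The attribute name is also checked, because escaping covers values only. The "department" attribute and "Sales" value are illustrative placeholders.

    ```csharp
    using System;
    using System.Text;
    using System.Text.RegularExpressions;

    static class LdapFilters
    {
        // Escape a literal value for an LDAP filter (RFC 4515, section 3).
        // Backslash is handled like any other special char; each becomes \ plus two hex digits.
        public static string EscapeValue(string value)
        {
            var sb = new StringBuilder(value.Length);
            foreach (char c in value)
            {
                switch (c)
                {
                    case '\\': sb.Append(@"\5c"); break;
                    case '*':  sb.Append(@"\2a"); break;
                    case '(':  sb.Append(@"\28"); break;
                    case ')':  sb.Append(@"\29"); break;
                    case '\0': sb.Append(@"\00"); break;
                    default:   sb.Append(c);      break;
                }
            }
            return sb.ToString();
        }

        // Attribute names are not subject to value escaping, so restrict them to
        // the descriptor form (letter, then letters, digits or hyphens).
        static readonly Regex AttributeName = new Regex("^[A-Za-z][A-Za-z0-9-]*$");

        static string CheckAttribute(string attribute)
        {
            if (!AttributeName.IsMatch(attribute))
                throw new ArgumentException("Invalid LDAP attribute name: " + attribute);
            return attribute;
        }

        // (attribute=value) OR attribute has no value at all.
        public static string EqualsOrAbsent(string attribute, string value)
        {
            string a = CheckAttribute(attribute);
            return string.Format("(|({0}={1})(!({0}=*)))", a, EscapeValue(value));
        }

        // (attribute=value) AND attribute is present; the presence clause is redundant
        // for a literal value but shown for contrast with the absence test.
        public static string EqualsAndPresent(string attribute, string value)
        {
            string a = CheckAttribute(attribute);
            return string.Format("(&({0}={1})({0}=*))", a, EscapeValue(value));
        }

        // Wrap any clause in the standard all-users filter from the first reply.
        public static string ForUsers(string clause)
        {
            return "(&(objectCategory=person)(objectClass=user)" + clause + ")";
        }

        static void Main()
        {
            // Intended use: users in Sales, plus users with no department set.
            Console.WriteLine(ForUsers(EqualsOrAbsent("department", "Sales")));

            // A hostile value that would otherwise widen the filter to every object
            // stays a literal because its metacharacters are hex-escaped.
            Console.WriteLine(ForUsers(EqualsOrAbsent("department", "*)(objectClass=*")));

            // Attribute names coming from a caller are rejected rather than escaped.
            try
            {
                ForUsers(EqualsOrAbsent("department=x)(cn", "Sales"));
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine(ex.Message);
            }
        }
    }
    ```

    The escaping matters whenever any part of the filter originates outside your code, for example a search box or a CSV of account names: without it, the LDAP filter is as injectable as an unparameterised SQL string, and "*" alone is enough to turn an equality test into a match-everything test.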