I'm in the process of implementing a user privilege management solution and it needs to audit all users within our AD. It's currently falling over due to an account which has two blank attributes: sAMAccountName & userPrincipalName. I've tried finding this account using the following LDAP query:

(&(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(sAMAccountName=""))

But unfortunately this query fails to find anything.

What would be the best method to find this account?

Thanks in advance.

JLPH
  • Are you really expecting to find a user account with no samAccountName? That should not occur, and the system will not allow a user account to have an empty samAccountName if you try to clear it. – Greg Askew Jul 17 '14 at 17:38

1 Answer

Your filter assumes that sAMAccountName has been set to a value of "" (that is, an empty string).

If the sAMAccountName attribute has not been set at all, your filter won't match it. Search for accounts where the attribute is not set instead:

(!sAMAccountName=*)

You could also combine the 2 statements to look for both:

(|(!sAMAccountName=*)(sAMAccountName=""))
Mathias R. Jessen
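Added example, not part of the original answer: a small offline evaluator for the filter subset used on this page, run over constructed entries, showing that an equality test cannot match an entry whose attribute is unset while the negated presence test does. The entry names, `search`, and `AUDIT_FILTER` (which extends the check to userPrincipalName, the other attribute named in the question) are assumptions made for illustration.

```python
# Constructed sample directory: name -> attributes (lower-cased keys, multi-valued).
ENTRIES = {
    "Alice": {"samaccountname": ["alice"], "userprincipalname": ["alice@example.test"]},
    "Orphan": {},                              # neither attribute set
    "Bob": {"samaccountname": ["bob"]},        # UPN not set
}

def item(text):
    attr, value = text.split("=", 1)
    return ("=", attr.lower(), value)

def parse(f, i=0):
    """Parse the filter whose '(' is at f[i]; return (node, index after its ')')."""
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    if f[i] == "!" and f[i + 1] == "(":        # RFC 4515 form: (!(attr=value))
        kid, i = parse(f, i + 1)
        return ("!", kid), i + 1
    end = f.index(")", i)
    if f[i] == "!":                            # shorthand used on this page: (!attr=value)
        return ("!", item(f[i + 1:end])), end + 1
    return item(f[i:end]), end + 1

def matches(node, attrs):
    if node[0] == "&":
        return all(matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], attrs)
    _, attr, value = node
    values = attrs.get(attr, [])               # unset attribute -> no values at all
    if value == "*":
        return bool(values)                    # presence test
    return any(v.lower() == value.lower() for v in values)  # equality needs a stored value

def search(filter_text):
    node, _ = parse(filter_text)
    return [name for name, attrs in ENTRIES.items() if matches(node, attrs)]

# Audit filter covering both attributes named in the question (added generalization).
AUDIT_FILTER = "(|(!(sAMAccountName=*))(!(userPrincipalName=*)))"

if __name__ == "__main__":
    for f in ('(sAMAccountName="")', "(!sAMAccountName=*)", AUDIT_FILTER):
        print(f, "->", search(f))
```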