
Showing posts with label ldap. Show all posts

Dec 1, 2022

LDAP filter syntax for time-based attributes - Active Directory

AD uses two data types to represent time in attributes:

Type 1: stored as a large integer (a Windows FILETIME, i.e. 100-nanosecond intervals since 1601-01-01 UTC). lastLogonTimeStamp and pwdLastSet fall under this category.

Convert the value you want to compare against to that integer:

    $longIntTimeValue=(Get-Date).AddDays(-60).ToFileTimeUtc()

    $ldapfilter="(lastLogonTimeStamp<=$longIntTimeValue)"


Type 2: stored as an LDAP date type (Generalized Time), for example whenCreated/whenChanged. Use the following format in the filter:

    YYYY MM DD HH mm ss.s Z

    Where the trailing Z marks the end of the value (it denotes UTC) and is mandatory

    Example:

    (whenCreated>=20221130000000.0Z)


To build the value for such a filter in PowerShell from a DateTime object (convert to UTC first so the Z suffix is accurate):

    $date.ToUniversalTime().ToString("yyyyMMddHHmmss") + ".0Z"

Jun 15, 2016

How to track any attribute change


  1. Assumption #1: DS Access auditing is enabled in Group Policy
  2. Assumption #2: auditing is enabled on the object you want to track (SACL entries)
  3. Run "repadmin /showobjmeta DCName DN_of_object"
  4. Check the change time and the originating DC of the attribute
  5. Check event ID 4662 for that time point on the originating DC
  6. You may see several 4662 events
  7. You should see Subject, Object, and Operation info in the event; look for operation type "Write Property"
  8. In the "Properties" section, it lists only the GUID of the property, so you will have to match it up to the AD schema
  9. Obviously step 8 is next to impossible by hand, as there are a few hundred attributes and you don't want to check them one by one
  10. So you can instead search for the GUID in the schema context. The query string will look something like "schemaIDGUID=\xx\xx\xx..." BUT YOU CANNOT USE THE GUID FROM EVENT VIEWER AS-IS! You have to convert it first: schemaIDGUID is an octet string, so each byte of the GUID must be escaped as \HH, in the GUID's own byte order (the first three groups are little-endian)
  11. How to convert a GUID reported in Event Viewer to an LDAP query filter: this page. Life is hard, isn't it?!
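The conversion from step 10 and 11, as an added example (not the original post's code): it turns the string GUID from a 4662 event into the escaped octet-string filter and looks it up in the schema partition. It assumes the ActiveDirectory module is available on a domain-joined host; the sample GUID is constructed, not a real schema GUID.

```powershell
# Convert the string GUID shown in a 4662 event's "Properties" section into the
# escaped-octet-string form an LDAP filter needs.
function ConvertTo-SchemaIdGuidFilter {
    param([Parameter(Mandatory)][guid]$Guid)
    # ToByteArray() yields the 16 bytes in the same order AD stores the
    # schemaIDGUID octet string: Data1..Data3 little-endian, Data4 as written.
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    return "(schemaIDGUID=$escaped)"
}

# Look the GUID up in the schema naming context and return the attribute name.
function Resolve-SchemaGuid {
    param([Parameter(Mandatory)][guid]$Guid)
    $filter   = ConvertTo-SchemaIdGuidFilter -Guid $Guid
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName |
        Select-Object Name, lDAPDisplayName
}

# Constructed sample GUID (not a real schema GUID) that shows the byte reordering:
# {12345678-abcd-ef01-2345-6789abcdef01} becomes
# (schemaIDGUID=\78\56\34\12\cd\ab\01\ef\23\45\67\89\ab\cd\ef\01)
ConvertTo-SchemaIdGuidFilter -Guid '{12345678-abcd-ef01-2345-6789abcdef01}'

# Against a real DC, paste the GUID from the event (braces are accepted):
# Resolve-SchemaGuid -Guid '{<GUID from the 4662 event Properties field>}'
```

If the schema search returns nothing, the GUID from the event may be a property set or extended right rather than a single attribute; those live under CN=Extended-Rights in the configuration partition, where the rightsGuid attribute is stored as a plain string and needs no escaping.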


Dec 12, 2013

Attributes used in ANR (Ambiguous Name Resolution)

  • GivenName
  • Surname
  • displayName
  • LegacyExchangeDN
  • msExchMailNickname
  • RDN
  • physicalDeliveryOfficeName
  • proxyAddresses
  • sAMAccountName

How to run an ANR search:

    (anr=John Doe)
    (anr=J D)
    (anr=J Doe) etc.