Finding UNIX-Enabled Accounts in Active Directory MMC

In UNIX/Linux integration scenarios, it’s useful to know which accounts have been UNIX-enabled, i.e., have had the UID number, NIS domain, login shell, and home directory attributes configured.

It’s certainly very possible to do this with command-line tools such as AdFind or DsQuery, but users may also find it useful to have a saved query available within the Active Directory Users & Computers console for easy reference.

The way to do this is to define a custom query using this string:


If you add just this text and nothing else in the “Find Custom Search” dialog box (on the Advanced tab), the console will automatically add the ampersand and the additional parentheses needed to turn it into a “proper” LDAP query, which will show you every account that has a UID number configured. Additional attributes such as loginShell or unixHomeDirectory could certainly be added to the filter as well, but this query will probably be sufficient for most instances.
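The same search, run from PowerShell rather than the console, as an added example that is not code from the original post. It uses the ActiveDirectory module from RSAT (an assumption: the module must be installed and the caller must be allowed to read the RFC 2307 attributes on user objects), spells out the full filter the console builds around the UID-number clause, and pulls the same attributes the dsquery one-liner in the comments returns. It also goes a little beyond the post by flagging accounts with a UID but no shell or home directory, and accounts that share a uidNumber.

```powershell
# Added example, not code from the original post. Lists UNIX-enabled accounts
# with the ActiveDirectory PowerShell module (RSAT). Assumes the module is
# installed and the caller can read the RFC 2307 attributes on user objects.
Import-Module ActiveDirectory

# This is the complete filter the ADUC console builds once it wraps the
# "(uidNumber=*)" clause with its own object-class tests and the leading "&".
$ldapFilter = '(&(objectCategory=person)(objectClass=user)(uidNumber=*))'

# The RFC 2307 attributes that Identity Management for UNIX / SFU populate.
$unixAttributes = 'uidNumber', 'gidNumber', 'msSFU30NisDomain',
                  'unixHomeDirectory', 'loginShell'

$unixUsers = Get-ADUser -LDAPFilter $ldapFilter -Properties $unixAttributes |
    Select-Object SamAccountName, Enabled, uidNumber, gidNumber,
                  msSFU30NisDomain, unixHomeDirectory, loginShell

"{0} UNIX-enabled account(s) found" -f @($unixUsers).Count
$unixUsers | Sort-Object uidNumber | Format-Table -AutoSize

# Accounts with a UID but no shell or home directory: the partial
# configurations the post says you could narrow the query down to by
# adding loginShell or unixHomeDirectory to the filter.
$partial = $unixUsers | Where-Object {
    [string]::IsNullOrEmpty($_.loginShell) -or
    [string]::IsNullOrEmpty($_.unixHomeDirectory)
}
if ($partial) {
    "`nPartially configured (UID set, shell or home directory missing):"
    $partial | Format-Table SamAccountName, uidNumber, loginShell, unixHomeDirectory -AutoSize
}

# Two AD accounts that share a uidNumber are the same identity to a UNIX
# host, so duplicates are worth reviewing whenever this list is audited.
$duplicateUids = $unixUsers | Group-Object uidNumber | Where-Object { $_.Count -gt 1 }
foreach ($group in $duplicateUids) {
    "`nuidNumber {0} is shared by: {1}" -f $group.Name, ($group.Group.SamAccountName -join ', ')
}

# Optional: keep a dated snapshot so later runs can be diffed against it.
# $unixUsers | Export-Csv -NoTypeInformation -Path ("unix-enabled-{0:yyyyMMdd}.csv" -f (Get-Date))
```

Because the objectCategory/objectClass clauses are already in the filter, the directory does the narrowing rather than the client, so the script behaves the same against a large domain as the saved console query does.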

I started not to publish this, but figured if I couldn’t remember the exact syntax then someone else might not be able to remember the syntax either. This one is as much for me as it is for others.


  1. Sandu Mihai:

    Well, it is not related to the post, I am sorry for the off-topic, but the post this reply relates to has its comments closed.

    You did stumble upon a strange VMWare problem, related to rights on /var/run/vmware.
    I stumbled upon the same, and the problem was not related to rights on this directory, but on the subdirectory made by vmware in this directory. VMWare will make a subdirectory for each user you add to the system (and that has a VM active). The problem arises when you delete and then recreate the same user. If you do that, VMWare won’t delete the /var/run/ directory, and when you create a new VM you will hit the ‘rights problem’ since /var/run/ exists but is ‘owned’ by the ‘old version of ‘ (the UID of the owner is the old UID for the user).

  2. tom:

    Found this site looking for the syntax; glad you posted it! You mentioned dsquery… here is a sample of the syntax in case anyone is looking for it:

    dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(uidNumber=*))" -attr uid uidNumber gidNumber unixHomeDirectory loginShell

    This returns related information for all UNIX enabled accounts in AD.
