Unlocking Active Directory Data: A Deep Dive Into AdFind

How to Use AdFind for Powerful Active Directory Searching

Active Directory (AD) administrators often need to query domain data quickly without the overhead of heavy graphical interfaces. While PowerShell is a common choice, AdFind remains one of the most powerful, lightweight, and fast command-line utilities for searching Active Directory. Created by Microsoft MVP Joe Richards, this free tool excels at extracting precise data using standard LDAP filters.

This guide covers how to set up AdFind and leverage its syntax for advanced Active Directory querying.

Getting Started with AdFind

AdFind is a portable executable, meaning it requires no installation. You can download it directly from Joeware.net and run it from any command prompt on a domain-joined machine.

Basic Syntax Structure

The power of AdFind lies in its switches. The standard syntax follows this blueprint:

adfind [switches] [-b base-dn] [-f filter] [attributes]

Switches: Control the output format, connection settings, and server targets.

-b (Base DN): Specifies where in the directory tree to start the search.

-f (LDAP Filter): Defines the search criteria using standard LDAP syntax.

Attributes: Limits the output to specific object properties (e.g., samAccountName, mail).

Essential AdFind Command Examples

By default, AdFind targets the current domain of the logged-in user. Here are practical examples for common administrative tasks.

1. Finding a Specific User

To locate a user by their logon name and return their email address and account status:

adfind -f "samAccountName=jdoe" mail userAccountControl

2. Listing All Domain Controllers

To quickly identify all domain controllers within your current forest:

adfind -sc dclist

(Note: -sc invokes built-in shortcuts, saving you from writing complex LDAP strings for common queries.)

3. Querying by Object Class

To find all computer objects in a specific Organizational Unit (OU):

adfind -b "OU=Workstations,DC=domain,DC=local" -f "objectClass=computer" name

4. Finding Disabled User Accounts

AdFind can evaluate bitwise flags like userAccountControl (UAC) to find disabled accounts using the standard LDAP matching rule identifier (1.2.840.113556.1.4.803):

adfind -f "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" samAccountName

Advanced Searching and Output Controls

Raw Active Directory data can be overwhelming. AdFind includes switches designed to filter, format, and export your results cleanly.

High-Utility Formatting Switches

-bit: Decodes bitmask attributes (like userAccountControl) into human-readable flag names.

-csv: Outputs data in a comma-separated values format, perfect for documentation or Excel.

-dn: Returns only the Distinguished Names of the matching objects, stripping out all other attributes.

-c: Counts the number of objects that match your filter without displaying the objects themselves.

Exporting Data for Reports

To export a list of all active users and their departments to a CSV file, combine the CSV switch with standard command-line redirection:

adfind -f "(&(objectCategory=person)(objectClass=user))" samAccountName department -csv > user_report.csv

Best Practices for Efficient Queries

Be Specific with Base DNs: Searching from the root domain (DC=domain,DC=local) forces AdFind to look through every object. If you know the target resides in a specific geography or department, define that OU with the -b switch to reduce domain controller load.

Leverage Shortcut Switches: Run adfind -?? to view the full list of built-in shortcuts (-sc). Shortcuts exist for finding expired passwords, locked accounts, and empty groups.

Quote Your Filters: Always wrap your LDAP filters in double quotes to prevent the command prompt from misinterpreting special characters like & and |.
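The bit-AND filter from section 4, the decoding that the -bit switch performs, and the CSV export above, worked through in Python as an added example (this is not AdFind's or Joeware's code; the flag subset, the BIT_AND constant name and the sample export rows are constructed here):

```python
# Added example (not AdFind's own code): decode userAccountControl bitmasks the
# way the -bit switch does, build bit-AND filters like the one in section 4, and
# filter a constructed "adfind -csv" export offline.
import csv

# Well-known userAccountControl flag bits (a subset of the full set).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

# OID of LDAP_MATCHING_RULE_BIT_AND, the matching rule used in the section 4 filter.
BIT_AND = "1.2.840.113556.1.4.803"

def decode_uac(value: int) -> list:
    """Return the flag names set in a userAccountControl value (what -bit prints)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def uac_filter(*flags: str, user_only: bool = True) -> str:
    """Build an LDAP filter matching objects with ALL of the given UAC flags set."""
    mask = sum(NAME_TO_BIT[f] for f in flags)        # bits to AND against
    clause = f"(userAccountControl:{BIT_AND}:={mask})"
    if user_only:                                    # narrow to user objects, as on the page
        return f"(&(objectCategory=person)(objectClass=user){clause})"
    return clause

# Constructed sample resembling an "adfind ... samAccountName userAccountControl -csv" export.
SAMPLE_CSV = '''"dn","samAccountName","userAccountControl"
"CN=jdoe,OU=Staff,DC=domain,DC=local","jdoe","512"
"CN=asmith,OU=Staff,DC=domain,DC=local","asmith","514"
"CN=svc_backup,OU=Service,DC=domain,DC=local","svc_backup","66048"
"CN=legacy,OU=Staff,DC=domain,DC=local","legacy","4260352"
'''

def accounts_with(flag: str, csv_text: str = SAMPLE_CSV) -> list:
    """samAccountNames in a CSV export whose userAccountControl has the given flag set."""
    rows = csv.DictReader(csv_text.splitlines())
    return [r["samAccountName"] for r in rows
            if flag in decode_uac(int(r["userAccountControl"]))]

if __name__ == "__main__":
    print(uac_filter("ACCOUNTDISABLE"))              # same filter as section 4
    print(decode_uac(4260352), accounts_with("DONT_REQ_PREAUTH"))
```

Because the 803 rule matches only when every bit in the mask is set, passing several flags to uac_filter narrows the result rather than widening it; use separate clauses joined with | for an OR.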
