Querying AD DS 64-bit integer (date time as ticks) using LDP (or anything else)

I hacked together a .NET command line application for a customer yesterday that basically resets the password of all users within scope to two random passwords.  Such functionality was required because we’d P2V’d a production DC into the lab.  I made a silly omission in my code that resulted in me not succinctly printing failures which meant I had to query Active Directory Domain Services (AD DS) for all users whose pwdLastSet value was not today.  Obviously pwdLastSet, as well as other attributes such as lastLogon, lastLogonTimestamp, lockoutTime, etc. are 64-bit integer values that represent the number of 100 nanosecond intervals since 01/01/1601 (for more info. see FILETIME).

So, how do we query the DS for said value?  Quite easily actually.  We just use numeric operators such as =, <=, >=.  The snag is in getting a textual representation of a meaningful date such as 10/08/2011 into a 64-bit integer value that you can paste into LDP, DSQUERY or ADFIND.

I whipped up the following for this purpose.  This is nothing special, but will at least remind me how to convert from System.DateTime to Int64 if nothing else…

    param(
        # "HH" is the 24-hour clock; Now rather than UtcNow because ToFileTime() treats the parsed value as local time
        [Parameter(Mandatory = $false)]
        [String]$DateTime = [System.DateTime]::Now.AddDays(-1).ToString("yyyy-MM-ddTHH:mm:ss")
    )
    try {
        [System.DateTime]$dtval = [System.DateTime]::Parse($DateTime);
        # FILETIME: number of 100 nanosecond intervals since 01/01/1601 (UTC)
        [Int64]$ticks = $dtval.ToFileTime();
        [String]$ldapFilter = [String]::Format("(&(objectCategory=person)(objectClass=user)(pwdLastSet<={0}))", $ticks);
        Write-Host "`nLDAP filter: $ldapFilter`n`n";
    } catch {
        Write-Host "`nUnable to convert $DateTime into FileTime!`n`n";
    }

The resultant LDAP filter was pasted into LDP and did the job admirably.
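
The following is an added example, not code from the original post. It goes a little further than the script above: it parses the date as UTC so the filter does not depend on the workstation's time zone, builds a date-range filter, and converts a value read back from the directory into a date. The function names are hypothetical and the sample dates are constructed.

```powershell
# Added example; function names are hypothetical, sample dates are constructed.
function ConvertTo-FileTimeUtc {
    param([Parameter(Mandatory = $true)][String]$DateTime)
    # Treat the input as UTC so the result is the same on every machine.
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $dt = [System.DateTime]::Parse($DateTime, [System.Globalization.CultureInfo]::InvariantCulture, $styles)
    return $dt.ToFileTimeUtc()
}

function ConvertFrom-FileTimeUtc {
    param([Parameter(Mandatory = $true)][Int64]$Ticks)
    # 0 means "not set" (for pwdLastSet: must change password at next logon).
    # Int64.MaxValue is the "never" marker used by accountExpires; FromFileTimeUtc would throw on it.
    if ($Ticks -eq 0 -or $Ticks -eq [Int64]::MaxValue) { return $null }
    return [System.DateTime]::FromFileTimeUtc($Ticks)
}

function New-PwdLastSetFilter {
    param([String]$NotBefore, [String]$NotAfter)
    $clauses = '(objectCategory=person)(objectClass=user)'
    # LDAP filters have no strict < or >; only <= and >= are available.
    if ($NotBefore) { $clauses += "(pwdLastSet>=$(ConvertTo-FileTimeUtc $NotBefore))" }
    # Note: a <= clause also matches accounts whose pwdLastSet is 0.
    if ($NotAfter)  { $clauses += "(pwdLastSet<=$(ConvertTo-FileTimeUtc $NotAfter))" }
    return "(&$clauses)"
}

# Users whose password was last set at or before midnight UTC on the given day
New-PwdLastSetFilter -NotAfter '2011-08-10T00:00:00'

# Users whose password was set during a one-day window
New-PwdLastSetFilter -NotBefore '2011-08-10T00:00:00' -NotAfter '2011-08-11T00:00:00'

# Round trip: value as it would come back from the directory, converted to a UTC date
ConvertFrom-FileTimeUtc (ConvertTo-FileTimeUtc '2011-08-10T00:00:00')
```

The filter strings it prints can be pasted into LDP, DSQUERY or ADFIND in the same way as the one above.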


About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.