One of the great things about AD is that you can organize your resources in OUs and then further into sub OUs. It keeps things clean and organized. The downside of this is that your resources are all over the place and sometimes you have to click around to find them. You can use the "Find" function within the MMC, but it is limited in its power. This is where Windows 2003 AD's saved queries can really make your job a lot easier. Saved queries are essentially filters that will only show the data you define.
Part 1 of this series will take you into very basic saved queries to get your feet wet. Further articles will go into more advanced queries. Let's get started.
So let's say you have a complex OU structure with computers all over the place. We could create a very simplistic query to display only computers within your domain and it will go through each OU and find all the computers and show you them all in one view. This is a huge time saver. What else can be done…
We can expand the scenario from above. Let's say we don't want all the computers in the domain. Just the ones under a certain OU structure, and only the ones that are Windows XP computers. As you can see, this is getting a lot more useful.
So enough talk, how is this done…
Example 1 - All computers within a domain
- Load Active Directory Users and Computers.
- Right Click Saved Queries.
- Select New, Query.
- Give it a name like All Computers.
- Leave the Query root at your root of the domain i.e. ..\yourdomain.
- Click Define Query.
- Click the Computers tab under Common Queries.
- Select the drop down beside the Name and select: "Has a value".
- Click OK and OK again to save the query.
This will save the query on your profile. Now each time you select that query it will display all the computers within your domain. As with most MMC based GUIs the data can become stale. To refresh the data, just press F5 or the refresh button on the tool bar to re-query the data.
Example 2 - All Windows XP computers under the Sales OU.
- Perform Steps 1 to 3 from example 1.
- Give it a name like: Windows XP, Sales OU.
- Click Browse beside Query root and select your Sales OU.
- Click Define Query.
- Under the Find dropdown, select Computers as opposed to Common Queries.
- Click the Advanced tab.
- Click the Field dropdown and select Operating System.
- Leave the Condition field at "starts with".
- Enter Windows XP in the value field.
- Click Add.
- Click OK and OK again.
Now we have a query that shows us all the XP computers under the sales OU. If you wanted to look for all Windows 2003 servers you could substitute the value of Windows Server 2003 in step 9 above and you now have a query that only shows Windows 2003 servers.
Let's go through one more scenario using users for example. Suppose your company has a user policy to make sure all users have to change their passwords. You may have the policy set on the domain, but users might be bypassing the policy by having their password never expire.. Once again, traditional methods would have us clicking around looking one by one, a very time consuming process. The saved query once again will make our job much easier.
Example 3 - Users with non expiring passwords.
- Perform Steps 1 to 3 from example 1.
- Give it a name like: Users - Non Expiring Passwords
- Leave the Query root as default.
- Click Define Query.
- Under the Users tab, click the Non expiring passwords check box
- Click OK and OK again.
Now we have a list of all the users that have non-expiring passwords. We can also make everyone compliant quickly by using batch processing to select only these users and remove the non-expring password option. You can also leave the query in place for auditing users to ensure all users conform to your password policy.
As you can see, saved queries can offer various views of resources within the domain. We only touched on what can be done. Subsequent articles will dive deeper into advanced and custom queries. Play around and get used to making queries and see what other queries you can find.
Hope this helps.