Aidan Garnish

MOSS Profile Search LDAP Query that Removes Disabled and Service Accounts

The usual LDAP query to import user profiles from AD into MOSS is:


The downside of this query is that it also imports your service accounts and any disabled accounts. This creates a lot of unnecessary clutter in people searches and greatly reduces the effectiveness of the people search scope.

To remove these accounts use the following:

  • (!(userAccountControl:1.2.840.113556.1.4.803:=2)) - removes disabled accounts
  • (!(userAccountControl:1.2.840.113556.1.4.803:=65536)) - removes accounts with password set to never expire
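Added example, not from the original post: how the bitwise matching rule 1.2.840.113556.1.4.803 evaluates the userAccountControl flags, compared with a plain equality test on 65536, which matches only when no other flag is set. The account names and userAccountControl values are constructed for illustration.

```python
# Added example: constructed sample data, not taken from the original post.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # OID used on this page

# userAccountControl flag values
NORMAL_ACCOUNT = 0x0200        # 512
ACCOUNTDISABLE = 0x0002        # 2
DONT_EXPIRE_PASSWD = 0x10000   # 65536


def bit_and_clause(mask):
    """Build a negated bitwise-AND exclusion clause for a flag mask."""
    return f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={mask}))"


def excluded_by_bit_and(uac, mask):
    """The BIT_AND rule matches when every bit of mask is set in uac."""
    return (uac & mask) == mask


def excluded_by_equality(uac, value):
    """A plain '=' comparison matches only the exact integer value."""
    return uac == value


# Constructed accounts: name -> userAccountControl
ACCOUNTS = {
    "alice": NORMAL_ACCOUNT,                                          # 512
    "bob-disabled": NORMAL_ACCOUNT | ACCOUNTDISABLE,                  # 514
    "svc-sql": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,                   # 66048
    "svc-old": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | ACCOUNTDISABLE,  # 66050
}


def imported(accounts, never_expire_test):
    """Names left after dropping disabled and never-expire accounts."""
    keep = []
    for name, uac in accounts.items():
        if excluded_by_bit_and(uac, ACCOUNTDISABLE):
            continue  # disabled account
        if never_expire_test(uac, DONT_EXPIRE_PASSWD):
            continue  # password never expires
        keep.append(name)
    return keep


if __name__ == "__main__":
    print(bit_and_clause(ACCOUNTDISABLE))
    print(bit_and_clause(DONT_EXPIRE_PASSWD))
    print("bitwise :", imported(ACCOUNTS, excluded_by_bit_and))
    print("equality:", imported(ACCOUNTS, excluded_by_equality))
```

With the equality test, the constructed svc-sql account (66048) is still imported because its value is not exactly 65536; the bitwise test excludes it.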

So the new LDAP query is:


For more ADSI userAccountControl flags go here:

Credit for this goes to Suman Chakrabarti's blog
