Virtual search properties

Adaxes defines so-called virtual search properties that simplify creating criteria. These properties are not physically stored in your directory; they are calculated or derived from other data. For example, the accountDisabled property lets you search for all disabled accounts in Active Directory and Microsoft Entra domains with the same criteria expression: {accountDisabled -eq $true}.

If your directory schema has a property whose name is identical to an Adaxes virtual search property, prefix the name with an underscore (_) to refer to the schema property instead:

{_accountDisabled -eq $true}

Here's the full list of available virtual search properties.

General

  • mailEnabled – The user or group is mail-enabled. Can be true or false.

    For example, to search for all mail-enabled objects, use the following criteria expression: {mailEnabled -eq $true}.

  • mailboxType – Mailbox type.

    For example, to search for accounts with shared mailboxes, use the following criteria expression: {mailboxType -eq "shared"}.

    Possible values
    • any – Any mailbox
    • none – No mailbox
    • remote – Remote mailbox
    • local – On-premises mailbox
    • user – User mailbox
    • shared – Shared mailbox
    • remote user – Remote user mailbox
    • remote shared – Remote shared mailbox
    • local user – On-premises user mailbox
    • local shared – On-premises shared mailbox

  • computerType – Computer type.

    For example, to search for all domain controllers, use the following criteria expression: {computerType -eq "dc"}.

    Possible values
    • server – Server
    • workstation – Workstation
    • dc – Domain controller
    • rodc – Read-only domain controller

  • groupType – Group type.

    For example, to search for distribution groups, use the following criteria expression: {groupType -eq "distribution"}.

    Possible values
    • security – Security group
    • distribution – Distribution group
    • microsoft 365 – Microsoft 365 group
    • system – System group
    • local security – Local security group
    • local distribution – Local distribution group
    • global security – Global security group
    • global distribution – Global distribution group
    • universal security – Universal security group
    • universal distribution – Universal distribution group
    • local – Local group
    • global – Global group
    • universal – Universal group
    • mail-enabled – Mail-enabled group
    • mail-enabled security – Mail-enabled security group
    • mail-enabled distribution – Mail-enabled distribution group

  • objectType – Object type.

    Only available in criteria items that are applied to the wildcard (*) object type.

  • directoryType – The type of the directory where the object is located. Can be either on-premises or azure.

    For example, to search for accounts from Microsoft Entra domains, use the following criteria expression: {directoryType -eq "azure"}.

User accounts

All of the properties in this category can be either true or false.

  • accountDisabled – The user account is disabled.

    For example, to search for enabled accounts, use the following criteria expression: {accountDisabled -eq $false}.

  • lockout – The user account is locked.

    For example, to search for locked user accounts, use the following criteria expression: {lockout -eq $true}.

  • smartCardRequired – A smart card is required for interactive logon.

  • passwordNotRequired – No password is required.

  • passwordNeverExpires – The user's password never expires.

  • changePasswordAtLogon – The user must change the password at next logon.

  • reversiblePasswordEncryption – The user's password is stored using reversible encryption.

  • homeDirectoryRequired – The home folder is required.

  • trustedForDelegation – The account (user or computer) is trusted for Kerberos delegation.

  • notDelegated – The security context of the user isn't delegated to a service even if the service account is set as trusted for Kerberos delegation.

  • useDesKeyOnly – The principal is restricted to using only Data Encryption Standard (DES) encryption types for keys.

  • doNotRequirePreAuthentication – The account doesn't require Kerberos pre-authentication for logging on.

  • trustedToAuthenticateForDelegation – The account is enabled for Kerberos delegation.

  • mnsLogonAccount – An MNS logon account.

  • temporaryDuplicateAccount – A temporary duplicate account.

  • pacMustNotBeIncluded – The Privilege Attribute Certificate (PAC) must not be included when the Key Distribution Center (KDC) is issuing a service ticket for the account.

  • guest – A guest user account.
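The following PowerShell is an added example, not code from the Adaxes documentation: it turns the boolean User accounts properties above into a set of named account-review criteria and shows the underscore prefix for a schema name clash. It assumes the Adaxes PowerShell module's New-AdmCriteria cmdlet with -Type and -Expression parameters, and that several comparisons can be joined with -and inside one criteria expression.

```powershell
# Added example; not part of the Adaxes documentation.
# Assumptions: the Adaxes PowerShell module is installed, its New-AdmCriteria
# cmdlet accepts -Type and -Expression, and several comparisons can be joined
# with -and inside one criteria expression.
Import-Module Adaxes

# Each review finding is paired with the boolean virtual search properties
# from the "User accounts" section that select the affected accounts.
$reviewChecks = [ordered]@{
    'Kerberos pre-authentication not required'   = { doNotRequirePreAuthentication -eq $true }
    'DES-only Kerberos keys'                     = { useDesKeyOnly -eq $true }
    'Reversible password encryption'             = { reversiblePasswordEncryption -eq $true }
    'Password not required'                      = { passwordNotRequired -eq $true }
    'Delegation trust on an enabled account'     = { trustedForDelegation -eq $true -and accountDisabled -eq $false }
    'Never-expiring password without smart card' = { passwordNeverExpires -eq $true -and smartCardRequired -eq $false }
}

# Build one criteria object per finding. Type "user" scopes the criteria item
# to user accounts; "*" would apply it to every object type.
$criteriaByFinding = [ordered]@{}
foreach ($finding in $reviewChecks.Keys) {
    $criteriaByFinding[$finding] = New-AdmCriteria -Type 'user' -Expression $reviewChecks[$finding]
}

# When the directory schema has its own attribute named accountDisabled, the
# underscore prefix selects that schema attribute rather than the virtual one.
$schemaAttributeCriteria = New-AdmCriteria -Type 'user' -Expression { _accountDisabled -eq $true }

# Summarise which expression backs each finding.
foreach ($finding in $criteriaByFinding.Keys) {
    '{0}: {1}' -f $finding, $reviewChecks[$finding].ToString().Trim()
}
```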

Group membership

  • members – A multi-valued property containing the distinguished names (DNs) of all group members, direct and indirect (due to group nesting).

    For example, this property can be used to search for all groups where a specific user is a member, directly or indirectly. The criteria expression for this is {members -eq "CN=John Smith,CN=Users,DC=example,DC=com"}.

  • directMembers – A multi-valued property containing the DNs of all direct group members.

  • memberOf – A multi-valued property containing the DNs of all groups the object is a member of, directly and indirectly (due to group nesting).

    For example, this property can be used to search for all direct and indirect members of a specific group. The criteria expression for this is {memberOf -eq "CN=My Group,OU=Groups,DC=example,DC=com"}.

  • directMemberOf – A multi-valued property containing the DNs of all groups the object is a direct member of.

  • membershipType – Group membership type.

    Possible values
    • assigned – Assigned membership
    • rule-based – Rule-based membership

    Only the -eq and -ne comparison operators can be used with this property.

Object owners and managers

  • subordinates – A multi-valued property containing the distinguished names (DNs) of all direct and indirect subordinates of a user.

    For example, this property can be used to search for all managers of a specific user, including managers of their managers. The criteria expression for this is {subordinates -eq "CN=John Smith,CN=Users,DC=example,DC=com"}.

  • allManagers – A multi-valued property containing the DNs of all direct and indirect managers of a user.

    For example, this property can be used to search for all direct and indirect subordinates of a specific user. The criteria expression for this is {allManagers -eq "CN=John Smith,CN=Users,DC=example,DC=com"}.

  • owners – A multi-valued property containing the DNs of all owners of an object (direct, indirect, primary, secondary).

    For example, this property can be used to search for all groups that are directly or indirectly managed by a specific user. The criteria expression for this is {owners -eq "CN=John Smith,CN=Users,DC=example,DC=com"}.

  • directOwners – A multi-valued property containing the DNs of all direct owners of an object.

  • managedByPrimary – A multi-valued property containing the DNs of all direct and indirect primary (specified in the managedBy property) owners of an object.

    For example, this property can be used to search for all groups managed by a specific user, either directly or by being a member of another group specified as the owner. The criteria expression for this is {managedByPrimary -eq "CN=John Smith,CN=Users,DC=example,DC=com"}.

  • directManagedByPrimary – The DN of the direct primary (specified in the managedBy property) owner of an object.

  • managedObjects – A multi-valued property containing the DNs of all objects directly or indirectly managed by a user or a group.

    For example, this property can be used to search for all owners of a specific group, either directly or by being a member of another group specified as the owner. The criteria expression for this is {managedObjects -eq "CN=My Group,OU=Groups,DC=example,DC=com"}.

  • directManagedObjects – A multi-valued property containing the DNs of all objects directly managed by a user or a group.

    For example, this property can be used to search for all primary (specified in the managedBy property) and secondary owners of a specific group. The criteria expression for this is {directManagedObjects -eq "CN=My Group,OU=Groups,DC=example,DC=com"}.

  • managedObjectsPrimary – A multi-valued property containing the DNs of all objects where a user or a group is the primary owner.

  • directManagedObjectsPrimary – A multi-valued property containing the DNs of all objects where a user or a group is a direct primary owner (specified in the managedBy property).

Requirements

Minimum required version: 2023