Using Saved Queries
The resource has been there for quite some time, but it was added covertly with little fanfare. The tool that I am talking about exists within Windows Server 2003 Active Directory. The tool is named Saved Queries. The Saved Queries tool allows you to query important security-related information about all three of the important object types that are stored within Active Directory: users, groups, and computers.
The tool is very easy to use and is tucked neatly in the Active Directory Users and Computers console, which is the primary tool used to administer these objects. There is even an option to expand your query to all types of objects stored within Active Directory. These additional objects might include: shared folders, the domain itself, organizational units (OUs), printers, and trusts to other domains. If you are fairly adept at Lightweight Directory Access Protocol (LDAP) query strings, you can customize your own LDAP query string to dig just about anything out of Active Directory that you desire.
Where will you find Saved Queries
You will find the Saved Queries option where you typically administer and view Active Directory objects, which is in Active Directory Users and Computers. If you administer Active Directory with a third-party tool instead of Active Directory Users and Computers, you might want to check whether that tool has a similar feature.
To access the Active Directory Users and Computers and then the Saved Query node, follow these steps:
- Select Start | Administrative Tools | Active Directory Users and Computers
- On the left pane, you will see the Saved Queries Node
- Selecting this node on a default installation will not display any information on the right pane
As you can clearly see, the tool is easy to find, but not regularly used or even seen most of the time. One reason it is not used often, from my experience, is due to the fact that there are no default queries. I find that administrators and auditors have not created any queries because they are still using their existing tools to get these jobs done. There is no harm in that, but this built-in tool is free and extremely powerful.
Creating a Query
To create a query, you only need to be at the Saved Queries node within the Active Directory Users and Computers console. By right-clicking on the Saved Queries node, you have the option to create a new query. This action will open up the New Query dialog box, which is where you will have the opportunity to configure this specific query.
There are no limits to the number of queries that you can create. You will need to name the query, so it is easy to identify within a list of all of the other queries that you make. There is also a description field, which allows you to be more verbose with the details of the query itself, again helping you to pinpoint a single query within a list of other queries. Figure 1 illustrates what the New Query dialog box looks like.
Figure 1: New Query dialog box within Active Directory Users and Computers.
There are three other options that you need to understand as you create your new query. All three options can be seen in Figure 1. The first is the definition of the Query root. This is an important setting for the query, because it can narrow down what you are searching through within Active Directory. To configure this setting, you will need to select the Browse button next to the text box indicating the query root. What you see by pressing the Browse button is a container view of Active Directory, as shown in Figure 2.
Figure 2: Container view of Active Directory allowing you to select the Query root.
A good example of when you might want to narrow down the scope is for a targeted query. Let's assume that you want to find all of the user accounts, for the sales employees only, that are disabled. For this query, you can find the Sales OU within the Active Directory view shown in Figure 2 and select this as your query root.
The next option that is important to configure is the check box that allows you to include or exclude subcontainers. This goes hand in hand with the Query root configuration, in that the Query root configuration initiates the starting place for the query and the check box for the subcontainers determines if the query goes beyond this initial container.
The third option is the query definition itself. This is where the power of the query is stored. As you can see by default there is no query defined. We will need to go in and define a query. If you select the Define Query button, you will be presented with the Find Common Queries dialog box, as shown in Figure 3.
Figure 3: Dialog box that allows you to define the LDAP query for a saved query.
As you can see from the options in the Find Common Queries dialog box shown in Figure 3, the most common queries are to find information about user, computer, and group accounts.
Queries for Users
The interface for the common user queries provides you with five configuration settings. These settings are only the tip of the iceberg for tracking down user accounts that meet certain criteria. You can see these settings in Figure 3.
- Name - This setting allows you to look for a specific user name or use a match condition such as starts with, ends with, or is (exactly).
- Description - This setting is similar to the Name field, except it allows you to take advantage of the description entry for user accounts, if you have taken the time to fill that information out.
- Disabled accounts - The interface within Active Directory Users and Computers shows you disabled accounts with a red X. However, trying to track down these users across all of the OUs can be time-consuming and tedious. This check box allows you to gather all user accounts that have been disabled within the context of the query root.
- Non expiring passwords - This setting allows you to dig into each user account and find out whether the account has been configured to not require the password to expire. It is common for Admin, IT staff, and service accounts to be configured this way.
- Days since last logon - This setting finds user accounts within the query root whose last logon to the domain was at least the specified number of days ago.
Queries for Computers
You will typically want to find computers based on name, location, status, or operating system. The common queries for computers provide the ability to search on most of these variables, as shown in Figure 4.
Figure 4: Dialog box showing the interface for the common computer queries.
The first two settings are identical to the user settings that we just reviewed for Name and Description. The final setting, Disabled Accounts, allows you to quickly find those computer accounts that are disabled under the query root definition.
If you want to find computers based on operating system, you need to do a custom search. Custom searches can be performed by selecting the drop-down list next to the Find box, as shown in Figure 4. Then, you just select the Custom Search option, which will take you to the Find Custom Search dialog box.
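Every option in the common user query above, and the operating-system search that needs the Custom Search dialog, is an LDAP filter item underneath. The example below is added here and is not code from the article or from Microsoft; it builds those filters so you can see (and reuse) what the dialog is doing. The attribute and flag mappings are my assumptions based on standard Active Directory documentation: the Disabled and Non-expiring check boxes test bits of userAccountControl through the bitwise-AND matching rule, and Days since last logon is modelled against lastLogonTimestamp, which only exists at the Windows Server 2003 domain functional level. The `user_query` and `computer_query` helper names are mine.

```python
"""Build the LDAP filters behind the Saved Queries dialog options (added example)."""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits tested by the "Disabled accounts" and
# "Non expiring passwords" check boxes (standard Active Directory values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000

# OID of the LDAP bitwise-AND matching rule (LDAP_MATCHING_RULE_BIT_AND)
BIT_AND = "1.2.840.113556.1.4.803"

# Windows FILETIME epoch: 100-nanosecond ticks counted from 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def escape_ldap_value(value):
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def text_condition(attribute, match, text):
    """Map the dialog's 'starts with' / 'ends with' / 'is (exactly)' choices to a filter item."""
    v = escape_ldap_value(text)
    patterns = {
        "starts with": f"({attribute}={v}*)",
        "ends with": f"({attribute}=*{v})",
        "is (exactly)": f"({attribute}={v})",
    }
    return patterns[match]


def to_filetime(moment):
    """Convert a timezone-aware datetime to a Windows FILETIME integer."""
    delta = moment - _FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def user_query(name=None, description=None, disabled=False, non_expiring=False,
               days_since_logon=None, now=None):
    """Combine the five user options into one AND filter (hypothetical helper).

    name / description are (match, text) tuples as chosen in the dialog;
    now defaults to the current UTC time and is a parameter only for testing.
    """
    parts = ["(objectCategory=person)", "(objectClass=user)"]
    if name:
        parts.append(text_condition("cn", *name))
    if description:
        parts.append(text_condition("description", *description))
    if disabled:
        parts.append(f"(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})")
    if non_expiring:
        parts.append(f"(userAccountControl:{BIT_AND}:={UF_DONT_EXPIRE_PASSWD})")
    if days_since_logon is not None:
        now = now or datetime.now(timezone.utc)
        cutoff = to_filetime(now - timedelta(days=days_since_logon))
        # lastLogonTimestamp is replicated only every ~14 days, so treat this as approximate
        parts.append(f"(lastLogonTimestamp<={cutoff})")
    return "(&" + "".join(parts) + ")"


def computer_query(os_contains=None, disabled=False):
    """The custom filter the Find Custom Search dialog needs for operating system (hypothetical helper)."""
    parts = ["(objectCategory=computer)"]
    if os_contains:
        parts.append(f"(operatingSystem=*{escape_ldap_value(os_contains)}*)")
    if disabled:
        parts.append(f"(userAccountControl:{BIT_AND}:={UF_ACCOUNTDISABLE})")
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    print(user_query(name=("starts with", "sa"), disabled=True, non_expiring=True))
    print(user_query(days_since_logon=90))
    print(computer_query(os_contains="Server 2003"))
```

The string returned by `computer_query` is exactly what you paste into the Advanced tab of the Find Custom Search dialog; note that user-supplied text is escaped so a name containing `*` or `)` cannot change the meaning of the filter.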
Queries for Groups
I think we can all admit that groups are rather boring to administer and the Saved Queries interface proves that for us. With querying for groups, you only have two options, as you can see in Figure 5.
Figure 5: Dialog box showing the interface for the common group queries.
You can only perform searches on the group name (or some variation of the name) and the group description. If you want to search on the other attributes that you have defined for a group, you will need to perform a custom search, which was described in the previous section.
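When you fall back to a custom search, the LDAP query string is typed by hand, and the directory simply rejects a malformed one with little explanation. The checker below is an added example (not part of the article, and not an ADUC feature) that validates a filter string against the RFC 4515 grammar before you paste it into the Find Custom Search dialog, catching unbalanced parentheses, empty AND/OR lists, a missing `=`, or a bad `\XX` escape. The function names `parse_filter` and `is_valid_filter` are mine.

```python
"""Syntax checker for hand-written LDAP search filters (added example)."""
import re

# attribute description, e.g. cn, sAMAccountName, userAccountControl:1.2.840.113556.1.4.803
_ATTR = re.compile(r"[A-Za-z][\w.;:-]*")
# a value may not contain raw '(', ')' or NUL; a backslash must start a \XX hex escape
_VALUE = re.compile(r"(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*")


class FilterSyntaxError(ValueError):
    """Raised when a filter string does not follow the RFC 4515 grammar."""


def parse_filter(text):
    """Parse an LDAP search filter and return a nested tuple tree.

    Compound nodes are (op, [children]) with op one of '&', '|', '!';
    simple items are (comparison, attribute, value) with comparison one
    of '=', '<=', '>=', '~=', ':='.
    """
    text = text.strip()
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise FilterSyntaxError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise FilterSyntaxError("unexpected end of filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            # AND/OR need at least one operand, NOT needs exactly one
            if not children or (op == "!" and len(children) != 1):
                raise FilterSyntaxError(f"bad operand count for {op!r} at offset {pos}")
            expect(")")
            return (op, children)
        # simple item: raw ')' is illegal inside a value, so the next ')' ends the item
        end = text.find(")", pos)
        if end == -1:
            raise FilterSyntaxError("unterminated filter item")
        item, pos = text[pos:end], end + 1
        eq = item.find("=")
        if eq <= 0:
            raise FilterSyntaxError(f"missing '=' in item {item!r}")
        attr, value = item[:eq], item[eq + 1:]
        comparison = "="
        if attr[-1] in "<>~:":
            comparison, attr = attr[-1] + "=", attr[:-1]
        if not _ATTR.fullmatch(attr):
            raise FilterSyntaxError(f"bad attribute description {attr!r}")
        if not _VALUE.fullmatch(value):
            raise FilterSyntaxError(f"bad value or escape in {value!r}")
        return (comparison, attr, value)

    tree = node()
    if pos != len(text):
        raise FilterSyntaxError(f"trailing characters at offset {pos}")
    return tree


def is_valid_filter(text):
    """True when the filter parses cleanly, False otherwise."""
    try:
        parse_filter(text)
        return True
    except FilterSyntaxError:
        return False


if __name__ == "__main__":
    for candidate in ["(&(objectCategory=group)(cn=Sales*))", "(&(cn=a)"]:
        print(candidate, "->", is_valid_filter(candidate))
```

The parser deliberately stops at syntax: it does not know which attributes exist in your schema, so a well-formed filter on a misspelled attribute still passes here and simply returns no objects when run.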
Running the Query
After you make your query definitions for users, computers, groups, or custom searches, you only need to save the query. This is as easy as selecting the OK button until the query dialog box is gone. This should take you back to the list of queries displayed under the Saved Queries node in Active Directory Users and Computers.
Once here, you just need to right-click on the query that you are interested in and select the Refresh menu option. This will run the query, displaying the resulting users, groups, or computers that meet the query you have defined. If you want a printout of the objects that meet your query, you can right-click on the query and select the Export List menu option. This allows you to push the output to a standard text file.
The Saved Queries option in Active Directory Users and Computers is not used as much as it should be, but Microsoft did slip it in under the radar on us. As you can see, the default queries can save you a bunch of time, allowing you to gather lists of objects based on detailed search criteria. If the criteria listed in the common queries are not enough, you can always perform a custom search or custom LDAP query.