Hi everyone,
we've got a strange little problem over here that we can't solve for ourselves, hopefully you can help us find an answer.
We are developing different applications specifically targeting the Active Directory. Next to some other applications, we have an AD Inspector, that lets you "inspect" your Active Directory with specific queries and gives you the results as a report, e.g. all empty groups, locked accounts, disabled accounts, accounts that have not logged on within the last 30 days and some more.
There are also two queries called "User created within the last 30 days" and "User with never expiring password". The first one gets all users with the "whenCreated" attribute within the last 30 days, the second one gets all users where the PASSWORD_NEVER_EXPIRES flag is set in the "userAccountControl" attribute.
Normally this works fine but we have a test system where those queries don't yield results. First of all the idea was that there's something wrong with our search query, so we tested them directly with the "Find" in the AD console. Simplified it's this:
This is the user I created today around lunch time, so the query "show me every user that was created after 11:00 AM today" works. I also set the user's password to never expire, the corresponding query also works fine:
Again, next to some other users, the newly created user is found here.
The problem is, we're doing the exact same search within our code with the LdapConnection.SearchRequest function, but it yields no results. Since it could still be a problem on our side, we tested querying the objects with Powershell, since it uses similar (or even the same) libraries as .NET. And it really is the same problem, the query yields no results:
So our problem child was the newly created account. So what does Powershell say if we query the attributes directly from the object?
So the Powershell and our .NET function seem to get no results for these queries because they seem to think those attributes are empty. But they aren't. As you can see in the first two screenshots, a direct query against these attributes yields the expected results.
So this is where we stand and we have no clue why this is the case. Some additional facts:
- Domain Controller is Windows 2012R2 on a VM
- Powershell/our application are executed directly on the VM
- It is the only domain in the forest and there are no other Domain Controllers (so no GC or replication issues)
- the Domain Configuration is pretty much out of the box with a bulk of dummy data (pretty big, users > 10000)
- the schema was extended with some new attributes needed for our software
- this is the only case where we've noticed this (on two test machines with almost the same configuration), the queries seem to run fine in our other test domain
- this is only for "some" created objects, the query runs fine only for some users.
12 users created since January 1st 2014 according to Powershell. But it gets weirder (if this isn't weird enough)! Because the user import from another domain when setting up this test Domain Controller was done in November 2014, and all users have the right date in their "whenCreated" attribute. But it doesn't show up in this result either. On the other hand, if you run the same query in the AD console:
So, to summarize: The query in the PS shows us only 12 users - all of them manually created (or by default like Administrator) in the year 2014. All other objects, created either via import in 2014 or manually in 2015, are not shown in the PS or in .NET
It seems so freaky :D We really have no idea what could cause this problem. Maybe there's some AD guru out there who knows what's going on here. Since it seems to run fine on our other domain, the problem is not too pressing, but it would be great to know what the cause is.
Thanks if you stuck with me to the end and 1000 thanks if you find the solution!
Regards,
Steve.
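The two audit queries from the post written out as explicit LDAP filters, together with a client-side cross-check that reads whenCreated and userAccountControl straight off every user object and applies the same tests, so the server-side filter result can be compared against the raw attribute values. This is an added example, not the poster's code; it assumes the ActiveDirectory PowerShell module and a reachable domain controller.

```powershell
# Added example (not the poster's code). Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-30)
# whenCreated is stored as GeneralizedTime; the LDAP filter must use exactly this UTC string form.
$sinceLdap = $cutoff.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
$PASSWORD_NEVER_EXPIRES = 0x10000   # userAccountControl flag, decimal 65536

# Server-side queries: the same filters an LdapConnection.SearchRequest would send.
$bitAndRule = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND
$createdFilter  = "(&(objectCategory=person)(objectClass=user)(whenCreated>=$sinceLdap))"
$neverExpFilter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:${bitAndRule}:=$PASSWORD_NEVER_EXPIRES))"

$createdByServer  = @(Get-ADUser -LDAPFilter $createdFilter)
$neverExpByServer = @(Get-ADUser -LDAPFilter $neverExpFilter)

# Client-side evaluation: fetch the attributes for every user and apply the same two tests locally.
$allUsers = Get-ADUser -Filter * -Properties whenCreated, userAccountControl
$createdByClient  = @($allUsers | Where-Object { $_.whenCreated -ge $cutoff })
$neverExpByClient = @($allUsers | Where-Object { ($_.userAccountControl -band $PASSWORD_NEVER_EXPIRES) -ne 0 })

function Show-Mismatch([string]$Name, $Server, $Client) {
    # Users the local test matched but the server-side filter did not return.
    $missed = $Client | Where-Object { $_.DistinguishedName -notin $Server.DistinguishedName }
    '{0}: server-side filter returned {1}, client-side test matched {2}' -f $Name, $Server.Count, $Client.Count
    foreach ($u in $missed) {
        # Print the raw attribute values of each missed object so they can be compared by hand.
        '  missed: {0}  whenCreated={1}  userAccountControl=0x{2:X}' -f $u.SamAccountName, $u.whenCreated, $u.userAccountControl
    }
}

Show-Mismatch 'Created in last 30 days' $createdByServer  $createdByClient
Show-Mismatch 'Password never expires'  $neverExpByServer $neverExpByClient
```

On a domain with more than 10000 users the `Get-ADUser -Filter *` pass takes a while; run it once and reuse `$allUsers` when trying further filter variants.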