VAMT - LDAP query to exclude disabled objects

Lanky Doodle 206 Reputation points


I did an AD scan and it's included Disabled Computer objects - when we decommission computers we leave them Disabled for a period of time before deleting them.

Is it possible to do an LDAP query to exclude Disabled computer objects? I've never used the LDAP query in VAMT before.



4 answers

  1. Karl Fasick 6 Reputation points

    Update with the answer

    Finally constructed a working query pasted exactly this (but with my DC.domain.local)


    Key was to know to search for the words "ldap url syntax" so I could find the descriptions explaining what would go between the question marks if they were given, or just the question marks next to each other if not, and the fact that the word 'sub' is for the scope.


    becomes this after deleting the dn, attributes, and putting sub in for scope, and (filter)

    ldap://dc01.mydomain.local/??sub?(filter between parenthesis)

    Previous reply

    VAMT is the specific problem here for me - I also have a working LDAP query very similar that I can paste into DSA.msc or PowerShell Get-ADObject and they work great but I cannot get them to work in the VAMT GUI

    e.g. this works in PowerShell

       Get-ADObject -LDAPFilter '(&(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(lastLogonTimestamp>=133000000000000000))'  

    but pasting the same text from between the single quotes above into the LDAP filter box in the VAMT Discover Products GUI says invalid LDAP filter:


    ( lastLogonTimeStamp happens to be about a few months back ~2022-06-18 )

    1 person found this answer helpful.
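
The pieces from the answer above, put together as an added PowerShell example (not part of the original post and not VAMT's own code): it builds the enabled-computers filter, converts a cutoff date to a `lastLogonTimestamp` value, and places the filter into the `ldap://server/??sub?(filter)` form. The function names, server name, cutoff date and sample accounts are assumptions made for illustration.

```powershell
# Added example. Server name, cutoff date and sample accounts are constructed.
$ACCOUNTDISABLE = 0x2                       # userAccountControl bit tested by ":=2"
$BitAndRule     = '1.2.840.113556.1.4.803'  # LDAP_MATCHING_RULE_BIT_AND

function ConvertTo-LastLogonValue {
    # lastLogonTimestamp is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    param([Parameter(Mandatory)][datetime]$UtcDate)
    $UtcDate.ToFileTimeUtc()
}

function New-EnabledComputerFilter {
    # Computers that are not disabled, optionally seen since $Since.
    param([datetime]$Since)
    $parts = @('(objectClass=computer)',
               "(!(userAccountControl:${BitAndRule}:=$ACCOUNTDISABLE))")
    if ($PSBoundParameters.ContainsKey('Since')) {
        $parts += "(lastLogonTimestamp>=$(ConvertTo-LastLogonValue $Since))"
    }
    '(&' + ($parts -join '') + ')'
}

function New-LdapSearchUrl {
    # ldap://host/dn?attributes?scope?filter ; an empty field keeps its "?".
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$BaseDn = '',
        [string[]]$Attributes = @(),
        [ValidateSet('base', 'one', 'sub')][string]$Scope = 'sub',
        [Parameter(Mandatory)][string]$Filter
    )
    'ldap://{0}/{1}?{2}?{3}?{4}' -f $Server, $BaseDn, ($Attributes -join ','), $Scope, $Filter
}

# What the bitwise-AND rule tests, reproduced locally on constructed accounts:
# 4096 = WORKSTATION_TRUST_ACCOUNT, 4098 = the same account with ACCOUNTDISABLE set.
$sample = @(
    [pscustomobject]@{ Name = 'PC-ACTIVE';  userAccountControl = 4096 }
    [pscustomobject]@{ Name = 'PC-RETIRED'; userAccountControl = 4098 }
)
$sample | Where-Object { ($_.userAccountControl -band $ACCOUNTDISABLE) -eq 0 } |
    ForEach-Object { "kept by filter: $($_.Name)" }

$cutoff = [datetime]::new(2022, 6, 18, 0, 0, 0, [DateTimeKind]::Utc)
$filter = New-EnabledComputerFilter -Since $cutoff
New-LdapSearchUrl -Server 'dc01.mydomain.local' -Filter $filter
```

Because `lastLogonTimestamp` is only updated periodically (by default it can lag by up to about two weeks), leave a margin when choosing the cutoff.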

  2. JimmySalian-2011 39,426 Reputation points


    What type of deployment options are you using? You can filter the disabled computers from the scope and only allow in-scope computers/servers for the license.
    Also, you can set up the firewall so the disabled servers cannot communicate via the network, block the ports?



  3. Gary Reynolds 9,206 Reputation points

    This LDAP filter will return all computers, including servers, that are not disabled.



  4. Limitless Technology 38,861 Reputation points


    Thank you for your question and for reaching out. I understand you have a query related to LDAP.

    To exclude disabled computer accounts from an AD Auto Detection Query you can add the following to your query filter: (!(userAccountControl:1.2.840.113556.1.4.803:=2))

    For example, the default query filter would be:


