LDAP Query

LDAP Query

Post by Joe Richar » Fri, 03 Sep 2004 08:58:42


This is actually an Exchange question, not an ADSI question. The ALs are
handled by the RUS; it doesn't really do things with LDAP queries, though it
would make you think so. You do not have the option to specify that you want
things out of specific OUs; you can only specify based on specific attributes on
the objects.

joe

LDAP Query

Post by TWFyY » Thu, 01 Jun 2006 01:11:02

This should be simple, but I'm having difficulties setting up a query.

I need to return all users that are part of a specific Global Security
Group. I tried to use the Member Of and specify my group name in there, but
no results are returned.

Any ideas?


LDAP Query

Post by MVP - AD » Thu, 01 Jun 2006 01:36:24

Did you specify the filter with the full DN:

(memberOf=CN=mygroup,OU=somecontainer,DC=somedomain,DC=com)

memberOf is a DN syntax attribute and thus requires a full DN. No partial
string matches can be used on this type of attribute.

Note also that this won't unwind nested membership; only direct members will
be found this way. It also won't find objects that might be a member of
this group as their primary group.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.yqcomputer.com/

LDAP Query

Post by TWFyY » Thu, 01 Jun 2006 01:45:02

Cool, so how do I apply this to the "Active Directory Users and Computers"
Saved Queries?

Here is my current query and our domain is cmamdm.

(&(&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14))))(objectCategory=user)(memberOf=IT)))

Marc

LDAP Query

Post by MVP - AD » Thu, 01 Jun 2006 03:43:38

I have no idea. I don't really use ADUC very much. This filter isn't
actually valid though:

(&(&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14))))(objectCategory=user)(memberOf=IT)))

The memberOf clause at the end has the exact same problem. If ADUC is
returning something with that query, it is because it is actually
substituting in a value into the real query it is using. That would be
evil. :) Sniff the wire traffic to find out (unless it is channel
encrypted...).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.yqcomputer.com/

LDAP Query

Post by Richard Mu » Thu, 01 Jun 2006 04:11:39

Hi,

I'm not sure I can follow your query. First, the clause:

(&(objectCategory=person)(!objectSid=*))

is looking for user/contact objects with no value assigned to objectSid,
which I think will return contacts. If this clause is necessary, I would use
(objectClass=contact). As for this clause:

(!samAccountType:1.2.840.113556.1.4.804:=3)

You are OR'ing sAMAccountType with 3. This has no meaning to me. You'll have
to explain what this does. As for:

(groupType:1.2.840.113556.1.4.804:=14)

You are OR'ing GroupType with 14, which again has no meaning to me. I
believe your query is searching for all members of a group called "IT". You
need to find the Distinguished Name of this group. I would suggest a query
similar to:

(memberOf=cn=IT,ou=Sales,dc=MyDomain,dc=com)

This will return all members whether users, contacts, groups, or computers.
If you want only user members, use:

(&(sAMAccountType=805306368)(memberOf=cn=IT,ou=Sales,dc=MyDomain,dc=com))

or

(&(objectCategory=person)(objectClass=user)(memberOf=cn=IT,ou=Sales,dc=MyDomain,dc=com))

If you want only group members use:

(&(objectCategory=group)(memberOf=cn=IT,ou=Sales,dc=MyDomain,dc=com))

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.yqcomputer.com/

LDAP Query

Post by Richard Mu » Thu, 01 Jun 2006 05:05:35

Hi,

I found documentation that the following will query for all groups:

(&(!groupType:1.2.840.113556.1.4.803:=1)(groupType:1.2.840.113556.1.4.804:=14))

The first clause omits built-in groups. My guess is that the second clause
is equivalent to:

(|(groupType:1.2.840.113556.1.4.803:=2)(groupType:1.2.840.113556.1.4.803:=4)(groupType:1.2.840.113556.1.4.803:=8))

which returns global, local, and universal groups (bit masks &H02, &H04, and
&H08 respectively and 2+4+8=14). I don't see how this is any more efficient
than:

(objectCategory=group)

and in your case you AND this with (objectCategory=group), so it is
redundant. Similar logic means that:

(!sAMAccountType:1.2.840.113556.1.4.804:=3)

would be equivalent to:

(!(|(sAMAccountType:1.2.840.113556.1.4.803:=1)(sAMAccountType:1.2.840.113556.1.4.803:=2)))

I found one example query that used this, but I don't know what it means.
Whatever is intended, I think there must be more straightforward ways. I
believe you just want all direct members of a group.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

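The filter constructs argued over in this thread (memberOf requiring a full DN rather than a partial match, the objectSid presence test for contacts, and the 803/804 bitwise matching rules on groupType and sAMAccountType), as an added example that none of the posters wrote: a small Python evaluator for this subset of LDAP filter syntax, run over a constructed sample directory. The sample objects, the lowercased attribute keys and the cmamdm group DN are assumptions; like AD, the parser also accepts the `(!attr=value)` shorthand used in the thread.

```python
AND_RULE = "1.2.840.113556.1.4.803"  # bitwise AND: every bit in the mask must be set
OR_RULE = "1.2.840.113556.1.4.804"   # bitwise OR: at least one bit in the mask is set

def _simple(f, i):  # parse 'attr=value' up to the next ')'; return (node, index of ')')
    j = f.index(")", i)
    attr, value = f[i:j].split("=", 1)
    return ("cmp", attr.lower(), value), j

def parse(f, i=0):  # recursive descent from f[i] == '('; return (node, index after ')')
    op = f[i + 1]
    if op in "&|!":
        kids, i = [], i + 2
        if op == "!" and f[i] != "(":  # AD tolerates (!attr=value) without inner parens
            node, i = _simple(f, i)
            kids.append(node)
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    node, i = _simple(f, i + 1)
    return node, i + 1

def matches(node, obj):
    op = node[0]
    if op == "&": return all(matches(k, obj) for k in node[1])
    if op == "|": return any(matches(k, obj) for k in node[1])
    if op == "!": return not matches(node[1][0], obj)
    _, attr, value = node
    if ":" in attr:  # extensible match 'attr:rule:=mask' on an integer attribute
        name, rule, _ = attr.split(":")
        bits, mask = obj.get(name, 0), int(value)
        return (bits & mask) == mask if rule == AND_RULE else (bits & mask) != 0
    vals = obj.get(attr, [])
    vals = vals if isinstance(vals, list) else [vals]
    if value == "*": return bool(vals)  # presence test
    return any(str(v).lower() == value.lower() for v in vals)  # DN syntax: whole value only

def search(filter_str, directory):
    node, _ = parse(filter_str)
    return sorted((o["cn"] for o in directory if matches(node, o)), key=str.lower)

# Constructed sample directory (attribute names lowercased); groupType holds the signed
# 32-bit value AD stores: 0x80000002 = global security, 0x80000005 = builtin local.
IT_DN = "CN=IT,OU=Sales,DC=cmamdm,DC=com"
DIRECTORY = [
    {"cn": "marc", "objectcategory": "person", "objectclass": ["user"],
     "samaccounttype": 805306368, "objectsid": "S-1-5-21-1-1", "memberof": [IT_DN]},
    {"cn": "helpdesk", "objectcategory": "group", "grouptype": -2147483646, "memberof": [IT_DN]},
    {"cn": "vendor", "objectcategory": "person", "objectclass": ["contact"], "memberof": [IT_DN]},
    {"cn": "IT", "objectcategory": "group", "grouptype": -2147483646},
    {"cn": "Users", "objectcategory": "group", "grouptype": -2147483643},
]
```

On this data `(memberOf=IT)` matches nothing while the full-DN form returns the user, the contact and the nested group, and the `(!groupType:...803:=1)(groupType:...804:=14)` pair returns exactly the non-builtin groups, as Richard's reasoning predicts.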