LDAP query to retrieve all users in some groups or under some OU?

Jéjé

Mar 1, 2005, 4:47:48 PM
Hi,

I want to create a query in my 2003 AD.
I want to list all the users which are members of a particular set of groups,
like all members of the groups which contain the word "Sales".

If I can't do this by security group membership, can I do this by OU?
All users under all OUs which contain the word "sales".

I have tried this:
(&(objectCategory=person)(objectClass=user)(dn=*sales*))
without success.

I also have a group called "All sales security group" which contains all the
sales groups I want to identify.

thanks for your help.

Jerome.


Bill Nitz

Mar 2, 2005, 8:05:20 AM
Jerome,
If you want to search for all users who are in a group with the word
'sales' in it, you'd do this:
(&(objectClass=user)(memberof=*sales*))

If you want to search for all users who are in a group with the word
'sales' in it, OR are in a group with the word 'marketing' in it, you'd
do this:
(&(|(memberof=*marketing*)(memberof=*sales*))(objectClass=User))

When you want to search a particular container only, just make sure
you've set your base DN properly when you search - i.e.
OU=Sales,DC=your,DC=domain,DC=com.

Bill

Joe Kaplan (MVP - ADSI)

Mar 2, 2005, 10:02:08 AM
Sorry, but that won't work. memberOf is a distinguished name attribute.
You can't search it with a wildcard search. It must be an exact match.

Joe K.

"Bill Nitz" <wcn...@gmail.com> wrote in message
news:1109768720.8...@f14g2000cwb.googlegroups.com...

Bill Nitz

Mar 2, 2005, 11:31:47 AM
Yep, you're right. I've never bothered to test that. member and
memberOf can use a wildcard-only search, but not with a string (i.e.
member=*).

Sorry for the misinformation.

Joe Kaplan (MVP - ADSI)

Mar 2, 2005, 1:34:01 PM
No biggie. Happens to me all the time :). Unfortunately, I don't know a
very good way to do what he's asking or I would have chimed in.

Joe K.

"Bill Nitz" <wcn...@gmail.com> wrote in message
news:1109781107.8...@f14g2000cwb.googlegroups.com...

Jéjé

Mar 2, 2005, 3:05:26 PM
Well, thanks for your feedback.

I'll use another method, I think.

"Joe Kaplan (MVP - ADSI)" <joseph....@removethis.accenture.com> wrote
in message news:%23Ww2pZ1...@TK2MSFTNGP15.phx.gbl...

Joe Richards [MVP]

Mar 5, 2005, 11:05:22 AM
> if I can't do this by security group membership, can I do this by OU?
> All user under all OU which contain the word "sales"

adfind (www.joeware.net) will do this, but it does it by filtering the records
after they are returned; there is no way to query with a wildcard DN value, as
JoeK mentions.

As for doing it through the groups, you could retrieve all groups that match
your criteria

(&(objectcategory=group)(name=*sales*))

then take the returned DNs and form an OR query so that it ends up looking like

(&(objectcategory=person)(objectclass=user)(|(memberof=somedn)(memberof=somedn2)(memberof=somedn3)(etc)))


joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
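A worked version of the two-step approach Joe describes, as an added example that is not part of the thread: it builds the step 1 group filter and the step 2 OR of exact-match memberOf clauses from the returned DNs, escapes assertion values per RFC 4515 (so a group DN containing parentheses does not break the filter, a case the thread does not cover), and rejects a filter with an embedded line break. All function names and the sample DNs are constructed for this example.

```python
"""Build the two-step 'users in any matching group' filter from the thread.

Added example, not from the thread: step 1 finds the groups, step 2 ORs their
DNs into exact-match memberOf clauses (wildcards on memberOf do not work).
"""
import re

# RFC 4515 escape table: these characters would otherwise be parsed as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_name_filter(substring: str) -> str:
    """Step 1: groups whose name contains the substring (the wildcards are intentional)."""
    return f"(&(objectCategory=group)(name=*{escape_filter_value(substring)}*))"


def users_in_groups_filter(group_dns) -> str:
    """Step 2: users that are direct members of any of the given groups.

    memberOf is DN-syntax, so each clause is an exact match; nested membership
    is not expanded by this filter.
    """
    if not group_dns:
        raise ValueError("need at least one group DN")
    clauses = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    member_part = clauses if len(group_dns) == 1 else f"(|{clauses})"
    return f"(&(objectCategory=person)(objectClass=user){member_part})"


def check_filter(text: str) -> str:
    """Reject a filter with an embedded CR/LF or unbalanced parentheses."""
    if re.search(r"[\r\n]", text):
        raise ValueError("filter contains a line break")
    if text.count("(") != text.count(")"):  # escaped parens are \28 / \29, so not counted
        raise ValueError("unbalanced parentheses in filter")
    return text


if __name__ == "__main__":
    # Constructed sample DNs, as if returned by the step 1 search.
    sales_groups = [
        "CN=Sales,OU=Security Groups,DC=example,DC=com",
        "CN=Sales (EMEA),OU=Security Groups,DC=example,DC=com",
    ]
    print(check_filter(group_name_filter("sales")))
    print(check_filter(users_in_groups_filter(sales_groups)))
```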

Jéjé

Mar 8, 2005, 6:12:08 PM
This syntax appears not to work:
&(objectcategory=person)(objectclass=user)(|(memberof=somedn)(memberof=somedn2)(memberof=somedn3)(etc))

Only 1 memberof returns the list of users, but with 2 memberof (with the |
(or) syntax) nothing is returned.
The user appears in only 1 of the 2 groups.


"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:e1U4j0ZI...@TK2MSFTNGP09.phx.gbl...

Jéjé

Mar 8, 2005, 6:17:18 PM
Oops.

I have retyped the query entirely, and now the same syntax works fine; the
only difference:
a carriage return in the query!

Without a CR the query works; with a CR the query doesn't work!

"Jéjé" <willgart_A_@hotmail_A_.com> wrote in message
news:edcq4QDJ...@TK2MSFTNGP10.phx.gbl...

ptwilliams

Mar 10, 2005, 12:25:49 PM
Yep, you can't have Carriage Returns in the middle of LDAP queries ;-)


--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/


Eric - ARUP

Jun 2, 2005, 10:11:06 AM
I am very curious why you can't just search against 'memberOf=' and what the
logic is behind this not working. The reason I ask is that if you run the query
tool in AD Users and Computers and tell it to run a custom query based on
user and member of, it actually builds the query behind the scenes as
(&(objectCategory=user)(memberOf=admins))

So is the query tool shipped from MS bugged?

e-

Joe Kaplan (MVP - ADSI)

Jun 2, 2005, 12:16:33 PM
Have you tried that query? It won't return anything as is:

(&(objectCategory=user)(memberOf=admins))

It would have to be:

(&(objectCategory=user)(memberOf=CN=Domain Admins,CN=whatever,DC=etc,DC=com))

memberOf is a DN-syntax attribute and must be an exact match.

Also, remember that this query won't return users that are members of that
group via nesting.

Joe K.

"Eric - ARUP" <Eric...@discussions.microsoft.com> wrote in message
news:99A3FA4F-23D4-4498...@microsoft.com...

Eric - ARUP

Jun 2, 2005, 1:14:02 PM
Ok, I think I got it, thanks. Here is the part that threw me.

I had to change CN=whatever to be 'OU=Security Groups', or in this case the
place where the group 'domain admins' was located. That threw me off because
the objectCategory was user, so I thought I had to search the CN that had my
users in it, which was a different place.

thanks for the follow up help Joe.

e-

Joe Kaplan (MVP - ADSI)

Jun 2, 2005, 1:36:26 PM
The search root for the query determines where in the tree you search. The
search scope determines how deep in the tree you go. Subtree searches the
current container and all descendants, one level is just the current
container and base is the current object defined by the search root itself.
The filter is executed against the objects within scope of the query and
will determine if that object matches.

Hopefully that helps make some sense. I think file system analogies are the
most useful for learning LDAP searches since most people are pretty familiar
with how they work. The only problem is that file system files don't really
have a good analogy for attributes, unless you count the basics like last
modified date.

The good thing about LDAP is that it is 10X simpler than SQL as the data is
not relational and there are many fewer options. However, it is a little
weird getting used to. :)

Joe K.

"Eric - ARUP" <Eric...@discussions.microsoft.com> wrote in message
news:1F27AAC1-D224-43BA...@microsoft.com...

felipe.th...@gmail.com

May 6, 2020, 6:12:35 PM
Does this still happen in the current versions of Microsoft?