Active Directory Query not working (user member/not member of group) : Microsoft, Windows Server 2003 R2, Active Directory

May 17, 2008 01:26am pdt

1. KCTS 421,222
2. LauraEHu... 314,971
3. Chris-Dent 136,127
4. oBdA 121,700
5. tigermatt 103,030
6. martin_b... 98,358
7. Jay_Jay70 93,861
8. toniur 93,817
9. mattee76 88,690
10. PlaceboC6 78,254
11. Netman66 72,368
12. Sembee 70,394
13. ryansoto 64,180
14. ChiefIT 61,672
15. RobSampson 60,645

1. KCTS 1,119,735
2. LauraEHu... 935,151
3. Jay_Jay70 420,548
4. toniur 368,040
5. oBdA 327,268
6. Sembee 318,473
7. Netman66 290,576
8. Chris-Dent 261,204
9. tigermatt 194,993
10. kamalgopi 170,528
11. Pber 161,830
12. TechSoEasy 157,616
13. aissim 155,199
14. leew 154,362
15. strongline 125,990

05.09.2008 at 02:41AM PDT, ID: 23388772 | Points: 250

	[x] Attachment Details

Active Directory Query not working (user member/not member of group)

Zones: Windows 2003 Active Directory, Windows 2003 Server

Tags: Microsoft, Windows Server 2003 R2, Active Directory

Hello, glad for any help on this:

I want to query for users who are NOT a member of a particular group. However the query does not display the expected result:

I created a new query on "Users, Contacts and Groups",
and on the Advanced tab I selected
FIELD: User->Member Of,
CONDITION: either "Is (exactly)" or "Is not"
VALUE: "CN=UNI Deny external Email,OU=Distribution_Lists,OU=_Our_Groups,DC=intranet,DC=ourdomain,DC=net"

QUERY ROOT: ...\intranet

I tried the value with and without full path and w/ and w/o quotation marks.
If condition is "Is (exactly)", no results are displayed,
if condition is "Is not", all users are displayed

This is what the query string looks like that is created by the GUI:
(&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))(objectCategory=user)(!memberOf="CN=UNI Deny external Email,OU=Distribution_Lists,OU=_Our_Groups,DC=intranet,DC=ourdomain,DC=net")))

The group definitely has members.

I have found similar threads on Experts-Exchange, but no joy.
As I am not familiar with VBScript, this is not an option for me.

Thanks for your help

By the way, I am a beginner with regards to LDAP queries, not sure whether I am missing something basic. A query on workstations that I created works, though :-)

Start your free trial to view this solution

Question Stats

Zone: OS

Question Asked By: avatura

Question Asked On: 05.09.2008

Participating Experts: 1

Points: 250

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

05.09.2008 at 05:15AM PDT, ID: 21531966

Rank: Sage

LauraEHunterMVP:

You're going to need to script this, full stop. An LDAP memberOf query is not going to chase nested memberships, such as where a user is a member of a group which is a member of the group you're looking for. The functionality simply isn't there.

Use one of the VBScript samples that have been pre-written for your use here: http://www.rlmueller.net/freecode1.htm (I usually go with #6.) Each example returns a TRUE if a user is a member of a group, or FALSE if they are not.

05.09.2008 at 05:44AM PDT, ID: 21532150

avatura:

Thanks for your quick answer, but this is not a nested membership, all users are direct members of that group, but the query will still not work

05.09.2008 at 05:49AM PDT, ID: 21532204

Rank: Sage

LauraEHunterMVP:

If you're willing to make the operational assumption that you will never need to query for nested memberships (I wouldn't, but that's me), the appropriate query would be as follows: (all one line, text will wrap.)

"(&(objectcategory=person)(objectclass=user)(!memberOf="CN=UNI Deny external Email,OU=Distribution_Lists,OU=_Our_Groups,DC=intranet,DC=ourdomain,DC=net"))

05.13.2008 at 01:48AM PDT, ID: 21553192

avatura:

Well, if I ever need to query for nested memberships, I can still look into the scripting option.

For now, I only need to know which users are not in that particular group, and unfortunately your query string does not give me any result either. The result list is empty, also if I remove the ! (NOT).

I am sure this is some basic mistake I am making. I have tried other groups too, they cannot be queried either.

20080236-EE-VQP-29 / EE_QW_2_20070628