tknudsen-qec
LDAP "memberOf" queries

For the sake of this inquiry, I'm currently executing LDAP queries in ADUC.

This works, and returns most or all staff:
(&(objectCategory=user)(memberOf=*))
I can pick random staff from the resultset, open their "member of" lists and confirm they're part of one or many groups each.

On the other hand, none of these produce any results:
(&(objectCategory=user)(memberOf=mygroup))
(&(objectCategory=user)(memberOf=A*))
(&(objectCategory=user)(memberOf=B*))
(&(objectCategory=user)(memberOf=C*))...

What am I doing wrong?

Thx



farazhkhan

Hi,

MemberOf is a distinguished name attribute (syntax 2.5.5.1). They can only be found via an exact match in an LDAP filter. No wild cards are allowed.

If you put in the full distinguished name of the group in question, it will work.

Courtesy: http://www.winvistatips.com/ldp-search-memberof-t681860.html

Regards,
Faraz H. Khan
tknudsen-qec (ASKER)
Thanks for the quick reply farazhkhan

I want to confirm that works for me.  How can I determine the distinguished name of a given group?

When I look at the groups in ADUC, I only see the "normal" names (for instance BKMISW) along with its "Type" (Security Group - Domain Local) and "Description" "Baker Lake MIS (Write)"

Thanks kindly again
I don't know if it helps, but the "root" directory when I look at Active Directory Users and Computers is
[X01.XYZ.NU.CA]

The "Canonical name of object" as seen in properties is:
"XYZ.NU.CA/Baker Lake/Groups/BKMISW"

I gather some form of the above needs to be used as the "distinguished name"?

Apologies for my lack of expertise; I'm trying to confirm your answer "works" for me.

Thanks
tk
I've found it much easier to use VB scripting to perform these AD queries. VBSedit is a free tool which has access to the AD object model with easy to use drop down lists for various AD field/parameter names etc.  Also includes many in-built sample scripts so that you don't even need to do any coding to start.
ASKER CERTIFIED SOLUTION
farazhkhan

SOLUTION
Just one other thing worth noting when querying group membership -

The user's primary group does not show in memberOf. It is referenced by the primaryGroupID attribute on the user which refers to the RID of the group. Nor is the user listed as a 'member' in the group itself.

This isn't such a huge problem if you've left all users with Domain Users as their primary group. Just keep it in mind that they won't appear in these member/memberof queries.

If you've changed the users' primary group let us know cos a simple LDAP query will not find these group memberships.
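The primary-group caveat above is easy to get wrong in practice because primaryGroupID holds only the RID, while the group exposes its identity as a binary objectSid. The Python below is an added example (not posted by anyone in this thread, function names are mine) that decodes a binary objectSid as an LDAP client would receive it, extracts the RID, and builds a filter that covers both kinds of membership: users whose memberOf names the group and users whose primaryGroupID is that group's RID. The SID bytes are constructed test data with a made-up domain identifier; 513 is the well-known RID of Domain Users.

```python
"""Find users of a group including those whose primary group it is (added example)."""
import struct


def sid_bytes_to_string(sid: bytes) -> str:
    """Decode a binary SID (revision, count, 48-bit big-endian authority,
    then little-endian 32-bit sub-authorities) into 'S-1-5-21-...' form."""
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError('SID length does not match sub-authority count')
    authority = int.from_bytes(sid[2:8], 'big')
    subs = struct.unpack('<%dI' % count, sid[8:])
    return 'S-%d-%d-%s' % (revision, authority, '-'.join(str(s) for s in subs))


def rid_from_sid(sid_string: str) -> int:
    """The RID is the last sub-authority; it is what primaryGroupID stores."""
    return int(sid_string.rsplit('-', 1)[1])


def build_sid(domain_subs: tuple, rid: int) -> bytes:
    """Constructed-data helper: encode S-1-5-21-<domain_subs>-<rid> as bytes."""
    subs = (21, *domain_subs, rid)
    return (bytes([1, len(subs)]) + (5).to_bytes(6, 'big')
            + struct.pack('<%dI' % len(subs), *subs))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a DN placed inside a filter."""
    return (value.replace('\\', '\\5c').replace('*', '\\2a')
                 .replace('(', '\\28').replace(')', '\\29').replace('\x00', '\\00'))


def primary_group_filter(group_sid: bytes) -> str:
    """Users whose primary group is the group with this objectSid."""
    rid = rid_from_sid(sid_bytes_to_string(group_sid))
    return '(&(objectCategory=user)(primaryGroupID=%d))' % rid


def full_membership_filter(group_dn: str, group_sid: bytes) -> str:
    """Users that are either explicit members (memberOf) or primary-group members."""
    rid = rid_from_sid(sid_bytes_to_string(group_sid))
    return '(&(objectCategory=user)(|(memberOf=%s)(primaryGroupID=%d)))' % (
        escape_filter_value(group_dn), rid)


# Constructed sample: a fictitious domain identifier with the Domain Users RID.
DOMAIN_USERS_SID = build_sid((1234567890, 987654321, 1122334455), 513)
DOMAIN_USERS_DN = 'CN=Domain Users,CN=Users,DC=XYZ,DC=NU,DC=CA'  # hypothetical DN

if __name__ == '__main__':
    print(sid_bytes_to_string(DOMAIN_USERS_SID))
    print(primary_group_filter(DOMAIN_USERS_SID))
    print(full_membership_filter(DOMAIN_USERS_DN, DOMAIN_USERS_SID))
```

Because primaryGroupID is an integer attribute rather than a DN, it is also the one membership query that needs no DN at all, which is why a user whose primary group was changed to something other than Domain Users shows up in the second filter but never in a plain memberOf query.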
Faraz,

Thanks kindly sir, this worked correctly as advertised.

mkline71, using the adfind link you provided, I was able to identify the precise dn I needed in order to confirm Faraz's answer (CN=BKMISW,OU=Groups,OU=Baker Lake,DC=XYZ,DC=NU,DC=CA ... Farazhkhan was close).  Thanks for your assistance.
tk