Solved

How do I write an LDAP query to list groups in an OU

Posted on 2008-06-19
Last Modified: 2012-05-05
I'm trying to write an LDAP query in AD Users and Computers to return a list of groups in an OU.

I have
(objectCategory=group)(OU=WKS,OU=Bacup,OU=Pennine,OU=BBGE,DC=engineering,DC=bb,dc=wan)

But this returns an error

"The query filter "(&(objectCategory=group)(OU=WKS,OU=Bacup,OU=Pennine,OU=BBGE,DC=engineering,DC=bb,dc=wan))" is not a valid query string

Any help would be appreciated

Thanks
Question by:Darren_Clifford
5 Comments
 
LVL 26

Expert Comment

by:farhankazi
ID: 21821053
1. Right click the Saved Queries folder and select New, Query.
2. Enter an appropriate Name and Description.
3. Make sure the query root is set to the domain level you want the query to pertain to.
   - In this case browse to WKS -> Bacup -> Pennine -> BBGE
4. Select the Include subcontainers check box if you want the query to search all subcontainers.
5. Click Define Query.
6. In the Find dialog box, click the Find drop-down arrow and select Custom Search.
7. On the Advanced tab, enter your LDAP query string into the Enter LDAP query box.
   - In this case (objectcategory=group)(samaccountname=*)
8. Click OK twice.

Hope this helps!
Farhan

 

Author Comment

by:Darren_Clifford
ID: 21821168
That works; however, I want to include the OU string in the query to get to the exact OU. How can I do this?

 
LVL 26

Expert Comment

by:farhankazi
ID: 21821396
I don't think it is possible (at least not to my knowledge).
Will it be OK if you query from the command line?
Like:

DSQuery * "OU=WKS,OU=Bacup,OU=Pennine,OU=BBGE,DC=engineering,DC=bb,dc=wan" -Filter "(&(objectClass=group))" -Limit 0
 

OR
 

DSQuery * "OU=WKS,OU=Bacup,OU=Pennine,OU=BBGE,DC=engineering,DC=bb,dc=wan" -Filter "(&(objectClass=group))" -Attr Name -Limit 0

 

Author Comment

by:Darren_Clifford
ID: 21821436
What this is for is a third-party application that needs to query AD. The application queries using LDAP. Hence I wanted to test the LDAP query in Windows first.
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 21822207
The OU doesn't belong in the query string. It is the -base- for the query.  What you are effectively saying is:

Search beginning at -base X- (the OU) for stuff that meets the criteria of -query string Y- (objectclass=blah, or whatever).

If you really, really, for whatever reason, insist on using the query string to do this, you'll have to do something like "(&(objectclass=group)(dn=*ou=blah,dc=blah,dc=blah))". However, I strongly (and I mean S. T. R. O. N. G. L. Y.) advise against that, as it creates a medial search query which is dreadfully inefficient at scale.
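
Added illustration, not part of the thread or any poster's code: a small in-memory model of an LDAP search that keeps the three inputs separate, the base DN (the OU from the question), the scope, and the filter. The directory entries and group names are constructed sample data, and the filter is reduced to a single equality test.

```python
import re

BASE = "OU=WKS,OU=Bacup,OU=Pennine,OU=BBGE,DC=engineering,DC=bb,dc=wan"
PARENT = BASE.split(",", 1)[1]            # OU=Bacup,... one level above BASE

# Constructed sample entries (names invented). objectCategory is stored in the
# short form used in filters; a real directory holds a schema DN there.
DIRECTORY = {
    "CN=WKS-Admins," + BASE:          {"objectCategory": ["group"]},
    "CN=Lab-Users,OU=Lab," + BASE:    {"objectCategory": ["group"]},
    "CN=PC001," + BASE:               {"objectCategory": ["computer"]},
    "CN=Bacup-Staff," + PARENT:       {"objectCategory": ["group"]},
    "CN=Other,OU=NotWKS," + PARENT:   {"objectCategory": ["group"]},
}

def rdns(dn):
    """Split a DN into lower-cased RDNs (simplified: only handles \\, escapes)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def in_scope(entry_dn, base_dn, scope):
    """'base' = the base entry only, 'onelevel' = its direct children,
    'subtree' = the base entry and everything beneath it."""
    e, b = rdns(entry_dn), rdns(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False                      # not at or under the base
    depth = len(e) - len(b)
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

def search(directory, base_dn, scope, attr, value):
    """Apply the equality filter (attr=value) to the in-scope entries only."""
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, base_dn, scope)
            and value.lower() in (v.lower() for v in attrs.get(attr, []))]

if __name__ == "__main__":
    for scope in ("onelevel", "subtree"):
        print(scope, search(DIRECTORY, BASE, scope, "objectCategory", "group"))
    # Comparing whole RDNs keeps OU=NotWKS out; a plain text match on the
    # DN suffix "WKS,OU=Bacup,..." would have let it in.
```

The filter passed to `search` never mentions the OU: which part of the tree is examined is decided entirely by the base DN and the scope.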