[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

How do i write an LDAP query to list groups in an OU

Posted on 2008-06-19
5
Medium Priority
?
1,954 Views
Last Modified: 2012-05-05
I'm Trying to write an LDAP query in AD users and computers to return a list of groups in an OU.

I have
(objectCategory=group)(OU=WKS,OU=Bacup,OU=Pennine,OU=BBGE,DC=engineering,DC=bb,dc=wan)

But this returns an error

"The query filter "(&(objectCategory=group)(OU=WKS,OU=Bacup,OU=Pennine,OU=BBGE,DC=engineering,DC=bb,dc=wan))" is not a valid query string

Any help would be appreciated

Thanks
0
Comment
Question by:Darren_Clifford
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 21821053
1. Right click the Saved Queries folder and select New, Query.
2. Enter an appropriate Name and Description.
3. Make sure the query root is set to the domain level you want the query to pertain to.
   - In this case browse to WKS -> Bacup -> Pennine -> BBGE
4. Select the Include subcontainers check box if you want the query to search all subcontainers.
5. Click Define Query.
6. In the Find dialog box, click the Find drop-down arrow and select Custom Search.
7. On the Advanced tab, enter your LDAP query string into the Enter LDAP query box.
   - In this case (objectcategory=group)(samaccountname=*)
8. Click OK twice.

Hope this helps!
Farhan

0
 

Author Comment

by:Darren_Clifford
ID: 21821168
That works , however I want to include the OU string in the query to get to the exact ou. How can i do this?

0
 
LVL 26

Expert Comment

by:Farhan Kazi
ID: 21821396
I don't think it is possible (at least not in my knowledge).
Will it be ok if you query from command line?
Like:

DSQuery * "OU=WKS,OU=Bacup,OU=Pennine,OU=BBGE,DC=engineering,DC=bb,dc=wan" -Filter "(&(objectClass=group))" -Limit 0
 
OR
 
DSQuery * "OU=WKS,OU=Bacup,OU=Pennine,OU=BBGE,DC=engineering,DC=bb,dc=wan" -Filter "(&(objectClass=group))" -Attr Name -Limit 0

Open in new window

0
 

Author Comment

by:Darren_Clifford
ID: 21821436
What this is for is a third part application that needs to query AD . The application queries using LDAP. Hence I wanted to test the LDAP query in windows first
0
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 1500 total points
ID: 21822207
The OU doesn't belong in the query string. It is the -base- for the query.  What you are effectively saying is:

Search beginning at -base X- (the OU) for stuff that meets the criteria of -query string Y- (objectclass=blah, or whatever).

If you really, really, for whatever reason, insist on using the query string to do this, you'll have to do something like "(&(objectclass=group)(dn=*ou=blah,dc=blah,dc=blah"))". However, I strongly (and I mean S. T. R. O. N. G. L. Y.) advise against that, as it creates a medial search query which is dreadfully inefficient at scale.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question