asked on
Exchange LDAP query for group membership or OU
We currently have a need to see a bunch of external contacts in the GAL for one of our companies. We currently do LDAP queries for GALs using the domain name of the email, but in this case that will not work due to having many domains.
What query can I write that will give me all the contacts, users, and distribution lists in a specific OU, or all the members of a group?
What query can I write that will give me all the contacts, users, and distribution lists in a specific OU, or all the members of a group?
DatabasesExchange
Last Comment
Chris Dent
ASKER
Question now worth 500 points
Hey,
I'm afraid that you cannot construct LDAP queries to filter based on OU. The reason being that the parent OU isn't an explicit attribute of a child object, and you're not permitted wildcards in ldap paths / distinguished names.
All members of a group on the other hand is possible, it's something like this:
(memberOf=CN=GroupName,OU=
Note that the path above must be the full path, the same wildcard restriction applies here. You can add additional statements to filter down to object type if required.
Perhaps we can have a script automatically populate an attribute on each of the accounts in question, then use that attribute for your LDAP query? It would be easy to filter on OU within a script and I'm happy to help you write that if it's any use.
Chris
Where are you trying to employ the results of this query? Could be helpful in determining a solution.
ASKER
I have the above string syntzx as well as the strings I need for the query to include users, distribution lists, and contacts. What I am having difficulty with is putting it all together. Could you post with proper syntax to combine these statements. Also, if I am missing anything else
(memberOf=CN=GroupName,OU=
(objectCategory=person)
(objectClass=user)
(objectCategory=person)
(objectClass=contact)
(objectCategory=group)
(objectCategory=msExchDyna
(memberOf=CN=GroupName,OU=
(objectCategory=person)
(objectClass=user)
(objectCategory=person)
(objectClass=contact)
(objectCategory=group)
(objectCategory=msExchDyna
I find the easiest way to combine LDAP queries is like this (you can lose the messing around as soon as you're used to how they fit together):
(& ## AND
(memberOf=CN=GroupName,OU=
(| ## OR
(& ## AND
(objectCategory=person)
(objectClass=user)
)
(& ## AND
(objectCategory=person)
(objectClass=contact)
)
(objectCategory=group)
(objectCategory=msExchDyna
)
)
Which gives us:
(&(memberOf=CN=GroupName,O
And translates to:
Is a member of group
And is either a User, or a Contact, or a Group, or a Dynamic Distribution List
Chris
ASKER
Sorry for the delay!
Strange, that isn't working. Although everything looks right.
I created a test OU right under the domain and a test group as well.
Here is what I have in the custom search box of exchange:
(&(memberOf=CN=TestGroup,O
Any idea why users in this test group would not be showing up?
Strange, that isn't working. Although everything looks right.
I created a test OU right under the domain and a test group as well.
Here is what I have in the custom search box of exchange:
(&(memberOf=CN=TestGroup,O
Any idea why users in this test group would not be showing up?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
To post:
Chris, that worked awesome. I used the path from ADSIEdit and it worked like a charm
I swear the two looked identical though except for the case of the domain. I wouldn't think that mattered, but at least it is working now.
Thanks a bunch.
Chris, that worked awesome. I used the path from ADSIEdit and it worked like a charm
I swear the two looked identical though except for the case of the domain. I wouldn't think that mattered, but at least it is working now.
Thanks a bunch.
You're welcome, glad I could help out :)
Chris
Chris