Solved

How to write LDAP query for users not in a specific group

Posted on 2008-10-29
4,442 Views
Last Modified: 2013-12-24
I'm trying to write a LDAP query for users NOT in any group starting with a particular word.  For example, I'd like to see all users who are not in a group that starts with the word Travel.

I would like to use LDAP query within Active Directory or a separate VB Script.
Question by:TravelSmith
6 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22839254
Hi!

Try to create the following custom query in Active Directory Users and Computers:
(&(objectCategory=user)(!memberOf=CN=Travel,OU=Test,DC=test,DC=local))

Substitute "CN=Travel,OU=Test,DC=test,DC=local" with proper LDAP distinguished name for your group.

HTH

Toni
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22840035

You can't use wildcards for group names when searching member or memberOf. That makes "any group starting with a particular word" impossible within the context of an LDAP query I'm afraid. That kind of check would have to be done in code, performed against a data set returned from a query against AD.

The nearest you'll get is a query for "not a member" of a specific group as Toni has demonstrated above.

Chris
 

Author Comment

by:TravelSmith
ID: 22845708
Can I list multiple groups?  If so how should it be separated in the code?  (semicolon?)
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22845860

Yes, and not quite :)

You would use either AND (&) or OR (|). e.g.

AND: (&(objectCategory=user)(&(!memberOf=CN=Travel,OU=Test,DC=test,DC=local)(!memberOf=CN=Group2,OU=Test,DC=test,DC=local)))

Translates to: Object is a User AND is NOT in Travel AND is NOT in Group2

OR: (&(objectCategory=user)(|(!memberOf=CN=Travel,OU=Test,DC=test,DC=local)(!memberOf=CN=Group2,OU=Test,DC=test,DC=local)))

Translates to: Object is a User AND is NOT in Travel OR is NOT in Group2

AD Users and Computers has a maximum length for query so if your group paths are long you might run into that.

If you're not too familiar with LDAP queries I find it best to break them down like this:

(&
  (objectCategory=user)
  (|
    (!memberOf=CN=Travel,OU=Test,DC=test,DC=local)
    (!memberOf=CN=Group2,OU=Test,DC=test,DC=local)
  )
)

Statements at the same level are evaluated together; each level will return True or False. Always start with the highest level (in this case, the two memberOf expressions).

If that makes any sense at all ;)

Chris
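An added example (not code from the thread or from any of its participants) that builds the AND/OR filters Chris describes from a list of group DNs, escaping filter metacharacters, and then performs the "any group starting with Travel" check that Chris says has to be done in code over the memberOf values a query returns. It emits the fully parenthesised NOT form (!(memberOf=...)), which Active Directory also accepts; the function names, DNs and user data are constructed for illustration.

```python
# Added example: LDAP filter construction + the "group name prefix" check done in code.
# All DNs, names and the sample result set below are constructed, not from a real directory.

def escape_filter_value(value):
    """Escape characters that are special inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def not_member_of_filter(group_dns, combine="&"):
    """Return (&(objectCategory=user)(<combine>(!(memberOf=dn))...)) for the given group DNs.
    combine='&' means 'not in ANY of these groups'; '|' means 'not in at least one of them'."""
    if combine not in ("&", "|"):
        raise ValueError("combine must be '&' or '|'")
    clauses = "".join("(!(memberOf=%s))" % escape_filter_value(dn) for dn in group_dns)
    return "(&(objectCategory=user)(%s%s))" % (combine, clauses)

def first_rdn_value(dn):
    """Value of the leading RDN ('Travel Agents' for 'CN=Travel Agents,OU=...'),
    honouring backslash-escaped commas. Hex escapes such as \\2c are not decoded."""
    val, i = [], dn.index("=") + 1
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1
        val.append(dn[i])
        i += 1
    return "".join(val)

def users_not_in_group_prefix(users, prefix):
    """users: {sAMAccountName: [memberOf DNs]} as returned by an AD query.
    Keeps users with no group whose CN starts with prefix (case-insensitive, as AD compares).
    Caveat: memberOf lists direct memberships only; nested groups and the primary group
    (primaryGroupID) are not reflected here."""
    p = prefix.lower()
    return sorted(user for user, groups in users.items()
                  if not any(first_rdn_value(g).lower().startswith(p) for g in groups))

SAMPLE_USERS = {  # constructed sample of query results
    "alice": ["CN=Travel Agents,OU=Groups,DC=test,DC=local", "CN=Staff,OU=Groups,DC=test,DC=local"],
    "bob":   ["CN=Staff,OU=Groups,DC=test,DC=local"],
    "carol": ["CN=Sales\\, EMEA,OU=Groups,DC=test,DC=local", "CN=travel-approvers,OU=Groups,DC=test,DC=local"],
    "dave":  [],
}

if __name__ == "__main__":
    print(not_member_of_filter(["CN=Travel,OU=Test,DC=test,DC=local", "CN=Group2,OU=Test,DC=test,DC=local"]))
    print(users_not_in_group_prefix(SAMPLE_USERS, "Travel"))
```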
 

Author Comment

by:TravelSmith
ID: 22845962
The AND query works great!  Thank you so much!!
 

Author Closing Comment

by:TravelSmith
ID: 31511308
Great Work!
