Solved

How to write LDAP query for users not in a specific group

Posted on 2008-10-29
6
4,027 Views
Last Modified: 2013-12-24
I'm trying to write a LDAP query for users NOT in any group starting with a particular word.  For example, I'd like to see all users who are not in a group that starts with the word Travel.

I would like to use LDAP query within Active Directory or a separate VB Script.
0
Comment
Question by:TravelSmith
  • 3
  • 2
6 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22839254
Hi!

Try to create the follwing custom query in Active Directory User and Computers:
(&(objectCategory=user)(!memberOf=CN=Travel,OU=Test,DC=test,DC=local))

Substitute "CN=Travel,OU=Test,DC=test,DC=local" with proper LDAP distinguished name for your group.

HTH

Toni
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22840035

You can't use wildcards for group names when searching member or memberOf. That makes "any group starting with a particular word" impossible within the context of an LDAP query I'm afraid. That kind of check would have to be done in code, performed against a data set returned from a query against AD.

The nearest you'll get is a query for "not a member" of a specific group as Toni has demonstrated above.

Chris
0
 

Author Comment

by:TravelSmith
ID: 22845708
Can I list multiple groups?  If so how should it be separated in the code?  (semicolon?)
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22845860

Yes, and not quite :)

You would use either AND (&) or OR (|). e.g.

AND: (&(objectCategory=user)(&(!memberOf=CN=Travel,OU=Test,DC=test,DC=local)(!memberOf=CN=Group2,OU=Test,DC=test,DC=local)))

Translates to: Object is a User AND is NOT in Travel AND is NOT in Group2

OR: (&(objectCategory=user)(|(!memberOf=CN=Travel,OU=Test,DC=test,DC=local)(!memberOf=CN=Group2,OU=Test,DC=test,DC=local)))

Translates to: Object is a User AND is NOT in Travel OR is NOT in Group2

AD Users and Computers has a maximum length for query so if your group paths are long you might run into that.

If you're not too familiar with LDAP queries I find it best to break them down like this:

(&
  (objectCategory=user)
  (|
    (!memberOf=CN=Travel,OU=Test,DC=test,DC=local)
    (!memberOf=CN=Group2,OU=Test,DC=test,DC=local)
  )
)

Statements at the same level are evaluated together, each level will return True or False, always start with the highest level (in this case, the two memberOf expressions).

If that makes any sense at all ;)

Chris
0
 

Author Comment

by:TravelSmith
ID: 22845962
The AND query works great!  Thank you so much!!
0
 

Author Closing Comment

by:TravelSmith
ID: 31511308
Great Work!
0

Join & Write a Comment

Entity Framework is a powerful tool to help you interact with the DataBase but still doesn't help much when we have a Stored Procedure that returns more than one resultset. The solution takes some of out-of-the-box thinking; read on!
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now