Solved

How to write LDAP query for users not in a specific group

Posted on 2008-10-29
6
4,236 Views
Last Modified: 2013-12-24
I'm trying to write a LDAP query for users NOT in any group starting with a particular word.  For example, I'd like to see all users who are not in a group that starts with the word Travel.

I would like to use LDAP query within Active Directory or a separate VB Script.
0
Comment
Question by:TravelSmith
  • 3
  • 2
6 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22839254
Hi!

Try to create the follwing custom query in Active Directory User and Computers:
(&(objectCategory=user)(!memberOf=CN=Travel,OU=Test,DC=test,DC=local))

Substitute "CN=Travel,OU=Test,DC=test,DC=local" with proper LDAP distinguished name for your group.

HTH

Toni
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22840035

You can't use wildcards for group names when searching member or memberOf. That makes "any group starting with a particular word" impossible within the context of an LDAP query I'm afraid. That kind of check would have to be done in code, performed against a data set returned from a query against AD.

The nearest you'll get is a query for "not a member" of a specific group as Toni has demonstrated above.

Chris
0
 

Author Comment

by:TravelSmith
ID: 22845708
Can I list multiple groups?  If so how should it be separated in the code?  (semicolon?)
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22845860

Yes, and not quite :)

You would use either AND (&) or OR (|). e.g.

AND: (&(objectCategory=user)(&(!memberOf=CN=Travel,OU=Test,DC=test,DC=local)(!memberOf=CN=Group2,OU=Test,DC=test,DC=local)))

Translates to: Object is a User AND is NOT in Travel AND is NOT in Group2

OR: (&(objectCategory=user)(|(!memberOf=CN=Travel,OU=Test,DC=test,DC=local)(!memberOf=CN=Group2,OU=Test,DC=test,DC=local)))

Translates to: Object is a User AND is NOT in Travel OR is NOT in Group2

AD Users and Computers has a maximum length for query so if your group paths are long you might run into that.

If you're not too familiar with LDAP queries I find it best to break them down like this:

(&
  (objectCategory=user)
  (|
    (!memberOf=CN=Travel,OU=Test,DC=test,DC=local)
    (!memberOf=CN=Group2,OU=Test,DC=test,DC=local)
  )
)

Statements at the same level are evaluated together, each level will return True or False, always start with the highest level (in this case, the two memberOf expressions).

If that makes any sense at all ;)

Chris
0
 

Author Comment

by:TravelSmith
ID: 22845962
The AND query works great!  Thank you so much!!
0
 

Author Closing Comment

by:TravelSmith
ID: 31511308
Great Work!
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
powershell and sql server - alerting 7 77
Creating and Connection two new domains 5 77
Password change 3 21
constraint check 2 0
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now