Solved

How to write LDAP query for users not in a specific group

Posted on 2008-10-29
6
5,095 Views
Last Modified: 2013-12-24
I'm trying to write a LDAP query for users NOT in any group starting with a particular word.  For example, I'd like to see all users who are not in a group that starts with the word Travel.

I would like to use LDAP query within Active Directory or a separate VB Script.
0
Comment
Question by:TravelSmith
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 22839254
Hi!

Try to create the follwing custom query in Active Directory User and Computers:
(&(objectCategory=user)(!memberOf=CN=Travel,OU=Test,DC=test,DC=local))

Substitute "CN=Travel,OU=Test,DC=test,DC=local" with proper LDAP distinguished name for your group.

HTH

Toni
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22840035

You can't use wildcards for group names when searching member or memberOf. That makes "any group starting with a particular word" impossible within the context of an LDAP query I'm afraid. That kind of check would have to be done in code, performed against a data set returned from a query against AD.

The nearest you'll get is a query for "not a member" of a specific group as Toni has demonstrated above.

Chris
0
 

Author Comment

by:TravelSmith
ID: 22845708
Can I list multiple groups?  If so how should it be separated in the code?  (semicolon?)
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22845860

Yes, and not quite :)

You would use either AND (&) or OR (|). e.g.

AND: (&(objectCategory=user)(&(!memberOf=CN=Travel,OU=Test,DC=test,DC=local)(!memberOf=CN=Group2,OU=Test,DC=test,DC=local)))

Translates to: Object is a User AND is NOT in Travel AND is NOT in Group2

OR: (&(objectCategory=user)(|(!memberOf=CN=Travel,OU=Test,DC=test,DC=local)(!memberOf=CN=Group2,OU=Test,DC=test,DC=local)))

Translates to: Object is a User AND is NOT in Travel OR is NOT in Group2

AD Users and Computers has a maximum length for query so if your group paths are long you might run into that.

If you're not too familiar with LDAP queries I find it best to break them down like this:

(&
  (objectCategory=user)
  (|
    (!memberOf=CN=Travel,OU=Test,DC=test,DC=local)
    (!memberOf=CN=Group2,OU=Test,DC=test,DC=local)
  )
)

Statements at the same level are evaluated together, each level will return True or False, always start with the highest level (in this case, the two memberOf expressions).

If that makes any sense at all ;)

Chris
0
 

Author Comment

by:TravelSmith
ID: 22845962
The AND query works great!  Thank you so much!!
0
 

Author Closing Comment

by:TravelSmith
ID: 31511308
Great Work!
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Display SQL maintenance plan SQL Code 3 44
Database Availability Group Distribution 9 46
Creating a View from a CTE 15 39
I'm being stupid with my powershell 2 24
As technology users and professionals, we’re always learning. Our universal interest in advancing our knowledge of the trade is unmatched by most industries. It’s a curiosity that makes sense, given the climate of change. Within that, there lies a…
This article shows the steps required to install WordPress on Azure. Web Apps, Mobile Apps, API Apps, or Functions, in Azure all these run in an App Service plan. WordPress is no exception and requires an App Service Plan and Database to install
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question