  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 11674

LDAP Query for specific AD groups and OU

I have been struggling to put together an effective LDAP filter/query for the purpose of importing specific user profiles into SharePoint.

I've been using both the Advanced Search feature of Active Directory Users and Computers and LDIFDE to see what results are being returned, but I am obviously missing something because I'm either getting NO results or TOO many.

In a nutshell, I need two LDAP queries which return:

1) Active users who belong to "Security Group A" AND to the "Office" OU (or any sub OU/branch of "Office")
2) Active users who DO NOT belong to the 'Users' built-in container (or any of the sub-containers/branches of "Users" - these were created when we migrated from Exchange 2000 to 2003)

Asked by: drewberrylicious

1 Solution
bhanukir7 commented:
hi

I think this post on EE would be of help for you to run a query:

http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/ASP/Q_21730320.html

Revert back with what kind of query you are running, so as to understand the query you are using.

bhanu

drewberrylicious (Author) commented:
I read that post before posting my question. Unfortunately it was far too complex for my current skill set.

Essentially what I need is an LDAP filter, using the syntax shown below, to retrieve all the users which meet the criteria I originally specified:

"(&(objectCategory=Person)(objectClass=User)(memberof:1.2.840.113556.1.4.1941:=(OU=Users,OU=Domain Accounts,DC=domain,DC=com)))

drewberrylicious (Author) commented:
Allow me to be a little more specific....

In our environment, all active staff members belong within OU=Office (or a sub-OU of Office). I have included screenshots which display the various users below. As shown in the following screenshots, there are 7 users which meet these criteria.

I need to develop an LDAP filter which retrieves ONLY these users, but despite my best efforts (and a myriad of research), I've not yet been successful.

My first real question is whether or not it is possible to filter users based on their OU membership alone.

Assuming this is possible, I am of the impression that the following query (based on http://sharepointsherpa.com/2008/03/14/sharepoint-2007-ldap-user-filters-for-limiting-user-profile-import/) should return users belonging to the Office OU:

(&(objectCategory=Person)(objectClass=User)(memberof:1.2.840.113556.1.4.1941:=(CN=Authenticated Users,OU=Office,DC=domain,DC=local)))

I don't really understand what the numbers stand for, but I thought that I had the distinguished name correct, based on my LDP.exe query (see attached image).

I then tried similar variations of the query which I found at http://mindsharpblogs.com/wayne/archive/2005/06/15/497.aspx, but the results were the same (i.e. there weren't any):

(&(objectCategory=Person)(objectClass=User)(memberOf=OU=Office,DC=domain,DC=local))
(&(objectCategory=Person)(objectClass=User)(memberOf=OU=Amsterdam, OU=Office,DC=domain,DC=local))
(&(objectCategory=Person)(objectClass=User)(memberOf=OU=HQ,OU=Office,DC=domain,DC=local))
(&(objectCategory=Person)(objectClass=User)(memberOf=OU=PC Users,OU=HQOU=Office,DC=domain,DC=local))

If it is not possible to filter AD users by OU only, my second strategy would be to EXCLUDE users which belong to the USERS container and its sub-containers (the sub-containers are a legacy of the migration from Exchange 2000 to 2003). I tried the following, but it returned nothing:

(&(objectCategory=Person)(objectClass=User)(!memberOf=CN=Users,DC=domain,DC=local))

The other alternative would be to only extract users who belong to the AD group called Actresses, but I've had no luck with this either:

(&(objectCategory=Person)(objectClass=User)(memberOf=CN=Actresses,CN=Users,DC=domain,DC=local))

Please help, I'm pulling out my hair over this one.

(Attached screenshots: image1.png to image6.png)
bhanukir7 commented:
hi,

I think this post will give you more insight into how to base your SharePoint imports. This is a good tool on how to use LDIFDE and how to import user profiles from the SharePoint Central Admin site:

http://mindsharpblogs.com/wayne/archive/2005/06/15/497.aspx

bhanu

drewberrylicious (Author) commented:
Thanks, but that's the post I referenced in my last response and I'm still not having any luck after following it.

drewberrylicious (Author) commented:
Do you know if it's possible to include/exclude users in an LDAP query based on their OU and/or security group?

bhanukir7 commented:
hi,

I was revisiting this post again, and I found one of the user comments:

re: Importing only a specific group into sharepoint profile database (via LDAP)  3/17/2008 2:15 PM  Katherine

Hi Wayne,
We found that the syntax you offered above:
(&(objectCategory=Person)(objectClass=User) | (memberOf=CN=Corporate East,OU=Administrative,OU=Distribution Lists,OU=East,DC=domain,DC=local)(memberOf=CN=Corporate West,OU=Administrative,OU=Distribution Lists,OU=West,DC=domain,DC=local)(memberOf=CN=Corporate EMEA,OU=Administrative,OU=Distribution Lists,OU=EMEA,DC=domain,DC=local))

requires a paren before the OR separator (pipe) and a final closing paren, like this:

(&(objectCategory=Person)(objectClass=User)(|(memberOf=CN=Corporate East,OU=Administrative,OU=Distribution Lists,OU=East,DC=domain,DC=local)(memberOf=CN=Corporate West,OU=Administrative,OU=Distribution Lists,OU=West,DC=domain,DC=local)(memberOf=CN=Corporate EMEA,OU=Administrative,OU=Distribution Lists,OU=EMEA,DC=domain,DC=local)))

Can you confirm whether you have already made the corrections and checked the results?

bhanu

drewberrylicious (Author) commented:
I think the problem is that I'm trying to create a filter based on OU alone - and I just don't think that this is possible.

For example - this filter (based on a distribution list) works perfectly:
(&(objectCategory=Person)(objectClass=User)(memberOf=CN=Communications,CN=Distribution Lists,CN=Users,DC=foundation,DC=org))


However, the OU-based filter returns nothing:
(&(objectCategory=Person)(objectClass=User)(memberOf=OU=HQ Consultants & Temps,OU=HQ Users,OU=HQ,OU=Office,DC=foundation,DC=org))

drewberrylicious (Author) commented:
I've now managed to create the two separate filters I need - I just haven't successfully joined the two statements together.

Okay, so filter 1 is:

(&(objectCategory=Person)(objectClass=User)(memberOf=CN=Team,CN=Security Groups,CN=Users,DC=foundation,DC=org))

And filter 2 is:

(&(objectCategory=Person)(objectClass=User)(|(!cn=_*)(!cn=svc*)(!cn=hello*)))

How do I combine the two into a single statement?

bhanukir7 commented:
hi

you can replace the (objectClass=User) with (objectClass=User)(|(!cn=_*)(!cn=svc*)(!cn=hello*))

bhanu
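A constructed Python model of the two questions in this thread (why the OU-based `memberOf` filters return nothing, and how filter 1 and filter 2 combine), added here and not part of the original thread or of any Microsoft or SharePoint code: it assumes a tiny sample directory under DC=domain,DC=local and a group CN=Team, and implements just enough of RFC 4515 filter syntax to evaluate the thread's filters against that sample.

```python
def user(cn, parent, groups=()):
    """One constructed sample entry (not real directory data) for a user under `parent`."""
    return {"dn": f"CN={cn},{parent}", "cn": cn, "memberof": list(groups),
            "objectcategory": "Person", "objectclass": ["top", "person", "user"]}

TEAM = "CN=Team,CN=Security Groups,CN=Users,DC=domain,DC=local"
USERS = [user("Alice", "OU=HQ,OU=Office,DC=domain,DC=local", [TEAM]),
         user("svc-backup", "OU=HQ,OU=Office,DC=domain,DC=local", [TEAM]),
         user("Bob", "CN=Users,DC=domain,DC=local", [TEAM]),
         user("Carol", "OU=Amsterdam,OU=Office,DC=domain,DC=local")]

def escape(value):
    """RFC 4515 escaping for a value embedded in a filter (DNs, names taken from input)."""
    return (value.replace("\\", r"\5c").replace("*", r"\2a").replace("(", r"\28")
                 .replace(")", r"\29").replace("\0", r"\00"))

def combined_filter(group_dn, excluded_cn_prefixes):
    """Thread's filter 1 and filter 2 under one AND: exclusions ANDed, NOT wraps a (term)."""
    excl = "".join(f"(!(cn={escape(p)}*))" for p in excluded_cn_prefixes)
    return f"(&(objectCategory=Person)(objectClass=User)(memberOf={escape(group_dn)}){excl})"

def parse(f, i=0):
    """Parse the parenthesised filter at f[i] into a tree; returns (node, index after it)."""
    if f[i + 1] in "&|!":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] != ")":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)          # escaped parens are \28 / \29, so this is the real close
    attr, _, val = f[i + 1:end].partition("=")
    return ("=", attr.lower(), val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive; trailing * = prefix)."""
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    _, attr, val = node
    vals = entry.get(attr, [])
    vals = vals if isinstance(vals, list) else [vals]
    if val.endswith("*"):
        return any(v.lower().startswith(val[:-1].lower()) for v in vals)
    return any(v.lower() == val.lower() for v in vals)

def search(base_dn, flt):
    """Subtree search: the OU restriction is the search base, never a memberOf term."""
    tree = parse(flt)[0]
    return [u["cn"] for u in USERS
            if u["dn"].lower().endswith("," + base_dn.lower()) and matches(tree, u)]
```

Filter 2 as posted ORs the three NOT terms, which matches any user failing at least one exclusion (that is, everyone), so the exclusions are ANDed here. The OID 1.2.840.113556.1.4.1941 in the earlier attempts is AD's LDAP_MATCHING_RULE_IN_CHAIN rule, which makes memberOf match nested group membership but still expects a group DN, not an OU.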