LDAP query


I was wondering how to formulate an LDAP query that would return all users and their manager's phone number attribute.
Currently I have the Filter set as (objectclass=user) which just returns every user in the organization.

Each user has an attribute "manager" which has their manager's Distinguished Name, e.g.: CN=Manager's Name,OU=Staff,OU=Users,OU=CompanyName,DC=XXX,DC=local

Each user also has an attribute "homePhone" which has the phone number

So how do I say give me the user + query the user's manager and only give me the manager's homePhone attribute?


Mike Kline Commented:
You won't be able to get that in an LDAP query in ADUC.  You could do (&(objectcategory=person)(objectclass=user))

You could use a tool like adfind to find the manager attribute and then pipe it into adfind again to get the manager phone number

I could show you an example of that if you are interested.


maloriopolium Author Commented:
Hi mkline71.

Thanks for your reply. I forgot to add that I am trying to do this programmatically in .NET. So based on what you have said, would I need to do another sub query? So basically, I iterate through each user, and for each user, I do another ldap query filtering on the manager's DN and then get back the homePhone attribute?

Bruno PACI, IT Consultant Commented:

Personally, to make more efficient code than getting all users and searching the manager for each of these users, if I had to do that in vbs I would create a Dictionary object.

I would start with an LDAP query to obtain the 'samAccountName' and 'manager' attributes of all users. I would keep the resulting recordset open.
I would add the 'manager' attribute result to the Dictionary object to obtain an array of unique manager distinguishedNames.
I would then scan the Dictionary and interrogate AD to obtain the homePhone of each manager that is in the Dictionary, and would keep the result in the 'item' property in the Dictionary.
Finally I would rescan the recordset and for each record use the Dictionary to obtain the homePhone matching the manager's distinguishedName.

That should limit AD interrogations and save time and network traffic...

Have a good day.
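
The dictionary approach described in the answer above, written in C# for the .NET case the asker mentions (an added example, not code posted by anyone in this thread). It assumes a domain-joined Windows host, the caller's own credentials and the default domain as search root; the class name `ManagerPhoneReport` and the helper `First` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;          // requires a reference to System.DirectoryServices
using System.Runtime.InteropServices;

static class ManagerPhoneReport
{
    // First value of an attribute, or null when the attribute is absent or unreadable.
    static string First(SearchResult r, string attr) =>
        r.Properties.Contains(attr) && r.Properties[attr].Count > 0
            ? r.Properties[attr][0].ToString() : null;

    static void Main()
    {
        var users = new List<KeyValuePair<string, string>>();   // sAMAccountName -> manager DN
        var phoneByManager = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

        // Pass 1: one paged query, loading only the two attributes needed.
        using (var searcher = new DirectorySearcher(
                   "(&(objectCategory=person)(objectClass=user))",
                   new[] { "sAMAccountName", "manager" }))
        {
            searcher.PageSize = 500;     // without paging, results stop at the server size limit
            using (SearchResultCollection results = searcher.FindAll())
                foreach (SearchResult r in results)
                {
                    string mgr = First(r, "manager");
                    users.Add(new KeyValuePair<string, string>(First(r, "sAMAccountName"), mgr));
                    if (mgr != null) phoneByManager[mgr] = null;   // collect unique manager DNs
                }
        }

        // Pass 2: one base-scope read per distinct manager instead of one per user.
        foreach (string dn in new List<string>(phoneByManager.Keys))
        {
            // The DN is used as a bind path, never concatenated into a search filter.
            // '/' is the ADsPath separator, so it is escaped before binding.
            try
            {
                using (var entry = new DirectoryEntry("LDAP://" + dn.Replace("/", "\\/")))
                using (var s = new DirectorySearcher(entry, "(objectClass=*)",
                           new[] { "homePhone" }, SearchScope.Base))
                {
                    SearchResult m = s.FindOne();
                    phoneByManager[dn] = m == null ? null : First(m, "homePhone");
                }
            }
            catch (COMException) { /* manager object deleted or not readable: leave null */ }
        }

        // Pass 3: join in memory; no further directory traffic.
        foreach (var u in users)
            Console.WriteLine("{0}\t{1}", u.Key,
                u.Value == null ? "(no manager)" : phoneByManager[u.Value] ?? "(no homePhone)");
    }
}
```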

maloriopolium Author Commented:
Thanks PaciB. Yes interrogating the Dictionary object makes more sense for efficiency.