Solved

LDAP query syntax

Posted on 2014-12-05
167 Views
Last Modified: 2014-12-10
I'm trying to create some groups (distribution lists) through an application we're using and I need to do so using LDAP query.
It's for breaking our students into their respective school site and I have it working but it's including the disabled accounts.  I would like to create the list and NOT include those disabled accounts.
Here's what I'm using (made generic for the domain) and this is working:
(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)))
I've tried adding (!(userAccountControl=514)) at the end, but then no output is generated.  I've tried adding (&(userAccountControl=512) at the beginning but still no joy.  
[514=disabled account so that should skip disabled accounts]
[512=enabled so that was an attempt to keep only the enabled accounts]

Can anyone help me with adding this syntax?  (LDAP doesn't come up as a topic so next best match was Active Directory)
Question by:skbarnard
6 Comments

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40484039
(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us))) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Useful LDAP Search Queries

 How to query Active Directory by using a bitwise filter
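Why the bitwise rule is the right tool, as an added example that is not part of this thread or of Experts Exchange: userAccountControl is a bit field, so 514 is just 512 (NORMAL_ACCOUNT) plus 2 (ACCOUNTDISABLE). A disabled account that also has, say, "password never expires" (0x10000) carries 66050, and an equality test against 514 lets it through, while the 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) rule checks only the disabled bit. The Python below is a small filter evaluator written for this page. It parses the filter strings from the thread, rejects the unbalanced one with a clear error before it ever reaches a directory, and runs the others against a constructed set of student entries. Assumptions: the entries are made up, objectCategory is kept as the short form "person" (real AD stores a DN and resolves the short form in filters), objectClass is modelled as single-valued, and filter values are assumed not to contain ')' (no \29 escapes).

```python
"""Evaluate LDAP search filters locally, including AD's bitwise matching rules."""
import re

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND: every bit in the value must be set
BIT_OR = "1.2.840.113556.1.4.804"    # LDAP_MATCHING_RULE_BIT_OR: at least one bit in the value is set


def parse_filter(text):
    """Parse an RFC 4515 filter (&, |, !, equality/presence/substring, attr:OID:=value) into a
    tuple tree. Raises ValueError on unbalanced parentheses, the defect discussed in this thread."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if text[pos:pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}, found {text[pos:pos + 1]!r}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        head = text[pos:pos + 1]
        if head in ("&", "|", "!"):
            pos += 1
            kids = []
            while text[pos:pos + 1] == "(":
                kids.append(node())
            if head == "!" and len(kids) != 1:
                raise ValueError(f"'!' takes exactly one filter, near offset {pos}")
            expect(")")
            return (head, kids)
        end = text.index(")", pos)                  # ValueError if the item is never closed
        attr, _, value = text[pos:end].partition("=")   # simplification: no ')' inside values
        pos = end + 1
        if attr.endswith(":"):                      # extensible match: attr:matchingRuleOID:=value
            attr, rule = attr[:-1].split(":", 1)
            return ("ext", attr, rule, value)
        return ("eq", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError(f"unexpected trailing text at offset {pos}: {text[pos:]!r}")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (a dict of attribute -> value)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, entry) for k in tree[1])
    if kind == "|":
        return any(matches(k, entry) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    # Attribute names are case-insensitive in LDAP; an absent attribute never matches.
    value = next((v for k, v in entry.items() if k.lower() == tree[1].lower()), None)
    if value is None:
        return False
    if kind == "ext":                               # bitwise rules compare integers
        have, mask = int(value), int(tree[3])
        if tree[2] == BIT_AND:
            return (have & mask) == mask
        if tree[2] == BIT_OR:
            return (have & mask) != 0
        raise ValueError(f"unsupported matching rule {tree[2]}")
    want = tree[2].lower()
    if want == "*":                                 # presence filter
        return True
    if "*" in want:                                 # substring filter, '*' is a wildcard
        pattern = ".*".join(re.escape(part) for part in want.split("*"))
        return re.fullmatch(pattern, str(value).lower()) is not None
    return str(value).lower() == want


def search(filter_text, entries):
    """Return the sAMAccountName of every entry the filter selects, in input order."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(tree, e)]


def is_well_formed(filter_text):
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False


STUDENTS = [  # constructed sample data, not real accounts; objectCategory kept as the short form
    {"objectCategory": "person", "objectClass": "user", "sAMAccountName": name,
     "physicalDeliveryOfficeName": site, "mail": f"{name}@student.domain.us", "userAccountControl": uac}
    for name, site, uac in [
        ("alice", "SchoolName Elementary", 512),     # NORMAL_ACCOUNT, enabled
        ("bob", "SchoolName Elementary", 514),       # NORMAL_ACCOUNT | ACCOUNTDISABLE
        ("carol", "SchoolName Elementary", 66050),   # disabled, plus DONT_EXPIRE_PASSWD (0x10000)
        ("dave", "OtherSchool", 512),                # enabled, but at a different site
    ]
]

CLEANED = ("(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)"
           "(mail=*@student.domain.us)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))")
NAIVE = CLEANED.replace("(userAccountControl:1.2.840.113556.1.4.803:=2)", "(userAccountControl=514)")
BROKEN = ("(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)"
          "(mail=*@student.domain.us))) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
```

search(NAIVE, STUDENTS) returns alice and carol, because carol's 66050 is not equal to 514 even though her disabled bit is set; search(CLEANED, STUDENTS) returns only alice, and is_well_formed(BROKEN) is False with the parser pointing at the stray ") (" where the first version of the answer went wrong. The same filter strings can be handed to a real directory unchanged, for example as the -LDAPFilter argument of Get-ADUser.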

Author Comment

by:skbarnard
ID: 40487014
I tried the above query string in the 3rd party application and received no results.  So to test the query string, I entered it in an Active Directory "custom search" query and received the attached error. (I'm not sure why the error is showing 4 ampersands, there are only 2 at the beginning of the string).

The articles included referenced a tidbit about skipping specific OUs and stated that's not possible without running multiple queries.  While I'm not trying to skip a specific OU, would it work for me to try something like that in order to skip the disabled student accounts?
LDAPQueryError.pdf

Expert Comment

by:David Johnson, CD, MVP
ID: 40487081
Is there a specific reason why you created a pdf to hold a picture and not just upload the picture?

I'm not sure that the open and close brackets match .. the important part is at the end.
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Author Comment

by:skbarnard
ID: 40487225
The picture is a screen print, I have no other way to upload the picture than to save it to something.
I was curious about the open and close parenthesis.  I just copied and pasted the query string from what you provided above.  
I'll take a look at the parenthesis and report back.

Author Comment

by:skbarnard
ID: 40487266
Mr. Johnson -- you were right, it was an open/close parenthesis issue.  I was able to clean that up and now I'm getting the results I was hoping for.
Cleaned up query: (&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))
Thanks for that.
One more question though before I close the thread --- we'd also like to create groups by each grade level but the grade level isn't an AD attribute.  I know we can create a custom attribute but do I do that through another LDAP query or should I use PowerShell?  If through LDAP, can you provide assistance with the query syntax?

Author Closing Comment

by:skbarnard
ID: 40491629
Be sure to look toward the bottom of the thread to see the cleaned up query but many thanks Mr. Johnson for providing the syntax to exclude the disabled accounts