Solved

LDAP query syntax

Posted on 2014-12-05
165 Views
Last Modified: 2014-12-10
I'm trying to create some groups (distribution lists) through an application we're using and I need to do so using LDAP query.
It's for breaking our students into their respective school site and I have it working but it's including the disabled accounts.  I would like to create the list and NOT include those disabled accounts.
Here's what I'm using (made generic for the domain) and this is working:
(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)))
I've tried adding (!(userAccountControl=514)) at the end, but then no output is generated.  I've tried adding (&(userAccountControl=512) at the beginning but still no joy.  
[514=disabled account so that should skip disabled accounts]
[512=enabled so that was an attempt to keep only the enabled accounts]

Can anyone help me with adding this syntax?  (LDAP doesn't come up as a topic so next best match was Active Directory)
Question by:skbarnard
6 Comments
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40484039
(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us))) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))



Useful LDAP Search Queries

 How to query Active Directory by using a bitwise filter

Author Comment

by:skbarnard
ID: 40487014
I tried the above query string in the 3rd party application and received no results.  So to test the query string, I entered it in an Active Directory "custom search" query and received the attached error. (I'm not sure why the error is showing 4 ampersands; there are only 2 at the beginning of the string).

The articles included referenced a tidbit about skipping specific OUs and stated that's not possible without running multiple queries.  While I'm not trying to skip a specific OU, would it work for me to try something like that in order to skip the disabled student accounts?
LDAPQueryError.pdf
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40487081
Is there a specific reason why you created a pdf to hold a picture and not just upload the picture?

I'm not sure that the open and close brackets match .. the important part is at the end.
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Author Comment

by:skbarnard
ID: 40487225
The picture is a screen print, I have no other way to upload the picture than to save it to something.
I was curious about the open and close parenthesis.  I just copied and pasted the query string from what you provided above.  
I'll take a look at the parenthesis and report back.

Author Comment

by:skbarnard
ID: 40487266
Mr. Johnson -- you were right, it was an open/close parenthesis issue.  I was able to clean that up and now I'm getting the results I was hoping for.
Cleaned up query: (&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))
Thanks for that.
One more question though before I close the thread --- we'd also like to create groups by each grade level but the grade level isn't an AD attribute.  I know we can create a custom attribute but do I do that through another LDAP query or should I use PowerShell?  If through LDAP, can you provide assistance with the query syntax?
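The accepted answer's bitwise filter and the cleaned-up query above, exercised offline in an added Python example (this is not code from the thread or from Experts Exchange). It implements only the small RFC 4515 subset these filters use plus Active Directory's bitwise-AND matching rule 1.2.840.113556.1.4.803, checks parenthesis balance (the actual problem in this thread), and runs the original filter, the asker's (!(userAccountControl=514)) attempt, and the fixed filter against constructed sample entries. The account names, offices and userAccountControl values are made up; objectCategory is simplified to the short value "person", and the evaluator ignores AD details such as DN-valued attributes.

```python
"""Toy evaluator for the LDAP filter subset used in this thread.

Added example, not code from the original thread. Supports &, |, !, equality
with * wildcards, and AD's bitwise-AND rule (OID 1.2.840.113556.1.4.803,
LDAP_MATCHING_RULE_BIT_AND) so the thread's filters can be run offline.
"""
from fnmatch import fnmatchcase

BIT_AND_RULE = "1.2.840.113556.1.4.803"
UAC_ACCOUNTDISABLE = 0x2          # the flag the accepted answer tests for
UAC_NORMAL_ACCOUNT = 0x200        # 512
UAC_DONT_EXPIRE_PASSWD = 0x10000  # 65536

# Filters quoted from the thread.
ORIGINAL_FILTER = ("(&(&(objectCategory=person)(objectClass=user)"
                   "(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)))")
BROKEN_FILTER = ORIGINAL_FILTER + " (!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
FIXED_FILTER = ("(&(&(objectCategory=person)(objectClass=user)"
                "(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)"
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2))))")
# The asker's first attempt, rewritten with balanced parentheses for comparison.
EQUALITY_FILTER = FIXED_FILTER.replace(
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))", "(!(userAccountControl=514))")


def check_parentheses(filt):
    """Return None when every ')' closes an earlier '(' and depth ends at 0,
    otherwise a message saying where the filter goes wrong."""
    depth = 0
    for i, ch in enumerate(filt):
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return f"unmatched ')' at offset {i}"
    return None if depth == 0 else f"{depth} '(' never closed"


def parse(filt):
    """Parse a filter into a small tuple tree; raises ValueError on bad syntax."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(filt) or filt[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def item():
        nonlocal pos
        expect("(")
        if filt[pos] in "&|":
            op, pos = filt[pos], pos + 1
            kids = []
            while filt[pos] == "(":
                kids.append(item())
            expect(")")
            return (op, kids)
        if filt[pos] == "!":
            pos += 1
            node = ("!", item())
            expect(")")
            return node
        eq = filt.index("=", pos)
        lhs, pos = filt[pos:eq], eq + 1
        end = filt.index(")", pos)
        value, pos = filt[pos:end], end + 1
        if lhs.endswith(":"):                     # attr:matchingRuleOID:=value
            attr, rule = lhs[:-1].split(":", 1)
            return ("ext", attr, rule, value)
        return ("eq", lhs, value)

    tree = item()
    if pos != len(filt):                          # e.g. text after the final ')'
        raise ValueError(f"trailing text at offset {pos}: {filt[pos:]!r}")
    return tree


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names lower-cased)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1].lower(), [])
    if kind == "ext":
        if node[2] != BIT_AND_RULE:
            raise ValueError(f"unsupported matching rule {node[2]}")
        mask = int(node[3])
        # AD semantics: true when every bit of the mask is set in the attribute.
        return any(int(v) & mask == mask for v in values)
    # Equality: AD string attributes compare case-insensitively; '*' is a wildcard.
    return any(fnmatchcase(str(v).lower(), node[2].lower()) for v in values)


def entry(**attrs):
    """Build a constructed entry: lower-cased attribute names, list values."""
    return {k.lower(): v if isinstance(v, list) else [v] for k, v in attrs.items()}


def student(name, office, uac, domain="student.domain.us"):
    return entry(sAMAccountName=name, objectCategory="person",
                 objectClass=["top", "person", "organizationalPerson", "user"],
                 physicalDeliveryOfficeName=office, mail=f"{name}@{domain}",
                 userAccountControl=uac)


# Constructed sample directory (made-up accounts).
DIRECTORY = [
    student("alice", "SchoolName Elementary", UAC_NORMAL_ACCOUNT),                         # enabled
    student("bob", "SchoolName Elementary", UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE),      # 514
    student("carol", "SchoolName Elementary",
            UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE | UAC_DONT_EXPIRE_PASSWD),             # 66050
    student("dave", "Other Elementary", UAC_NORMAL_ACCOUNT),                               # other site
    student("erin", "SchoolName Elementary", UAC_NORMAL_ACCOUNT, domain="staff.domain.us"),
]


def search(filt):
    """Return the sAMAccountNames matched by filt, sorted."""
    tree = parse(filt)
    return sorted(e["samaccountname"][0] for e in DIRECTORY if matches(tree, e))


if __name__ == "__main__":
    print("broken filter:", check_parentheses(BROKEN_FILTER))
    for label, f in [("original", ORIGINAL_FILTER), ("equality", EQUALITY_FILTER),
                     ("fixed", FIXED_FILTER)]:
        print(f"{label:9}", search(f))
```

Running it reports the unmatched ')' in the answer as first posted, then lists alice, bob and carol for the original filter, alice and carol for the equality attempt, and only alice for the fixed filter. The carol case is the reason to prefer the bitwise rule: (userAccountControl=514) only matches accounts whose whole flag word is exactly 514, so a disabled account that also has "password never expires" set (66050) slips past an equality test but is still caught by the bitwise check of the ACCOUNTDISABLE bit.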

Author Closing Comment

by:skbarnard
ID: 40491629
Be sure to look toward the bottom of the thread to see the cleaned-up query, but many thanks, Mr. Johnson, for providing the syntax to exclude the disabled accounts.