Solved

LDAP query syntax

Posted on 2014-12-05
Medium Priority
180 Views
Last Modified: 2014-12-10
I'm trying to create some groups (distribution lists) through an application we're using and I need to do so using LDAP query.
It's for breaking our students into their respective school site and I have it working but it's including the disabled accounts.  I would like to create the list and NOT include those disabled accounts.
Here's what I'm using (made generic for the domain) and this is working:
(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)))
I've tried adding (!(userAccountControl=514)) at the end, but then no output is generated.  I've tried adding (&(userAccountControl=512) at the beginning but still no joy.  
[514=disabled account so that should skip disabled accounts]
[512=enabled so that was an attempt to keep only the enabled accounts]

Can anyone help me with adding this syntax?  (LDAP doesn't come up as a topic so next best match was Active Directory)
Question by:skbarnard
6 Comments
 
LVL 82

Accepted Solution

by:
David Johnson, CD, MVP earned 2000 total points
ID: 40484039
(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us))) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))



Useful LDAP Search Queries
How to query Active Directory by using a bitwise filter
0
 

Author Comment

by:skbarnard
ID: 40487014
I tried the above query string in the 3rd party application and received no results.  So to test the query string, I entered it in an Active Directory "custom search" query and received the attached error. (I'm not sure why the error is showing 4 ampersands, there are only 2 at the beginning of the string).

The articles included referenced a tidbit about skipping specific OUs and stated that's not possible without running multiple queries.  While I'm not trying to skip a specific OU, would it work for me to try something like that in order to skip the disabled student accounts?
LDAPQueryError.pdf
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40487081
Is there a specific reason why you created a pdf to hold a picture and not just upload the picture?

I'm not sure that the open and close brackets match .. the important part is at the end.
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
0
 

Author Comment

by:skbarnard
ID: 40487225
The picture is a screen print, I have no other way to upload the picture than to save it to something.
I was curious about the open and close parentheses.  I just copied and pasted the query string from what you provided above.
I'll take a look at the parentheses and report back.
0
 

Author Comment

by:skbarnard
ID: 40487266
Mr. Johnson -- you were right, it was an open/close parenthesis issue.  I was able to clean that up and now I'm getting the results I was hoping for.
Cleaned up query: (&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))
Thanks for that.
One more question though before I close the thread --- we'd also like to create groups by each grade level but the grade level isn't an AD attribute.  I know we can create a custom attribute but do I do that through another LDAP query or should I use PowerShell?  If through LDAP, can you provide assistance with the query syntax?
0
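Added example, not code from the thread or from Experts Exchange: a small Python model of how a directory evaluates these filters, run over constructed student records. It implements only the filter subset the thread uses (&, |, !, equality and substring matches, and the bitwise-AND matching rule 1.2.840.113556.1.4.803) and stores objectCategory as the plain word "person" rather than the DN Active Directory actually holds. It shows why the two attempts in the question fail on real data, that (!(userAccountControl=514)) still returns a disabled account whose userAccountControl has other bits set and (userAccountControl=512) drops enabled accounts with other bits set, and that the answer as first posted has unbalanced parentheses, which is the error the author hit. The function names and the sample accounts are the example's own.

```python
# Added example (not from the thread): a toy LDAP filter evaluator used to show
# why equality tests on userAccountControl miss accounts and why the bitwise
# matching rule from the accepted answer does not. All account records below are
# constructed; real AD stores objectCategory as a DN, here it is just "person".
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
UAC_ACCOUNTDISABLE = 2  # the ACCOUNTDISABLE bit in userAccountControl

# The answer as first posted (unbalanced) and the cleaned-up version from the thread.
ANSWER_AS_POSTED = ("(&(&(objectCategory=person)(objectClass=user)"
                    "(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)))"
                    " (!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
CLEANED_FROM_THREAD = ("(&(&(objectCategory=person)(objectClass=user)"
                       "(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)"
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=2))))")


def build_student_filter(site, mail_domain="student.domain.us"):
    """Same filter as CLEANED_FROM_THREAD, without the redundant nested '&'."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(physicalDeliveryOfficeName={site}*)(mail=*@{mail_domain})"
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_ACCOUNTDISABLE})))")


def parens_balanced(ldap_filter):
    """First thing to check when a filter returns nothing or errors out."""
    depth = 0
    for ch in ldap_filter:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0


def _expect(s, i, ch):
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i}")


def _parse(s, i):
    """Recursive-descent parser for the subset of RFC 4515 used in the thread."""
    _expect(s, i, "(")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, subs = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        _expect(s, i, ")")
        return (op, subs), i + 1
    if i < len(s) and s[i] == "!":
        node, i = _parse(s, i + 1)
        _expect(s, i, ")")
        return ("!", node), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1


def parse_filter(s):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError(f"trailing text after filter: {s[i:]!r}")
    return node


def filter_parses(s):
    """True when the whole string is one well-formed filter."""
    try:
        parse_filter(s)
        return True
    except ValueError:
        return False


def _match_leaf(attr, value, record):
    if ":" in attr:                                   # extensible match attr:OID:=value
        name, rule, _ = attr.split(":")
        if rule != LDAP_MATCHING_RULE_BIT_AND:
            raise ValueError("unsupported matching rule " + rule)
        actual = record.get(name)
        # bitwise AND rule: every bit in value must be set in the attribute
        return actual is not None and (int(actual) & int(value)) == int(value)
    actual = record.get(attr)
    if actual is None:
        return False
    if "*" in value:                                  # substring match
        pattern = ".*".join(re.escape(p) for p in value.split("*"))
        return re.fullmatch(pattern, str(actual), re.IGNORECASE) is not None
    return str(actual).lower() == value.lower()


def matches(node, record):
    op = node[0]
    if op == "&":
        return all(matches(n, record) for n in node[1])
    if op == "|":
        return any(matches(n, record) for n in node[1])
    if op == "!":
        return not matches(node[1], record)
    return _match_leaf(node[1], node[2], record)


def _student(cn, uac, site="SchoolName Elementary"):
    return {"cn": cn, "objectCategory": "person", "objectClass": "user",
            "physicalDeliveryOfficeName": site, "mail": f"{cn}@student.domain.us",
            "userAccountControl": uac}


SAMPLE_ACCOUNTS = [                        # constructed; the UAC values are real bit combinations
    _student("enabled", 512),              # NORMAL_ACCOUNT
    _student("enabled-nopwexp", 66048),    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    _student("disabled", 514),             # NORMAL_ACCOUNT | ACCOUNTDISABLE
    _student("disabled-nopwexp", 66050),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
    _student("other-site", 512, site="OtherSchool"),
]


def search(ldap_filter, records=SAMPLE_ACCOUNTS):
    """Return the cn of every record the filter matches."""
    node = parse_filter(ldap_filter)
    return [r["cn"] for r in records if matches(node, r)]


if __name__ == "__main__":
    base = ("(objectCategory=person)(objectClass=user)"
            "(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)")
    print("answer as posted parses:", filter_parses(ANSWER_AS_POSTED))
    print("bitwise rule:  ", search(CLEANED_FROM_THREAD))
    print("!(UAC=514):    ", search(f"(&{base}(!(userAccountControl=514)))"))
    print("UAC=512:       ", search(f"(&{base}(userAccountControl=512))"))
```

Equality on userAccountControl only matches one exact combination of bits, so any account that also has DONT_EXPIRE_PASSWORD or another flag set slips past both of the question's attempts; the :1.2.840.113556.1.4.803:=2 clause tests the ACCOUNTDISABLE bit alone, whatever else is set, which is why it is the right tool here.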
 

Author Closing Comment

by:skbarnard
ID: 40491629
Be sure to look toward the bottom of the thread to see the cleaned-up query, but many thanks Mr. Johnson for providing the syntax to exclude the disabled accounts.
0
