LDAP query syntax

I'm trying to create some groups (distribution lists) through an application we're using and I need to do so using LDAP query.
It's for breaking our students into their respective school site and I have it working but it's including the disabled accounts.  I would like to create the list and NOT include those disabled accounts.
Here's what I'm using (made generic for the domain) and this is working:
(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)))
I've tried adding (!(userAccountControl=514)) at the end, but then no output is generated.  I've tried adding (&(userAccountControl=512) at the beginning but still no joy.  
[514=disabled account so that should skip disabled accounts]
[512=enabled so that was an attempt to keep only the enabled accounts]

Can anyone help me with adding this sytax?  (LDAP doesn't come up as a topic so next best match was Active Directory)
skbarnardAsked:
Who is Participating?
 
David Johnson, CD, MVPConnect With a Mentor OwnerCommented:
(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us))) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Open in new window


Useful LDAP Search Queries

 How to query Active Directory by using a bitwise filter
0
 
skbarnardAuthor Commented:
I tried the above query string in the 3rd party application and recieved no results.  So to test the query string, I entered it in an Active Directory "custom search" query and received the attached error. (I'm not sure why the error is showing 4 ampersands, there are only 2 at the beginning of the string).

The articles included referenced a tidbit about skipping specific OU's and stated that's not possible without running multiple queries.  While I'm not trying to skip a specific OU, would it work for me to try something like that in order to skip the disable student accounts?
LDAPQueryError.pdf
0
 
David Johnson, CD, MVPOwnerCommented:
Is there a specific reason why you created a pdf to hold a picture and not just upload the picture?

I'm not sure that the open and close brackets match .. the important part is at the end.
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
skbarnardAuthor Commented:
The picture is a screen print, I have no other way to upload the picture than to save it to something.
I was curious about the open and close parenthesis.  I just copied and pasted the query string from what you provided above.  
I'll take a look at the parenthesis and report back.
0
 
skbarnardAuthor Commented:
Mr. Johnson -- you were right, it was a open/close parenthesis issue.  I was able to clean that up and now I'm getting the results I was hoping for.
Cleaned up query: (&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))
Thanks for that.
One more question though before I close the thread --- we'd also like to create groups by each grade level but the grade level isn't an AD attribute.  I know we can create a custom attribute but do I do that through another LDAP query or should I use PowerShell?  If through LDAP, can you provide assistance with the query syntax?
0
 
skbarnardAuthor Commented:
Be sure to look toward the bottom of the thread to see the cleaned up query but many thanks Mr. Johnson for providing the syntax to exclude the disabled accounts
0
All Courses

From novice to tech pro — start learning today.