Solved

LDAP query syntax

Posted on 2014-12-05
6
168 Views
Last Modified: 2014-12-10
I'm trying to create some groups (distribution lists) through an application we're using and I need to do so using LDAP query.
It's for breaking our students into their respective school site and I have it working but it's including the disabled accounts.  I would like to create the list and NOT include those disabled accounts.
Here's what I'm using (made generic for the domain) and this is working:
(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)))
I've tried adding (!(userAccountControl=514)) at the end, but then no output is generated.  I've tried adding (&(userAccountControl=512) at the beginning but still no joy.  
[514=disabled account so that should skip disabled accounts]
[512=enabled so that was an attempt to keep only the enabled accounts]

Can anyone help me with adding this sytax?  (LDAP doesn't come up as a topic so next best match was Active Directory)
0
Comment
Question by:skbarnard
  • 4
  • 2
6 Comments
 
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40484039
(&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us))) (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Open in new window


Useful LDAP Search Queries

 How to query Active Directory by using a bitwise filter
0
 

Author Comment

by:skbarnard
ID: 40487014
I tried the above query string in the 3rd party application and recieved no results.  So to test the query string, I entered it in an Active Directory "custom search" query and received the attached error. (I'm not sure why the error is showing 4 ampersands, there are only 2 at the beginning of the string).

The articles included referenced a tidbit about skipping specific OU's and stated that's not possible without running multiple queries.  While I'm not trying to skip a specific OU, would it work for me to try something like that in order to skip the disable student accounts?
LDAPQueryError.pdf
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40487081
Is there a specific reason why you created a pdf to hold a picture and not just upload the picture?

I'm not sure that the open and close brackets match .. the important part is at the end.
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:skbarnard
ID: 40487225
The picture is a screen print, I have no other way to upload the picture than to save it to something.
I was curious about the open and close parenthesis.  I just copied and pasted the query string from what you provided above.  
I'll take a look at the parenthesis and report back.
0
 

Author Comment

by:skbarnard
ID: 40487266
Mr. Johnson -- you were right, it was a open/close parenthesis issue.  I was able to clean that up and now I'm getting the results I was hoping for.
Cleaned up query: (&(&(objectCategory=person)(objectClass=user)(physicalDeliveryOfficeName=SchoolName*)(mail=*@student.domain.us)(!(userAccountControl:1.2.840.113556.1.4.803:=2))))
Thanks for that.
One more question though before I close the thread --- we'd also like to create groups by each grade level but the grade level isn't an AD attribute.  I know we can create a custom attribute but do I do that through another LDAP query or should I use PowerShell?  If through LDAP, can you provide assistance with the query syntax?
0
 

Author Closing Comment

by:skbarnard
ID: 40491629
Be sure to look toward the bottom of the thread to see the cleaned up query but many thanks Mr. Johnson for providing the syntax to exclude the disabled accounts
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question