Building custom LDAP queries
The Windows Server 2003 Active Directory Users and Computers snap-in (ADUC) includes the ‘Saved Queries’ feature which allows you to save queries for future use. One of the nice things about this feature is that once you save the query you can view the actual LDAP query string. You can then proceed to customize the string, or copy and paste it into a script for example.
The biggest shortfall that I see with the ADUC find/search utility is in selecting a Condition, and this is where you may need to customise an LDAP query. The drop-down allows you to choose from Starts with, Ends with and so on, but what about Contains? If you want to search all users for a description that contains a word or phrase anywhere in it, for example, you can’t do so using the standard method. This is where using a saved query comes in handy.
The easiest way to construct a custom query is to start by creating a query that is close to what you would like to search for. In this case you could construct the query by using either Starts with or Ends with as the condition, and then modify the query string once it’s saved. I’ll run through this now.
1. Right click on Saved Queries, then Select New -> Query.
2. Give the query a name, then click on Define Query
3. In this example, we’ll just search users, so select Custom Search from the drop-down.
4. Click on the Field button and select User -> Description.
5. Select Starts with and enter the text that you want to search for, e.g “test lab”, then click on Add.
6. Click on OK. Notice that the Query string field is now populated. Highlight and copy the Query string text and click on Define Query again.
7. Highlight the criteria that you added before and click on Remove.
8. Click on the Advanced tab, and then paste in the query text
9. At this point you can now customise the query text. To search for descriptions that contain “test lab”, you need an asterisk (*) on either side of the text. So you need to add an asterisk to the end of the search text so that it looks like the text in the image below.
10. Click on OK, then OK again.
11. Right click on the Saved Query and click on Refresh. You’ll see that users with “test lab” anywhere in the description will be listed, for example, a user with “Sydney test lab user account” as the description would be listed in the results.
Of course, customizing your LDAP searches can allow you to do a lot more than what I just demonstrated. If you start exploring ADSI Edit you’ll find more attributes of objects that you can search on that aren’t listed in the ADUC search fields. For example, if you wanted to search for all users that have mailboxes on a particular Exchange server, you could use the msExchHomeServerName attribute. Your LDAP query would look something like this:
(&(&(objectCategory=user)(msExchHomeServerName=/o=OrgName/ou=AdminGroupName/cn=Configuration/cn=Servers/cn=ServerName)))
The LDAP queries that you construct aren’t limited to use in ADUC; you can also use them in scripts that perform LDAP queries, or in third-party software that performs LDAP lookups, for example. The ADUC saved queries feature just allows you to construct the basic query; from there you can modify it to do what you need. I should point out that you can also construct LDAP queries and view the LDAP string when you create Query-based distribution lists, or Exchange Address Lists/GALs.
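As an added example (not code from the original post), here is one way a Python script could build the Starts with / Ends with / Contains filters described above, escaping the search text per RFC 4515 so that characters such as * and ( are matched literally. The function names are hypothetical, the sample descriptions are constructed, and matches() is a local stand-in for the directory server that assumes case-insensitive matching on description.

```python
import re

# Characters with special meaning inside an LDAP filter value (RFC 4515).
_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(text):
    """Escape search text so the directory treats it as a literal."""
    return "".join(_SPECIAL.get(ch, ch) for ch in text)


def pattern_for(text, condition="contains"):
    """Place the wildcards for one ADUC-style condition around escaped text."""
    value = escape_filter_value(text)
    return {"starts_with": value + "*",
            "ends_with": "*" + value,
            "contains": "*" + value + "*"}[condition]


def build_filter(attribute, text, condition="contains"):
    """Return a complete filter string limited to user objects."""
    return "(&(objectCategory=user)({}={}))".format(
        attribute, pattern_for(text, condition))


def matches(pattern, value):
    """Local stand-in for the server: case-insensitive substring match."""
    regex = ""
    for piece in re.split(r"(\*)", pattern):
        if piece == "*":
            regex += ".*"
        else:
            # Decode \xx escapes, then match the decoded text literally.
            literal = re.sub(r"\\([0-9a-fA-F]{2})",
                             lambda m: chr(int(m.group(1), 16)), piece)
            regex += re.escape(literal)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


if __name__ == "__main__":
    # Constructed sample descriptions, not real directory data.
    descriptions = ["Sydney test lab user account", "Test lab admin",
                    "Finance (contractor)"]
    for condition in ("starts_with", "ends_with", "contains"):
        print(build_filter("description", "test lab", condition))
        pattern = pattern_for("test lab", condition)
        print("  matches:", [d for d in descriptions if matches(pattern, d)])
    # Parentheses in the search text are escaped instead of altering the filter.
    print(build_filter("description", "(contractor)"))
```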
Luanne said,
May 17, 2007 @ 3:31 am
This information has been helpful; however, I’m still unable to get the information I want. I’m trying to query all users who belong to a group that contains ‘ctx’ in the group name. Can you offer any suggestions?
Ben Christian said,
May 17, 2007 @ 11:40 pm
Hi Luanne,
That’s a good question. Unfortunately I don’t think you’ll be able to return the results you want in a single LDAP query. The problem is that the memberof attribute that you use to query users that belong to a group requires a distinguished name, and LDAP doesn’t like using wildcards in distinguished names.
You could use vbscript to query groups that have ‘ctx’ in the display name, and then loop through each group and enumerate the members. If you’re interested in this approach I’m sure I could put something together for you.
Barry Duncan said,
September 3, 2007 @ 5:19 pm
Thanks HEAPS! This helped out greatly. I’m away and fixing SMS now. Never done custom LDAP queries, and this will make SMS drill down to the exact containers instead of searching the entirety of AD for workstations and security groups and users.
Thanks again!
Ben Christian said,
September 3, 2007 @ 8:08 pm
Hi Barry, I’m glad I could help out!