Building custom LDAP queries
The Windows Server 2003 Active Directory Users and Computers snap-in (ADUC) includes the ‘Saved Queries’ feature which allows you to save queries for future use. One of the nice things about this feature is that once you save the query you can view the actual LDAP query string. You can then proceed to customize the string, or copy and paste it into a script for example.
The biggest shortcoming that I see with the ADUC find/search utility is the Condition drop-down, and this is where you may need to customise an LDAP query. The drop-down lets you choose Starts with, Ends with and so on, but what about Contains? If, for example, you want to search all users for a description that contains a word or phrase anywhere in the description, you can’t do it with the standard method. This is where a saved query comes in handy.
The easiest way to construct a custom query is to start by creating a query that is close to what you would like to search for. In this case you could construct the query by using either Starts with or Ends with as the condition, and then modify the query string once it’s saved. I’ll run through this now.
1. Right click on Saved Queries, then Select New -> Query.
2. Give the query a name, then click on Define Query.
3. In this example, we’ll just search users, so select Custom Search from the drop-down.
4. Click on the Field button and select User -> Description.
5. Select Starts with and enter the text that you want to search for, e.g. “test lab”, then click on Add.
6. Click on OK. Notice that the Query string field is now populated. Highlight and copy the Query string text and click on Define Query again.
7. Highlight the criteria that you added before and click on Remove.
8. Click on the Advanced tab, and then paste in the query text.
9. At this point you can customise the query text. To search for descriptions that contain “test lab”, you need an asterisk (*) on either side of the text. So you need to add an asterisk to the end of the search text so that it looks like the text in the image below.
10. Click on OK, then OK again.
11. Right click on the Saved Query and click on Refresh. You’ll see that users with “test lab” anywhere in the description will be listed, for example, a user with “Sydney test lab user account” as the description would be listed in the results.
Of course, customizing your LDAP searches can allow you to do a lot more than what I just demonstrated. If you start exploring ADSI Edit you’ll find more attributes of objects that you can search on that aren’t listed in the ADUC search fields. For example, if you wanted to search for all users that have mailboxes on a particular Exchange server, you could use the msExchHomeServerName attribute. Your LDAP query would look something like this:
(&(&(objectCategory=user)(msExchHomeServerName=/o=OrgName/ou=AdminGroupName/cn=Configuration/cn=Servers/cn=ServerName)))
The LDAP queries that you construct aren’t limited to use in ADUC; you can implement them in scripts that perform LDAP queries, or in third-party software that performs LDAP lookups, for example. The ADUC saved queries feature just allows you to construct the basic query; from there you can modify it to do what you need. I should point out that you can also construct LDAP queries and view the LDAP string when you create Query-based distribution lists, or Exchange Address Lists/GALs.
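As an added example that is not part of the original article, here is a small Python helper that builds the same Starts with / Ends with / Contains filters by hand, so that a script can generate them instead of copying the string out of ADUC. It escapes the search text per RFC 4515 before adding the wildcards, so a description containing brackets or an asterisk cannot change the shape of the filter; the (objectCategory=user) wrapper mirrors the query shown above and is an assumption about what your saved query produces.

```python
# Added example, not code from the original article.
# Builds ADUC-style condition filters and escapes the literal search text
# so only the deliberately added asterisks act as wildcards.

# RFC 4515 escaping for characters that are special inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_value(text: str) -> str:
    """Escape the search text so it is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def attribute_filter(attribute: str, text: str, condition: str) -> str:
    """Return one (attribute=...) clause for an ADUC-style condition."""
    value = escape_value(text)
    if condition == "starts with":
        return f"({attribute}={value}*)"
    if condition == "ends with":
        return f"({attribute}=*{value})"
    if condition == "contains":          # the condition ADUC does not offer
        return f"({attribute}=*{value}*)"
    if condition == "is exactly":
        return f"({attribute}={value})"
    raise ValueError(f"unknown condition: {condition}")


def user_query(attribute: str, text: str, condition: str) -> str:
    """Wrap the clause in a user-object filter (assumed to match the article's)."""
    return "(&(objectCategory=user)" + attribute_filter(attribute, text, condition) + ")"


if __name__ == "__main__":
    # Constructed sample inputs: the article's "test lab" description search
    # and an Exchange home-server lookup.
    print(user_query("description", "test lab", "contains"))
    print(user_query("description", "Lab (test) *", "starts with"))
    print(user_query("msExchHomeServerName",
                     "/o=OrgName/ou=AdminGroupName/cn=Configuration/cn=Servers/cn=ServerName",
                     "is exactly"))
```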