Re: LDAP Query for member of one group

 
 
Richard Mueller [MVP]

 
      03-04-2009
Victor wrote:

> I'm trying to set a saved query that will return the members of one
> group.
> So I've created the following query to get all the users which are
> members of the *group* Internet from the *domain* mydomain.local in the
> *OU* Bucharest
>
> -(&(&(objectCategory=person)(|(objectClass=contact)(objectClass=user))(memberOf=cn=Internet,ou=Bucharest,dc=mydomain,dc=local)))-
>
> But I get nothing.
> Some help...
>


It looks like you want users and contacts that are direct members of the
group. I would try:

(&(objectCategory=person)(memberOf=cn=Internet,ou=Bucharest,dc=mydomain,dc=local))

The clause (objectCategory=person) will return user and contact objects.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


 
Paul Bergson [MVP-DS]

 
      03-04-2009
My guess is you have the Distinguished Name (DN) wrong. Go into ADSIEdit
and verify that the DN you have in your script matches the actually defined
DN of the object.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided "AS IS" with no warranties, and confers no rights.


 
Richard Mueller [MVP]

 
      03-04-2009

"vop" <> wrote in message
news:...
>
> Hello Paul, thanks for the reply it was very helpful.
>
> OK, so I've installed ADSIEdit and after I got all correct DN's I came
> up with this:
>
> (&(objectCategory=person)(memberOf=CN=Internet,CN=Users,DC=mydomain,DC=local))
>
> ...and it works, I've got all the members of the group Internet.
>
> But these users are spread in more than 50 OU's. How can I add a
> condition to narrow down to the users that are members of the group
> Internet but under a specific OU?
>
> I've tried this but it does not work:
>
> (&(&(objectCategory=person)(memberOf=CN=Internet,CN=Users,DC=mydomain,DC=local)(OU=Bucharest,OU=Country,OU=Company,OU=Organisation,DC=mydomain,DC=local)))
>
> Thanks a lot.
>


Filtering on OU cannot be done because it is not an attribute of the user
object (you can see all attributes in ADSI Edit). The only way to do this is
to set the "Base" of the search to the DN of the OU.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


 
 
Paul Bergson [MVP-DS]

 
      03-05-2009
I had run into the exact same issue yesterday, but as Richard said it is not
possible.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided "AS IS" with no warranties, and confers no rights.


 
Richard Mueller [MVP]

 
      11-27-2009

"rommel543" <> wrote in message
news:...
>
> I'm having a similar issue, except I'm attempting to pull ALL users from
> AD except the ones in a specific group.
>
> (&(objectCategory=Person)(objectClass=User)(!memberOf=CN=GroupToExclude,CN=General,CN=Security Groups,OU=*corporate,OU=base,DC=domain,DC=com))
>
> I did up a quick LDAP query test and found that I'm able to pull out or
> filter users with the following:
>
> (&(objectCategory=Person)(objectClass=User)(memberOf=CN=TestSharepointGroup,CN=Users,DC=domain,DC=com))
> (&(objectCategory=Person)(objectClass=User)(memberOf=CN=Alberta Region,CN=Region Distribution List,CN=Email Distribution,OU=base,DC=domain,DC=com))
>
> I picked a different group within the same container as the problem
> group and found this DOES NOT work:
>
> (&(objectCategory=Person)(objectClass=User)(memberOf=CN=differnetGroup,CN=General,CN=Security Groups,OU=*corporate,OU=base,DC=domain,DC=com))
>
> Can anyone point to any issue with the query, or a possible issue with
> a ldap query to nested OUs?
>
>


Wildcard characters are not allowed in DN attributes, like memberOf
(assuming that's the purpose of the "*" character). If there are three OU's
with groups of the same name, you can AND 3 clauses, each of which specifies
the full DN of a group.

If the DN value itself includes a "*" character, it must be escaped by
replacing it with "\2A".

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
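
Added example, not part of the original posts: a Python sketch of the two points made in the replies above, namely that an OU restriction belongs in the search base rather than the filter, and that a literal "*" (or other filter metacharacter) inside a memberOf DN must be escaped. The function names and the last sample DN are assumptions made for illustration; the other DNs are the ones quoted in the thread.

```python
# Added example. The DNs in the first call come from the thread; the last is constructed.
ESCAPES = {"\\": r"\5C", "*": r"\2A", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as a value inside an LDAP filter (RFC 4515)."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def member_filter(group_dns, exclude=False):
    """Match person objects (users and contacts) by direct group membership.

    exclude=False: member of every listed group.
    exclude=True:  member of none of them.
    Each entry must be the group's full DN; memberOf accepts no wildcards.
    """
    clauses = []
    for dn in group_dns:
        clause = "(memberOf=" + escape_filter_value(dn) + ")"
        clauses.append("(!" + clause + ")" if exclude else clause)
    return "(&(objectCategory=person)" + "".join(clauses) + ")"


def search_params(ou_dn, group_dns, exclude=False):
    """Scope the search by OU through the base DN, not through the filter."""
    return {"base": ou_dn, "scope": "subtree",
            "filter": member_filter(group_dns, exclude)}


if __name__ == "__main__":
    params = search_params(
        "OU=Bucharest,OU=Country,OU=Company,OU=Organisation,DC=mydomain,DC=local",
        ["CN=Internet,CN=Users,DC=mydomain,DC=local"],
    )
    for key, value in params.items():
        print(key + ": " + value)
    # A group whose name contains filter metacharacters (constructed DN).
    print(member_filter(["CN=Sales*(EMEA),OU=Groups,DC=example,DC=com"], exclude=True))
```

The returned base, scope and filter map onto the corresponding arguments of whichever LDAP client or saved-query dialog performs the search.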


 