LDAP Search for memberOf zero returns

Discussion in 'Active Directory' started by Eric - ARUP, Jun 2, 2005.

  1. Eric - ARUP

    Eric - ARUP Guest

    Please excuse me if i am asking a stupid question i am fairly new to ldap and
    am starting to learn it.

    I am trying to pull all members of 'Domain Admins' our of AD using 'Active
    Directory Users and Computers'. I searched the newgroup for items on this
    and i know the memberof has to be an exact match to work. I also saw a post
    from 3/1 that said something about memberOf being effected by built in groups
    and primary group, but i didnt quite understand what they were talking about.

    the ADU&C query i am using is via the wizard in the custom search user >
    member of and it return the string..

    (&(objectCategory=user)(memberOf=Domain Admins))

    It seems completely strange to me that MS would ship something that puts
    this string in and it doesnt work. Totally mind boggling.

    I was also looking at petri.co.il that had an example to search users in a
    group in an OU in a specific domain as follows..

    objectCategory=user)(memberOf=CN=QA Users,OU=Help Desk,DC=domain,

    I dont understand why this example would differ from the one that the query
    tool writes.

    the thing that really gets me is i was playing with this last week not
    really paying attention and i had the string right on the 2nd try and it
    worked. but i didnt save it, now i am regreting that. Any help is greatly

    Eric - ARUP, Jun 2, 2005
    1. Advertisements

  2. Hi,

    First, the memberOf attribute is DN syntax. You must specify the full
    Distinguished Name of the group. For example:


    Next, the memberOf attribute includes all groups the user is a direct member
    of, with the exception of the group that is designated the "primary" group
    of the user. By default, this is the group "Domain Users", although it can
    be changed. Hopefully, you can assume that all users have "Domain Users" as
    their primary group and not worry about it. The "Member Of" tab of ADUC
    properties dialog indicates which group is designated the "primary".

    Finally, the memberOf attribute only includes groups the user is a direct
    member of. It does not reveal nested group membership. For example, if user
    JSmith is a member of a group called "Grade1", and this group is a member of
    another called "School", then JSmith would also be a member of "School" (and
    would have any permissions granted to the "School" group), but the memberOf
    attribute of JSmith would not include this group.
    Richard Mueller [MVP], Jun 2, 2005
    1. Advertisements

  3. Eric - ARUP

    Eric - ARUP Guest

    Thanks to Kaplan all worked out with the following.
    (&(objectCategory=user)(memberOf=CN=Domain Admins,OU=Security

    I am still curoius however why this query would work but the one built into
    the query in ADU&C builds a bad query. bug?

    Eric - ARUP, Jun 2, 2005
  4. I'm sorry I need to point out something that needs to be corrected.

    You don't want objectcategory=user, user isn't an objectcategory, it is an
    objectclass only. Objectcategory=user would get converted to
    objectcategory=person which would then have you tearing through users and
    contacts. If you want to focus specifically on users you want one of the following



    Note that that will not pull all domain admins. You will not get admins who have
    domain admins set as their primary group. Primary group membership is maintained
    in a different attribute due to a shortcoming in how Linked Value replication
    worked in 2K AD. You can find these users with a query like
    "&(samaccounttype=805306368)(primarygroupid=512)". Additionally, if a user is in
    another group that is nested in the domain admins group, you will not get that
    membership either. Chasing nested memberships is involved. You would need to get
    the member attribute of the group and then enumerate each of those groups. Any
    groups in those groups would have to be further enumerated.

    Also if you are on 2K AD, it will be slower to run this query than it would be
    to just enumerate the member attribute of the group object. This is because
    while linked attributes are implicitely indexed, the QP is not intelligent
    enough to use the implicit index. You will see an obvious speed different in
    querying memberof versus outputting the member attribute of a group between 2K
    and K3.

    I didn't read most of the responses so I am not sure about your ADUC building a
    querying question. My guess is that you did a query and specified a group cn
    instead of the group DN. ADUC doesn't convert a CN to a full DN for you, you
    need to specify the whole DN for those queries.
    Joe Richards [MVP], Jun 2, 2005
  5. Eric - ARUP

    Mary [MSFT] Guest

    Hi Eric,

    The custom/advanced query (&(objectCategory=user)(memberOf=cn=domain
    admins,cn=users,dc=domainName)) works.

    In the Custom Search UI, when you select user from the Field list and
    memberOf for the attribute, in the Value field, you have to add the
    distinguished name of the Domain Admins group object, not the relative
    distinguished name. Domain Admins by itself is the value of both the "name"
    and "cn" (common name) attributes of the group object, not the distinguished
    name. LDAP requires the distinguished name value because that's the type of
    value the schema defines for the memberOf attribute. The wizard returned
    memberOf=Domain Admins because that's the value you provided. It isn't a
    predefined string that Microsoft ships.

    So the value in the memberOf attribute must be entered as a distinguished
    name. In the case of the Domain Admins group, the distinguished name is
    cn=domain admins,cn=users,dc=domainName. This name tells LDAP that the
    common name (cn) of the group is Domain Admins, and the container that the
    group is in is Users,

    DC= stands for domain component, so you need, for example,
    dc=subdomain,dc=forestrootdomain,dc=com--depending on the name of the domain
    you are searching. Do you have Windows Support Tools installed? If so, open
    ADSI Edit (Start\Run\adsiedit.msc) and look at the properties of the
    Administrator account. In the memberOf attribute, you'll see the
    distinguished name of the Domain Admins group (among others). That's what
    LDAP requires to locate users who are members of that group.

    I noticed when trying this out that if you get it wrong the first time, you
    have to refresh the query object after you change the query. You can't just
    edit the query and have the value returned. I thought I was getting it
    wrong, but I just needed to refresh the query object.
    Mary, Active Directory Writer
    Windows Server Content Group, Microsoft Corporation
    Windows Server Content Group, Microsoft Corporation

    Please remove the word "online" from my email address to contact me through
    the Windows Server Documentation team.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Mary [MSFT], Jun 2, 2005
  6. Eric - ARUP

    Eric - ARUP Guest

    Got it. :) thank you very much for the help guys.

    Eric - ARUP, Jun 3, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.