memberOf property using CSVDE

Discussion in 'Active Directory' started by paulcerv, Dec 17, 2004.

  1. paulcerv

    paulcerv Guest

    I am curious as to why I cannot specify a memberOf filter when using CSVDE.
    For example:

    csvde -f users.csv -r "(memberOf=C*)"

    This returns nothing. Also, the command tool appears to be inconsistent.
    When I issue the following I get mostly users, but also some computers:

    csvde -f users.csv -r "(objectClass=user)"


    Strange. Does anyone have an idea what might be wrong or a good reference
    that does more than give the syntax of the command?
     
    paulcerv, Dec 17, 2004
    #1

  2. I'm not real familiar with csvde, but LDAP filters in general can't use
    wildcards in distinguished name-syntax attributes such as member and
    memberOf. Therefore, I would not be surprised that the search returns
    nothing.

    It looks like you are trying to export every user who is a member of at
    least one group (besides primary group). I don't really know how you could
    do that query.

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Dec 17, 2004
    #2

  3. paulcerv

    paulcerv Guest

    Thanks Joe, I'll script it instead.

     
    paulcerv, Dec 17, 2004
    #3
  4. DN-valued attributes cannot be searched using wildcards. You could read it
    from the other end: search for all groups starting with C, and read their
    member attribute -- that would give you the list of users. Or you can export
    all users belonging to a specific group by specifying the full group DN in
    the filter below.

    As for (objectClass=user) -- computer class is a subclass of user class.
    Therefore, each computer object is also a user object -- look at their
    objectClass value. That's why you are getting computers. There are two ways
    to get around this:

    1) use (&(objectClass=user)(!(objectClass=computer))) to explicitly exclude
    computer objects

    or

    2) use (objectCategory=person). This one is more efficient because
    objectCategory is an indexed attribute, while objectClass is not indexed by
    default.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
     
    Dmitri Gavrilov [MSFT], Dec 17, 2004
    #4
  5. Guido G

    Guido G Guest

    you'd actually not find the link to the primary group in memberOf - it will
    only show you the backlinks to the groups you're explicitly a member of
    (the ADUC UI also adds the primary group to the list on the "Member Of" tab
    of a user)

    you should be more lucky to query for all groups of a specific name and then
    dump their member attribute.

    btw, computers are user-objects, better to use "objectCategory=person" - but
    this will also return contacts. If you don't want these you could use the
    following filter: (&(objectCategory=person)(!(objectClass=contact)))

    /Guido
     
    Guido G, Dec 18, 2004
    #5
  6. Al Mulnick

    Al Mulnick Guest

    Personally I'm not a fan of using a not operator in a query if possible.

    In this case, if you only want users, you can use the objectClass to
    differentiate.
    Contacts are objectClass = contact
    Users are objectClass = user
    Both are objectCategory = Person
    (computers are objectClass=computer and can be interchanged for user,
    contact, etc)

    In CSVDE you can specify what attributes you want it to return, so you can
    return a list of users AND their groups using a similar command:

    csvde -f c:\output.txt -d "dc=vmdomain,dc=com" -r "(&(objectCategory=Person)(objectClass=User))" -l memberof,cn

    That query would give you a list of all users in the search scope (subtree
    IIRC by default) and for each user class object it will return the memberof
    and cn attribute values. You *could* then go back and see that for each
    user, they are a member of the following groups etc.

    If you wanted contacts you'd change objectClass to Contact vs. User. If you
    wanted both, you could add objectClass=* or use an OR operator for the
    query.

    The other way would be to query each group and return the member attribute.
    Each group would then tell you which users it contained. I think Guido is
    trying to tell you that below.

    Does that help at all? Are you seeing the reference you want? CSVDE is not
    going to give you ldap filter reference, it will instead give you command
    line reference about how to run the command on a command line.

    For filter references, www.rlmueller.net has some good references. For some
    script examples that deal with group memberships and how to get information
    for a single user, you can take a look at http://www.houseofqueues.com at
    the code examples.

    There are plenty of others out there as well.

    Al
     
    Al Mulnick, Dec 18, 2004
    #6
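
The group-side approach suggested in posts #4 to #6 (export the groups and read their member attribute, because memberOf cannot be matched with a wildcard), as an added example that is not from any poster in this thread. It assumes csvde writes a multi-valued attribute as one semicolon-separated field; the sample export, user names and OU names are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of the file produced by a group-side export such as
#   csvde -f groups.csv -r "(&(objectCategory=group)(cn=C*))" -l cn,member
# Assumption: multi-valued attributes arrive as one ';'-separated field.
SAMPLE_EXPORT = '''DN,cn,member
"CN=Contractors,OU=Groups,DC=vmdomain,DC=com",Contractors,"CN=Bob Lee,OU=Staff,DC=vmdomain,DC=com;CN=Ann Ray,OU=Staff,DC=vmdomain,DC=com"
"CN=CAD Users,OU=Groups,DC=vmdomain,DC=com",CAD Users,"CN=Ann Ray,OU=Staff,DC=vmdomain,DC=com"
"CN=Cold Storage,OU=Groups,DC=vmdomain,DC=com",Cold Storage,
'''

def split_multivalue(field):
    """Split a multi-valued field on ';' that is not backslash-escaped."""
    return [v.strip() for v in re.split(r"(?<!\\);", field or "") if v.strip()]

def groups_by_member(export_text, cn_prefix=""):
    """Invert group -> member rows into member DN -> sorted group names.

    cn_prefix repeats the (cn=C*) test client-side, case-insensitively,
    so the same code works on an unfiltered export of every group.
    """
    result = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        # Attribute names are case-insensitive in LDAP; normalise the headers.
        row = {(k or "").lower(): v for k, v in row.items()}
        cn = row.get("cn") or ""
        if not cn.lower().startswith(cn_prefix.lower()):
            continue
        for member_dn in split_multivalue(row.get("member")):
            result[member_dn].add(cn)
    # Membership through primaryGroupID is not stored in member, so users
    # who belong to a group only as their primary group do not appear here.
    return {dn: sorted(names) for dn, names in result.items()}

if __name__ == "__main__":
    for dn, names in groups_by_member(SAMPLE_EXPORT, "C").items():
        print(dn, "->", ", ".join(names))
```
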
  7. Actually, that's why I said "besides the primary group" in my response. As
    you clarified, it is not available in memberOf. I should have been more
    clear.

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Dec 19, 2004
    #7