LDAP including Child attributes

    General discussion

  • Hi All,

    Is it possible to run LDAPs that interrogate child attributes as well?  By this I mean, could I run a search for AD accounts that had the manager field populated and where that manager (in that field) was based in Newcastle.

    I would really appreciate your thoughts.

    Many Thanks

    Tuesday, March 13, 2012 10:17 AM

All replies

  • Yes that is possible. Here is an example using get-aduser in PowerShell:

     get-aduser -filter * -property manager | where {$_.manager -ne $null}

    Tuesday, March 13, 2012 10:39 AM
  • I normally run LDAPs from .cmd files.  Could one of these be modified or am I constrained to using PowerShell ?

    Many Thanks

    Tuesday, March 13, 2012 11:53 AM
  • You can use ldifde for this purpose which can be called from batch or .cmd:

    ldifde -d "dc=contoso,DC=com" -f output.txt -r "(&(objectClass=user)(manager=*))"

    Tuesday, March 13, 2012 12:06 PM
  • That looks fine, but then how can I add criteria about the manager, like where they are based.

    I think what I'm asking isn't possible.

    Tuesday, March 13, 2012 12:41 PM
  • It can be done in PowerShell as has been demonstrated.  It cannot be easily done with a CMD file.


    ¯\_(ツ)_/¯

    Tuesday, March 13, 2012 12:54 PM
  • How do you tell the manager is based in Newcastle? Is there an attribute of the manager user object that indicates this?

    You can query for all users that have a specific manager. You can query for all users that have any one of several managers assigned to them in AD. You can query for users that have any manager. However, if managers based in Newcastle have some attribute, such as the department attribute equal to "Newcastle", and you want all users that have any of these managers, it cannot be done in one query. This is true no matter whether PowerShell or anything else. You would need to run one query with (department=Newcastle), retrieve all the DNs from that query, then run a second query for the direct reports. This requires two queries, plus some code to construct the filter for the second query.


    Richard Mueller - MVP Directory Services

    Tuesday, March 13, 2012 1:23 PM
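    The two-query approach described in the post above, written out as an added example (this is not code from the thread or from any of its participants). It assumes the ActiveDirectory module, a session joined to the domain being searched, and, as in the post, that department = "Newcastle" is what marks a manager as Newcastle-based. The helper ConvertTo-LdapFilterValue is a name chosen here, not a built-in cmdlet: the "code to construct the filter for the second query" is where DN values get spliced into a filter string, and a DN can legitimately contain parentheses, asterisks or backslashes, so each value is escaped per RFC 4515 before it is inserted rather than concatenated raw.

```powershell
# Added example, not code from the thread. Implements the two-query approach:
# query 1 finds the managers based in Newcastle, query 2 finds everyone whose
# manager attribute is one of those DNs. Assumes the ActiveDirectory module,
# a session joined to the target domain, and department = "Newcastle" as the
# marker for Newcastle-based managers.
Import-Module ActiveDirectory

# Escape a value before splicing it into an LDAP filter (RFC 4515). A DN can
# contain parentheses, asterisks or backslashes; left unescaped, such a value
# changes the structure of the filter instead of being matched literally.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory = $true)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

# Query 1: Newcastle-based users who actually have direct reports.
# @() forces an array even when exactly one manager comes back.
$managerDns = @(Get-ADUser -LDAPFilter '(&(department=Newcastle)(directReports=*))' |
                Select-Object -ExpandProperty DistinguishedName)

if ($managerDns.Count -eq 0) {
    Write-Warning 'No managers based in Newcastle were found.'
    return
}

# Query 2: (&(objectClass=user)(|(manager=DN1)(manager=DN2)...)).
# The manager list is chunked so that no single filter grows unreasonably long.
$chunkSize = 100
for ($i = 0; $i -lt $managerDns.Count; $i += $chunkSize) {
    $last   = [Math]::Min($i + $chunkSize, $managerDns.Count) - 1
    $terms  = $managerDns[$i..$last] |
              ForEach-Object { '(manager=' + (ConvertTo-LdapFilterValue $_) + ')' }
    $filter = '(&(objectClass=user)(|' + ($terms -join '') + '))'

    Get-ADUser -LDAPFilter $filter -Properties manager |
        Select-Object SamAccountName, DistinguishedName, Manager
}
```

    Both queries are read-only and need nothing beyond ordinary domain read access. Because query 1 uses Get-ADUser, a manager that is a contact or group object will not be returned; Get-ADObject with the same filter lifts that restriction.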
  • The only way I could imagine you doing that from .cmd would be to parse the output from ldifde and create a new query based on that, either using ldifde or dsget user.
    Tuesday, March 13, 2012 1:42 PM
  • Thanks all.  That's my question answered.  Will try the PowerShell route.
    Tuesday, March 13, 2012 2:07 PM
  • I would only note, that if I understand the question, PowerShell cannot do this in one query either. If some attribute of the manager user objects identifies them as based in Newcastle, you will need two queries to retrieve all users with any manager based in Newcastle. Code will need to take the results of the first query and construct a filter for the second. I've done similar in PowerShell and VBScript. How do you know if a user is based in Newcastle?


    Richard Mueller - MVP Directory Services

    Tuesday, March 13, 2012 2:52 PM
  • Sorry, I just realized that this can be done in one query. The trick is to query for the managers. Then we can filter just on managers based in Newcastle. We can retrieve the directReports attribute and enumerate that. The manager attribute of the user is linked to the directReports attribute of the manager. A PowerShell V1 script follows, assuming that managers based in Newcastle have department equal to "Newcastle":

    # Search entire domain.
    $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $Root = $Domain.GetDirectoryEntry()
    $Searcher = [System.DirectoryServices.DirectorySearcher]$Root

    $Searcher.PageSize = 200
    $Searcher.SearchScope = "subtree"
    $Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
    $Searcher.PropertiesToLoad.Add("directReports") > $Null

    # Filter on all managers based in Newcastle.
    # Managers are anyone with direct reports.
    $Searcher.Filter = "(&(department=Newcastle)(directReports=*))"
    $Results = $Searcher.FindAll()

    # Enumerate managers based in Newcastle and their direct reports.
    ForEach ($User In $Results)
    {
        $DN = $User.properties.Item("distinguishedName")
        "Manager: $DN"
        $Reports = $User.properties.Item("directReports")
        ForEach ($Report In $Reports)
        {
            "  Direct Report: $Report"
        }
    }

    -----

    Similar can be done in VBScript, or using PowerShell V2 and the Get-ADUser cmdlet. However Get-ADUser will restrict managers to users, so you may want to use Get-ADObject instead if managers can be groups or contacts. If you want attributes of the reports other than the Distinguished Names, you will need to bind to each report object to retrieve the other attributes (like "pre-Windows 2000 logon" name).


    Richard Mueller - MVP Directory Services

    Tuesday, March 13, 2012 3:42 PM
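    The closing paragraph of the post above suggests two variations on the V1 script: use Get-ADObject so that managers which are groups or contacts are not filtered out, and bind to each report to pull attributes beyond its DN, such as the pre-Windows 2000 logon name. The following is an added example of that, not code from the thread or its participants. It assumes the ActiveDirectory module (PowerShell V2 or later), a session joined to the domain being searched, and the same department = "Newcastle" convention.

```powershell
# Added example, not code from the thread. Single query for Newcastle-based
# managers via the directReports back-link, using Get-ADObject so managers that
# are contacts or groups are included, then one bind per report to read its
# sAMAccountName (pre-Windows 2000 logon name). Assumes the ActiveDirectory
# module and department = "Newcastle" as the marker for Newcastle-based managers.
Import-Module ActiveDirectory

# One query: anything in Newcastle that has at least one direct report.
$managers = Get-ADObject -LDAPFilter '(&(department=Newcastle)(directReports=*))' `
                         -Properties directReports

foreach ($mgr in $managers) {
    "Manager: $($mgr.DistinguishedName) [$($mgr.ObjectClass)]"

    foreach ($reportDn in $mgr.directReports) {
        # directReports holds DNs only; any other attribute of a report needs a
        # second bind. Get-ADObject is used again so that a report which is a
        # contact (and therefore has no sAMAccountName) is still listed.
        $report = Get-ADObject -Identity $reportDn -Properties sAMAccountName, objectClass

        $logon = if ($report.sAMAccountName) { $report.sAMAccountName } else { '<no sAMAccountName>' }
        "  Direct Report: $logon ($($report.ObjectClass)) $reportDn"
    }
}
```

    The one-per-report bind is the cost of this approach: for a manager with hundreds of reports it issues hundreds of small reads, whereas the two-query approach fetches all reports of all Newcastle managers in a few larger searches. Both are read-only.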