ldap_query all users in one OU

  • Question

  • Hello everybody.

    I'm searching for a request to find all the users in a group. For the moment I have:

    'ldap_query' => '(&(objectCategory=user)(OU=55Users,DC=domain,DC=local))',

    But this command is not working. Why?

    Thank you.

    Monday, October 29, 2012 1:21 PM

Answers

  • you can not use the target OU as part of the filter

    the target OU should be specified as part of the query scope

    Assuming that the distinguishedName of the group is CN=Group1,DC=domain,DC=local, then the filter, in your case, direct membership could be obtained by using (&(objectclass=user)(objectcategory=person)(memberof=CN=Group1,DC=Domain,DC=local))

    For all group members, including those who are members due to group nesting, you would run:

    (&(objectclass=user)(objectcategory=person)(memberOf:1.2.840.113556.1.4.1941:=cn=Group1,dc=Domain,dc=local))

    details at http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters-en-us.aspx

    hth
    Marcin



    Monday, October 29, 2012 1:30 PM
  • LDAP Query to list all users of a certain group
    http://stackoverflow.com/questions/9890049/ldap-query-to-list-all-users-of-a-certain-group

    Get all users in specific AD group using VbScript
    http://www.winfrastructure.net/article.aspx?BlogEntry=Get-all-users-in-specific-AD-group-using-VbScript

    You can also use dsquery: dsquery group -name "group name" | dsget group -members -expand | dsget user -fn -ln


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Monday, October 29, 2012 2:20 PM
  • Hello everybody.

    I'm searching for a request to find all the users in a group. For the moment I have:

    'ldap_query' => '(&(objectCategory=user)(OU=55Users,DC=domain,DC=local))',

    But this command is not working. Why?

    Thank you.

    You are querying an OU and not a group. Maybe you were confused between the OUs and group concept.

    If you would like to get the list of users under 55Users OU (which is under domain.local domain), you can simply run the following: dsquery user "OU=55Users,DC=domain,DC=local". For more details about dsquery user commands: http://technet.microsoft.com/en-us/library/cc725702%28v=ws.10%29.aspx

    To get the list of users which are members of an AD group, you can query the member attribute of your group. It could be done using the following command: dsquery * <DN of your group> -attr member.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   


    Monday, October 29, 2012 4:08 PM

All replies

  • You cannot filter on OU membership, but you can filter on group membership. To retrieve all users that are members of a specified group, filter on the memberOf attribute. For example:

    "(&(objectCategory=person)(objectClass=user)(memberOf=cn=Test Group,ou=West,dc=MyDomain,dc=com))"

    -----

    You must specify the full distinguished name of the group.


    Richard Mueller - MVP Directory Services

    Monday, October 29, 2012 1:28 PM
  • All users in a “Group” or in an “OU”? or combination of both?


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/


    This posting is provided AS IS with no warranties,and confers no rights.

    Monday, October 29, 2012 3:53 PM
    Moderator
  • Your best bet is to specify the OU as your searchBase for your query.  In your case, the searchBase would be OU=55Users,DC=domain,DC=local.  Then your query is simply (&(objectClass=user)(objectCategory=person)).

    For more information about searchBase, and LDAP searches in general, read this article: http://technet.microsoft.com/en-us/library/cc978021.aspx

    Alternately, you can use the simple query (&(objectClass=user)(objectCategory=person)) and the default searchBase (entire domain tree), then do some post-processing to filter out the specific users you are interested in.  The OU a user exists in is part of the user's distinguishedName so you can find users in the OU based on that attribute.  Naturally this is much more expensive than my original suggestion since you have to pull every user in the domain and then use some method to find the users you want after.  Better to specify searchBase and let AD work for you.

    Monday, October 29, 2012 4:07 PM
  • Hi,

    In the same lines as this query, I am trying to filter users who are under multiple OUs, example "OU=Location_1,OU=Org,OU=domain,OU=local" and "OU=Location_2,OU=Org,OU=domain,OU=local".

    Please help me set this filter right.

    I tried with (&(objectCategory=user)(|(OU=Location_1,OU=Org,OU=domain,OU=local)(OU=Location_2,OU=Org,OU=domain,OU=local))), but this doesn't work.

    And also with SearchBase while using Get-ADUser, but I cannot give multiple OUs under SearchBase.

    Any help is welcome.

    Thanks.

    Regards,

    Shyam

    Thursday, April 26, 2018 8:16 AM
  • You cannot filter on the parent OU of objects. And only one search base at a time is allowed. You can specify the search scope. If you specify scope as subTree, then the base and all children of the base will be searched. Otherwise, you must query each OU separately. You could loop through a list of OUs.

    You cannot use a filter clause similar to:

    (OU=Location_1,OU=Org,OU=domain,OU=local)

    because there is no "ou" attribute of user objects. The "ou" attribute only applies to objects of organizationalUnit class.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, April 26, 2018 11:28 AM
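
An added example (not code from any poster in this thread) that models, over a constructed in-memory directory, what the replies above describe: an (OU=...) filter clause matches no users, the OU works as a search base with a scope, and several OUs are covered by one search per base. The entries, function names and the simplified DN splitter are assumptions for illustration; the same DN check also serves the post-processing approach mentioned earlier.

```python
import re

# Constructed sample directory (not from the thread): DN -> attributes.
ENTRIES = {
    "OU=55Users,DC=domain,DC=local": {"objectClass": ["organizationalUnit"], "ou": ["55Users"]},
    "CN=Doe\\, Jane,OU=55Users,DC=domain,DC=local": {"objectClass": ["user"]},
    "CN=Bob,OU=Sub,OU=55Users,DC=domain,DC=local": {"objectClass": ["user"]},
    "CN=Eve,OU=X55Users,DC=domain,DC=local": {"objectClass": ["user"]},
    "CN=Al,OU=Other,DC=domain,DC=local": {"objectClass": ["user"]},
}

def split_dn(dn):
    """Split a DN into lower-cased RDNs, keeping backslash-escaped commas intact.
    Simplified: does not handle an escaped backslash directly before a comma."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]

def in_scope(dn, base, scope="subtree"):
    """True if dn lies under base for the LDAP scope: base, onelevel or subtree."""
    entry, root = split_dn(dn), split_dn(base)
    depth = len(entry) - len(root)
    if depth < 0 or entry[depth:] != root:
        return False
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]

def search_users(bases, scope="subtree", entries=ENTRIES):
    """One pass per search base (a query takes a single base), results merged."""
    found = set()
    for base in bases:
        found.update(dn for dn, attrs in entries.items()
                     if "user" in attrs["objectClass"] and in_scope(dn, base, scope))
    return sorted(found)

def filter_on_ou(value, entries=ENTRIES):
    """What an (ou=<value>) clause can match among users: the sample users hold
    no 'ou' value, their OU is expressed only through the DN."""
    return [dn for dn, attrs in entries.items()
            if "user" in attrs["objectClass"] and value in attrs.get("ou", [])]

if __name__ == "__main__":
    ou = "OU=55Users,DC=domain,DC=local"
    print(filter_on_ou("55Users,DC=domain,DC=local"))   # filter approach from the question
    print(search_users([ou]))                            # OU as base, subtree scope
    print(search_users([ou], scope="onelevel"))          # direct children only
    print(search_users([ou, "OU=Other,DC=domain,DC=local"]))  # several OUs, one base each
```
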
  • Even having so many answers I'm still struggling on below:

    See below query (this is a filter for Cisco CUCM Ldap integration):

    (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=ou=Users3,dc=mawoznia,dc=lab))

    Querying directly on Windows Server 2012 I found that below doesn't return any reply:

    (memberOf=ou=Users3,dc=mawoznia,dc=lab)

    See the output of dsquery user ou=Users3,dc=mawoznia,dc=lab

    "CN=User3 User3,OU=Users3,DC=mawoznia,DC=lab"

    What am I missing?

    Thank you in advance for your responses.

    Tuesday, June 26, 2018 3:36 PM
  • The dsquery user statement you posted will find all users in the specified OU. There is one user, cn=User3 User3. However, no user will ever have a memberOf value equal to the distinguished name of the OU. Users can be in an OU (they have the OU as their parent, and they are children of the OU), but they are never members of an OU (like they can be members of a group). The LDAP syntax filter you post will always return nothing.

    No LDAP filter can retrieve all users in an OU. Instead, you must make the distinguished name of the OU the base of the query (that is what your dsquery user statement does). I don't know how that would be done with the Cisco CUCM. Then you would query for all users in the base.

    You could use dsquery * to find all enabled users in an OU, but the most common filter for users is:

    (&(objectCategory=person)(objectClass=user))

    To retrieve all active users in the OU:

    dsquery * "ou=Users3,dc=mawoznia,dc=lab" -Filter "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -Attr distinguishedName sAMAccountName cn

    I retrieved 3 attributes above. The default is just distinguishedName, but you can specify any you want with the -Attr parameter. There is help for dsquery at the command line.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, June 26, 2018 4:37 PM