Reputation: 11
Query Active Directory users who are managed by given manager's sAMAccountName
I'm trying to search active directory users whose manager's username is given in the search request, but I always get 0 records regardless of the manager's username I pass.
To achieve this, I executed the following LDAP query:
(manager=sAMAccountName=Administrator)
I also tried by manager's common name like this:
(manager=cn=John Smith)
Can anyone write me an LDAP query that returns all users whose manager's sAMAccountName=administrator ?
Upvotes: 1
Views: 13217
Answers (2)
Reputation: 1890
I know this is old but I figured out a way to do this in C# that I have yet to find on stackoverflow.
using (var pc = new PrincipalContext(ContextType.Domain, "yourdomain.com"))
using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, "samAccountName"))
{
DirectoryEntry de = (DirectoryEntry)user.GetUnderlyingObject();
if (de.Properties["directReports"].Count != 0)
managedFound = de.Properties["directReports"];
}
This will give you a list of strings that you can then parse out the CN using this:
managedUserName = Regex.Match(managedFound.ToString(), @"CN[=].*?[,]").Value.Replace("CN=", "").Replace(",", "");
Then, the following to get the User properties:
UserPrincipal managedUser = UserPrincipal.FindByIdentity(pc, IdentityType.Name, managedUserName);
Upvotes: 0
Reputation: 11132
manager has distinguished name syntax, therefore, if manager is used in an assertion, the full DN must be used as the value. Neither of the examples you gave meet this criteria. You must correct the filter to use a distinguished name.
The syntax of manager:
attributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager'
EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
X-ORIGIN 'RFC 4524' )
To determine the syntax, use the LDAP Parameters Assignment page. On that page, search for the OID following the SYNTAX keyword (1.3.6.1.4.1.1466.115.121.1.12). That shows that it's DN syntax. Also, the EQUALITY matching rule is distinguishedNameMatch.
An example of an assertion in a filter using the correct syntax:
manager=cn=Manager Number One,ou=managers,ou=people,dc=example,dc=com
All attributes values used in an assertion must have the syntax defined for that attribute type in the schema.
Update
Verify the entries exist with a known good tool such as ldapsearch to ensure that the correct parameters are known for the search request. For example:
$ ldapsearch -h hostname -p port -b 'dc=sahara,dc=local' \
-D [your-bind-dn] -w [your-bind-dn-password] \
-s sub \
'(manager=cn=Izzeddeen Alkarajeh,ou=managers,ou=people,dc=sahara,dc=local)' \
1.1
If this search returns no entries, check with the LDAP administrators to ensure that the BIND DN in use has permission o read those entries.
see also
Upvotes: 2
Related Questions
- Active Directory LDAP Query by sAMAccountName and Domain
- ldapsearch get a list of users (samAccountName) in a specific AD group
- Getting the sAMAccountName for all users in a AD Group
- LDAP search for all users with a specific manager
- C# LDAP Query to Get Managers of users in certain groups
- Active Directory - Get All Users Belonging to a Manager
- How to find manager of department
- Finding all groups that a user manages
- Finding Manager for LDAP user
- Active Directory search - filter by Manager