grimes88

Reputation: 51

LDAP query filter by member count in Active Directory

Super new to Active Directory and creating LDAP queries.

I want to try and pull distribution groups with only 1 member. I was trying to edit a query I used to find groups with no members, but have had no luck. I've been searching for a solution, but haven't been able to find any information. I was just curious if this was even possible.

(&(&(&(objectCategory=group)(member=1)(objectClass=group)(proxyAddresses=*@domain.com))))

Upvotes: 1

Views: 3375

Answers (1)

EricLavault

Reputation: 16095

No, you can't just with a single LDAP query.

The (member=1) filter does not work because it just tries to match an invalid dn ('1'). By the way, the whole filter is wrong: you don't need to nest the conditions or add & operators for each. However, you can still add (!(member=*)) to exclude groups that don't have any member. So in your situation, a correct filter should look like this:

(&(objectCategory=group)(objectClass=group)(proxyAddresses=*@domain.com)(!(member=*)))

To filter groups having only one member, you would first have to search for the groups using the filter above, then iterate over each group entry, read the member attribute to get the count manually, and exclude groups with more than one member.

You can also add a custom attribute to group objects so that you can store the member count in it and finally be able to apply filters as you first intended (e.g. memberCount=1), that is, in a single query. BUT this of course also requires maintaining the attribute.

Upvotes: 3
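The client-side counting step described in the answer, as an added example that is not part of the original answer. It assumes the search results arrive as (dn, attributes) pairs with each attribute mapped to a list of values, and that step one uses the `(member=*)` pre-filter shown in the code; the function names and sample entries are constructed for illustration. It also handles Active Directory's ranged retrieval, where a large group's members come back under a key such as `member;range=0-1499` while the plain `member` key is empty.

```python
import re

# Assumed step-one filter: (member=*) keeps only groups with at least one
# member, so empty groups never reach the client-side count.
SEARCH_FILTER = (
    "(&(objectCategory=group)(objectClass=group)"
    "(proxyAddresses=*@domain.com)(member=*))"
)

# Active Directory returns large multi-valued attributes in slices named
# like "member;range=0-1499"; an end of "*" marks the final slice.
_RANGED = re.compile(r"^member;range=\d+-(\d+|\*)$", re.IGNORECASE)


def member_count(attrs):
    """Return (count, complete); complete is False if only a slice was sent."""
    count, complete = 0, True
    for name, values in attrs.items():
        if name.lower() == "member":
            count += len(values)
            continue
        m = _RANGED.match(name)
        if m:
            count += len(values)
            # A numeric end means more members remain on the server.
            complete = complete and m.group(1) == "*"
    return count, complete


def single_member_groups(entries):
    """Return the DNs of groups whose member attribute holds exactly one DN."""
    return [dn for dn, attrs in entries if member_count(attrs) == (1, True)]


# Constructed sample entries, not real directory data.
_U = "CN=user{},OU=Users,DC=domain,DC=com"
SAMPLE = [
    ("CN=Solo,OU=Lists,DC=domain,DC=com", {"member": [_U.format(1)]}),
    ("CN=Pair,OU=Lists,DC=domain,DC=com", {"member": [_U.format(1), _U.format(2)]}),
    ("CN=Huge,OU=Lists,DC=domain,DC=com",
     {"member": [], "member;range=0-1499": [_U.format(i) for i in range(1500)]}),
]

if __name__ == "__main__":
    print(single_member_groups(SAMPLE))
```

A naive `len(attrs["member"])` would report the ranged group as having zero members, which is why the slice key is checked as well.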
