VaTo

Reputation: 3078

My LDAP query is returning zero results even though I can see that the attribute DistinguishedName contains the string in the query

I have a very simple query: (distinguishedName=*Inactive*) which is returning ZERO results, but I do see that the string "Inactive" is contained in some of the objects in the AD.

What I would like to do is to be able to search in those Users OUs but exclude the Users OU which is inside of that Inactive OU. Executing the previous query was (I thought) the answer to my problem, but I don't get any results.

Thank you in advance for your help.

LDAP

Upvotes: 1

Views: 3141

Answers (3)

Gabriel Luci

Reputation: 40928

Active Directory does not allow you to search a partial match on distinguishedName. If distinguishedName is in the query, it can only be an exact match.

If you want to search only specific OUs, you will either need to:

  1. Search a single OU by setting the SearchRoot to the OU rather than the domain. You can also set the SearchScope to SearchScope.OneLevel to not search sub-OUs if you want. Repeat the search for every OU you want to include.
  2. Search the top-most OU with the results you want, loop through the results, and discard the ones in the Inactive OU by looking at the distinguishedName (since you already have the results at this point, the distinguishedName is just a string you can do whatever you want with, including a partial match).

I'd recommend #2 since it means one search against AD instead of multiple. It'll be faster.

And yes, you can use userAccountControl as a filter to exclude disabled accounts, but that depends on if you're ok with excluding disabled accounts that may not be in the Inactive OU, or including enabled accounts that might have ended up in the Inactive OU.

Upvotes: 0

VaTo

Reputation: 3078

After a lot of research, I found this:

I could filter by the LDAP attribute userAccountControl...

Based on Microsoft Support's explanation:

This attribute is composed of a combination of different flags. The flag for setting the object that you want to disable is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies userAccountControl with the UF_ACCOUNTDISABLED bit set would resemble this:

(!(UserAccountControl:1.2.840.113556.1.4.803:=2))

You might be asking yourself, what is that number and what does it mean?

Here are the answers:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961749(v=technet.10)

and the Flag options: https://blogs.technet.microsoft.com/mempson/2011/08/24/useraccountcontrol-flags/

Upvotes: 0
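Putting the two answers together, as an added example that is not code from any of the posters: it builds the negated bitwise userAccountControl filter quoted above (which excludes disabled accounts), and implements Gabriel Luci's option #2 client-side, discarding results whose distinguishedName sits under the Inactive OU by comparing whole RDNs rather than a bare substring (a substring test would also drop a user whose CN merely contains "Inactive"). The entries and OU names are constructed sample data, not a live directory.

```python
import re
from typing import Dict, List

# LDAP_MATCHING_RULE_BIT_AND, the OID used in the filter quoted above
BIT_AND_RULE = "1.2.840.113556.1.4.803"
UF_ACCOUNTDISABLE = 0x2

def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas, normalised for comparison."""
    parts = re.split(r"(?<!\\),", dn)
    return [p.strip().lower() for p in parts]

def is_under_ou(dn: str, ou_dn: str) -> bool:
    """True if ou_dn is a proper ancestor of dn (whole-RDN suffix, not substring)."""
    entry, ou = split_dn(dn), split_dn(ou_dn)
    return len(entry) > len(ou) and entry[-len(ou):] == ou

def bit_and_matches(value: int, mask: int) -> bool:
    """Client-side equivalent of (attr:1.2.840.113556.1.4.803:=mask): all mask bits set."""
    return value & mask == mask

def build_filter(exclude_disabled: bool) -> str:
    """Server-side filter: all users, optionally without the UF_ACCOUNTDISABLE bit."""
    f = "(objectClass=user)"
    if exclude_disabled:
        f += f"(!(userAccountControl:{BIT_AND_RULE}:={UF_ACCOUNTDISABLE}))"
    return f"(&{f})"

def select_users(entries: List[Dict], inactive_ou_dn: str, exclude_disabled: bool = True) -> List[str]:
    """Return DNs of results that are neither under the Inactive OU nor (optionally) disabled."""
    kept = []
    for e in entries:
        if is_under_ou(e["dn"], inactive_ou_dn):
            continue
        if exclude_disabled and bit_and_matches(e["userAccountControl"], UF_ACCOUNTDISABLE):
            continue
        kept.append(e["dn"])
    return kept

# Constructed sample results, as a search rooted at OU=Corp might return them (hypothetical names)
SAMPLE_ENTRIES = [
    {"dn": "CN=Ann Lee,OU=Users,OU=Corp,DC=example,DC=com", "userAccountControl": 512},
    {"dn": "CN=Bob Ray,OU=Users,OU=Inactive,OU=Corp,DC=example,DC=com", "userAccountControl": 514},
    {"dn": "CN=Inactive Jones,OU=Users,OU=Corp,DC=example,DC=com", "userAccountControl": 512},
    {"dn": "CN=Cy Dee,OU=Users,OU=Corp,DC=example,DC=com", "userAccountControl": 514},
]
INACTIVE_OU = "OU=Inactive,OU=Corp,DC=example,DC=com"

if __name__ == "__main__":
    print(build_filter(True))
    print(select_users(SAMPLE_ENTRIES, INACTIVE_OU))
```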

jwilleke

Reputation: 10986

Generally you cannot do a substring match rule for distinguishedName.

As discussed in this thread.

Further, many LDAP server implementations support ExtensibleMatch; however, Microsoft Active Directory does NOT support this functionality and only supports the Microsoft Active Directory Extensible Match Rules.

Upvotes: 1
