Reputation: 103
Some of the users in the domain I'm working on have no manager assigned or no Job title so I tried to create a new query with this LDAP query in the definequery>customsearch>advanced tab:
(&(objectCategory=user)(objectClass=user))(|(!manager=*)(!title=*)
This returns zero results even though I know they exist. Using the Custom Search creates the same search string and also returns zero results. I tried this, based on research elsewhere, which also returns zero results.
(&(objectCategory=person)(objectClass=user))(|(!manager=*)(!title=*)
What am I doing wrong?
Also I want to search only in specific folders and their subfolders, should I pre-pend this:
(|(OU=Innsbruck)(OU=Totnes)(OU=Dueren))
where these are immediately below the domain and each location has its own sub folders of Computers, Groups, Users.
Upvotes: 0
Views: 4508
Reputation: 4868
It seems to me that the filter is not compliant with RFC 4515: LDAP String Representation of Search Filters.
Maybe AD and the tool you are using are accepting it, but NOT filters should be in the form of (!(manager=*)).
(&(objectCategory=person)(objectClass=user)(|(!(manager=*))(!(title=*))))
Upvotes: 1
Reputation: 40928
Your query is just invalid. That window doesn't tell you that - it just gives zero results.
You're missing closing parentheses and you need to put the OR condition inside the AND condition. And you also need to use (objectCategory=person), not (objectCategory=user). You don't really need (objectCategory=person) since (objectClass=user) is good enough to limit the search to user objects, but it doesn't hurt.
This is what it should look like:
(&(objectCategory=person)(objectClass=user)(|(!manager=*)(!title=*)))
I will usually paste my query into Notepad++, which highlights matching parentheses, so it's easy to find missing ones. Or you can break it up over multiple lines to make it easier to read and easier to spot errors:
(&
    (objectCategory=person)
    (objectClass=user)
    (|
        (!manager=*)
        (!title=*)
    )
)
Regardless of how you search (through the Users and Computers UI or through code) you can only search one OU at a time. There is no OU attribute or any other attribute that you can use in a query to limit to specific OUs.
In the UI, you can click 'Browse' in the top right to pick the OU you want to search.
If you were doing this in code, you can do a couple things to limit it to specific OUs:
distinguishedName attribute of each result and discard the results from OUs you don't want.
Option #2 will probably perform faster since it's less network requests.
Upvotes: 1
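A strict structural check for the filters discussed in both answers above, as an added example that is not part of the original posts. It follows the RFC 4515 grammar (exactly one parenthesized filter, NOT wrapping a parenthesized operand), so it flags the question's filter and also the shorter (!manager=*) form that, as the first answer notes, AD may accept. The names parse_filter and check_filter are hypothetical.

```python
# Added example: structural checker for LDAP search filters (RFC 4515 grammar).
# It checks shape only (parentheses, operators, attr=value items), not schema.

class FilterError(ValueError):
    pass

def parse_filter(s, i=0):
    """Parse one '(' ... ')' filter starting at s[i]; return the index after it."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at position {i}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":   # filterlist = 1*filter
            i = parse_filter(s, i)
            count += 1
        if count == 0:
            raise FilterError(f"'{op}' needs at least one sub-filter")
    elif op == "!":
        # RFC 4515: not = "!" filter, so the operand must itself start with '('
        i = parse_filter(s, i + 1)
    else:
        # Simple item such as manager=* ; literal parentheses in values must be
        # escaped as \28 and \29, so the item ends at the next '(' or ')'.
        j = i
        while j < len(s) and s[j] not in "()":
            j += 1
        item = s[i:j]
        if "=" not in item or item.startswith("="):
            raise FilterError(f"bad item {item!r} at position {i}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at position {i}")
    return i + 1

def check_filter(text):
    """Return None if text is exactly one well-formed filter, else an error string."""
    # Whitespace is dropped so multi-line layouts can be checked; reported
    # positions therefore refer to the filter with whitespace removed.
    s = "".join(text.split())
    try:
        end = parse_filter(s)
    except FilterError as exc:
        return str(exc)
    if end != len(s):
        return f"unexpected text after complete filter at position {end}"
    return None
```

Running check_filter on the question's filter reports the second group sitting outside the AND, which is the kind of error the query window hides behind zero results.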