Reputation: 850
I need an LDAP query that will determine if a user has null values for any of the following attributes: department, employeeID and Last Name (sn). Using Active Directory Users and Computers console, I can use the graphical Find utility and then under the Advanced tab construct a query to add all three of these search attributes to a Conditions list with a Condition of "Not Present" and it will find all users missing all three of these values. But, it won't find users missing just one of these values or two of the three values. It only finds users missing all three values. How do I find all users missing at least one, or two, or all three values all together in my final search result?
Upvotes: 0
Views: 1733
Reputation: 40898
That graphical find interface joins the conditions with AND. You want OR. So you'll have to write the LDAP query yourself. Click on the Advanced tab, and you can paste this in:
(&(objectClass=user)(objectCategory=person)(|(!department=*)(!employeeID=*)(!sn=*)))
The first part that looks at objectClass and objectCategory limits your search to only users. The rest checks if any of those attributes are not set.
There is a good summary of how to build LDAP queries here: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
Upvotes: 3
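To see why the AND-joined conditions return only users missing all three attributes while the OR filter returns users missing at least one, here is an added example (not part of the answer above) that evaluates both filters offline. The entries are constructed sample data, `objectCategory` is simplified to a plain string, and the small parser handles only presence and equality tests, in both the answer's `(!department=*)` form and the RFC 4515 `(!(department=*))` form.

```python
# Added example: minimal LDAP filter evaluator (presence and equality only).
def item(text):
    attr, value = text.split("=", 1)
    return ("=", attr.lower(), value)

def parse(f, i=0):
    """Parse the filter at f[i] == '('; return (node, index after its ')')."""
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    if f[i] == "!" and f[i + 1] == "(":      # RFC 4515 form: (!(attr=*))
        kid, i = parse(f, i + 1)
        return ("!", kid), i + 1
    end = f.index(")", i)
    if f[i] == "!":                          # form used in the answer: (!attr=*)
        return ("!", item(f[i + 1:end])), end + 1
    return item(f[i:end]), end + 1

def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1], entry)
    values = entry.get(node[1], [])          # attribute not set -> no values
    return bool(values) if node[2] == "*" else node[2].lower() in (v.lower() for v in values)

def search(filter_text, entries):
    tree, _ = parse(filter_text)
    return sorted(n for n, e in entries.items() if matches(tree, e))

USER = {"objectclass": ["top", "person", "organizationalPerson", "user"],
        "objectcategory": ["person"]}
ENTRIES = {  # constructed sample entries; attribute names lower-cased
    "alice": {**USER, "department": ["IT"], "employeeid": ["1001"], "sn": ["Ng"]},
    "bob":   {**USER, "department": ["IT"], "sn": ["Ortiz"]},   # no employeeID
    "carol": {**USER, "sn": ["Diaz"]},                          # missing two
    "dave":  {**USER},                                          # missing all three
    "pc01$": {"objectclass": USER["objectclass"] + ["computer"],
              "objectcategory": ["computer"]},                  # computer account
}
AND_FILTER = "(&(objectClass=user)(objectCategory=person)(!department=*)(!employeeID=*)(!sn=*))"
OR_FILTER = "(&(objectClass=user)(objectCategory=person)(|(!department=*)(!employeeID=*)(!sn=*)))"
print("AND:", search(AND_FILTER, ENTRIES), "OR:", search(OR_FILTER, ENTRIES))
```

The constructed computer account carries `user` in its objectClass, so dropping the objectCategory test would pull it into the results as well.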