Re: Queries



See inline below:

"Nick Skoy" <nskoy@xxxxxxxxxxxx> wrote in message
news:385FCF93-B787-4944-A876-40EE0FD4E52F@xxxxxxxxxxxxxxxx
I am new to LDAP queries, and for the life of me, I can't find an easy way
to run 2 different queries.

1) Member Of Domain Admins
a) Accounts that are members of the Domain Admins Group

(memberOf=cn=Domain Admins,cn=Users,dc=MyDomain,dc=com)

b) Accounts that are not disabled

(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))

To combine these, use the & (AND) operator (watch line wrapping, this is one
line):

(&(memberOf=cn=Domain Admins,cn=Users,dc=MyDomain,dc=com)(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))


2) Member of Domain Users
a) Accounts that are members of the Domain Users Group

(memberOf=cn=Domain Users,cn=Users,dc=MyDomain,dc=com)

b) Accounts that are not disabled

(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))

c) Accounts that do not contain specific words in the description of
the account

(&(objectCategory=person)(objectClass=user)(!description=*test*))

where "!" is the NOT operator and * is the wildcard character. This example
returns all user objects where description does not include the string
"test". Again, the query clauses can be combined using & (AND) or | (OR).
Make sure the Distinguished Names of the groups are correct for your domain.


I hope I am asking this in the right place.

Thanks ahead of time
-Nick

For more on using ADO to query AD, see this link:

http://www.rlmueller.net/ADOSearchTips.htm

These query clauses can also be used in command line utilities, or to filter
objects in ADUC.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
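
Added example, not part of Richard Mueller's reply: the combined filter from the thread, built in Python with RFC 4515 value escaping and checked against constructed sample entries so it runs without a directory. The names escape, enabled_members, matches, audit and SAMPLE are made up for this illustration, and NOT is written in the fully parenthesized form (!(...)) that strict LDAP clients require.

```python
BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND matching rule used in the thread
ACCOUNTDISABLE = 0x2                # the userAccountControl bit the thread tests

def escape(value):
    """RFC 4515 escaping, so supplied text cannot add or close filter clauses."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def enabled_members(group_dn, excluded_words=()):
    """Filter for enabled users in group_dn whose description has none of the words."""
    clauses = [
        "(memberOf=%s)" % escape(group_dn),
        "(objectCategory=person)",
        "(objectClass=user)",
        "(!(userAccountControl:%s:=%d))" % (BIT_AND, ACCOUNTDISABLE),
    ]
    clauses += ["(!(description=*%s*))" % escape(w) for w in excluded_words]
    return "(&" + "".join(clauses) + ")"

def matches(entry, group_dn, excluded_words=()):
    """Apply the same conditions locally to one constructed user entry (a dict)."""
    member = group_dn.lower() in (dn.lower() for dn in entry.get("memberOf", []))
    disabled = (entry["userAccountControl"] & ACCOUNTDISABLE) == ACCOUNTDISABLE
    text = entry.get("description", "").lower()  # no description: nothing to match
    flagged = any(w.lower() in text for w in excluded_words)
    return member and not disabled and not flagged

# Constructed sample data (all user objects); the DN is the thread's placeholder.
ADMINS = "cn=Domain Admins,cn=Users,dc=MyDomain,dc=com"
SAMPLE = [
    {"cn": "alice", "userAccountControl": 512, "memberOf": [ADMINS]},
    {"cn": "bob", "userAccountControl": 514, "memberOf": [ADMINS]},  # 512 | 2
    {"cn": "carol", "userAccountControl": 66048, "memberOf": [ADMINS],
     "description": "Test account"},
    {"cn": "dave", "userAccountControl": 512, "memberOf": []},
]

def audit(words=()):
    """Names of the sample entries the filter conditions would return."""
    return [e["cn"] for e in SAMPLE if matches(e, ADMINS, words)]

if __name__ == "__main__":
    print(enabled_members(ADMINS, ["test"]))
    print(audit(["test"]))
```

In Active Directory, memberOf lists direct memberships only and does not include an account's primary group (normally Domain Users, primaryGroupID 513), so nested members and primary-group members are not matched by these clauses.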

