Re: Querying AD



In general, the best thing to do here would probably be to find the user
object you are looking for (perhaps via a search with just sAMAccountName)
and then just look in the memberOf to see if the DN is there. You could
also search for the group based on its CN or sAMAccountName and see what its
DN actually is.

Learning a few things about how to use this tool to help you will serve you
well in your future efforts.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Jim in Arizona" <tiltowait@xxxxxxxxxxx> wrote in message
news:OKdZCzBlIHA.2276@xxxxxxxxxxxxxxxxxxxxxxx
I fired up ldp.exe like you suggested then connected and bound to our main
DC. (this is the first time I've used this tool)

When doing a search for base DN of

CN=test,OU=testou1,DC=corp,DC=mydomain,DC=com

I do get a positive return. But, when I try:

CN=test,OU=testou1,OU=testou2,DC=corp,DC=mydomain,DC=com

It returns 0 entries.

When I look at the properties of the 2nd OU (by right clicking on it in AD
Users and Computers), under the Object tab, I get this:

corp.mydomain.com/testou1/testou2

Yep, I'm lost now. Is my DN malformed (OU=testou1,OU=testou2)?

I'll take this up with the ADSI group if necessary but I was hoping to
resolve it here before I took it deeper.

Thanks Joe!



"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ePvl9lBlIHA.2268@xxxxxxxxxxxxxxxxxxxxxxx
Are you sure that the value you are using for memberOf in your filter is
the actual DN of the group?

I recommend using a lower level LDAP query tool like ldp.exe for testing
these types of queries and examining the actual values of attributes in
AD objects so you can see what is really going on.

I also recommend you redirect these types of questions to the
ms.public.adsi.general group as that is where most of the AD programming
discussions go on. It isn't a big deal, but this type of question is
less likely to get lost there.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
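
Added example, not code from the thread or its participants: a Python sketch of the checks discussed above. It turns the path shown on the ADUC Object tab into a DN, compares a group DN against memberOf values already read from the user object, and builds the memberOf filter with RFC 4515 escaping. All function names, `ExampleGroup` and the sample memberOf values are constructed, and the path conversion assumes every component is an OU.

```python
import re

def canonical_to_dn(canonical, leaf_rdn=""):
    """Convert an ADUC Object-tab path (domain/parent/child) to a DN.
    Assumption: every path component is an OU; a container would be CN=."""
    domain, *path = canonical.strip("/").split("/")
    rdns = [leaf_rdn] if leaf_rdn else []
    rdns += ["OU=" + p for p in reversed(path)]  # deepest OU comes first in a DN
    rdns += ["DC=" + label for label in domain.split(".")]
    return ",".join(rdns)

def normalize_dn(dn):
    """Simplified comparison form: lower-cased, no padding around the commas
    that separate RDNs (a comma escaped with a backslash is left alone)."""
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def is_direct_member(member_of, group_dn):
    """True if group_dn is among the user's memberOf values (direct groups only)."""
    return normalize_dn(group_dn) in {normalize_dn(v) for v in member_of}

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def member_filter(sam_account_name, group_dn):
    """Filter matching the user only if memberOf holds exactly this group DN."""
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(sam_account_name), escape_filter_value(group_dn))

# Constructed sample data: memberOf values as they would be read from a user object.
SAMPLE_MEMBER_OF = [
    "CN=ExampleGroup,OU=testou2,OU=testou1,DC=corp,DC=mydomain,DC=com",
    "CN=Other Group,OU=testou1,DC=corp,DC=mydomain,DC=com",
]

if __name__ == "__main__":
    dn = canonical_to_dn("corp.mydomain.com/testou1/testou2", "CN=ExampleGroup")
    print(dn)
    print(is_direct_member(SAMPLE_MEMBER_OF, dn))
    print(member_filter("jim", dn))
```

The DN comparison here is a simplification for reading ldp.exe output side by side; the directory itself does the authoritative matching when the filter is sent.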