Re: LDAP query returns data in parent domain but not from child do

"Howard Bullock" <HowardBullock@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8C5FC609-482E-4EE8-A077-023EEDE403F3@xxxxxxxxxxxxxxxx


"Howard Bullock" wrote:


Using the GC did not seem to work. Although the ADO object RecordCount
reports one row was returned, I could not retrieve any data from the
object. It appears to be empty.

This acts like my failed query; no error just no data.

There still seems to be a simple issue that should be resolvable. If the
query of the parent domain works:
select objectSid from 'LDAP://dc=company,dc=com' where memberof
='CN=somegroup,CN=Users,DC=company,DC=com'

Then why wouldn't the same query construct, pointed to a child AD domain,
work as well?

This fails:
select objectSid from 'LDAP://dc=child,dc=company,dc=com' where memberof
='CN=GatdWillHamatyU,CN=Users,DC=child,DC=company,DC=com'

The groups in question could be any group type.

Are there other binding options that make sense?
Do LDAP queries to child domains default to using the parent domain's
available GC entries?


After further reflection, I think that the MemberOf property is associated
with the user account in the parent domain. Therefore, querying for
memberOf=somegroup in a child domain where the accounts reside in the parent
makes little sense.

Would you agree?

So my question becomes: What is an efficient ADO query that would list the
members of a local group (or any group) in a child domain where most of the
members are accounts from the parent domain?

I do not want to use ADSI GetObject and the Members method as it is very
inefficient, consuming excessive memory for the IDispatch objects.

Maybe the issue is that these are Domain Local Groups. Users in other
domains can be members of these groups, but the groups are not visible in
other domains. I think you must retrieve the member attribute of the group
object. ADO returns this attribute value as an array of distinguished names.
However, it makes more sense to bind to the group directly and enumerate the
member attribute, which is multi-valued. No need to search when you know the
group DN.

The Members method must bind to every member, which takes time. Retrieving
the member attribute should be fast.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
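An added example, not from the thread, showing Richard's suggestion in VBScript: bind to Howard's child-domain group by its DN and read the multi-valued member attribute with GetEx instead of calling Members. The 1500-value slice size and the "range=low-*" name of the final slice follow AD's ranged-attribute retrieval syntax and are assumptions about the server's MaxValRange limit.

```vbscript
' Added example: read a child-domain group's multi-valued member attribute
' straight from the group object, without binding to each member.
' Assumes the DC returns at most 1500 values per request (MaxValRange).
Option Explicit
Dim strGroupDN, objGroup, intLow, intHigh, intStep, strRange
Dim arrMembers, strDN, blnLast, intCount

strGroupDN = "CN=GatdWillHamatyU,CN=Users,DC=child,DC=company,DC=com"
Set objGroup = GetObject("LDAP://" & strGroupDN)

intStep = 1500
intLow = 0
intHigh = intLow + intStep - 1
blnLast = False
intCount = 0

Do Until blnLast
    ' Request one slice of the member attribute using range retrieval.
    strRange = "member;range=" & intLow & "-" & intHigh
    On Error Resume Next
    objGroup.GetInfoEx Array(strRange), 0
    arrMembers = objGroup.GetEx(strRange)
    If Err.Number <> 0 Then
        ' The server names the final slice "range=low-*"; retry with that.
        Err.Clear
        strRange = "member;range=" & intLow & "-*"
        objGroup.GetInfoEx Array(strRange), 0
        arrMembers = objGroup.GetEx(strRange)
        If Err.Number <> 0 Then
            ' No values left (empty group or end of list).
            Err.Clear
            On Error GoTo 0
            Exit Do
        End If
        blnLast = True
    End If
    On Error GoTo 0

    For Each strDN In arrMembers
        ' Parent-domain accounts appear here as DNs ending DC=company,DC=com.
        WScript.Echo strDN
        intCount = intCount + 1
    Next

    intLow = intHigh + 1
    intHigh = intLow + intStep - 1
Loop

WScript.Echo "Total members: " & intCount
```

Run it with cscript so the DNs go to the console; the member DNs are all the script needs, so there is no per-member bind and no IDispatch object per user.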

