A little LDAP help needed

Clayton Sutton · Dec 21, 2005

Can someone tell me what the "&" means in the below query? After I add it
into "Saved Queries" in AD Users and Computers it adds a second "&".

(&(msExchHideFromAddressLists=TRUE)(objectClass=User))

(&(&(msExchHideFromAddressLists=TRUE)(objectClass=User)))

Just trying to understand the LDAP syntax.

TIA,

Clayton

Al Mulnick · Dec 21, 2005

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/creating_a_query_filter.asp

It likely should not be adding the extra ampersand, but that would just be
saying And And. In your case, it's saying match all objects that are of
objectClass is equal to User AND msExchHideFromAddressLists is equal to
TRUE.

Al

Todd J Heron · Dec 22, 2005

It basically says show all users who are hidden from Exchange address lists.

Joe Kaplan \(MVP - ADSI\) · Dec 22, 2005

In addition to what Todd and Al said, the extra (&) in the second filter is
totally extraneous.

Joe K.

Clayton Sutton · Dec 22, 2005

Well when I copy and paste the code into the "Saved Queries" text and click
it places the second "&" it's self. I am just trying to understand the "&"
in the first place. What is it there for? Is if a verable of some kind?
It makes no sense at the begaining of the line to me.

Clayton

Joe Kaplan \(MVP - ADSI\) · Dec 22, 2005

The & and | operators are simply a way of creating queries that have
compound filter components.

For example, if you want to find users with last name of Jones, you might
do:
(&(objectCategory=person)(objectClass=user)(sn=Jones))

The three filter components are grouped together inside an (&...), meaning
that they must all be true. If we only cared if one of those was true, we
would group them in an (|....).

This grouping thing in LDAP filters can get nested many levels deep to
create more and more complex filter expressions. For example, I could do:
(&(objectCategory=person)(objectClass=user)(|(sn=Jones)(sn=Smith)))

to find all of the users whose last name is Jones or Smith. You can keep
nesting as much as you want.

I have no idea why the tool you are using adds the extra (&...) wrapper
around the query. It is redundant and adds no value in the query you
showed. It also doesn't hurt though. I'm sure there's a reason for it
having to do with the way the tool works, but I don't know.

Joe K.

Clayton Sutton · Jan 7, 2006

Thank you Joe,

Your expiation was the best I've gotten so far. In other settings I would
expect to see something like:

(objectCategory=person) & (objectClass=user) & (sn=Jones)

Not THAT I understand! But putting the *&* in front was confusing to me.
In LDAP it's kinda like a powerful *&* wrapper. Do you know of any LDAP
documents that show all of the "wrappers"?

Clayton

Joe Kaplan \(MVP - ADSI\) · Jan 7, 2006

Microsoft's documentation isn't bad:

http://msdn.microsoft.com/library/d.../ad/ad/creating_a_query_filter.asp?frame=true

The section in my book is ok too, but it is still 4 months away from the
shelves.

Other books that cover LDAP will have similar explanations.

Joe K.

Clayton Sutton · Jan 8, 2006

Thank your VERY much Joe,

You have been really helpful!

Clayton

LDAP help needed	4	Dec 14, 2005
GAL LDAP Query	5	Oct 16, 2006
Getting the LDAP descriptor from a variable user login name	2	Aug 2, 2006
help with LDAP query syntax...	1	Apr 12, 2004
SQL and/or AD Security to Query AD Database?	1	May 9, 2008
How-To create a referall object in Active Directory	1	Nov 7, 2005
LDAP Query in AD	4	Jan 16, 2004
LDAP: Add user account and user group?	1	Sep 17, 2003

A little LDAP help needed

Clayton Sutton

Al Mulnick

Todd J Heron

Joe Kaplan \(MVP - ADSI\)

Clayton Sutton

Joe Kaplan \(MVP - ADSI\)

Clayton Sutton

Joe Kaplan \(MVP - ADSI\)

Clayton Sutton

Ask a Question

Similar Threads