Display accounts wich belong to one group

[Guest]

I use ldap query. Something like this "(ObjectClass=User)(&MemberOf=MyGroup)".
Filter blocks all records.
But when I use "(ObjectClass=User)(&MemberOf=*)" filter displays almost all
accounts except those wich are only members of Domain Users or Domain Admins.
How can I get list of all accounts wich are members of MyGroup and then
export to txt file.

 

[Tim.Olsen]

"(ObjectClass=User)(&MemberOf=*)"

This should give a list of all users (and computers --computers are
also part of the User class) that are a member of at least one group.

Unless the user is in exactly one group, and that global group is set
to their primary group.

I'm sure why Domain Admins or Domain users would be missing from the
list, unless the scope of your search excluded them --for example you
started your search at OU=accounts,DC=mydomain,DC=com. That would
exclude the default location for domain admins and domain users,
"builtin", which is one level higher.

You can find sample code on listing members of a group here:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/groups/adgpvb13.mspx

 

[Richard Mueller]

Hi,

The memberOf attribute has DN syntax. It is a multi-valued attribute that
has the Distinguished Names of all groups the object is a direct member of,
except the "primary" group of the object. In an LDAP search, you must
specify the full DN of the member. For example:

(&(objectCategory=person)(objectClass=user)(memberOf=cn=Sales,ou=West,dc=MyDomain,dc=com))

The only wildcard you can use is to check if the memberOf attribute has any
value, such as:

(&(objectCategory=person)(objectClass=user)(memberOf=*))

This will return all user objects where memberOf is not Null. This would be
all users except those whose only group membership is their "primary" group.

 

[Guest]

(&(objectCategory=person)(objectClass=user)(memberOf=cn=Sales,ou=West,dc=MyDomain,dc=com))

I use your sample and it return empty list.
The same happen when I use filter option in active derectory users and
computers.
Custom filter return emty list whatever group name I use. And only with
wildcard filter return accounts.
I did following:
In View->Filter Options choose custom filter.
Choose Field->User->Group Membership
In field "condition" I choose "Start with" and in field Value enter Group name
May be I did something wrong?

 

[Joe Richards [MVP]]

Richard's filter should work for any groups which are not used as primary groups
(such as domain admins and domain users). Primary groups are maintained in AD in
a different way and do not show up in the member attribute of the group nor the
memberof backlink.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Tim.Olsen]

I just tried the way you suggest, it looks like ADUC generates a bad
query string. The query builder doesn't seem to respect the attribute
syntax. In my test, using the process you outline it generated:

(&(objectCategory=user)(memberOf=PC*))

which we know is bad because it doesn't follow the syntax of the
memberof attribute. So you're not doing anything wrong, the query
builder just isn't very smart.

So here's an alternative way to create the query you want.
In aduc under saved queries
1) create a new query; call it what you want.
2) hit Define query button
3) On the "Find Custom Search dialog" choose "Custom Search" from the
drop down
4) Hit the advanced tab.
5) Paste in Richard's sample. (Rembmer to replace the sample DN in
Richard's sample with the DN of one of your groups)
6) Choose ok, close the menus and double click the new query to run
it.

You should get what you want.

Regards.

 

[Joe Richards [MVP]]

The objectcategory=user is bugged, they should be correcting that in LH or LH R2.

The memberof=PC* indicates that the value was entered as a wildcard in the GUI.
You can't wildcard that at all. The GUI I guess should not allow you to enter
what you want and instead make you pick a specific group.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Guest]

Thank you very much. I did what I need.
Last question. Can get list of users who are only members of primary group?

 

[Richard Mueller]

Thank you very much. I did what I need.
Last question. Can get list of users who are only members of primary
group?

To retrieve all users whose only group membership is their primary group:

(&(objectCategory=person)(objectClass=user)(!memberOf=*))

The "!" is the Not operator. This returns all users that have no values in
the memberOf multi-valued attribute. Or, as Joe would prefer (but I have to
keep looking up):

(&(sAMAccountType=805306368)(!memberOf=*))