Saved LDAP Query Locked Out Specific OU - active-directory

Currently I can do this in powershell via this script:
Search-ADAccount -LockedOut -SearchBase 'OU=location,OU=country,DC=company,DC=com' | ft Name, SamAccountName, LastLogonDate
I would rather have it in a LDAP saved query, I found this one to display all locked out accounts in the company:
(&(&(ObjectCategory=Person)(ObjectClass=User)(LockoutTime>=1)))
I have tried a number of combinations, but I can't seem to get it right. Here is one of them:
(&(&(ObjectCategory=Person)(ObjectClass=User)(memberof=OU=location,OU=country,DC=company,DC=com)(LockoutTime>=1)))
What am I doing wrong?

As information, when you create a new query, you have the option of specifying the "query root"... by drilling down with that, I was able to achieve the desired goal. I didn't have to modify the query string at all.

Get no result from LDAP query

I am trying to filter out employees from a specific OU via LDAP.
The problem is that the OU contains spaces.
By itself, with \20 between the respective words, this OU should be resolved and be able to be found.
Furthermore, there is no CN in the respective OU.
What I have tried so far is the following:
(&(objectCategory=person)(objectClass=user)(ou=test\20user\20accounts,dc=lab,dc=local))
Unfortunately I only get an empty output.
The search base is missing and I don't know how to implement it in the LDAP query.
With PowerShell I don't have any issues getting what I want:
Get-ADObject -LDAPFilter "(ObjectClass=user)" -SearchBase "ou=test\20user\20accounts,dc=lab,dc=local" -Properties * |`
? {$_.ObjectCategory -like "cn=Person*" }| select name,objectclass,ObjectCategory | fl
I appreciate any advice :)
Thanks in advance
To search for users in an OU, set the search root of your query (sometimes called Base DN) to the OU. It cannot be done in the filter.
The memberOf attribute is used for groups, not OUs.
You do not supply enough information to make an accurate assessment.
What are you looking for within OU=Test User Accounts,DC=Lab,DC=local?
"I wanna get all the members of the OU Test User Accounts"
This should get all "Users" (sAMAccountType=805306368) in the container "OU=Test User Accounts,DC=Lab,DC=local" (with some tweaking to fit your server and credentials):
ldapsearch -H ldap://server.example.com -D "cn=exampleuser,dc=example,dc=com" -w secret -b "OU=Test User Accounts,DC=Lab,DC=local" -s sub "(sAMAccountType=805306368)"
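As an added example (not code from either poster), here is the scoping both of the questions above need, done with the RSAT ActiveDirectory module: the OU goes in -SearchBase (the saved query's "query root") and the filter only describes the objects. It runs the lockout filter from the first question against the OU with spaces from the second, and also checks whether each lockout is still in force, because lockoutTime is not cleared when the lockout duration expires, only on the next successful logon. The DN is a placeholder.

```powershell
Import-Module ActiveDirectory

# Placeholder search base (the OU from the second question). AD also accepts
# the escaped form "ou=test\20user\20accounts,..."; spaces inside a DN value
# need no escaping, only leading or trailing ones do.
$searchBase = 'OU=Test User Accounts,DC=lab,DC=local'

# The saved-query filter from the first question, unchanged: the OU is not part
# of it. memberOf holds group DNs, so (memberOf=OU=...) can never match.
$filter = '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'

# lockoutTime is only reset on the next successful logon, so a value >= 1 may
# be stale once the domain lockout duration has passed. A duration of zero
# (or less) means the account stays locked until an administrator unlocks it.
# Fine-grained password policies (PSOs) can override this per user.
$lockoutDuration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration

Get-ADUser -LDAPFilter $filter -SearchBase $searchBase -SearchScope Subtree `
           -Properties lockoutTime, LastLogonDate |
    ForEach-Object {
        # lockoutTime is a FILETIME (100 ns ticks since 1601), returned as Int64
        $lockedAt = [DateTime]::FromFileTime($_.lockoutTime)
        [PSCustomObject]@{
            Name           = $_.Name
            SamAccountName = $_.SamAccountName
            LockedAt       = $lockedAt
            StillLocked    = ($lockoutDuration -le [TimeSpan]::Zero) -or
                             ((Get-Date) -lt ($lockedAt + $lockoutDuration))
            LastLogonDate  = $_.LastLogonDate
        }
    } | Format-Table -AutoSize
```

Search-ADAccount -LockedOut applies the same expiry logic internally, which is why its list can be shorter than a raw (lockoutTime>=1) query.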

Add a value to all users in AD

I am trying to set up dynamic distribution lists at the company I work for.
I want to use the company value in AD for a distribution list that everyone in the company needs to be part of.
Most of our users have the name of the company as the value, but after checking some users it appears that this value is not set for all users.
Is there a way to set this value for all AD users (by using powershell f.e), or get a list of users where the company value is not set to the company name?
You can use the PowerShell ActiveDirectory module, which is included in the Remote Server Administration Tools (RSAT). Details on how to install it are here.
Then you can use Get-ADUser and pipe the results into Set-ADUser. Something like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'"
$badusers | Set-ADUser -Company "Your Company Name"
You could do this in one line, but I split it into two so you can inspect the $badusers collection to actually see the users that you changed (just type $badusers into the PowerShell prompt and hit enter).
It may be wise to limit it to, say, 5 or 10 users just to make sure it works the way you want before attempting to change every user. You can do this by adding -ResultSetSize 5 to the Get-ADUser line.
This also assumes you want to change all user objects to have your company name, even administrative accounts. Keep in mind that this will stop processing users if it hits one that you don't have permission to modify. If you want to limit it to a single OU, you can use the -SearchBase parameter of Get-ADUser, like this:
$badusers = Get-ADUser -Filter "company -ne 'Your Company Name'" -SearchBase "OU=Users,DC=example,DC=com"
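An added example, not the answerer's code, that turns the two lines above into a reviewable batch: it previews the affected users first, then updates them one at a time under -WhatIf so that a single access-denied error is recorded instead of aborting the whole run. The company name and OU DN are placeholders; it assumes the RSAT ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

$company    = 'Your Company Name'              # placeholder
$searchBase = 'OU=Users,DC=example,DC=com'     # placeholder

# -ne translates to an LDAP (!(company=...)) clause, so it also matches users
# whose company attribute is absent. company is not in the default attribute
# set, hence -Properties.
$badUsers = @(Get-ADUser -Filter "company -ne '$company'" -SearchBase $searchBase `
                         -Properties company)

"{0} user(s) in {1} do not have company = '{2}'" -f $badUsers.Count, $searchBase, $company
$badUsers | Select-Object SamAccountName, DistinguishedName, company | Format-Table -AutoSize

# One Set-ADUser per user: a permission error on one object is caught and
# logged rather than stopping the pipeline. Remove -WhatIf once the preview
# (and the list above) look right.
$failed = foreach ($u in $badUsers) {
    try {
        Set-ADUser -Identity $u -Company $company -WhatIf
    } catch {
        [PSCustomObject]@{ User = $u.SamAccountName; Error = $_.Exception.Message }
    }
}
$failed | Format-Table -AutoSize
```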

LDAP memberOf returns no results

I'm trying to create a custom query in ADUC to help me index administrators in my system. I've narrowed down security groups that I need to list the members of, but I'm misusing the 'memberOf' attribute in some way which breaks the query.
(objectClass=user)(objectCategory=user)(memberOf=*)
The above query works fine to return all users, but when I change the wildcard to anything else (ex. (memberOf=*Administrators*)), the query returns no objects.
I have confirmed that there is a relevant Security Group for this query to get users from. I am aware that it does not work for Primary Groups or nested users, and I am simply trying to get it working on a basic level right now. Anyone know how to have the code return users that are a member of the security group?
Unfortunately, you cannot use the wildcard * character to filter distinguishedName attributes. The reason for this is the X.500 Standard.
http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
Perhaps Powershell can be handy. Something like this could do the trick:
#for just one group
get-adgroupmember -Recursive -Identity "domain admins"
#for a batch of groups
$adminsgroups = "Enterprise Admins","Domain admins"
foreach ($admingroup in $adminsgroups)
{
#with the recursive switch you get nested group members
get-adgroupmember -Recursive -Identity $admingroup
}
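An added example (not the answerer's code) for the case where the query has to stay an LDAP filter, as in an ADUC custom query: memberOf cannot take a wildcard, but it can take the full group DN, and with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) an exact-match clause also follows nested group membership. The group names are placeholders; it assumes the RSAT ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

$groups = 'Domain Admins', 'Enterprise Admins'   # placeholders

# RFC 4515: these characters must be hex-escaped inside a filter value.
function ConvertTo-LdapFilterValue([string]$value) {
    $value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# memberOf only matches on the exact group DN, so resolve each name to its DN.
# The :1.2.840.113556.1.4.1941: matching rule makes the clause match users who
# are members through any chain of nested groups, not just direct members.
$clauses = foreach ($g in $groups) {
    $dn = ConvertTo-LdapFilterValue (Get-ADGroup -Identity $g).DistinguishedName
    "(memberOf:1.2.840.113556.1.4.1941:=$dn)"
}
$filter = "(&(objectCategory=person)(objectClass=user)(|$($clauses -join '')))"
Write-Host "Filter (paste this into the ADUC custom query as well): $filter"

# Primary-group membership (primaryGroupID) is not recorded in memberOf, so a
# user whose primary group is one of these groups would still be missed.
Get-ADUser -LDAPFilter $filter -Properties memberOf |
    Select-Object Name, SamAccountName, DistinguishedName | Format-Table -AutoSize
```

The matching-rule search is evaluated server-side and can be slow on large forests, so scope it with -SearchBase where possible.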

How to query for users where one set is deeper in the tree than the other

Let's say you have two sets of users:
OU=IT Dept,OU=Groups,DC=mycompany,DC=com
OU=XYZ Corp,OU=Temp Accounts,OU=Groups,DC=mycompany,DC=com
How would you express the query for that? I tried a search base of OU=Groups,DC=mycompany,DC=com and a filter of (|(OU=IT Dept)(OU=XYZ Corp,OU=Temp Accounts)) and that didn't work.
Never had to do much with LDAP, so please excuse the somewhat open-ended question.
Let's say you have two sets of users:
OU=IT Dept,OU=Groups,DC=mycompany,DC=com
OU=XYZ Corp,OU=Temp Accounts,OU=Groups,DC=mycompany,DC=com
These are not valid distinguishedNames for user objects.
User objects are stored in some parent container (like OUs), and their distinguishedName starts with CN. OUs are top level containers which contain child objects like users, computers, child OUs, etc.
I tried a search base of OU=Groups,DC=mycompany,DC=com and a filter of
(|(OU=IT Dept)(OU=XYZ Corp,OU=Temp Accounts)) and that didn't work.
Your filter didn't work because you didn't select the appropriate filtering conditions. You need to apply the filter for (objectCategory=person) or (objectCategory=user). You can also use objectClass as the filtering parameter instead of objectCategory. Check the link Filter on objectCategory and objectClass to know in detail.
How would you express the query for that?
Assuming your users are as below:
CN=Firstname lastname,OU=IT Dept,OU=Groups,DC=mycompany,DC=com
CN=Firstname lastname,OU=XYZ Corp,OU=Temp Accounts,OU=Groups,DC=mycompany,DC=com
Then your LDAP query should have SearchBase set to what you currently have (OU=Groups,DC=mycompany,DC=com), and filter on (|(objectCategory=person)(objectCategory=user)) and any additional filter if you'd like, e.g., you may want to search by sAMAccountName, name, etc.
As highlighted in the second para, you can also use objectClass as the filter type to get the desired result.

dsget all domain users

I am trying to get all the members of my domain using
dsget group "CN=Domain Users,CN=Users,DC=cms,DC=local" -members -expand
But it returns an empty result. How can this be? If I look up the Domain Users in the AD GUI and view its members, I get the full list without problems.
Why is the command not working?
It's just explained by the fact that the member attribute of Domain Users does not contain any user. This group looks like a dynamic group based on a query.
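An added example, not the answerer's code, that shows where the membership actually lives: a user's primary group is recorded in the user's own primaryGroupID attribute (the group's RID, 513 for Domain Users) rather than in the group's member attribute, so a search on primaryGroupID returns the users that dsget -members does not. It assumes the RSAT ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

# primaryGroupToken is the group's RID; read it rather than hardcoding 513 so
# the same code works for any group used as a primary group (e.g. Domain Computers).
$group = Get-ADGroup -Identity 'Domain Users' -Properties member, primaryGroupToken
$rid   = $group.primaryGroupToken

# Users whose primary group is this group: no entry in the group's member
# attribute, so dsget / a plain member lookup shows nothing for them.
$byPrimaryGroup = @(Get-ADUser -LDAPFilter "(primaryGroupID=$rid)")

# Users that were added explicitly (rare for Domain Users, but possible).
$byMemberAttr = @($group.member)

"{0}: {1} user(s) via primaryGroupID={2}, {3} entries in member" -f
    $group.Name, $byPrimaryGroup.Count, $rid, $byMemberAttr.Count

# Get-ADGroupMember combines both sources, which is why the GUI shows the full list.
$byPrimaryGroup | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

The same applies to Domain Computers (RID 515) and Domain Guests (RID 514): querying the member attribute alone under-reports their membership.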

Resources