Searching Group Members in Active Directory


  • Searching Group Members in Active Directory

    I am currently experiencing a strange issue when using the find utility in Active Directory. My problem is this: I have created some users in an OU, I have then added a group called Sales, and added a number of users to the group called Sales. I then want to search Active Directory for all users that are members of the group called Sales. Ultimately my purpose is to filter out these users for a recipient policy in Exchange. Using a custom search I try to build a search query to find all the users in the group called Sales. I have tried searching for users being a member of the group called Sales and no results are returned. I have also tried searching for group members of the group called Sales. I know there are users that are members of this group but nothing is being returned. I have been trying for days now to resolve this problem. It seems such a simple thing to do, but I am getting nowhere. Any pointers would be gratefully appreciated.

    Cheers,

    Jewen.

  • #2
    Re: Searching Group Members in Active Directory

    For the group you must use the distinguished name:

    ADU&C / Saved Queries / Define --> Custom Search / Advanced
    Code:
    (&(objectCategory=person)(ObjectClass=user)(memberof=CN=Sales,OU=Path,DC=domain,DC=local))

    \Rems
    Last edited by Rems; 28th September 2007, 19:05. Reason: wrapped the string between [code] tags, to be able to show the correct syntax

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3
      Re: Searching Group Members in Active Directory

      I am sorry that I am unable to search for users using saved queries as there doesn't seem to be a way of inputting a value for users being a member of a particular group. I don't want to find one user on its own as such but hopefully multiple users in a group. If I select the group only as the filter, the policy only seems to be applied to the group object itself. I want to apply it to all of the users that are members of the group called Sales. The group exists and can be found but I want to find the members of the group.

      I feel that this is such a simple query to build even in the ADUC find utility, but regardless of what I do I cannot filter down to the level of users that are members of a particular group. Can it not be done???

      Regards

      Ewen.



      • #4
        Re: Searching Group Members in Active Directory

        Ewen, have you tried the query I showed??? And are you sure that you have changed the distinguished name of the group for your situation?
        Because the query will show you *all* users that are a direct member of that group.

        Can you show us the queries you are testing with?
        (btw are you using 'Saved Queries' or not??)

        When you are using 'Saved Queries' (or, the same if you are going to use 'a Recipient Policy') the only way to get a list of users that are members is by searching among users to see if they have a membership.
        The query searches for all user-objects and reads the "MemberOf" attribute of each user. If the attribute contains the distinguished name of the group you are looking for, the user will be included in the list of results.

        But instead, if you would be searching the Active Directory for a group-object where the name of the group is Sales, then the result will show just one row with the name of the group.
        And on that row you cannot see the attribute "Members" because there is no way in ADU&C to add a column for that. And even if there was, then the distinguished names of all the members would show up just on that same and only row. The row would be very, very long and useless.


        If you are going to create 'a Recipient Policy', then you are aiming for objects or object types that have an email address (mailnickname=*).
        Now if you want to set this Policy only on those objects that are members of certain group(s) (or, depending on your wish, maybe you want to exclude those if they are members) then you check the attribute 'memberof' of each found object to see if there is a match.
        The same thing as when you want to set this policy only on user-objects and not on contacts or mail-enabled groups or mail-enabled public folders: then you set a condition for the ObjectClass attribute. ...and so on


        Note: These kinds of queries cannot deal with 'indirect' memberships! (What I mean is, the objects that are members of another group which is nested in the Sales group are not direct members of Sales; those objects are not automatically recognized by the query.)


        \Rems
        Last edited by Rems; 13th September 2007, 18:11. Reason: deleted a space in memberof (that was copied from my previous reply)



        • #5
          Re: Searching Group Members in Active Directory

          Hi, thanks for the reply. I did try to use the query that was supplied. This is what I used.

          (&(objectCategory=person)(ObjectClass=user)(memb er of=CN=sales,OU=test,DC=mydomain,DC=local))

          The users in the group I am looking for =sales
          The OU container=test
          The domain=mydomain.local
          Still no results?

          Further to this I added the organisation name that relates to the users into the properties of the users. Just call the company abc. I then went into Active Directory and clicked on Find, chose custom search, selected field name, then chose company name. I then entered abc, added the fields, clicked on find and lo and behold all the users that I required to find were there. I then went into Exchange and created a new recipient policy and modified the policy. I used the same search and again it found the users that I required. I changed the email details to the suffix that I required and set it as primary. I then clicked OK and applied the policy and it worked. Now this is fine as long as I remember to input the company name in each user's properties. I know I can do a multiple select after creating the users and only add it one time. This will suffice me for now as a resolution.

          However I am still baffled by what the custom search field does when you select the following:

          user - member of - Is exactly and I input the value = sales

          It returns absolutely nothing! even though as I have said in my previous post that the users exist and are members of the group sales.

          Thanks again,

          jewen.



          • #6
            Re: Searching Group Members in Active Directory

            Ooh, believe it or not, it is this forum that caused a syntax error!
            If you quote my first reply you will be able to see there is no space in "memberof".

            Long words will be automatically broken here, as you can also see in your last reply.
            Sorry for that, I didn't notice it myself because it was broken so well.

            It is better to [code] the part of the text that contains lines of code.

            try this:
            Code:
            (objectCategory=person)(ObjectClass=user)(memberof=CN=Sales,OU=Path,DC=domain,DC=local)
            \Rems



            • #7
              Re: Searching Group Members in Active Directory

              Thank you very much Rems, finally it works, however the full syntax you posted the second time around missed out a couple of brackets and an ampersand. I am now getting somewhere. I didn't think that I would have had to go down to such a low level query to get my results for users in a group. Seems like I have to learn more about LDAP queries and syntax.

              This is what worked for me.

              (&(objectCategory=person)(ObjectClass=user)(member of=CN=Sales,OU=test,DC=mydomain,DC=local))
              Thanks again,

              Jewen.



              • #8
                Re: Searching Group Members in Active Directory

                Hmm, "memberof" was again split.
                It only works with: [CODE]lines containing code or long paths[/CODE]


                Originally posted by jewen
                Thank you very much Rems, finally it works, however the full syntax you posted the second time around missed out a couple of brackets and an ampersand.
                You are right, the ampersand must be there in the query string!! But 'Saved Queries' will add it anyway. It will be doubled then; that is why I could, and did, leave it out of the string here (a double set of brackets and an ampersand would be harmless though, and is better than none).

                I didn't think that I would have had to go down to such a low level query to get my results for users in a group.
                Well, that depends on the query tool. In 'Saved Queries' and in 'Recipient Views/Policies' it can only be done by filtering the targets. But if you would use a vbScript to retrieve a list of members, you can search for the group by its name, read the content of the 'Members' attribute as an array, loop through that array to show the members one by one, or connect to only these specific users one by one to get more info on them.

                \Rems
                Last edited by Rems; 13th September 2007, 20:16. Reason: remark: "memberof" showed again as "member of"



                • #9
                  Re: Searching Group Members in Active Directory

                  Just an FYI: remember that this does not take into account membership through nested groups.

                  i.e.: if there is a group called "Pre-Sales" that is member of "Sales", the users who are members of "Pre-Sales" group will not be returned by the query.
                  Guy Teverovsky
                  "Smith & Wesson - the original point and click interface"



                  • #10
                    Re: Searching Group Members in Active Directory

                    I have discovered an alternative method to get results from the inbuilt find utility in active directory:

                    To find members of a group,

                    Step 1: Right click on the domain
                    Step 2: Select find
                    Step 3: Choose Custom Search
                    Step 4: In the Field select User - Member of-
                    Step 5: For value enter the distinguished name of the group object

                    eg: CN=sales,OU=saleou,DC=testdomain,DC=local

                    Users of the group sales are then returned.

                    Probably wise to create a new saved query for future reference. Maybe previous posts were trying to explain this and I was not catching on. It was always the value input that I wasn't clear about. I was always inputting sales and nothing else. It seems that a more defined location is required.

                    Anyway thanks for the help.

                    Jewen.
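
Added example, not part of any post in this thread: a small Python model of the matching behaviour the thread works out, namely that memberOf holds distinguished names (so the bare value "sales" matches nothing), that a split attribute name matches nothing, and that members of a nested group such as Pre-Sales are not direct members. The directory contents and all function names are constructed for illustration, and treating an unknown attribute name as "no match" is a simplifying assumption.

```python
# Constructed sample directory (DN -> attributes); every name here is made up.
BASE = "OU=test,DC=mydomain,DC=local"
SALES = f"CN=Sales,{BASE}"
PRESALES = f"CN=Pre-Sales,{BASE}"
DIRECTORY = {
    SALES: {"objectclass": ["group"], "memberof": []},
    PRESALES: {"objectclass": ["group"], "memberof": [SALES]},
    f"CN=Alice,{BASE}": {"objectclass": ["user"], "memberof": [SALES]},
    f"CN=Bob,{BASE}": {"objectclass": ["user"], "memberof": [PRESALES]},
    f"CN=Carol,{BASE}": {"objectclass": ["user"], "memberof": []},
}

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def member_filter(group_dn):
    """Build the thread's filter for direct user members of one group."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf={escape_filter_value(group_dn)}))")

def matches(directory, attr, value, object_class):
    """Equality match: attribute names and DN values compare case-insensitively."""
    wanted = value.lower()
    return sorted(
        dn for dn, attrs in directory.items()
        if object_class in attrs["objectclass"]
        and wanted in (v.lower() for v in attrs.get(attr.lower(), []))
    )

def direct_members(directory, group_dn, attr="memberOf"):
    """Users whose own memberOf lists the group: what the thread's filter returns."""
    return matches(directory, attr, group_dn, "user")

def transitive_members(directory, group_dn):
    """Follow nested groups (with a visited set so membership loops terminate)."""
    seen, queue, users = set(), [group_dn], set()
    while queue:
        group = queue.pop()
        if group.lower() in seen:
            continue
        seen.add(group.lower())
        users.update(direct_members(directory, group))
        queue.extend(matches(directory, "memberOf", group, "group"))
    return sorted(users)
```

Comparing `direct_members` with `transitive_members` for the same group is a quick way to see which accounts hold a membership only through nesting, which is exactly the set a policy filter built on the direct query will miss.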
