Something like this, against a GC:
 
(|(&(objectCategory=person)(memberOf=<dn of group 01>))(&(objectCategory=person)(memberOf=<dn of group 02>))(&(objectCategory=person)(memberOf=<dn of group 03>)))
 
 
You can also do it the way you want using ASQ if you don't mind DN as the output.  Here's an example using ADFIND:
 
adfind -b "cn=group,ou=groups,dc=domain-name,dc=com" -asq member -f "objectCategory=group" member -list
 
 
--Paul
----- Original Message -----
Sent: Friday, September 22, 2006 10:02 AM
Subject: [ActiveDir] LDAP query assistance

Hello!  I work in a small company where we have need of some LDAP query assistance to identify a group of users out of AD.  We only have basic LDAP knowledge in house and our query is not finding what we need.  I would really appreciate any assistance you could lend to the following:

We are trying to identify and synchronize a group called “LLUsers” within AD with an external application, so that we can do single sign-on (AD Authentication).

Our Active Directory is structured as follows:

Parent Domain – contains global security group called “LLUsers”

            Two child domains – each contains a Global Security Group called “LLUsers”

In the Parent Domain, there is an additional Local Security Group called “LLUsersLocal” whose members are the “LLUsers” groups from all three domains.

We want to construct a single LDAP query that will return the Users from all three “LLUsers” groups.

Right now, the LDAP query we have pulls individual users added to the LLUsers group in the parent domain.

Is there a way to create a nested or “OR” query that can look in “LLUsersLocal” and pull out the individual Users in each group within?

This is the current LDAP query: (&(objectcategory=user)(memberOf=CN=LLUsers,CN=users,DC=res-ltd,DC=com))

We have tried many others – often a variation of:

(&(objectcategory=user)(|(memberOf=CN=LLUsersLocal,CN=users,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=glasgow,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=austin,DC=res-ltd,DC=com)))

Or – perhaps the AD design with Parent and Child directories makes this impossible?  We have received some advice that we should move to a flat structure with only one domain and use work groups within.


Amanda Rose, Renewable Energy Systems

[EMAIL PROTECTED] (email)
www.res-americas.com or www.res-ltd.com
