It would be nice if there were some easy way to know when not all of the info was represented when you do the ASQ... i.e. a referral or something that gets tossed so you know that there were DNs in the attribute you were ASQ'ing that couldn't be reached. Kind of scary aspect to using ASQ.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Monday, September 25, 2006 5:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP query assistance

Great answer Joe. I completely missed the multi-domain issue, thinking (as I wrote) that was only an issue for DLGs. Oh well, you've certainly refreshed my memory and answered the question admirably.

As you can tell from this, and from our off-line conversation, I'm just using ASQ all the time ('cause it's great!) - sometimes it's not appropriate : )

--Paul

----- Original Message -----
From: joe <mailto:[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org
Sent: Friday, September 22, 2006 3:53 PM
Subject: RE: [ActiveDir] LDAP query assistance

This unfortunately isn't going to work...

1. Global group membership is not maintained in the GC. Depending on the domain the GC you query hosts, your results will vary. If you hit a parent DC GC then you will see memberships for the parent (and Unis). If you hit a child DC GC, then you will see memberships of the child (and Unis).

2. An ASQ query will only work against objects in the linked attribute that are immediately available. Depending on whether you hit a GC port or the local LDAP port, and depending on the info present in that GC instance (see comments above), the results again could vary. The ASQ query does NOT cross DCs to return info. Again, since the global group membership of a domain is only maintained on a DC of that domain, this will only resolve part of the membership.

A couple of examples of ASQ in action...

G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" member

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com
>member: CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
>member: CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
>member: CN=Domain Users,CN=Users,DC=joe,DC=com

1 Objects returned

G:\Temp\delete>adfind -e -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003

dn:CN=Domain Users,CN=Users,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com

2 Objects returned

Note that the member attribute of the group has 3 members but the ASQ objectclass=* query only returns 2; that is because, doing the LDAP port 389 query, the child1 object is not available. Now change that to a GC query to a GC that is a DC for joe.com and it works:

G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* -dn

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:3268
Directory: Windows Server 2003

dn:CN=Domain Users,CN=Users,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com
dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com

3 Objects returned

But if I wanted the membership of those three global groups and tried against the same GC, you will note that the membership of the child1 domain group is not enumerated...

G:\Temp\delete>adfind -h 2k3dc02 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc02.joe.com:3268
Directory: Windows Server 2003

dn:CN=Domain Users,CN=Users,DC=joe,DC=com
>member: CN=Domain Admins,CN=Users,DC=joe,DC=com
>member: CN=administrator,CN=Users,DC=joe,DC=com

dn:CN=Exchange Domain Servers,CN=Users,DC=child1,DC=joe,DC=com

dn:CN=Exchange Domain Servers,CN=Users,DC=joe,DC=com
>member: CN=2K3EXC02,CN=Computers,DC=joe,DC=com
>member: CN=2K3EXC01,CN=Computers,DC=joe,DC=com

3 Objects returned

But turn it around and use a child1 GC and what do you think you get?

G:\Temp\delete>adfind -h 2k3dc10 -gc -b "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=joe,DC=com" -asq member -f objectclass=* member

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc10.child1.joe.com:3268
Directory: Windows Server 2003

0 Objects returned

That's right... nothing. That makes perfect sense, correct? If not, think about what group data is "guaranteed" to be in GCs and for what scope groups...

There is, unfortunately, no single LDAP query that can be posed to AD to resolve the membership of three global groups in three different domains. The proper way to handle this would be to use a single Universal group or a single Domain Local group; with both, you would add all members to the group directly, not nest. An alternate is to consolidate group membership into an alternate directory, say ADAM, where all groups are represented in ADAM and then the AD users are represented in ADAM as users or userProxies and those ADAM objects are added to those ADAM groups. Fortunately you can get all memberships of a given user or get the entire user population of a given group by querying one machine.

Depending on the actual need, you can populate ADAM with enough info that you are good to go after querying ADAM, but it is also possible you may have to go back to AD to look something up. Again, depends on what exactly you need.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul Williams
Sent: Friday, September 22, 2006 8:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] LDAP query assistance

Something like this, against a GC:

(|(&(objectCategory=person)(memberOf=<dn of group 01>))(&(objectCategory=person)(memberOf=<dn of group 02>))(&(objectCategory=person)(memberOf=<dn of group 03>)))

You can also do it the way you want using ASQ if you don't mind DN as the output. Here's an example using ADFIND:

adfind -b "cn=group,ou=groups,dc=domain-name,dc=com" -asq member -f "objectCategory=group" member -list

--Paul

----- Original Message -----
From: Amanda Rose <mailto:[EMAIL PROTECTED]>
To: ActiveDir Mailing List <mailto:ActiveDir@mail.activedir.org>
Sent: Friday, September 22, 2006 10:02 AM
Subject: [ActiveDir] LDAP query assistance

Hello!

I work in a small company where we have need of some LDAP query assistance to identify a group of users out of AD. We only have basic LDAP knowledge in house and our query is not finding what we need. I would really appreciate any assistance you could lend to the following:

We are trying to identify and synchronize a group called "LLUsers" within AD with an external application, so that we can do single sign-on (AD authentication).

Our Active Directory is structured as follows:

Parent Domain - contains global security group called "LLUsers"
Two child domains - each contains a Global Security Group called "LLUsers"

In the Parent Domain, there is an additional Local Security Group called "LLUsersLocal" whose members are the "LLUsers" groups from all three domains.

We want to construct a single LDAP query that will return the Users from all three "LLUsers" groups. Right now, the LDAP query we have pulls individual users added to the LLUsers group in the parent domain. Is there a way to create a nested or "OR" query that can look in "LLUsersLocal" and pull out the individual users in each group within?

This is the current LDAP query:

(&(objectcategory=user)(memberOf=CN=LLUsers,CN=users,DC=res-ltd,DC=com))

We have tried many others - often a variation of:

(&(objectcategory=user)(|(memberOf=CN=LLUsersLocal,CN=users,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=glasgow,DC=res-ltd,DC=com)(memberOf=CN=LLUserslocal,CN=users,DC=austin,DC=res-ltd,DC=com)))

Or - perhaps the AD design with Parent and Child directories makes this impossible? We have received some advice that we should move to a flat structure with only one domain and use work groups within.

Amanda Rose, Renewable Energy Systems
[EMAIL PROTECTED] (email)
www.res-americas.com or www.res-ltd.com
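The thread's conclusion is that no single LDAP query, and no ASQ against one GC or one DC, can expand LLUsersLocal down to the users in the child domains' LLUsers global groups, because each global group's member attribute is only held on DCs of its own domain, and that an ASQ silently drops the DNs it cannot reach. The script below is an added example (not code from the thread or from anyone in it) of the workaround that follows from that: read every member from a DC of the domain named in its own DN, recursing through nested groups and warning about any DN that cannot be read instead of dropping it. It assumes a single forest whose domains resolve in DNS, an account with read access in each domain, and the group DN Amanda posted; the function names are the example's own.

```powershell
# Added example: expand a cross-domain nested group by reading each member
# from a DC of its own domain, rather than from one GC or one DC.
# Assumes: one forest, DNS resolution of every domain, read access in each.

function ConvertTo-DnsDomain {
    # Derive the DNS domain name from the DC= components of a DN.
    # Splits on unescaped commas so a CN such as "Rose\, Amanda" stays intact.
    param([Parameter(Mandatory = $true)][string]$Dn)
    $parts = $Dn -split '(?<!\\),' | Where-Object { $_ -match '^\s*DC=' }
    return (($parts | ForEach-Object { ($_ -replace '^\s*DC=', '').Trim() }) -join '.')
}

function Get-EntryInOwnDomain {
    # "LDAP://<dnsdomain>/<dn>" makes the DC locator pick a DC of that domain,
    # which is the only place a global group's member attribute is complete.
    param([Parameter(Mandatory = $true)][string]$Dn)
    $domain = ConvertTo-DnsDomain $Dn
    return New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain/$Dn")
}

function Get-GroupMemberDns {
    # Read member with range retrieval so groups larger than the DC's
    # MaxValRange (1500 by default) are not silently truncated.
    param([Parameter(Mandatory = $true)][System.DirectoryServices.DirectoryEntry]$Group)
    $members = New-Object System.Collections.Generic.List[string]
    $low = 0
    while ($true) {
        $attr = "member;range=$low-*"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($Group, '(objectClass=*)', [string[]]@($attr), 'Base')
        $result = $searcher.FindOne()
        if ($null -eq $result) { break }
        $key = $result.Properties.PropertyNames | Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
        if (-not $key) { break }                 # empty group, or no further values
        foreach ($m in $result.Properties[$key]) { $members.Add([string]$m) }
        if ($key.EndsWith('*')) { break }        # the server marks the final block "<low>-*"
        $low = $members.Count
    }
    return $members
}

function Get-NestedUsers {
    # Recursively expand a group, following each member into its own domain.
    # $Seen guards against nested-group cycles and duplicate users.
    param(
        [Parameter(Mandatory = $true)][string]$GroupDn,
        [hashtable]$Seen = @{}
    )
    if ($Seen.ContainsKey($GroupDn)) { return }
    $Seen[$GroupDn] = $true
    $group = Get-EntryInOwnDomain $GroupDn
    foreach ($memberDn in (Get-GroupMemberDns $group)) {
        if ($Seen.ContainsKey($memberDn)) { continue }
        try {
            $member  = Get-EntryInOwnDomain $memberDn
            $classes = @($member.Properties['objectClass'].Value)   # first real bind
        } catch {
            # An ASQ would drop this DN without a trace; say so instead.
            Write-Warning "Could not read $memberDn from its own domain: $_"
            continue
        }
        if ($classes -contains 'group') {
            Get-NestedUsers -GroupDn $memberDn -Seen $Seen
        } elseif (($classes -contains 'user') -and ($classes -notcontains 'computer')) {
            $Seen[$memberDn] = $true
            New-Object PSObject -Property @{
                DistinguishedName = $memberDn
                SamAccountName    = [string]$member.Properties['sAMAccountName'].Value
                Domain            = ConvertTo-DnsDomain $memberDn
            }
        }
        $member.Dispose()
    }
    $group.Dispose()
}

# Usage: every user reachable from LLUsersLocal, including those in the child
# domains' LLUsers global groups that no single GC or DC query returns.
Get-NestedUsers -GroupDn 'CN=LLUsersLocal,CN=users,DC=res-ltd,DC=com' |
    Sort-Object Domain, SamAccountName |
    Format-Table Domain, SamAccountName, DistinguishedName -AutoSize
```

Members that are neither groups nor user objects (contacts, or foreignSecurityPrincipal entries for accounts from another forest) are skipped rather than expanded; for a domain local group fed from another forest, those SIDs would have to be resolved in that forest separately. The per-member bind is deliberate: it is what makes the membership complete, at the cost of one LDAP round trip per member, so for very large groups run it from a machine with good connectivity to every domain.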