Jump to content

LDAP Query


jazzyjeff
 Share

Recommended Posts

Hey All,

I am banging my head against a wall here trying to get an LDAP query to work, so I am hoping someone can help me out. 

GOAL: I'm trying to map drives using Item Level targeting.

CURRENT SOLUTION: An Autoit login script runs, determines the user that logs in, looks at the users group membership. If a User is a member of a group that contains the string "User-LAX" Then it will map \\server1\shareA.  If a User is a member of a group that contains the string "User-ORD" Then it will map \\server2\shareB. With the power of scripting this is easy to achieve.

PROBLEM: The active directory setup is extremely large and complex, and perhaps has not been designed with a lot of thought for situations like this. There are multiple buildings, and each building has a user code used in Security Group names i.e. User-LAX-HR, User-ORD-HR, User-LAX-Accounting, User-ORD-Accounting etc. So if they are a member of a group that contains "User-LAX", it will map the UNC path \\server1\shareA. That's the aim. Now there are potentially hundreds of groups that begin with "User-LAX", so while I could easily run an LDAP Query on each group called "User-LAX", this would take me forever to build a group policy containing all the different possibilities.

RESEARCH: I have discovered that I cannot do LDAP Query's on a distinguished name using a wild card, which really messes things up. This is how I would like the query to work, but I know it doesn't so i am looking for an alternative. &(objectcategory=user)(memberof=*User-LAX*))

POTENTIAL SOLUTION: I have just thought about this as a potential solution as I type this out, and that would be to build a script that would find all the groups that begin with "User-LAX", and then export all the members of those groups and make them members of a new groups called "User-LAX-XDrive" and then I can use ILT to map drives based on that new group membership.

 

To be honest the above solution seems like the easiest way right now, but perhaps there is something else I can do with an LDAP Query that I am missing? 

I'm reluctant to dive straight in and create a new security group, because while my previous job I was given full responsibility to do that, I'm not sure if I am given that same trust here at my new job. However, If it needs to be done then it needs to be done.

Any feedback is appreciated.

Link to comment
Share on other sites

memberOf is a distinguished name attribute. You can't search it with a wildcard search.  It must be an exact match.
Means: Retrieve all the groups the user is a member of and then process the returned array.

My UDFs and Tutorials:

Spoiler

UDFs:
Active Directory (NEW 2022-02-19 - Version 1.6.1.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2017-07-21 - Version 0.4.0.1) - Download - General Help & Support - Example Scripts
OutlookEX (2021-11-16 - Version 1.7.0.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0) - Download
Outlook Tools (2019-07-22 - Version 0.6.0.0) - Download - General Help & Support - Wiki
PowerPoint (2021-08-31 - Version 1.5.0.0) - Download - General Help & Support - Example Scripts - Wiki
Task Scheduler (NEW 2022-07-28 - Version 1.6.0.1) - Download - General Help & Support - Wiki

Standard UDFs:
Excel - Example Scripts - Wiki
Word - Wiki

Tutorials:
ADO - Wiki
WebDriver - Wiki

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...