LDAP Filtering with _AD_GetObjectsInOU

antmar904 · February 27, 2023

Hi.

I am having issues filtering accounts by CanonicalName. I'd like to add to my current filter any user object that has the word "consultant" or "contractor" in their CN. I think I have to loop through the array $aUserObjects and search for this and I might not be able to by using _AD_GetObjectsInOU, is that correct?

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!(sAMAccountName=*_dt)(cn=*contractor*)(cn=*consultant*))))", 2, "sAMAccountName,accountExpires,Name)

Edited February 27, 2023 by antmar904

water · February 27, 2023

Can't test, but I think the statement should be:

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(sAMAccountName=*_dt)(cn=*contractor*)(cn=*consultant*)))", 2, "sAMAccountName,accountExpires,Name")

| stands for OR
Had to remove a ) after "cn=*consultant*"
Closing quote after "..Name" was missing

Can you please test and if it still doesn't work, please provide @error and @extended.

Details about LDAP queries can be found here: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

antmar904 · February 28, 2023

On 2/27/2023 at 1:57 PM, water said:
Can't test, but I think the statement should be:
$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(sAMAccountName=*_dt)(cn=*contractor*)(cn=*consultant*)))", 2, "sAMAccountName,accountExpires,Name")
| stands for OR

Had to remove a ) after "cn=*consultant*"

Closing quote after "..Name" was missing

Can you please test and if it still doesn't work, please provide @error and @extended.

Details about LDAP queries can be found here: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Hi

This is not working, no errors produced it's just not returning my test account which has "Consultants" in the CN.

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!(sAMAccountName=*_dt)(|(title=*contractor*)(title=*consultant*)(description=*contractor*)(description=*consultant*)(cn=*contractor*)(cn=*consultant*))))", 2, "sAMAccountName,accountExpires,Name")

water · March 1, 2023

For debugging let's keep it as simple as possible. If it works we can add complexity.
Please try:

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(description=*contractor*))", 2, "sAMAccountName,accountExpires,Name")

If it doesn't work, can you please try

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(description=*Contractor*))", 2, "sAMAccountName,accountExpires,Name")

antmar904 · March 1, 2023

Ok, just a fyi this has been working for me all along:

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!(sAMAccountName=*_dt)(|(title=*contractor*)(title=*consultant*)(description=*contractor*)(description=*consultant*))))", 2, "sAMAccountName,accountExpires,Name")

It's when I add the two CN filters at the end that's when it does not work:

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!(sAMAccountName=*_dt)(|(title=*contractor*)(title=*consultant*)(description=*contractor*)(description=*consultant*)(cn=*contractor*)(cn=*consultant*))))", 2, "sAMAccountName,accountExpires,Name")

to answer your question this does work:

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(description=*contractor*))", 2, "sAMAccountName,accountExpires,Name")

and this works also:

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(description=*Contractor*))", 2, "sAMAccountName,accountExpires,Name")

water · March 1, 2023

This should work (according to Google):

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(cn=*Contractor*))", 2, "sAMAccountName,accountExpires,Name")

If it does work, please add filter after filter till it doesn't work any more.
In case of an error please provide @error and @extended.

antmar904 · March 2, 2023

This not returning anything and no errors:

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(cn=*Contractor*))", 2, "sAMAccountName,accountExpires,Name")

antmar904 · March 2, 2023

Even using the following returns nothing.

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(canonicalname=*Contractor*))", 2, "sAMAccountName,accountExpires,Name")

water · March 2, 2023

Test 1: When you run example script _AD_GetObjectsInOU.au3 what do you get from example 2.

Test 2: Can you please drop "accountExpires" from the list of attributes to return? IIRC this is a constructed attribute which can't be used this way.

antmar904 · March 3, 2023

I'm having more issues with this. I was also trying to connect to GC so I can also query users in our sub-domains but now it's only returning the sAMAccountName and Name. The accountExpires is missing only when connecting to Global Catalog.

Edited March 3, 2023 by antmar904

antmar904 · March 3, 2023

17 hours ago, water said:

Test 1: When you run example script _AD_GetObjectsInOU.au3 what do you get from example 2.

Test 2: Can you please drop "accountExpires" from the list of attributes to return? IIRC this is a constructed attribute which can't be used this way.

Test 1 example 2:

It successfully returns the: sAMAccountName, CN, Name

water · March 3, 2023

What does Test 2 return?

antmar904 · March 3, 2023

For which line? Sorry

water · March 3, 2023

3 hours ago, antmar904 said:

I'm having more issues with this. I was also trying to connect to GC so I can also query users in our sub-domains but now it's only returning the sAMAccountName and Name. The accountExpires is missing only when connecting to Global Catalog.

Can we please solve one problem at a time?

water · March 3, 2023

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(cn=*Contractor*))", 2, "sAMAccountName,Name")

If it returns the correct result you could try your full blown LDAP aquery.

Edited March 3, 2023 by water

antmar904 · March 3, 2023

This returns nothing:

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(canonicalname=*Contractor*))", 2, "sAMAccountName,Name")

water · March 3, 2023

"canonicalname" is wrong, should be "cn"

antmar904 · March 3, 2023

This is returning one user account in the array who's cn is "mydomain.internal/Users/Service Contractor"

$aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(cn=*Contractor*))", 2, "sAMAccountName,Name")

This is the only thing it's returning to be clear. I have many other accounts that have "contractor" in their cn.

Edited March 3, 2023 by antmar904

water · March 3, 2023

Is this correct or do you expect more users to be returned?

antmar904 · March 3, 2023

More

LDAP Filtering with _AD_GetObjectsInOU

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members