gouty Guest
Posted: Wed May 17, 2006 1:27 pm Post subject: Query in Active Directory
Could anyone point me in the right direction to run a query in Active
Directory on 2003 server so that I can find all users who are not a member of
a certain group?
I used to know but it has left me and I am 3 days into a new job and need to
get it done.
Many thanks
Stuart
Brian Delaney Guest
Posted: Wed May 17, 2006 2:28 pm Post subject: RE: Query in Active Directory
There are quite a few ways this can be done. The easiest is probably AD Users
and Computers.
Right-click the domain and click Find
Go to the Advanced tab and click on Field
User --> Member Of
Select "Is Not" and then type in the DN of the group
i.e. CN=GroupA,OU=Groups,DC=domain,DC=local
Or you can use an LDAP search filter with pretty much any LDAP client such
as ldp or even ldifde. The search filter would look something like this:
(&(objectcategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local)(!(memberOf=CN=GroupA,OU=Groups,DC=domain,DC=local)))
--
Brian Delaney, MCSE
"gouty" wrote:
Quote:
Could anyone point me in the right direction to run a query in Active
Directory on 2003 server so that I can find all users who are not a member of
a certain group?
I used to know but it has left me and I am 3 days into a new job and need to
get it done.
Many thanks
Stuart
Joe Richards [MVP] Guest
Posted: Thu May 18, 2006 4:44 am Post subject: Re: Query in Active Directory
It actually isn't this simple. It doesn't take into account primary group
membership nor nested group membership. From that aspect, there is no single
query that will accurately do this.
If there is a single domain
If there is no nesting
If there is no one using the group as a primary group
Then you can use a query such as
(&(objectcategory=person)(objectclass=user)(!(memberof=group_dn)))
Otherwise it is probably quicker and faster to dump the membership (don't forget
primary group and nesting) of the group, and then dump all users and generate
the report based on what users exist but are not in the group.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Brian Delaney wrote:
Quote:
There are quite a few ways this can be done. The easiest is probably AD Users
and Computers.
Right-click the domain and click Find
Go to the Advanced tab and click on Field
User --> Member Of
Select "Is Not" and then type in the DN of the group
i.e. CN=GroupA,OU=Groups,DC=domain,DC=local
Or you can use an LDAP search filter with pretty much any LDAP client such
as ldp or even ldifde. The search filter would look something like this:
(&(objectcategory=CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local)(!(memberOf=CN=GroupA,OU=Groups,DC=domain,DC=local)))
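Added example, not part of the thread and not code from any of the posters: the dump-and-compare approach from Joe Richards' reply in Python, run over a constructed single-domain dump, next to what the `(!(memberOf=...))` filter alone would report. The record layout, the `token` field (standing in for the group's primaryGroupToken), the function names and all sample users and RIDs are assumptions made for illustration.

```python
BASE = "DC=domain,DC=local"
GROUP_A, NESTED = f"CN=GroupA,OU=Groups,{BASE}", f"CN=Nested,OU=Groups,{BASE}"

def user(cn, primary_rid):
    return {"dn": f"CN={cn},OU=Staff,{BASE}", "cls": "user", "primaryGroupID": primary_rid}

DUMP = [  # constructed sample, not real data; "token" = the group's primaryGroupToken (RID)
    {"dn": GROUP_A, "cls": "group", "token": 1105,
     "member": [f"CN=alice,OU=Staff,{BASE}", NESTED]},
    {"dn": NESTED, "cls": "group", "token": 1106,
     "member": [f"CN=bob,OU=Staff,{BASE}", GROUP_A]},  # deliberate nesting loop
    user("alice", 513),   # direct member of GroupA
    user("bob", 513),     # member only through the nested group
    user("carol", 1105),  # GroupA is the primary group: absent from "member"
    user("dave", 513),    # not a member in any way
]

def effective_members(dump, group_dn):
    """Users in group_dn via direct, nested or primary-group membership."""
    by_dn = {e["dn"].lower(): e for e in dump}
    groups, users, todo = set(), set(), [group_dn.lower()]
    while todo:
        dn = todo.pop()
        if dn in groups:
            continue  # already expanded; guards against nesting loops
        groups.add(dn)
        for member_dn in by_dn[dn]["member"]:
            entry = by_dn.get(member_dn.lower())
            if entry is None:
                continue  # DN not in this dump (for example, another domain)
            if entry["cls"] == "group":
                todo.append(member_dn.lower())
            else:
                users.add(entry["dn"])
    rids = {by_dn[g]["token"] for g in groups}
    users |= {e["dn"] for e in dump if e.get("primaryGroupID") in rids}
    return users

def non_members(dump, group_dn):
    everyone = {e["dn"] for e in dump if e["cls"] == "user"}
    return sorted(everyone - effective_members(dump, group_dn))

def filter_only_non_members(dump, group_dn):
    """What a (!(memberOf=group_dn)) filter sees: direct back-links only."""
    direct = {m.lower() for m in next(e for e in dump if e["dn"] == group_dn)["member"]}
    return sorted(e["dn"] for e in dump if e["cls"] == "user" and e["dn"].lower() not in direct)

if __name__ == "__main__":
    print(filter_only_non_members(DUMP, GROUP_A), non_members(DUMP, GROUP_A))
```

On this sample the filter-only result lists bob and carol as non-members even though both hold the group's access, which is the gap that matters when the report feeds an access review.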