LDAP query to return all groups in specified OU
I am trying to update my filter currently applied to the People Picker in SharePoint (WSS).
I am using stsadm to set the filter.
Something like...
stsadm -o setproperty -url http://webserver:39770 -pn peoplepicker-searchadcustomfilter -pv "(&(userAccountControl=512)(objectCategory=person)(objectClass=user)(memberOf=cn=All Users Group,ou=E-Mail Distribution Lists,dc=domain,dc=com,dc=au))"
I know how to do this but want to change the LDAP query. This is where I need your help.
I would like to query an OU in AD and return all the groups in it.
As a fall back I could put all groups in the OU into their own group and just query the group using the following query...
(&(memberOf=CN=WSSPeoplePickerGroup,OU=Groups,DC=domain,DC=com,DC=au)(objectCategory=group))
... but I would like to directly query the OU if I can. It has become a bone I don't want to let go of just yet, so hopefully there is someone smarter than me out there.
I think where I need to head is something like the following query I found. As I understand it this is known as an extensible search match and they are filtering on the 'name' of OU but I am having trouble seeing how I might apply this to what I want (despite the numerous attempts I have made), if this is indeed the approach I should take.
(&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Wrigleyville))))
TIA
If you want to search a particular OU only, why not just search by the distinguishedName?
In your case, maybe something like this.
(distinguishedName=*ou=E-Mail Distribution Lists,dc=domain,dc=com,dc=au)
which will be equivalent to searching the OU E-Mail Distribution.
And also userAccountControl=512 does not mean all enabled users. It just searches for Normal accounts. A better way would be to search whether the Disabled flag is set.
Use this instead of userAccountControl=512 to find all users which are not disabled.
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
fyi.
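As an added example (not from the question or the answer above), the following Python models the two userAccountControl checks discussed in the answer and shows on constructed sample entries why a plain equality test on 512 misses enabled accounts that carry additional flags, while the bitwise rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) only excludes accounts with the disabled bit set. It also builds the search parameters for listing the groups directly under an OU by using that OU's DN as the search base; the OU name and the directory entries are assumptions made for the demo, not values from the page.

```python
"""Model AD userAccountControl filters and an OU-scoped group search (added example)."""

# Well-known userAccountControl bit flags (these are the standard AD values).
UAC_ACCOUNTDISABLE = 0x0002        # 2
UAC_NORMAL_ACCOUNT = 0x0200        # 512
UAC_DONT_EXPIRE_PASSWORD = 0x10000 # 65536

# OID used by the answer's filter: LDAP_MATCHING_RULE_BIT_AND.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample entries (not real accounts) with typical flag combinations.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": UAC_NORMAL_ACCOUNT},
    {"sAMAccountName": "bob",   "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE},
    {"sAMAccountName": "carol", "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "dave",  "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD | UAC_ACCOUNTDISABLE},
]


def uac_equals_512(entry):
    """Semantics of (userAccountControl=512): exact equality, so any extra flag breaks the match."""
    return entry["userAccountControl"] == UAC_NORMAL_ACCOUNT


def uac_not_disabled(entry):
    """Semantics of (!(userAccountControl:1.2.840.113556.1.4.803:=2)): disabled bit must be clear."""
    return (entry["userAccountControl"] & UAC_ACCOUNTDISABLE) == 0


def select(entries, predicate):
    """Return the set of account names for which the filter predicate holds."""
    return {e["sAMAccountName"] for e in entries if predicate(e)}


def enabled_users_filter():
    """LDAP filter string for enabled user objects, using the bitwise rule instead of =512."""
    return (
        "(&(!(userAccountControl:" + BIT_AND_RULE + ":=2))"
        "(objectCategory=person)(objectClass=user))"
    )


def groups_in_ou_search(ou_dn):
    """Search parameters to list groups under an OU: the OU's DN is the search base.

    Scoping the base DN is the standard LDAP way to restrict a search to one container;
    the filter itself only needs to select group objects.
    """
    return {
        "search_base": ou_dn,
        "search_scope": "SUBTREE",   # use "LEVEL" to exclude nested sub-OUs
        "search_filter": "(objectCategory=group)",
        "attributes": ["cn", "distinguishedName"],
    }


if __name__ == "__main__":
    print("=512 matches        :", sorted(select(SAMPLE_USERS, uac_equals_512)))
    print("bitwise not-disabled:", sorted(select(SAMPLE_USERS, uac_not_disabled)))
    print(enabled_users_filter())
    # Assumed OU DN for the demo (not from the page).
    print(groups_in_ou_search("OU=Groups,DC=example,DC=com"))
```

With a client such as ldap3, the dictionary returned by groups_in_ou_search maps directly onto the arguments of Connection.search (search_base, search_filter, search_scope, attributes). Note that the SharePoint peoplepicker-searchadcustomfilter property only carries a filter string, not a search base, so the bitwise userAccountControl clause is the part that can be dropped into that property as-is.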