
Mastering the LDAP search filter, Part 2

LDIFDE is a powerful command line tool that, with a little practice, can easily extract specific information about AD objects. Expert Gary Olsen explains how to limit your search by way of an object class LDAP filter.

In Part 1 of this two-part series, I provided additional details for performing LDAP searches with the LDIFDE command. We left off discussing how we can limit our search by way of an object class LDAP filter. The example below shows the use of the -r option to return only user objects.

C:\>ldifde -f search.ldf -s corp-dc2 -d ou=Engineering,dc=corp,dc=net -r "(objectClass=user)"

We also discussed briefly that you can find these object classes by looking at the list of schema classes using the Schema Manager or the ADSIedit snap-ins. Figure 1 shows a screen shot of the Schema Manager and how the classes are listed. Thus, we could specify any of these object classes in the objectClass filter. Note that we could filter on site since "Site" is an object class. However, just plugging in "site" in the previous command will fail:

C:\>ldifde -f search.ldf -s corp-dc2 -d ou=Engineering,dc=corp,dc=net -r "(objectClass=site)"

Figure 1

This is due to the fact that the DN of the search is in the domain naming context, while the site object lives in the Configuration naming context. This is easily seen in Figure 2, where the ADSIedit tool displays the DN of the site object under cn=sites,cn=Configuration,dc=corp,dc=net.

Figure 2

So reformatting our ldifde command using the proper DN would produce the desired result:

C:\>ldifde -f sites.ldf -s hpqbox-dc03 -d "cn=sites,cn=configuration,dc=hpqbox,dc=adapps,dc=hp,dc=com" -r "(objectClass=site)"
Connecting to "hpqbox-dc03"
Logging in as current user using SSPI
Exporting directory to file sites.ldf
Searching for entries...
Writing out entries..........
10 entries exported
The command has completed successfully

For this reason, I prefer ADSIedit to find the object classes as it will also display the DN path to the object.

Now we can get a list of users or computers rather than dumping the whole AD. That's an improvement, but what if we want all the users whose last name begins with the letter "J"? In order to do this we need a complex filter, specifying not only to return user objects, but further filtering the search to include only those whose surnames begin with "J". The complex filter uses And, Or and Not constructs. The format of the filter is:

(& (filter1) (filter2))
(& (objectClass=user) (sn=simpson))
(| (filter1) (filter2))
(| (sn=simpson) (sn=s*))
(!(filter1))

Note that the operator comes at the beginning of the expression, and that "filter1" is a broader filter while "filter2" is a finer one. Consider the following filter to find all the user objects whose last names start with "L", in the OU "Domain Administrators". The attribute for last name, or surname, is "sn".

C:\>ldifde -f Users.ldf -s hpqbox-dc03 -d "ou=domain administrators,dc=hpqbox,dc=adapps,dc=hp,dc=com" -r "(&(objectClass=user)(sn=L*))"
Connecting to "hpqbox-dc03"
Logging in as current user using SSPI
Exporting directory to file Users.ldf
Searching for entries...
Writing out entries.....
5 entries exported

So now we have limited the search to find only users in the Domain Administrators OU whose surnames (sn attribute) start with "L". However, note that this still returns all defined attributes for each object:

dn: CN=Jason Lambson,OU=Domain
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jason Lambson
sn: Lambson
c: AU
l: Adelaide
description: Adelaide, Australia
telephoneNumber: +61 411 407 290
givenName: Jason
distinguishedName: CN=Jason Lambson,OU=Domain
instanceType: 4
whenCreated: 20060419230155.0Z
whenChanged: 20060419230654.0Z
displayName: Jason Lambson
uSNCreated: 797877
memberOf: CN=Domain Admins,CN=Users,DC=hpqbox,DC=adapps,DC=hp,DC=com
uSNChanged: 797912
co: Australia
name: Jason Lambson
objectGUID:: ejZg2FaNgUqto/KI6W6v/g==
userAccountControl: 512
codePage: 0
countryCode: 36
pwdLastSet: 127899613157463219
primaryGroupID: 513
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: jLambson
sAMAccountType: 805306368
legacyExchangeDN: ADCDisabledMail
userPrincipalName: [email protected]
msExchUserAccountControl: 0
msExchALObjectVersion: 48

We aren't interested in all those boring attributes -- we just want to list the displayName of each user along with the city and state they are in. To restrict the output to only certain attributes, use the -l option, which takes a comma-separated list of attribute names. The trick to this is to know the exact names of the attributes you want. Again we can turn to the ADSIedit tool, as shown in Figure 3.

Figure 3

Here I looked at the properties of a user who had the attributes I was after already populated. For instance, I know that the Gary Olsen user is defined in the city of Alpharetta and the state of Georgia (GA). Thus in ADSIedit, I see that "l" refers to the city (the actual location) and "st" refers to the state. Of course displayName is obvious. Note that these are standard LDAP attribute names, not something Microsoft made up. Now, armed with the attribute names we want, we can formulate the command:

C:\>ldifde -f Users.ldf -s hpqbox-dc03 -d "ou=domain administrators,dc=hpqbox,dc=adapps,dc=hp,dc=com" -r "(&(objectClass=user)(sn=L*))" -l displayName,l,st
Connecting to "hpqbox-dc03"
Logging in as current user using SSPI
Exporting directory to file Users.ldf
Searching for entries...
Writing out entries.....
5 entries exported

The output, stored in Users.ldf, now has a nice clean list of the 5 users with the attributes we want listed.

dn: CN=Jason Lane,OU=Domain
changetype: add
l: Adelaide
displayName: Jason Lane

dn: CN=Tony Lawrence,OU=Domain
changetype: add
l: Boston
st: Massachusetts
displayName: Tony Lawrence

dn: CN=Gary Larsen, OU=Domain
changetype: add
displayName: Gary Larsen

dn: CN=Kim Lee,OU=Domain
changetype: add
displayName: Kim Lee

dn: CN=Peter Lamph,OU=Domain
changetype: add
displayName: Peter Lamph

Note that each entry lists the distinguishedName as well as the "changetype" attribute. The rest of the entries are what we specified. Also note that Jason Lane only lists the "l" (city) attribute: Adelaide is in Australia, so the state (st) attribute is not defined for him. Attributes that have no value are simply omitted from the output rather than listed as empty. In fact, only Tony has both city and state defined. The others have no city or state listed since neither attribute is set on them.
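The filter grammar and the -l behaviour described above can be exercised without a domain controller. The following Python is an added example, not part of the article and not LDIFDE's own code: a small evaluator for the &, |, ! and trailing-wildcard filter forms used here, run against constructed entries shaped like the LDIF output (names, DNs and attribute values are made up).

```python
import re
def parse_filter(s):
    """Parse an RFC 4515-style filter string into a nested tuple tree."""
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % s)
    body = s[1:-1]
    if body and body[0] in "&|!":
        # Split the operands by scanning for balanced parentheses at depth 0.
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                parts.append(parse_filter(body[start:i + 1]))
                start = i + 1
        return (body[0], parts)
    attr, _, value = body.partition("=")
    return ("=", attr.lower(), value)

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lower-cased attr -> list of values)."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # '*' in the value is a wildcard; the rest matches literally, ignoring case as AD does.
    pattern = ".*".join(re.escape(p) for p in value.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))

def ldifde_export(entries, filt, attrs=None):
    """Mimic -r/-l: (dn, {attr: values}) per match, omitting attributes the entry lacks."""
    tree, out, attrs = parse_filter(filt), [], attrs and [a.lower() for a in attrs]
    for dn, e in entries:
        norm = {k.lower(): v for k, v in e.items()}
        if matches(tree, norm):
            out.append((dn, {a: norm[a] for a in (attrs or norm) if a in norm}))
    return out

# Constructed sample entries (not real directory data), shaped like the article's output.
USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE = [
    ("CN=Jason Lane,OU=Domain Administrators,DC=example,DC=com",
     {"objectClass": USER, "sn": ["Lane"], "displayName": ["Jason Lane"], "l": ["Adelaide"]}),
    ("CN=Tony Lawrence,OU=Domain Administrators,DC=example,DC=com",
     {"objectClass": USER, "sn": ["Lawrence"], "displayName": ["Tony Lawrence"], "l": ["Boston"], "st": ["Massachusetts"]}),
    # Computer objects also carry objectClass=user, so (objectClass=user) alone returns them.
    ("CN=LAB-SRV01,OU=Domain Administrators,DC=example,DC=com",
     {"objectClass": USER + ["computer"], "sn": ["Lab server"], "displayName": ["LAB-SRV01$"]}),
]
```

Running ldifde_export(SAMPLE, "(&(objectClass=user)(!(objectClass=computer))(sn=L*))", ["displayName", "l", "st"]) returns only the two people, and Jason Lane's record has no "st" key, mirroring the Users.ldf output above.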

Ldifde is a powerful command line tool that can easily extract specific information about AD objects. It does take a little work, but using the examples given in these articles, you can formulate commands to get your desired results. This is very useful in troubleshooting problems where you need to determine the value of certain attributes on a number of objects. Rather than opening up a tool like LDP or ADSIedit and then drilling into each object to observe the attribute values, you can dump the desired attributes and objects to a text file. This is great for technical support personnel, as they can give the customer a simple command that generates a small file which can be easily emailed and evaluated. Taking a little time to practice these commands will make them second nature to you.

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers.
