Saved Queries in Active Directories Users and Computers - Part 2

by Pber 16. July 2009 19:01

As you saw in Part 1 of this series, saved queries can help you find specific data that is normally not easy to find.

Part 2 of this series will take you into more advanced queries, mainly focusing on custom queries.  Since we are already familiar with saved queries, let's dive right in.

All queries will begin with the same steps:

  1. Load Active Directory Users and Computers.
  2. Right Click Saved Queries.
  3. Select New, Query
  4. Give it a name
  5. Set the Query root
  6. Click Define Query.
  7. Under the Find dropdown, select Custom Search

From here you can click the Field button and select the object type you want.  This is very similar to Example 2 in Part 1 of this series, except that you can pick any object type.

Multi-Attribute Queries

For our first example we'll combine two attributes to query against.  So let's say we want to find all users in the "Sales" department that have a home drive that points to "S:".

Example 1:

  1. Perform the steps 1-7 above.  Give it a name like: Sales - Drive S
  2. Select the Field and then Users
  3. Select Department
  4. Leave the Condition as: Starts with
  5. Enter the value of: Sales
  6. Click Add
  7. Select the Field and then Users
  8. Select Home Drive
  9. Leave the Condition as: Starts with
  10. Enter the value of: S
  11. Click Add

You should now get a listing of all users in the Sales department that have a home drive of S.  ("Starts with S" matches the stored value "S:", which is how the Home Drive field is saved.)  Once again we kept this very basic.

Now let's say you were changing the Sales department users from using various home drive letters to drive S.  We could create a second query by further manipulating the above query, just by modifying the condition field in step 9 from Starts with to Is Not.  We could save this query as Sales - Drive Other.

This will show us all the users in the Sales department that don't have a Home drive that points to drive S.  Note that Is Not also matches users that have no home drive set at all, so this list includes accounts that still need a home drive created, not just accounts on a different letter.  We now can track our progress of the migration by using these two queries to see who is completed and who needs to be completed.  You could even use the Sales - Drive Other query and easily select the users for batch processing.
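The same two queries, and the batch processing they feed, as a PowerShell script.  This is an added example and not part of the original post; it assumes the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later), and the department name, target drive letter and -SearchBase OU are placeholders to change for your own domain.

```powershell
# Added example (not from the original post): the "Sales - Drive S" and
# "Sales - Drive Other" saved queries from Example 1 as PowerShell, using the
# ActiveDirectory module. Department, drive letter and SearchBase are assumed
# values; the SearchBase plays the same role as the saved query's Query root.
Import-Module ActiveDirectory

$Department  = 'Sales'
$TargetDrive = 'S:'                              # homeDrive is stored with the colon
$SearchBase  = 'OU=Sales,DC=example,DC=com'      # assumed OU
$props       = 'department', 'homeDrive', 'homeDirectory'

# "Sales - Drive S": department starts with Sales AND home drive starts with S,
# exactly the two "Starts with" conditions chosen in the GUI.
$done = Get-ADUser -SearchBase $SearchBase -Properties $props `
    -Filter "department -like '$Department*' -and homeDrive -like 'S*'"

# "Sales - Drive Other": the GUI's "Is not" condition. Like the LDAP ! operator,
# -ne is also true for users that have NO homeDrive at all, so this set holds
# unset accounts as well as accounts on a different letter.
$other = Get-ADUser -SearchBase $SearchBase -Properties $props `
    -Filter "department -like '$Department*' -and homeDrive -ne '$TargetDrive'"

# Split "other" into the two cases the saved query lumps together; the
# migration steps differ (re-point versus create from scratch).
$wrongLetter = @($other | Where-Object { $_.homeDrive })
$noDrive     = @($other | Where-Object { -not $_.homeDrive })

'Completed: {0}   Other letter: {1}   No home drive: {2}' -f `
    @($done).Count, $wrongLetter.Count, $noDrive.Count

# Batch processing of the "Drive Other" users that already have a home folder
# path: only the drive letter changes. -WhatIf previews; remove it to apply.
$wrongLetter |
    Where-Object { $_.homeDirectory } |
    Set-ADUser -HomeDrive $TargetDrive -WhatIf

# Accounts with no home drive at all need a homeDirectory too; list them for
# follow-up rather than setting a drive letter that points nowhere.
$noDrive | Select-Object SamAccountName, homeDirectory | Format-Table -AutoSize
```

Running the script repeatedly gives the same "who is done / who is left" view as switching between the two saved queries in ADUC, and the -WhatIf line is the batch step the post refers to, kept read-only until you remove the switch.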

LDAP Queries

Now let's get into some raw LDAP queries.  This is the part that I like the best.  You may have noticed that after you created any query, the "Edit Query" dialog box always displayed a query string that resembled something like this: (&(objectCategory=user)(!homeDrive=H)(department=Sales*))  This is LDAP filter syntax: it is the search filter ADUC sends to the domain controller on your behalf.

A few rules around LDAP queries:

  • & = AND function
  • | = OR function
  • ! = NOT function
  • * = wildcard; on its own, (attribute=*) is a presence test that matches any object that has the attribute set
  • Parentheses enclose each individual attribute test, and an outer pair of parentheses groups all the tests inside it under the &, | or ! that immediately follows the opening parenthesis.

So let's break down that above query:  (&(objectCategory=user)(!homeDrive=H)(department=Sales*))

  • The ampersand (&) right after the first parenthesis groups all the following tests together in an AND function until its matching parenthesis is closed.
  • (objectCategory=user)  This selects all user type objects.
  • (!homeDrive=H)  The exclamation mark (!) within the parentheses means NOT, so NOT a homeDrive of H.  Two things are worth knowing here.  The strict RFC 4515 form is (!(homeDrive=H)), with the negated test in its own parentheses; Active Directory accepts the shorthand ADUC writes, but other LDAP tools may reject it.  And NOT is also true for objects that have no homeDrive at all, so this clause matches users with an empty home drive as well as users on some other letter.
  • (department=Sales*)  The asterisk (*) is a wildcard, so department equals anything beginning with Sales.

The best way to get used to LDAP queries is to use the GUI as in the previous examples and look at the LDAP it creates.  You can then copy the LDAP syntax, create new queries, and paste the LDAP syntax directly into the Advanced tab of the Custom Search dialog.  You can then edit or add additional parameters as needed.  You'll find that many attributes are unavailable from the dropdowns used in the previous examples.  One such attribute is the logon script.  So for the next example, we'll try to find all the users that have a certain logon script.

Example 2 - Logon script

  1. Perform the base steps 1-7 at the top of this post.  Give it a name like: logonscript = logon.bat
  2. Click the Advanced TAB
  3. Enter the following in the Enter LDAP Query box: (scriptPath=logon.bat)
  4. Click OK and OK again.

It should now show all the users that have a logon script of logon.bat.  Once again, we can change it slightly by placing the "!" in front of scriptPath.  So in step 3 above change the LDAP query to: (!scriptPath=logon.bat)

This will show us all the users that have a logon script that is not logon.bat.  Be aware of what that query actually returns: it has no object-type clause, and NOT also matches objects that have no scriptPath at all, so it lists every object under the query root (computers, groups and OUs included) that lacks that exact value.  Adding (objectCategory=user) restricts it to users, and adding (scriptPath=*) restricts it to users that have some other script rather than none.  This is useful to check and make sure everyone is running the correct logon script.  You can then use this information to perform batch processing on the users to make them compliant.
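Example 2 and the LDAP rules above as raw LDAP filters run from PowerShell.  This is an added example, not code from the original post; it assumes the ActiveDirectory module, and the script name and search base are placeholders.  It goes a little beyond the post by using the strict RFC 4515 negation form, adding the presence test so "not logon.bat" and "no script at all" are reported separately, and escaping the value before it is spliced into the filter.

```powershell
# Added example (not from the original post): the logon-script queries from
# Example 2 as raw LDAP filters via Get-ADUser -LDAPFilter. Script name and
# SearchBase are assumed values.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters so a value such as
    # "logon (old).bat" cannot break the filter or widen it with a stray "*".
    # Backslash is replaced first so the escapes it introduces are not re-escaped.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' `
           -replace '\*', '\2a' -replace "`0", '\00'
}

$Script     = 'logon.bat'
$SearchBase = 'OU=Staff,DC=example,DC=com'       # assumed OU, same role as the Query root
$value      = ConvertTo-LdapFilterValue $Script

# Saved query "logonscript = logon.bat", restricted to user objects.
$compliant = Get-ADUser -SearchBase $SearchBase -Properties scriptPath `
    -LDAPFilter "(&(objectCategory=user)(scriptPath=$value))"

# The post's negation. AD accepts ADUC's shorthand (!scriptPath=logon.bat),
# but the RFC form (!(scriptPath=logon.bat)) also works in ldp.exe,
# ldapsearch and non-Microsoft directories, so use that.
# NOT is true for objects that lack the attribute, so this set includes users
# with NO logon script as well as users with a different one.
$notCompliant = Get-ADUser -SearchBase $SearchBase -Properties scriptPath `
    -LDAPFilter "(&(objectCategory=user)(!(scriptPath=$value)))"

# Add the presence test (scriptPath=*) to separate "other script" from "none".
$wrongScript = @(Get-ADUser -SearchBase $SearchBase -Properties scriptPath `
    -LDAPFilter "(&(objectCategory=user)(scriptPath=*)(!(scriptPath=$value)))")
$noScript = @(Get-ADUser -SearchBase $SearchBase -Properties scriptPath `
    -LDAPFilter "(&(objectCategory=user)(!(scriptPath=*)))")

'Correct: {0}   Other script: {1}   None set: {2}   Total not compliant: {3}' -f `
    @($compliant).Count, $wrongScript.Count, $noScript.Count, @($notCompliant).Count

# Review before changing anything: a different script can be deliberate
# (service or admin accounts), so list them rather than blindly overwriting.
$wrongScript | Select-Object SamAccountName, scriptPath | Format-Table -AutoSize

# Batch fix for the accounts confirmed to be wrong. -WhatIf previews the change;
# remove it to apply. The same pipeline works for $noScript once reviewed.
$wrongScript | Set-ADUser -ScriptPath $Script -WhatIf
```

The counts line makes the NOT behaviour visible: "Total not compliant" equals "Other script" plus "None set", which is why the filter from the post on its own is not a list of users running the wrong script.  The escaping helper matters whenever the value comes from user input or a CSV rather than a literal in the script, since an unescaped "*" or ")" changes what the filter matches.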


Active Directory