Aha! I found that in the list of controls: attribute scoped query (the OID is 1.2.840.113556.1.4.1504 for the curious). I’d forgotten about this little bit. Cool! So ADUC still can’t do this, but sufficiently groovy LDAP clients can. ADUC can’t even do the required Base Object query scope, presumably because the way it uses canned property pages makes it pointless to do so. (Except it would be useful if it could do ASQ, D’oh!)

 

Thanks for yet another cool LDAP trick, joe (and JoeK and Ryan and yes, even Dean. :)

 

Wook

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 01, 2006 4:17 PM
To: [email protected]
Subject: RE: [ActiveDir] Saved queries

 

> There is no way to get a result set of objects by querying an attribute of an object.

 

Well there is one way....

 

We were going to talk about this in our pres at DEC but Dean ran a little long so we didn't get to slide 114.... Dean was going to do a demo and joke how he could do it with LDP but not ADFIND (hahaha ADFIND sucks) and then I was going to jump in and show how ADFIND could now do it so suck that and start laughing, it was going to be great because Dean had no idea I had hacked that bit of code into the tool even though he saw the beta copy of it (I knew he was too busy to really look at the new help closely).

 

Anyway, it is attribute scoped queries (ASQ). Actually JoeK (aka Joe Kaplan if you don't follow the newsgroups) and Ryan Dunn touched on this in their very excellent presentation as well. In fact, they had a brilliant idea that I had never even considered, the fact that you can use the ASQ query to get around doing ranging to return lots of members or a specific number of members of a group. When they said that I was totally shocked and just sat back and went hmmmm, why didn't I think of that....

 

So something like this... Each "dn:" line was returned to adfind as a separate object, not as an attribute value of one object.

 

 

C:\>adfind -b CN=LargeDLTest,OU=DLTest,OU=joeware2,OU=Exchange,DC=joe,DC=com -asq member -maxe 10 -f objectclass=* mailnickname

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003

dn:CN=joe,OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mailNickname: joe

dn:CN=JoeContact,OU=TestOU,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mailNickname: JoeContact

dn:CN=dltest0,OU=Users,OU=DLTest,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mailNickname: dltest0

dn:CN=dltest1,OU=Users,OU=DLTest,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mailNickname: dltest1

dn:CN=dltest2,OU=Users,OU=DLTest,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mailNickname: dltest2

dn:CN=dltest3,OU=Users,OU=DLTest,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mailNickname: dltest3

dn:CN=dltest4,OU=Users,OU=DLTest,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mailNickname: dltest4

dn:CN=dltest5,OU=Users,OU=DLTest,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mailNickname: dltest5

dn:CN=dltest6,OU=Users,OU=DLTest,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mailNickname: dltest6

dn:CN=dltest7,OU=Users,OU=DLTest,OU=joeware2,OU=Exchange,DC=joe,DC=com
>mailNickname: dltest7

10 Objects returned

 

 

That being said, ADUC does not implement anything with ASQ style queries. Nor VLV for that matter which would be nice for displaying large containers...

 

   joe

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
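
What an LDAP client puts on the wire to request the ASQ behaviour shown above, as an added example that is not part of the original thread or of AdFind: it BER-encodes the request control for the OID quoted in the thread, to be attached to a base-object search on the group. The function names are hypothetical, and the value layout (a SEQUENCE holding the source attribute as an OCTET STRING) is taken from Microsoft's published definition of the control rather than from this page.

```python
# Added example: BER-encode the ASQ request control for an LDAP search.
ASQ_OID = "1.2.840.113556.1.4.1504"  # OID quoted in the thread

def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def asq_value(source_attr):
    """ASQRequestValue ::= SEQUENCE { sourceAttribute OCTET STRING }"""
    return tlv(0x30, tlv(0x04, source_attr.encode("utf-8")))

def ldap_control(oid, critical, value):
    """RFC 4511 Control ::= SEQUENCE { controlType, criticality, controlValue }"""
    body = tlv(0x04, oid.encode("ascii"))
    if critical:                      # DEFAULT FALSE is omitted on the wire
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, value)
    return tlv(0x30, body)

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                  # long form: low bits count length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def decode_asq_value(value):
    """Recover the source attribute name from an ASQ control value."""
    tag, seq, _ = read_tlv(value)
    if tag != 0x30:
        raise ValueError("ASQ value must be a SEQUENCE")
    tag, attr, _ = read_tlv(seq)
    if tag != 0x04:
        raise ValueError("sourceAttribute must be an OCTET STRING")
    return attr.decode("utf-8")

if __name__ == "__main__":
    print(ldap_control(ASQ_OID, True, asq_value("member")).hex())
```
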

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Monday, May 01, 2006 5:33 PM
To: [email protected]
Subject: RE: [ActiveDir] Saved queries

Querying using the MemberOf is the only way to do that in any LDAP-based utility. There is no way to get a result set of objects by querying an attribute of an object. You can get the list of DNs by returning the member attribute in the base-object search of a group, but that’s not the same as a result set.

 

Wook

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, May 01, 2006 2:17 PM
To: [email protected]
Subject: RE: [ActiveDir] Saved queries

 

I still don’t understand what you want to do … you want to see the group membership of a particular group in the saved queries view? That’s not really the point of the feature … you’re trying to dump a multivalue attribute into that view rather than the results of an LDAP search…

 

Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, May 01, 2006 5:13 PM
To: [email protected]
Subject: Re: [ActiveDir] Saved queries

 

Just wondering what the query would look like in "saved queries" and if it's even possible to do it that way.

I can do it by querying the memberof=groupi'mlookingfor and get a list of all users in that group.

Just wanted to know if I can do the reverse and query the member attrib of the group and get the users because it doesn't seem to work in "saved queries".

This is just for my own personal knowledge.

There is no "real" reason to do it this way and I know of 100 others that would get the same result.

 

Thanks

 

On 5/1/06, Grillenmeier, Guido <[EMAIL PROTECTED] > wrote:

uh - not sure I understand your problem.

Why don't you just look at the member attribute of a group?

 


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, 1 May 2006 20:21
To: activedirectory
Subject: [ActiveDir] Saved queries

 

What is the LDAP syntax for querying for all the members a particular group has in the AD saved queries feature?

 

I can't seem to get it to work.

 

 

Thanks

 

 

 

 
