objectcategory=user isn't optimal, that will get changed to objectcategory=person which will look at all contacts and users, however that wouldn't prevent the query from working unless you are timing out. What tool are you using to submit the query? Does it allow you to specify a timeout?
Anyway, back to the real issue, publicdelegates has a syntax of 2.5.5.1 which is a DN, so if you are actually looking for what users a certain other user has delegate rights to then you could do something like

(&(objectcategory=person)(objectclass=user)(publicdelegates=cn=user,ou=someou,dc=domain,dc=com))

Now down to brass tacks... What do you want to do? Is it

A) Users who have ANY publicDelegates configured for themselves?

B) Users who have a specific publicDelegate configured for themselves? Aka The users a specific user has publicDelegate access over?

If A, then your query can be a simple

(&(objectcategory=person)(objectclass=user)(publicdelegates=*))

If B, then the better way is to enumerate the user's publicDelegatesBL attribute. That will list every account he/she has publicDelegate rights to. Do this against the GC though so cross domain links will show up.

Now finally let me close up with a little bug in this area... This can come up if you have a multidomain forest. If the outlook client gets a GC for a domain that the user isn't in then it is possible that an update to publicDelegates did not occur properly. The whole publicDelegates thing has two aspects, there is some stuff in the STORE and stuff in AD. The stuff in AD is strictly how Send On Behalf is controlled. So it is possible that you will get someone who has publicDelegates listed in AD but Outlook won't show them properly because of the update bug (note that this should be corrected with the new DSPROXY/DSACCESS capability in E2K3 I think SP2). It is also possible for outlook to show someone but they aren't in AD in the attribute. The first is worse than the second because someone could send on behalf of the user and the user wouldn't know it. Go check out the EHLO blog, they talked a lot about this fix.
For a detailed description of this issue check out the archives for this list as I really hounded on this problem in about August of 2003 and April or so of 2004 as I was trying to get MSFT to step up and fix it.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gordon Pegue
Sent: Tuesday, August 01, 2006 4:18 PM
To: [email protected]
Subject: [ActiveDir] LDAP query struggle

I'd like to create an LDAP query to return a list of users that have the "Send on behalf" field populated in the "Exchange General / Delivery Options" properties in ADUC. I cannot seem to make sense of the syntax of the query...

(&(objectCategory=user)(publicDelegates=<user I'm searching for>))

Is there something I'm missing or can someone provide the correct query format to do what I need?

Thanks

Gordon Pegue

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
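Added example, not part of the original e-mails: a small Python helper for auditing Send On Behalf delegation that builds the two filters discussed in the reply (case A and the specific-delegate filter), with RFC 4515 escaping so a delegate DN containing parentheses, `*` or a backslash cannot break or alter the filter. The function names and the sample entries are constructed for illustration; `backlinks` inverts the forward link offline to show what publicDelegatesBL would list for each delegate.

```python
# Added example: helper names and SAMPLE data are hypothetical/constructed.
USER_SCOPE = "(objectCategory=person)(objectClass=user)"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)


def any_delegates_filter() -> str:
    """Case A: users with ANY publicDelegates value set."""
    return f"(&{USER_SCOPE}(publicDelegates=*))"


def delegate_filter(delegate_dn: str) -> str:
    """Users that list delegate_dn in publicDelegates (a DN-syntax attribute)."""
    return f"(&{USER_SCOPE}(publicDelegates={escape_filter_value(delegate_dn)}))"


def backlinks(entries: dict) -> dict:
    """Invert publicDelegates into a per-delegate list of mailbox owners.

    Keys are lower-cased delegate DNs; this is a simplification of DN
    matching, which is case-insensitive in AD.
    """
    result = {}
    for owner_dn, attrs in entries.items():
        for delegate in attrs.get("publicDelegates", []):
            result.setdefault(delegate.lower(), []).append(owner_dn)
    return result


# Constructed sample directory entries (owner DN -> attributes).
SAMPLE = {
    "CN=Alice,OU=Staff,DC=domain,DC=com": {
        "publicDelegates": ["CN=Carol,OU=Staff,DC=domain,DC=com"]},
    "CN=Bob,OU=Staff,DC=domain,DC=com": {
        "publicDelegates": ["cn=carol,ou=staff,dc=domain,dc=com"]},
    "CN=Carol,OU=Staff,DC=domain,DC=com": {},
}

if __name__ == "__main__":
    print(any_delegates_filter())
    print(delegate_filter("CN=Smith\\, John (Sales),OU=Staff,DC=domain,DC=com"))
    for delegate, owners in backlinks(SAMPLE).items():
        print(delegate, "can send on behalf of", owners)
```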
