Thanks joe for the very detailed reply! My whole purpose for creating the query is that I had an employee here depart about a month ago and I thought I had cleaned up everything when I finally killed the AD account. What I was not aware of was that some other employees had this person set up as a delegate and there were some weird behaviors taking place when meeting requests were issued.... So, I wanted to query my AD users to find out who....
So, as it turns out, your A scenario was what I was after. FWIW I "manage" a small single-domain forest with about 50 users, and I mostly lurk here to learn.

Thanks
Gordon Pegue

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, August 01, 2006 3:09 PM
> To: [email protected]
> Subject: RE: [ActiveDir] LDAP query struggle
>
> objectcategory=user isn't optimal, that will get changed to objectcategory=person which will look at all contacts and users, however that wouldn't prevent the query from working unless you are timing out. What tool are you using to submit the query? Does it allow you to specify a timeout?
>
> Anyway, back to the real issue, publicdelegates has a syntax of 2.5.5.1 which is a DN, so if you are actually looking for what users a certain other user has delegate rights to then you could do something like
>
> (&(objectcategory=person)(objectclass=user)(publicdelegates=cn=user,ou=someou,dc=domain,dc=com))
>
> Now down to brass tacks... What do you want to do?
>
> Is it
>
> A) Users who have ANY publicDelegates configured for themselves?
>
> B) Users who have a specific publicDelegate configured for themselves? Aka The users a specific user has publicDelegate access over?
>
> If A, then your query can be a simple
>
> (&(objectcategory=person)(objectclass=user)(publicdelegates=*))
>
> If B, then the better way is to enumerate the user's publicDelegatesBL attribute. That will list every account he/she has publicDelegate rights to.
> Do this against the GC though so cross domain links will show up.
>
> Now finally let me close up with a little bug in this area... This can come up if you have a multidomain forest. If the outlook client gets a GC for a domain that the user isn't in then it is possible that an update to publicDelegates did not occur properly. The whole publicDelegates thing has two aspects, there is some stuff in the STORE and stuff in AD. The stuff in AD is strictly how Send On Behalf is controlled. So it is possible that you will get someone who has publicDelegates listed in AD but Outlook won't show them properly because of the update bug (note that this should be corrected with the new DSPROXY/DSACCESS capability in E2K3 I think SP2). It is also possible for outlook to show someone but they aren't in AD in the attribute.
> The first is worse than the second because someone could send on behalf of the user and the user wouldn't know it.
>
> Go check out the EHLO blog, they talked a lot about this fix. For a detailed description of this issue check out the archives for this list as I really hounded on this problem in about August of 2003 and April or so of 2004 as I was trying to get MSFT to step up and fix it.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gordon Pegue
> Sent: Tuesday, August 01, 2006 4:18 PM
> To: [email protected]
> Subject: [ActiveDir] LDAP query struggle
>
> I'd like to create an LDAP query to return a list of users that have the "Send on behalf" field populated in the "Exchange General / Delivery Options" properties in ADUC.
>
> I cannot seem to make sense of the syntax of the query...
>
> (&(objectCategory=user)(publicDelegates=<user I'm searching for>))
>
> Is there something I'm missing or can someone provide the correct query format to do what I need?
>
> Thanks
> Gordon Pegue
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
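
The two scenarios from the thread (any publicDelegates value, and one specific delegate checked through both the forward link and publicDelegatesBL), as an added PowerShell example for an offboarding audit; it is not part of the original messages. It assumes the ActiveDirectory module (RSAT) is installed; the global catalog host and the delegate DN are placeholders, and the filter-escaping helper is a hypothetical name introduced here.

```powershell
# Added example, not code from the thread.
Import-Module ActiveDirectory

$Gc         = 'gc01.example.com:3268'                       # placeholder: a global catalog on the GC port
$DelegateDn = 'CN=Departed User,OU=Staff,DC=example,DC=com' # placeholder: DN of the account being audited

function ConvertTo-LdapFilterValue {
    # publicDelegates has DN syntax, so the filter value is a full DN.
    # RFC 4515 requires \ * ( ) and NUL to be written as \XX inside a filter,
    # otherwise a DN such as "CN=Smith\, John,OU=..." breaks or alters the query.
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]',
        { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

$isUser = '(objectCategory=person)(objectClass=user)'

# Scenario A: every user that has ANY Send On Behalf delegate set in AD.
$filterA = '(&{0}(publicDelegates=*))' -f $isUser
$anyDelegates = Get-ADUser -Server $Gc -SearchBase '' -LDAPFilter $filterA `
    -Properties publicDelegates

# Scenario B, forward link: users that list this specific DN as a delegate.
$filterB = '(&{0}(publicDelegates={1}))' -f $isUser,
    (ConvertTo-LdapFilterValue $DelegateDn)
$grantors = Get-ADUser -Server $Gc -SearchBase '' -LDAPFilter $filterB `
    -Properties publicDelegates

# Scenario B, back link: read publicDelegatesBL on the delegate itself.
# Queried against the GC, as the thread advises, so cross-domain links show up.
$viaBackLink = (Get-ADObject -Identity $DelegateDn -Server $Gc `
    -Properties publicDelegatesBL).publicDelegatesBL

'--- Users with any delegate configured ---'
$anyDelegates | Select-Object SamAccountName,
    @{ n = 'Delegates'; e = { $_.publicDelegates -join '; ' } }

'--- Users granting Send On Behalf to the audited account ---'
$grantors | Select-Object SamAccountName, DistinguishedName

'--- Same relationship read from publicDelegatesBL ---'
$viaBackLink
```

This reports only what is stored in AD, which per the thread is what controls Send On Behalf; delegate entries that Outlook shows from the store are outside what these queries can see.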
