Lurk away, glad to help out. Don't be afraid to ask questions, we just all
seem mean. In real life we are all nice teddy bears, well except Deji. Avoid
Deji if you see him coming, he is a bit scary. ;o)

  joe 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gordon Pegue
Sent: Tuesday, August 01, 2006 5:43 PM
To: [email protected]
Subject: RE: [ActiveDir] LDAP query struggle

Thanks joe for the very detailed reply!

My whole purpose for creating the query is that I had an employee
here depart about a month ago and I thought I had cleaned up
everything when I finally killed the AD account. What I was not
aware of was that some other employees had this person set up as
a delegate and there were some weird behaviors taking place
when meeting requests were issued.... So, I wanted to query
my AD users to find out who....

So, as it turns out, your A scenario was what I was after.

FWIW I "manage" a small single-domain forest with about 50 users,
and I mostly lurk here to learn.

Thanks
Gordon Pegue
  

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Tuesday, August 01, 2006 3:09 PM
> To: [email protected]
> Subject: RE: [ActiveDir] LDAP query struggle
> 
> objectcategory=user isn't optimal, that will get changed to 
> objectcategory=person which will look at all contacts and 
> users, however that wouldn't prevent the query from working 
> unless you are timing out. What tool are you using to submit 
> the query? Does it allow you to specify a timeout?
> 
> Anyway, back to the real issue, publicdelegates has a syntax 
> of 2.5.5.1 which is a DN, so if you are actually looking for 
> what users a certain other user has delegate rights to then 
> you could do something like
> 
> (&(objectcategory=person)(objectclass=user)(publicdelegates=cn=user,ou=someou,dc=domain,dc=com))
> 
> 
> Now down to brass tacks... What do you want to do?
> 
> Is it 
> 
> A) Users who have ANY publicDelegates configured for themselves?
> 
> B) Users who have a specific publicDelegate configured for 
> themselves? Aka The users a specific user has publicDelegate 
> access over?
> 
> 
> If A, then your query can be a simple
> 
> 
> (&(objectcategory=person)(objectclass=user)(publicdelegates=*))
> 
> 
> If B, then the better way is to enumerate the user's 
> publicDelegatesBL attribute. That will list every account 
> he/she has publicDelegate rights to.
> Do this against the GC though so cross domain links will show up.
> 
> 
> 
> Now finally let me close up with a little bug in this area... 
> This can come up if you have a multidomain forest. If the 
> outlook client gets a GC for a domain that the user isn't in 
> then it is possible that an update to publicDelegates did not 
> occur properly. The whole publicDelegates thing has two 
> aspects, there is some stuff in the STORE and stuff in AD. 
> The stuff in AD is strictly how Send On Behalf is controlled. 
> So it is possible that you will get someone who has 
> publicDelegates listed in AD but Outlook won't show them 
> properly because of the update bug (note that this should be 
> corrected with the new DSPROXY/DSACCESS capability in E2K3 I 
> think SP2). It is also possible for outlook to show someone 
> but they aren't in AD in the attribute.
> The first is worse than the second because someone could send 
> on behalf of the user and the user wouldn't know it. 
> 
> Go check out the EHLO blog, they talked a lot about this fix. 
> For a detailed description of this issue check out the 
> archives for this list as I really hounded on this problem in 
> about August of 2003 and April or so of 2004 as I was trying 
> to get MSFT to step up and fix it. 
> 
>   joe
> 
> 
> 
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gordon Pegue
> Sent: Tuesday, August 01, 2006 4:18 PM
> To: [email protected]
> Subject: [ActiveDir] LDAP query struggle
> 
> I'd like to create an LDAP query to return a list of users 
> that have the "Send on behalf" field populated in the 
> "Exchange General / Delivery Options" properties in ADUC.
> 
> I cannot seem to make sense of the syntax of the query...
> 
> (&(objectCategory=user)(publicDelegates=<user I'm searching for>))
> 
> Is there something I'm missing or can someone provide the 
> correct query format to do what I need?
> 
> Thanks
> Gordon Pegue
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> 
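The two filters discussed in the thread (any publicDelegates value, or one specific delegate DN), as an added example that is not part of any list message. It builds them with RFC 4515 escaping so a DN containing a backslash, parentheses or an asterisk cannot alter the filter; the function names, DNs and directory entries are constructed for illustration.

```python
# Added example: filter construction for the publicDelegates audit.
# All names, DNs and entries here are constructed sample data.

# RFC 4515 requires these characters to be hex-escaped in assertion values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

USER_CLAUSE = "(objectCategory=person)(objectClass=user)"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def any_delegate_filter() -> str:
    """Scenario A: users with at least one publicDelegates value."""
    return f"(&{USER_CLAUSE}(publicDelegates=*))"


def specific_delegate_filter(delegate_dn: str) -> str:
    """Scenario B as a filter: users who list delegate_dn in publicDelegates."""
    return f"(&{USER_CLAUSE}(publicDelegates={escape_filter_value(delegate_dn)}))"


def users_delegating_to(entries, delegate_dn):
    """Offline check over already-exported entries (list of dicts).

    DN comparison is simplified to a case-insensitive string match.
    """
    target = delegate_dn.casefold()
    return sorted(
        e["dn"]
        for e in entries
        if any(d.casefold() == target for d in e.get("publicDelegates", []))
    )


# Constructed sample: a departed account whose DN needs filter escaping.
DEPARTED = r"CN=Smith\, Pat (Temp),OU=Staff,DC=example,DC=com"
ENTRIES = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com",
     "publicDelegates": [r"cn=smith\, pat (temp),ou=staff,dc=example,dc=com"]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=com",
     "publicDelegates": ["CN=Alice,OU=Staff,DC=example,DC=com"]},
    {"dn": "CN=Carol,OU=Staff,DC=example,DC=com", "publicDelegates": []},
]

if __name__ == "__main__":
    print(specific_delegate_filter(DEPARTED))
    print(users_delegating_to(ENTRIES, DEPARTED))
```
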