AWESOME! Thank you so much for the help. Is it as simple to add users to the group using the same method? Did you come up with this on your own or find this info somewhere? Any other tips of things I can look out for as I'm working with CFLDAP?
John

-----Original Message-----
From: Dawson, Michael [mailto:[EMAIL PROTECTED]
Sent: Friday, February 22, 2008 12:08 PM
To: CF-Talk
Subject: RE: LDAP Query for group members

There are a couple of solutions to this issue, however, one is the best. I'll save that for last, of course.

"Member" is a multi-value attribute in Active Directory. By default, it is a comma-delimited value. As you have found, distinguished names are also comma-delimited by nature.

You can solve this issue by using CFLDAP's SEPARATOR attribute. If you specify a tab char, chr(9), you will get back a tab-separated list of member distinguished names. You can then use CFLOOP to loop over each member.

However, if you want to know the member's first name, you would have to perform another LDAP query for each member. That could, and will, be very slow, if you have a large group.

You will also have a limitation of 1000 members. Active Directory returns only 1000 values in a multi-value attribute. There is a workaround for this, but it really sucks. I don't even want to talk about it.

Basically, this will get you close to what you are doing now, with the only improvement of a tab-separated list of members.

The best solution comes now... It is so simple, it will make you giggle.

Rather than query a group's members, you are better off querying all users who are a member of a group. Basically, you will set your filter to be:

"(&(objectCategory=Person)(memberOf=DN=GroupName, OU=Org, DC=domain, DC=com))"

Also, you need to specify the DELIMITER attribute in the CFLDAP tag. Set it to a tab character chr(9). You won't be passing any tabs in your filter, however, this prevents any errors because of the commas in the group's distinguished name.

Then, in your CFLDAP tag, you can specify all of the user attributes that you need: givenName, sn, title, department, telephoneNumber, etc. You will get it all back in one CF query object.
The best part is that you are not limited to the 1000-value limit that you would have hit by using the first method. However, you may hit another limit in the number of records that Active Directory returns via LDAP queries. By default, I think it may be 1000, but you can modify your domain controllers to increase that limit. I increased our limit to 10,000 records. If you have this problem, Google "ntdsutil and maxpagesize" or just click here: http://support.microsoft.com/kb/315071

m!ke
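
Added example, not part of the original thread and written in Python rather than CFML so it runs stand-alone: it shows why splitting a flattened `member` list on commas shreds distinguished names while a tab separator round-trips, and builds the `memberOf` filter discussed above with RFC 4515 escaping of the group DN, which goes slightly beyond what the thread covers. All DNs and function names are constructed for illustration.

```python
"""Illustration only: comma ambiguity in a flattened multi-value attribute
and a memberOf filter built with RFC 4515 value escaping."""

TAB = "\t"  # chr(9), the separator suggested in the thread

# Constructed sample: member DNs of a hypothetical group.
MEMBERS = [
    "CN=Alice Example,OU=Staff,DC=domain,DC=com",
    "CN=Bob Example,OU=Staff,DC=domain,DC=com",
    "CN=Carol Example,OU=Org,DC=domain,DC=com",
]

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def join_values(values, separator):
    """Flatten a multi-value attribute into one delimited string."""
    return separator.join(values)


def split_values(flat, separator):
    """Recover the individual values from a delimited string."""
    return flat.split(separator) if flat else []


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn):
    """Filter for all person objects that are members of group_dn."""
    return "(&(objectCategory=Person)(memberOf=%s))" % escape_filter_value(group_dn)


def demo():
    """Return (pieces from comma split, whether tab split round-trips)."""
    comma_pieces = split_values(join_values(MEMBERS, ","), ",")
    tab_values = split_values(join_values(MEMBERS, TAB), TAB)
    return len(comma_pieces), tab_values == MEMBERS


if __name__ == "__main__":
    print(demo())
    print(member_of_filter("CN=Ops (EU),OU=Org,DC=domain,DC=com"))
```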