tags:

views:

3461

answers:

2
+2  Q: 

LDAP query for all users in sub OUs within a particular OU

The active directory I have to deal with is laid out as such: the domain contains many OUs. One of these OUs is named "Primary OU". Within this OU are several OUs named with location of global offices (ie "Chicago" "Paris").

Any user account that is an actual flesh and bone person is put into the OU named for the office they work in as their primary OU. Any user account that is an alias, generic account, or otherwise not directly tied to a real person, has the "Primary OU" OU set as their primary OU.

Data-wise, this primary OU distinction is the only thing that indicates which users are real people, and which users are not. There is no group that contains only real people, no indicator in any field that they are real people or not, and making any changes to active directory or any user accounts is strictly forbidden.

My task is writing a query that will only get all actual flesh and bone people.

Unfortunately LDAP is not exactly my strong suit and the only way I've come up with is searching each of these office sub OUs individually and putting all the results together, but there are a lot of offices and it would require a change to the query if any offices were added, which I need to avoid.

Is there a way to query all users within a particular OU's "sub" OUs, but not return any users directly in the parent OU?

+2  A: 

Yes, sure - you would need to:

1) Bind to the particular OU

DirectoryEntry myOU = new DirectoryEntry("LDAP://OU=MyOU,......,DC=MyCompany,DC=com");

2) Enumerate all its sub-OU's

DirectorySearcher subOUsearcher = new DirectorySearcher(myOU);
subOUsearcher.SearchScope = SearchScope.OneLevel; // don't recurse down
subOUsearcher.Filter = "(objectClass=organizationalUnit)";

foreach(SearchResult subOU in subOUsearcher.FindAll())
{
   // stick those Sub OU's into a list and then handle them
}

3) One-by-one enumerate all the users in each of the sub-OU's and stick them into a global list of users

DirectorySearcher userSearcher = new DirectorySearcher(myCurrentSubOU);
userSearcher.SearchScope = SearchScope.OneLevel; // don't recurse down
subOUsearcher.Filter = "(objectClass=user)";

foreach(SearchResult user in userSearcher.FindAll())
{
  // stick those users into a list being built up
}

4) Return that list

Marc

marc_s  2009-06-26 16:30:55
That may be the way I have to go, I was just curious if there was some sort of way to write a query to return all users in one go, something like perhaps a searchScope setting that would only search child OUs and not the parent.
kscott  2009-06-26 16:36:57
No, I don't think you can do this in a single request - you'll have to grab your information bit by bit :-)
marc_s  2009-06-26 16:38:07
A: 

Shoudn't the Filter in step 3) be userSearcher.Filter and not subOUsearcher.Filter?

 2009-09-23 08:19:17

related questions

Querying Active Directory with "SQL"?
Can I get more than 1000 records from a DirectorySearcher in Asp.Net?
How to get AD User Groups for user in Asp.Net?
Attempting to update a user's "connect to:" home directory path in AD using C#
Monitoring group membership in Active Directory more efficiently (C# .NET)
How do I speed up data retrieval from .NET AD within ColdFusion
How do you authenticate against an Active Directory server using Spring Security?
Managing large user databases for single-signon.
Move Active Directory Group to Another OU using Powershell
How to move SharePoint sites from one active directory domain to another?
When did I last talk to my Domain Server?
Using ActiveDirectoryMembershipProvider with two domain controllers
I am having trouble getting phpBB to authenticate with our Active Directory
How do I use ADAM to run unit tests?
COMException "Library not registered." while using System.DirectoryServices
Caching Active Directory Data
Windows / Active Directory - User / Groups
Get a list of available domains (NT4 and Active Directory)
How do I use NTLM authentication with Active Directory
I/O permission settings using .net installer
quoting System.DirectoryServices.ResultPropertyCollection
How do you impersonate an Active Directory user in Powershell?
Setting Group Type for new Active Directory Entry in VB.NET
Is there a way for MS Access to grab the current Active Directory user?
Checklist for IIS 6/ASP.NET Windows Authentication?