LDAP Query Basics
Topic Last Modified: 2011-01-13
By William Taylor
This article discusses Lightweight Directory Access Protocol (LDAP) queries, which can be useful, but confusing, when troubleshooting Microsoft® Exchange Server and its relationship to its directory. This article provides basic information about LDAP queries.
= (EQUAL TO)
This LDAP argument means a certain attribute must be equal to a certain value to be true. For example, if you want to find all objects that have the first name of John, you would use:
This would return all objects that have the first name of John. Parentheses are included to emphasize the beginning and end of the LDAP statement.
& (logical AND)
You use this syntax when you have more than one condition, and you want all conditions in the series to be true. For example, if you want to find all of the people that have the first name of John and live in Dallas, you would use:
Notice that each argument is in its own set of parentheses. The entire LDAP statement must be encompassed in a main set of parentheses. The & operator means that each argument must be true for this filter to apply to your object in question.
! (logical NOT)
This operator is used to exclude objects that have a certain attribute. Suppose you need to find all objects except those that have the first name of John. You would use the following statement:
This statement would find all objects that do not have the first name of John. Notice that the
!operator goes directly in front of the argument and inside the argument's set of parentheses. Because there is only one argument in this statement, it is surrounded with parentheses for illustration.
You use the wildcard operator to represent a value that could be equal to anything. One such situation might be if you wanted to find all objects that have a value for title. You would then use:
This would return all objects that have the title attribute populated with a value. Another example might be if you know an object's first name starts with Jo. Then, you could use the following to find those:
This would apply to all objects whose first name starts with Jo.
The following are more advanced examples of LDAP syntax:
You need a filter to find all objects that are in Dallas or Austin, and that have the first name of John. This would be:
You have received 9,548 events in the Application log, and you need to find all of the objects that are causing this logging event. In this case, you need to find all of the disabled users (msExchUserAccountControl=2) that do not have a value for msExchMasterAccountSID. This would be:
Note: The ! operator in conjunction with the wildcard operator will look for objects where that attribute is not set to anything.
While working with Exchange Server, you encounter situations that use LDAP strings. For example, whenever you set up a recipient or mailbox manager policy or an address list filter, or when you search the Active Directory® directory service, Exchange Server utilizes LDAP. In the next sections, some of the ways in which you can use LDAP statements are discussed.
The following example illustrates how to search using Active Directory Users and Computers:
Open Active Directory Users and Computers.
Right-click the domain object and select Find.
Click the drop-down list next to Find, and then select Custom Search.
From the next screen, select the Advanced tab.
Type the appropriate LDAP statement under Enter LDAP query.
This example attempts to find all objects that either have prez for their title or test for the start of their name. If you click Find Now, you should see the appropriate output, as shown in the following screenshot.
You can also search using LDP, which is included in Microsoft Windows Server™ 2003 and Windows® 2000 Server support tools. This tool gives you the ability to not only search the domain container, but also the Configuration container. You first would open LDP and connect to a valid domain controller. Then you need to bind using appropriate credentials. Select View, and then select Tree. Leave the Base DN field blank, and click OK. Navigate to the container that you want to search, right-click the container, and select Search.
A dialog box appears that should have the correct value in the Base DN field. Type the LDAP statement that you want to filter by, and something similar to the following should appear.
If you want to search all of the containers below the level you are currently at, make sure to select the option button for Subtree. Click Run, and it should find all of the matches.
There may be times when you need to do a search for a set of objects that meet a certain criteria, and you want to build a list of those users. LDIFDE is a command-line tool that you can use to build this list. Suppose you want to find and save a list of all the users whose mailNickName starts with Jeff. You could then run the following command.
C:\>ldifde -d "DC=witaylorroot,DC=com" -f c:\output.txt -r "(&(objectClass=user)(mailNickName=jeff*))
In this example, you would find three objects and export all of their attributes into the output .txt file that you specified. If you are exporting the results for thousands of users, however, the export file will be too large. There is a different option. You can use the
-l (lowercase L) switch to specify which attributes to export. The distinguished name will always export, but if you want nothing else, you can add
nothing to the string, and that would streamline the output. An example of this is the following command.
C:\>ldifde -d "DC=witaylorroot,DC=com" -f c:\output.txt -l nothing -r "(&(objectClass=user)(mailNickName=jeff*))
Consider that in this case, you want to use the LDIFDE export referenced earlier, but only want to include the homeMDB attribute in the output. You must use the following command.
C:\>ldifde -d "DC=witaylorroot,DC=com" -f c:\output.txt -l "homeMDB" -r "(&(objectClass=user)(mailNickName=jeff*)) dn: CN=jeff,OU=55Users,DC=witaylorroot,DC=com changetype: add homeMDB: CN=Private Information Store (WITAYLORNT4EX55),CN=First Storage Group,CN=InformationStore,CN=WITAYLORNT4EX55,CN=Servers,CN=WITAYLORMIXEDSITE,CN=Administrative Groups,CN=WITAYLORORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=witaylorroot,DC=com dn: CN=jeff2,CN=Users,DC=witaylorroot,DC=com changetype: add homeMDB: CN=Private Information Store (WITAYLORNT4EX55),CN=First Storage Group,CN=InformationStore,CN=WITAYLORNT4EX55,CN=Servers,CN=WITAYLORMIXEDSITE,CN=Administrative Groups,CN=WITAYLORORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=witaylorroot,DC=com dn: CN=jeff3,CN=Users,DC=witaylorroot,DC=com changetype: add homeMDB: CN=Private Information Store (WITAYLORNT4EX55),CN=First Storage Group,CN=InformationStore,CN=WITAYLORNT4EX55,CN=Servers,CN=WITAYLORMIXEDSITE,CN=Administrative Groups,CN=WITAYLORORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=witaylorroot,DC=com
If you are doing an export without restricting what attributes are exported, you might want to use the
-n switch to suppress any values that would normally be included. This will help prevent the export file size from getting too large.
To obtain the ADModify tool, contact Microsoft Product Support Services. For more information about how to contact Microsoft Product Support Services, see the Microsoft Help and Support Web site.
To obtain the ADModify tool from a third-party Web site, see the following GotDotNet Web site: ADModify.NET: Workspace Home.
ADModify is a tool that Microsoft Product Support Services uses on a daily basis. With large Active Directory environments, it is not always easy to add an entire organizational unit (OU) that could have thousands of users in it to the list on the right side, and then parse through all of them to find the users you need to change. There is an alternative. On the first screen, choose Modify Existing User Attributes and click Next. On the Modify Active Directory Users screen, there is an Advanced button.
If you click the Advanced button, the Custom LDAP Filter dialog box appears. In this dialog box, you type the LDAP filter that you want to use. In this example, you only want to list the groups that are mail-enabled. It would look like the following.
Next, click OK. Select the OU or the domain where you want ADModify to search. If you want it to look in lower-level containers within the one you selected, make sure to select Traverse Subcontainers when Enumerating Users. Click Add to List, and then click Yes when warned about how long it could take. The objects that meet the criteria you specified should now appear in the right pane.
From here, highlight the objects that you want to modify, and continue with the wizard.
For more information, see the following Microsoft Knowledge Base articles: