| Author | Messages | |
MikeLeone
Posts:55
 | | 09/01/2010 8:21 PM |
| Following an example I found online (I know, never trust anything on the Interwebs ...), I am trying to find all members, including nested memberships, of a group. But I seem to be failing miserably, and I know not why ....
Z:\>adfind -f "(&(objectClass=user)(objectCategory=person)(`memberOf:1.2.840.113556.1.4.1941:=cn=CN=Remote Control Operators,CN=Users,DC=...`))"
0 Objects returned
Note that the AD group, "Remote Control Operators", has a space in the name, if that matters.
So why isn't this working? There are 3 groups as members, and those groups have their own members (which is what I am trying to list). So what am I doing wrong?
| | | |
| skradel
Posts:177
 | | 09/01/2010 8:25 PM |
| Your search filter appears to have some errant backticks (`) in it. Otherwise it should probably work.
Also, you didn't mention the version of your DC. I think the nested group search control is for 2008 and newer.
--Steve
| | | |
| MikeLeone
Posts:55
 | | 09/01/2010 8:31 PM |
| On Wed, Sep 1, 2010 at 3:24 PM, Steve Kradel <skradel@zetetic.net> wrote:
> Your search filter appears to have some errant backticks (`) in it.
> Otherwise it should probably work.
The backticks were in the example - I just changed the group name in the example to my own (using the DN of the group I am looking to expand). Removing the backticks made no difference - still didn't find anything.
> Also, you didn't mention the version of your DC. I think the nested
> group search control is for 2008 and newer.
Ratz! I am on Win2003 ....
I am using the latest ADFIND - AdFind V01.42.00cpp
| | | |
| mkline
Posts:83
 | | 09/01/2010 8:49 PM |
| In the memberof section you have ":=cn=CN="; take that second CN out (so cn=remote....).
There are also some limitations of trying to find all the groups. joe discussed it in his blog entry below (and in the comments) and he says it better than I can.
http://blog.joeware.net/2007/08/01/939/
Thanks
Mike
| | | |
| MikeLeone
Posts:55
 | | 09/01/2010 9:04 PM |
| On Wed, Sep 1, 2010 at 3:47 PM, mike kline <mkline@gmail.com> wrote:
> In the memberof section you have ":=cn=CN=" take that second CN out
> (so cn=remote....
AH HA! Yes, that was it ... silly of me, really ...
> There are also some limitations of trying to find all the groups.
> joe discussed it in his blog entry below (and in the comments) and he
> says it better than I can
>
> http://blog.joeware.net/2007/08/01/939/
I will read up on that. And read the blog, now that I know about it. :-)
Thanks SO much ....
| | | |
| listmail
Posts:822
 | | 09/02/2010 7:30 AM |
| The LDAP_MATCHING_RULE_IN_CHAIN query matching rule is in Windows Server 2003 SP2 and better versions of AD.
joe
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
Blog: http://blog.joeware.net
-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Steve Kradel
Sent: Wednesday, September 01, 2010 3:24 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Using ADFIND to get nested group membership
Your search filter appears to have some errant backticks (`) in it. Otherwise it should probably work.
Also, you didn't mention the version of your DC. I think the nested group search control is for 2008 and newer.
--Steve
| | | |
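The mistake resolved in this thread (a doubled "cn=CN=" at the start of the group DN, plus stray backticks), as an added Python example that is not part of the original posts: it checks the DN for those copy-and-paste errors and then builds the same nested-membership filter with the value escaped for use in a filter. The function names and the DC=example,DC=com suffix are constructed for illustration, since the thread elides the DC components.

```python
import re

# OID of LDAP_MATCHING_RULE_IN_CHAIN, taken from the filter in the thread.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515: characters that must be escaped inside a filter assertion value.
# Spaces are not among them, so a group name with a space needs no escaping.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a string for use as the value part of an LDAP filter item."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def lint_group_dn(dn):
    """Return a list of likely copy-and-paste mistakes in a group DN."""
    problems = []
    if "`" in dn:
        problems.append("stray backtick in DN")
    # First RDN = everything up to the first comma not escaped with a backslash.
    first_rdn = re.split(r"(?<!\\),", dn.strip("`"), maxsplit=1)[0]
    attr_type, sep, value = first_rdn.partition("=")
    if not sep or not attr_type.strip():
        problems.append("first RDN has no attribute type")
    elif re.match(r"[A-Za-z][A-Za-z0-9-]*=", value):
        # Heuristic: "cn=CN=Name" is a legal DN whose value is "CN=Name", which
        # is why the query in the thread returned 0 objects and not an error.
        problems.append("doubled attribute type in first RDN: " + first_rdn)
    return problems


def nested_user_filter(group_dn):
    """Build the thread's filter: users who are direct or nested members."""
    problems = lint_group_dn(group_dn)
    if problems:
        raise ValueError("; ".join(problems))
    return ("(&(objectClass=user)(objectCategory=person)"
            "(memberOf:%s:=%s))" % (IN_CHAIN, escape_filter_value(group_dn)))


# Constructed sample DN: the DC=example,DC=com suffix is a placeholder.
GROUP_DN = "CN=Remote Control Operators,CN=Users,DC=example,DC=com"

if __name__ == "__main__":
    print(nested_user_filter(GROUP_DN))
    print(lint_group_dn("cn=" + GROUP_DN + "`"))
```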