LDAP query struggle

gpegue posted this 01 August 2006

I'd like to create an LDAP query to return a list of users
that have the "Send on behalf" field populated in the
"Exchange General / Delivery Options" properties in ADUC.

I cannot seem to make sense of the syntax of the query...

(&(objectCategory=user)(publicDelegates=))

Is there something I'm missing or can someone provide the correct
query format to do what I need?

Thanks
Gordon Pegue

ZJORZ posted this 01 August 2006


slinehan posted this 01 August 2006

Also ensure you are putting the full DN of the user that you are searching for
in publicDelegates= since that is a linked attribute.

Thanks,

-Steve


listmail posted this 01 August 2006

objectcategory=user isn't optimal, that will get changed to
objectcategory=person which will look at all contacts and users, however
that wouldn't prevent the query from working unless you are timing out. What
tool are you using to submit the query? Does it allow you to specify a
timeout?

Anyway, back to the real issue, publicdelegates has a syntax of 2.5.5.1
which is a DN, so if you are actually looking for what users a certain other
user has delegate rights to then you could do something like

(&(objectcategory=person)(objectclass=user)(publicdelegates=cn=user,ou=someou,dc=domain,dc=com))

Now down to brass tacks... What do you want to do?

Is it

A) Users who have ANY publicDelegates configured for themselves?

B) Users who have a specific publicDelegate configured for themselves? Aka
The users a specific user has publicDelegate access over?
If A, then your query can be a simple
(&(objectcategory=person)(objectclass=user)(publicdelegates=*))
If B, then the better way is to enumerate the user's publicDelegatesBL
attribute. That will list every account he/she has publicDelegate rights to.
Do this against the GC though so cross domain links will show up.

Now finally let me close up with a little bug in this area... This can come
up if you have a multidomain forest. If the outlook client gets a GC for a
domain that the user isn't in then it is possible that an update to
publicDelegates did not occur properly. The whole publicDelegates thing has
two aspects, there is some stuff in the STORE and stuff in AD. The stuff in
AD is strictly how Send On Behalf is controlled. So it is possible that you
will get someone who has publicDelegates listed in AD but Outlook won't show
them properly because of the update bug (note that this should be corrected
with the new DSPROXY/DSACCESS capability in E2K3 I think SP2). It is also
possible for outlook to show someone but they aren't in AD in the attribute.
The first is worse than the second because someone could send on behalf of
the user and the user wouldn't know it.

Go check out the EHLO blog, they talked a lot about this fix. For a detailed
description of this issue check out the archives for this list as I really
hounded on this problem in about August of 2003 and April or so of 2004 as I
was trying to get MSFT to step up and fix it.

joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


Tony posted this 01 August 2006

It depends a little on what you're looking for.

Let's say you have a meeting room (MR1) and a user (Bob Smith) has Send on Behalf of permissions for the meeting room. A search using MR1 would use publicDelegatesBL (the back link attribute) and would look something like this:

(&(objectclass=user)(objectcategory=person)(publicdelegatesbl=CN=MR1,CN=Users,DC=myco,DC=com))

A search using Bob Smith would use publicDelegates and would look something like this:
(&(objectclass=user)(objectcategory=person)(publicdelegates=CN=Bob Smith,CN=Users,DC=myco,DC=com))

Tony
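To make the difference between joe's A and B scenarios and Tony's publicDelegates / publicDelegatesBL searches concrete, here is an added example (not from any post in this thread). It builds the filters with RFC 4515 escaping, evaluates them against a small constructed in-memory directory instead of a live domain, and derives the back link the way the GC would, so you can see why `publicDelegates=Benjamin` returns nothing while the full DN matches; all DNs and entries are made up.

```python
import re

def ldap_escape(value):
    """RFC 4515 escaping of a filter value (a DN containing '(' or '*' would break the filter)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

ldap_unescape = lambda v: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

USER = "(&(objectCategory=person)(objectClass=user)"  # joe's recommended base clause

def accounts_delegated_to(delegate_dn):
    """Scenario B: accounts listing delegate_dn (must be a full DN) in publicDelegates."""
    return USER + "(publicDelegates=%s))" % ldap_escape(delegate_dn)

def delegates_over(target_dn):
    """Tony's MR1 search: the back link answers 'who may Send on Behalf of target_dn'."""
    return USER + "(publicDelegatesBL=%s))" % ldap_escape(target_dn)

def any_delegates():
    """Scenario A: every user with at least one publicDelegates value."""
    return USER + "(publicDelegates=*))"

def search(entries, flt):
    """Evaluate a flat (&(a=v)...) filter; names and values compare case-insensitively like AD."""
    terms = [(a.lower(), ldap_unescape(v)) for a, v in re.findall(r"\(([^=()]+)=([^()]*)\)", flt)]
    def matches(e):
        attrs = {k.lower(): [x.lower() for x in (v if isinstance(v, list) else [v])] for k, v in e.items()}
        return all(a in attrs and (v == "*" or v.lower() in attrs[a]) for a, v in terms)
    return [e["dn"] for e in entries if matches(e)]

def with_back_links(entries):
    """Stand-in for the linked attribute the GC maintains: derive publicDelegatesBL from publicDelegates."""
    by_dn = {e["dn"].lower(): e for e in entries}
    for e in entries:
        for d in e.get("publicDelegates", []):
            if d.lower() in by_dn:
                by_dn[d.lower()].setdefault("publicDelegatesBL", []).append(e["dn"])
    return entries

USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
BEN, BOB, MR1, GORDON = ("CN=%s,CN=Users,DC=example,DC=com" % n  # constructed DNs, not a real domain
                         for n in ("Benjamin Ortega", "Bob Smith", "MR1", "Gordon Pegue"))
DIRECTORY = with_back_links([  # constructed sample directory; objectCategory shortened to 'person'
    {"dn": GORDON, "objectCategory": "person", "objectClass": USER_CLASSES, "publicDelegates": [BEN]},
    {"dn": MR1, "objectCategory": "person", "objectClass": USER_CLASSES, "publicDelegates": [BOB, BEN]},
    {"dn": BEN, "objectCategory": "person", "objectClass": USER_CLASSES},
    {"dn": BOB, "objectCategory": "person", "objectClass": USER_CLASSES},
    {"dn": "CN=Vendor,CN=Users,DC=example,DC=com", "objectCategory": "person", "objectClass": ["top", "person", "organizationalPerson", "contact"], "publicDelegates": [BEN]},
])
```

Reading `DIRECTORY[2]["publicDelegatesBL"]` is the in-memory equivalent of joe's "enumerate the user's publicDelegatesBL against the GC", and it is the quickest way to audit which mailboxes a departed account can still send on behalf of.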

gpegue posted this 01 August 2006

Here's what I tried:

(&(objectCategory=person)(objectClass=user)(publicDelegates=Benjamin))

I have a mailbox-enabled user named Benjamin Ortega.
I figured that using Benjamin would grab the user(s) that
have him set as having Send on behalf permission.
I KNOW I have users defined thus but the query returns nothing.

Steve Linehan mentions something about the full DN....

Guess I better 'fess up and say that I'm an LDAP rookie
and am not sure what he means....

But, with some thought about it, here's what worked after I
figured out the full DN of the user in question:

(&(objectCategory=person)(objectClass=user)(publicDelegates=CN=Benjamin Ortega,CN=Users,DC=cg-engrs,DC=com))

Thanks for pointing me in the right direction. Now to read
joe's post....

Thanks
Gordon Pegue


listmail posted this 01 August 2006

Ok, so you are trying to find what users have Benjamin as a
publicDelegate. That is my B scenario I listed.

Do this

adfind -gc -b "" -f name="Benjamin Ortega" publicdelegatesBL

If you want more detailed info about each of the users he
is a delegate for then we can look at some attribute scoped query magic (-ASQ
switch).

  joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm


gpegue posted this 01 August 2006

Thanks joe for the very detailed reply!

My whole purpose for creating the query is that I had an employee
here depart about a month ago and I thought I had cleaned up
everything when I finally killed the AD account. What I was not
aware of was that some other employees had this person setup as
a delegate and there were some weird behaviors taking place
when meeting requests were issued.... So, I wanted to query
my AD users to find out who....

So, as it turns out, your A scenario was what I was after.

FWIW I "manage" a small single-domain forest with about 50 users,
and I mostly lurk here to learn.

Thanks
Gordon Pegue


listmail posted this 01 August 2006

Lurk away, glad to help out. Don't be afraid to ask questions, we just all
seem mean. In real life we are all nice teddy bears, well except Deji. Avoid
Deji if you see him coming, he is a bit scary. ;o)

joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
