Active Directory LDAP Query by sAMAccountName and Domain

Question

How do you do a query of an LDAP store by sAMAccountName and Domain   What is the  domain  property named in Active Directory or LDAP terms   This is what I have for the filter so far  I d like to be able to add in the domain     amp  objectCategory Person  sAMAccountName BTYNDALL

User · Answer

Domain  is not a property of an LDAP object  It is more like the name of the database the object is stored in   So you have to connect to the right database  in LDAP terms   bind to the domain directory server   in order to perform a search in that database   Once you bound successfully  your query in it s current shape is all you need   BTW  Choosing  ObjectCategory Person  over  ObjectClass user  was a good decision  In AD  the former is an  indexed property  with excellent performance  the latter is not indexed and a tad slower

User · Answer

You have to perform your search in the domain    http   msdn microsoft com en-us library ms677934 VS 85  aspx So  basically your should bind to a domain in order to search inside this domain

User · Answer

I have written a C  class incorporating    the algorithm from Dscoduc  the query optimization from sorin  a cache for the domain to server mapping  and a method to search for an account name in DOMAIN sAMAccountName format    However  it is not Site-aware   using System  using System Collections Generic  using System DirectoryServices  using System Linq  using System Text   public static class ADUserFinder       private static Dictionary lt string  string gt   dictDomain2LDAPPath       private static Dictionary lt string  string gt  DictDomain2LDAPPath               get                       if  null     dictDomain2LDAPPath                                string configContainer                  using  DirectoryEntry rootDSE   new DirectoryEntry  LDAP   RootDSE                        configContainer   rootDSE Properties  ConfigurationNamingContext   Value ToString                     using  DirectoryEntry partitionsContainer   new DirectoryEntry  LDAP   CN Partitions     configContainer                   using  DirectorySearcher dsPartitions   new DirectorySearcher                          partitionsContainer                             amp  objectcategory crossRef  systemFlags 3                             new string      name    nCName    dnsRoot                             SearchScope OneLevel                                        using  SearchResultCollection srcPartitions   dsPartitions FindAll                                           dictDomain2LDAPPath   srcPartitions OfType lt SearchResult gt                             ToDictionary                          result   gt  result Properties  name   0  ToString       the DOMAIN part                         result   gt    LDAP    result Properties  dnsRoot   0    result Properties  nCName   0                                                                        return  dictDomain2LDAPPath                       private static DirectoryEntry FindRootEntry string domainPart                if  DictDomain2LDAPPath ContainsKey domainPart               return new DirectoryEntry DictDomain2LDAPPath domainPart            else             throw new ArgumentException   Domain    domainPart    is unknown in Active Directory               public static DirectoryEntry FindUser string domain  string sAMAccountName                using  DirectoryEntry rootEntryForDomain   FindRootEntry domain           using  DirectorySearcher dsUser   new DirectorySearcher                  rootEntryForDomain                      amp  sAMAccountType 805306368  sAMAccountName  EscapeLdapSearchFilter sAMAccountName         magic number 805306368 means  user objects   it s more efficient than  objectClass user                             return dsUser FindOne   GetDirectoryEntry               public static DirectoryEntry FindUser string domainBackslashSAMAccountName                string   domainAndsAMAccountName   domainBackslashSAMAccountName Split                if  domainAndsAMAccountName Length    2              throw new ArgumentException   User name    domainBackslashSAMAccountName    is not in correct format DOMAIN  SAMACCOUNTNAME    DomainBackslashSAMAccountName             string domain   domainAndsAMAccountName 0           string sAMAccountName   domainAndsAMAccountName 1            return FindUser domain  sAMAccountName                   lt summary gt          Escapes the LDAP search filter to prevent LDAP injection attacks          Copied from https   stackoverflow com questions 649149 how-to-escape-a-string-in-c-for-use-in-an-ldap-query          lt  summary gt           lt param name  searchFilter  gt The search filter  lt  param gt           lt see cref  https   blogs oracle com shankar entry what is ldap injection    gt           lt see cref  http   msdn microsoft com en-us library aa746475 aspx    gt           lt returns gt The escaped search filter  lt  returns gt      private static string EscapeLdapSearchFilter string searchFilter                StringBuilder escape   new StringBuilder            for  int i   0  i  lt  searchFilter Length    i                        char current   searchFilter i               switch  current                                case                           escape Append    5c                        break                  case                          escape Append    2a                        break                  case                          escape Append    28                        break                  case                          escape Append    29                        break                  case   u0000                       escape Append    00                        break                  case                          escape Append    2f                        break                  default                      escape Append current                       break                                   return escape ToString

User · Answer

You have to perform your search in the domain    http   msdn microsoft com en-us library ms677934 VS 85  aspx So  basically your should bind to a domain in order to search inside this domain

User · Answer

First  modify your search filter to only look for users and not contacts     amp  objectCategory person  objectClass user  sAMAccountName BTYNDALL     You can enumerate all of the domains of a forest by connecting to the configuration partition and enumerating all the entries in the partitions container   Sorry I don t have any C  code right now but here is some vbscript code I ve used in the past   Set objRootDSE   GetObject  LDAP   RootDSE   AdComm Properties  Sort on      name  AdComm CommandText     lt LDAP   cn Partitions    amp        objRootDSE Get  ConfigurationNamingContext    amp    gt     amp               amp  objectcategory crossRef  systemFlags 3      amp                 name nCName dnsRoot onelevel  set AdRs   AdComm Execute   From that you can retrieve the name and dnsRoot of each partition   AdRs MoveFirst With AdRs   While Not  EOF     dnsRoot    Fields  dnsRoot        Set objOption   Document createElement  OPTION       objOption Text   dnsRoot 0      objOption Value    LDAP      amp  dnsRoot 0   amp       amp   Fields  nCName   Value     Domain Add objOption       MoveNext    Wend  End With

User · Answer

First  modify your search filter to only look for users and not contacts     amp  objectCategory person  objectClass user  sAMAccountName BTYNDALL     You can enumerate all of the domains of a forest by connecting to the configuration partition and enumerating all the entries in the partitions container   Sorry I don t have any C  code right now but here is some vbscript code I ve used in the past   Set objRootDSE   GetObject  LDAP   RootDSE   AdComm Properties  Sort on      name  AdComm CommandText     lt LDAP   cn Partitions    amp        objRootDSE Get  ConfigurationNamingContext    amp    gt     amp               amp  objectcategory crossRef  systemFlags 3      amp                 name nCName dnsRoot onelevel  set AdRs   AdComm Execute   From that you can retrieve the name and dnsRoot of each partition   AdRs MoveFirst With AdRs   While Not  EOF     dnsRoot    Fields  dnsRoot        Set objOption   Document createElement  OPTION       objOption Text   dnsRoot 0      objOption Value    LDAP      amp  dnsRoot 0   amp       amp   Fields  nCName   Value     Domain Add objOption       MoveNext    Wend  End With

User · Answer

You have to perform your search in the domain    http   msdn microsoft com en-us library ms677934 VS 85  aspx So  basically your should bind to a domain in order to search inside this domain

User · Answer

Domain  is not a property of an LDAP object  It is more like the name of the database the object is stored in   So you have to connect to the right database  in LDAP terms   bind to the domain directory server   in order to perform a search in that database   Once you bound successfully  your query in it s current shape is all you need   BTW  Choosing  ObjectCategory Person  over  ObjectClass user  was a good decision  In AD  the former is an  indexed property  with excellent performance  the latter is not indexed and a tad slower

User · Answer

You have to perform your search in the domain    http   msdn microsoft com en-us library ms677934 VS 85  aspx So  basically your should bind to a domain in order to search inside this domain

User · Answer

You can use following queries  Users whose Logon Name Pre-Windows 2000  is equal to John    amp  objectCategory person  objectClass user   sAMAccountType 805306370  sAMAccountName   John       All Users    amp  objectCategory person  objectClass user   sAMAccountType 805306370     Enabled Users    amp  objectCategory person  objectClass user   sAMAccountType 805306370   userAccountControl 1 2 840 113556 1 4 803  2     Disabled Users    amp  objectCategory person  objectClass user   sAMAccountType 805306370  userAccountControl 1 2 840 113556 1 4 803  2     LockedOut Users    amp  objectCategory person  objectClass user   sAMAccountType 805306370  lockouttime gt  1

User · Answer

If you re using  NET  use the DirectorySearcher class  You can pass in your domain as a string into the constructor      if you domain is domain com    string username    user  string domain    LDAP   DC domain DC com   DirectorySearcher search   new DirectorySearcher domain   search Filter     SAMAccountName     username

User · Answer

You can use following queries  Users whose Logon Name Pre-Windows 2000  is equal to John    amp  objectCategory person  objectClass user   sAMAccountType 805306370  sAMAccountName   John       All Users    amp  objectCategory person  objectClass user   sAMAccountType 805306370     Enabled Users    amp  objectCategory person  objectClass user   sAMAccountType 805306370   userAccountControl 1 2 840 113556 1 4 803  2     Disabled Users    amp  objectCategory person  objectClass user   sAMAccountType 805306370  userAccountControl 1 2 840 113556 1 4 803  2     LockedOut Users    amp  objectCategory person  objectClass user   sAMAccountType 805306370  lockouttime gt  1

User · Answer

If you re using  NET  use the DirectorySearcher class  You can pass in your domain as a string into the constructor      if you domain is domain com    string username    user  string domain    LDAP   DC domain DC com   DirectorySearcher search   new DirectorySearcher domain   search Filter     SAMAccountName     username

User · Answer

Domain  is not a property of an LDAP object  It is more like the name of the database the object is stored in   So you have to connect to the right database  in LDAP terms   bind to the domain directory server   in order to perform a search in that database   Once you bound successfully  your query in it s current shape is all you need   BTW  Choosing  ObjectCategory Person  over  ObjectClass user  was a good decision  In AD  the former is an  indexed property  with excellent performance  the latter is not indexed and a tad slower

User · Answer

If you re using  NET  use the DirectorySearcher class  You can pass in your domain as a string into the constructor      if you domain is domain com    string username    user  string domain    LDAP   DC domain DC com   DirectorySearcher search   new DirectorySearcher domain   search Filter     SAMAccountName     username

User · Answer

The best way of searching for users is  sAMAccountType 805306368    Or for disabled users      amp  sAMAccountType 805306368  userAccountControl 1 2 840 113556 1 4 803  2    Or for active users     amp  sAMAccountType 805306368    userAccountControl 1 2 840 113556 1 4 803  2     I find LDAP as not being so light at it was supposed to be    Also resource for common LDAP queries - trying to find them yourself and you will precious time and definitely make mistakes    Regarding domains  it not possible in a single query because the domain is part of the user distinguisedName  DN  which  on Microsoft AD  is not searchable by partial matching

User · Answer

Domain  is not a property of an LDAP object  It is more like the name of the database the object is stored in   So you have to connect to the right database  in LDAP terms   bind to the domain directory server   in order to perform a search in that database   Once you bound successfully  your query in it s current shape is all you need   BTW  Choosing  ObjectCategory Person  over  ObjectClass user  was a good decision  In AD  the former is an  indexed property  with excellent performance  the latter is not indexed and a tad slower

User · Answer

If you re using  NET  use the DirectorySearcher class  You can pass in your domain as a string into the constructor      if you domain is domain com    string username    user  string domain    LDAP   DC domain DC com   DirectorySearcher search   new DirectorySearcher domain   search Filter     SAMAccountName     username

User · Answer

I have written a C  class incorporating    the algorithm from Dscoduc  the query optimization from sorin  a cache for the domain to server mapping  and a method to search for an account name in DOMAIN sAMAccountName format    However  it is not Site-aware   using System  using System Collections Generic  using System DirectoryServices  using System Linq  using System Text   public static class ADUserFinder       private static Dictionary lt string  string gt   dictDomain2LDAPPath       private static Dictionary lt string  string gt  DictDomain2LDAPPath               get                       if  null     dictDomain2LDAPPath                                string configContainer                  using  DirectoryEntry rootDSE   new DirectoryEntry  LDAP   RootDSE                        configContainer   rootDSE Properties  ConfigurationNamingContext   Value ToString                     using  DirectoryEntry partitionsContainer   new DirectoryEntry  LDAP   CN Partitions     configContainer                   using  DirectorySearcher dsPartitions   new DirectorySearcher                          partitionsContainer                             amp  objectcategory crossRef  systemFlags 3                             new string      name    nCName    dnsRoot                             SearchScope OneLevel                                        using  SearchResultCollection srcPartitions   dsPartitions FindAll                                           dictDomain2LDAPPath   srcPartitions OfType lt SearchResult gt                             ToDictionary                          result   gt  result Properties  name   0  ToString       the DOMAIN part                         result   gt    LDAP    result Properties  dnsRoot   0    result Properties  nCName   0                                                                        return  dictDomain2LDAPPath                       private static DirectoryEntry FindRootEntry string domainPart                if  DictDomain2LDAPPath ContainsKey domainPart               return new DirectoryEntry DictDomain2LDAPPath domainPart            else             throw new ArgumentException   Domain    domainPart    is unknown in Active Directory               public static DirectoryEntry FindUser string domain  string sAMAccountName                using  DirectoryEntry rootEntryForDomain   FindRootEntry domain           using  DirectorySearcher dsUser   new DirectorySearcher                  rootEntryForDomain                      amp  sAMAccountType 805306368  sAMAccountName  EscapeLdapSearchFilter sAMAccountName         magic number 805306368 means  user objects   it s more efficient than  objectClass user                             return dsUser FindOne   GetDirectoryEntry               public static DirectoryEntry FindUser string domainBackslashSAMAccountName                string   domainAndsAMAccountName   domainBackslashSAMAccountName Split                if  domainAndsAMAccountName Length    2              throw new ArgumentException   User name    domainBackslashSAMAccountName    is not in correct format DOMAIN  SAMACCOUNTNAME    DomainBackslashSAMAccountName             string domain   domainAndsAMAccountName 0           string sAMAccountName   domainAndsAMAccountName 1            return FindUser domain  sAMAccountName                   lt summary gt          Escapes the LDAP search filter to prevent LDAP injection attacks          Copied from https   stackoverflow com questions 649149 how-to-escape-a-string-in-c-for-use-in-an-ldap-query          lt  summary gt           lt param name  searchFilter  gt The search filter  lt  param gt           lt see cref  https   blogs oracle com shankar entry what is ldap injection    gt           lt see cref  http   msdn microsoft com en-us library aa746475 aspx    gt           lt returns gt The escaped search filter  lt  returns gt      private static string EscapeLdapSearchFilter string searchFilter                StringBuilder escape   new StringBuilder            for  int i   0  i  lt  searchFilter Length    i                        char current   searchFilter i               switch  current                                case                           escape Append    5c                        break                  case                          escape Append    2a                        break                  case                          escape Append    28                        break                  case                          escape Append    29                        break                  case   u0000                       escape Append    00                        break                  case                          escape Append    2f                        break                  default                      escape Append current                       break                                   return escape ToString

User · Answer

First  modify your search filter to only look for users and not contacts     amp  objectCategory person  objectClass user  sAMAccountName BTYNDALL     You can enumerate all of the domains of a forest by connecting to the configuration partition and enumerating all the entries in the partitions container   Sorry I don t have any C  code right now but here is some vbscript code I ve used in the past   Set objRootDSE   GetObject  LDAP   RootDSE   AdComm Properties  Sort on      name  AdComm CommandText     lt LDAP   cn Partitions    amp        objRootDSE Get  ConfigurationNamingContext    amp    gt     amp               amp  objectcategory crossRef  systemFlags 3      amp                 name nCName dnsRoot onelevel  set AdRs   AdComm Execute   From that you can retrieve the name and dnsRoot of each partition   AdRs MoveFirst With AdRs   While Not  EOF     dnsRoot    Fields  dnsRoot        Set objOption   Document createElement  OPTION       objOption Text   dnsRoot 0      objOption Value    LDAP      amp  dnsRoot 0   amp       amp   Fields  nCName   Value     Domain Add objOption       MoveNext    Wend  End With

User · Answer

First  modify your search filter to only look for users and not contacts     amp  objectCategory person  objectClass user  sAMAccountName BTYNDALL     You can enumerate all of the domains of a forest by connecting to the configuration partition and enumerating all the entries in the partitions container   Sorry I don t have any C  code right now but here is some vbscript code I ve used in the past   Set objRootDSE   GetObject  LDAP   RootDSE   AdComm Properties  Sort on      name  AdComm CommandText     lt LDAP   cn Partitions    amp        objRootDSE Get  ConfigurationNamingContext    amp    gt     amp               amp  objectcategory crossRef  systemFlags 3      amp                 name nCName dnsRoot onelevel  set AdRs   AdComm Execute   From that you can retrieve the name and dnsRoot of each partition   AdRs MoveFirst With AdRs   While Not  EOF     dnsRoot    Fields  dnsRoot        Set objOption   Document createElement  OPTION       objOption Text   dnsRoot 0      objOption Value    LDAP      amp  dnsRoot 0   amp       amp   Fields  nCName   Value     Domain Add objOption       MoveNext    Wend  End With

User · Answer

The best way of searching for users is  sAMAccountType 805306368    Or for disabled users      amp  sAMAccountType 805306368  userAccountControl 1 2 840 113556 1 4 803  2    Or for active users     amp  sAMAccountType 805306368    userAccountControl 1 2 840 113556 1 4 803  2     I find LDAP as not being so light at it was supposed to be    Also resource for common LDAP queries - trying to find them yourself and you will precious time and definitely make mistakes    Regarding domains  it not possible in a single query because the domain is part of the user distinguisedName  DN  which  on Microsoft AD  is not searchable by partial matching

[active-directory] Active Directory LDAP Query by sAMAccountName and Domain

Examples related to active-directory

Examples related to ldap

Examples related to ldap-query