LDAP query for all users in sub OUs within a particular OU

The Active Directory I have to deal with is laid out as such: the domain contains many OUs. One of these OUs is named "Primary OU". Within this OU are several OUs named with the location of global offices (i.e. "Chicago", "Paris").

Any user account that is an actual flesh and bone person is put into the OU named for the office they work in as their primary OU. Any user account that is an alias, generic account, or otherwise not directly tied to a real person, has the "Primary OU" OU set as their primary OU.

Data-wise, this primary OU distinction is the only thing that indicates which users are real people, and which users are not. There is no group that contains only real people, no indicator in any field that they are real people or not, and making any changes to Active Directory or any user accounts is strictly forbidden.

My task is writing a query that will only get all actual flesh and bone people.

Unfortunately LDAP is not exactly my strong suit and the only way I've come up with is searching each of these office sub OUs individually and putting all the results together, but there are a lot of offices and it would require a change to the query if any offices were added, which I need to avoid.

Is there a way to query all users within a particular OU's "sub" OUs, but not return any users directly in the parent OU?

kscott asked Jun 26 '09 16:06


2 Answers

Yes, sure - you would need to:

1) Bind to the particular OU

using System.DirectoryServices;

DirectoryEntry myOU = new DirectoryEntry("LDAP://OU=MyOU,......,DC=MyCompany,DC=com");

2) Enumerate all its sub-OUs

DirectorySearcher subOUsearcher = new DirectorySearcher(myOU);
subOUsearcher.SearchScope = SearchScope.OneLevel; // don't recurse down
subOUsearcher.Filter = "(objectClass=organizationalUnit)";

foreach(SearchResult subOU in subOUsearcher.FindAll())
{
   // stick those Sub OU's into a list and then handle them
}

3) One-by-one enumerate all the users in each of the sub-OUs and stick them into a global list of users

// myCurrentSubOu is the DirectoryEntry of the sub-OU being handled,
// i.e. subOU.GetDirectoryEntry() for each result from step 2.
DirectorySearcher userSearcher = new DirectorySearcher(myCurrentSubOu);
userSearcher.SearchScope = SearchScope.OneLevel; // don't recurse down
// In AD, (objectClass=user) also matches computer objects; use
// "(&(objectCategory=person)(objectClass=user))" to get only user accounts.
userSearcher.Filter = "(objectClass=user)";

foreach(SearchResult user in userSearcher.FindAll())
{
  // stick those users into a list being built up
}

4) Return that list

Marc

marc_s answered Sep 19 '22 13:09

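The step-by-step enumeration above works, but the same set of users can be obtained from one subtree search rooted at the parent OU plus a client-side check on each result's distinguishedName: keep a user only if its container is strictly below the parent OU. That avoids touching each office OU separately and needs no change when an office is added. The following Python is an added example of that check, not code from the answer or from System.DirectoryServices. The parent OU DN and the sample entries are constructed, and the search itself (base PARENT_OU, scope subtree, filter USER_FILTER) is assumed to have been run with whatever LDAP client is in use; the example also handles escaped commas inside an RDN and users nested more than one OU deep.

```python
# Search parameters for a single subtree query rooted at the parent OU.
# objectCategory=person is added because in AD (objectClass=user) alone also
# matches computer objects (computer is a subclass of user).
PARENT_OU = "OU=Primary OU,DC=example,DC=com"          # constructed sample DN
USER_FILTER = "(&(objectCategory=person)(objectClass=user))"


def split_dn(dn):
    """Split a distinguished name into RDN strings, honouring backslash
    escapes (RFC 4514) so 'CN=Smith\\, John,OU=Paris,...' is split correctly."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def normalize_dn(dn):
    """Lower-case RDNs for comparison: AD DNs are matched case-insensitively."""
    return [rdn.lower() for rdn in split_dn(dn)]


def is_in_sub_ou(user_dn, parent_ou_dn):
    """True when the user's container lies strictly below parent_ou_dn.

    A user placed directly in the parent OU has a container equal to the
    parent DN and is rejected; a user in any sub-OU (however deeply nested)
    has a longer container that ends with the parent DN and is accepted."""
    container = normalize_dn(user_dn)[1:]       # drop the leaf RDN (CN=...)
    parent = normalize_dn(parent_ou_dn)
    if len(container) <= len(parent):
        return False
    return container[-len(parent):] == parent


def real_people(search_results, parent_ou_dn):
    """Return the logon names of results that live in a sub-OU of the parent.

    search_results is the list of entries a subtree search with base
    parent_ou_dn and filter USER_FILTER returned; each entry carries its
    distinguishedName and sAMAccountName."""
    return [
        entry["sAMAccountName"]
        for entry in search_results
        if is_in_sub_ou(entry["distinguishedName"], parent_ou_dn)
    ]


# Constructed sample of what such a search could return (not real directory data).
SAMPLE_RESULTS = [
    {"distinguishedName": "CN=Jane Doe,OU=Chicago,OU=Primary OU,DC=example,DC=com",
     "sAMAccountName": "jdoe"},
    {"distinguishedName": "CN=Smith\\, John,OU=Paris,OU=Primary OU,DC=example,DC=com",
     "sAMAccountName": "jsmith"},                       # escaped comma in the CN
    {"distinguishedName": "CN=helpdesk,OU=Primary OU,DC=example,DC=com",
     "sAMAccountName": "helpdesk"},                     # directly in the parent: excluded
    {"distinguishedName": "CN=svc-backup,OU=Service Accounts,DC=example,DC=com",
     "sAMAccountName": "svc-backup"},                   # outside the parent: excluded
    {"distinguishedName": "CN=Team Lead,OU=Sales,OU=Chicago,OU=Primary OU,DC=example,DC=com",
     "sAMAccountName": "tlead"},                        # nested two levels down: included
]


if __name__ == "__main__":
    print("search base:", PARENT_OU)
    print("filter:     ", USER_FILTER)
    print("people:     ", real_people(SAMPLE_RESULTS, PARENT_OU))
```

The DN is split with a small RFC 4514-aware splitter rather than `str.split(",")` because a display name such as "Smith, John" is stored as `CN=Smith\, John`, and a naive split would put that user in the wrong container. Because the base of the search is the parent OU, a result outside it should never appear, but the check rejects such a DN anyway rather than trusting the server.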
using System;
using System.DirectoryServices;

// Create a new DirectorySearcher that starts at the root of the current domain.
// You can start it anywhere you want though
//     by providing a path in the DirectoryEntry constructor.
DirectorySearcher searcher = new DirectorySearcher(new DirectoryEntry());

// Set the scope to Subtree in order to search all children.
searcher.SearchScope = SearchScope.Subtree;

// Set the filter to only look for Organizational Units
//     that have the name you are looking for.
// ouName is the OU name supplied by the caller. If it can come from outside the
// code, escape the RFC 4515 filter metacharacters ( ) * \ and NUL before
// concatenating; otherwise the value can change the structure of the filter.
searcher.Filter = "(&(objectClass=organizationalUnit)(name=" + ouName + "))";

// If you are looking for only one result then do the following two things.
// FindOne() returns null when nothing matches, so check before dereferencing.
SearchResult result = searcher.FindOne();
if (result == null)
{
    throw new InvalidOperationException("No OU named '" + ouName + "' was found.");
}

DirectoryEntry newDir = result.GetDirectoryEntry();
Joshua G answered Sep 19 '22 13:09

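The filter in this answer is built by concatenating ouName into the filter string. Whenever that value can come from outside the code (a form field, a configuration file someone else edits), the characters ( ) * \ and NUL have to be escaped as RFC 4515 requires, or the value stops being a literal and changes the shape of the filter, which can match more objects than the one OU intended. Below is an added Python example (not part of the answer or of System.DirectoryServices) of the escaping, placed beside the answer's unescaped concatenation, with a simple structural check that counts the assertions in the resulting filter; the OU names used are constructed.

```python
# RFC 4515 hex-escapes for the characters that carry meaning inside a filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string so the server treats it as a literal assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ou_filter_unescaped(ou_name):
    """The answer's concatenation: ou_name is spliced in verbatim."""
    return "(&(objectClass=organizationalUnit)(name=" + ou_name + "))"


def ou_filter(ou_name):
    """Same filter with the value escaped; it always has exactly two assertions."""
    return "(&(objectClass=organizationalUnit)(name=" + escape_filter_value(ou_name) + "))"


def assertion_count(filter_string):
    """Number of attribute assertions in a filter built by the functions above.

    Every assertion opens with an unescaped '(' and the enclosing '(&' adds
    one more, so a correctly built OU filter always reports 2."""
    return filter_string.count("(") - 1


if __name__ == "__main__":
    # Constructed inputs: a plain OU name and one that must stay a literal.
    for name in ["Chicago", "Paris)(cn=*"]:
        unescaped = ou_filter_unescaped(name)
        escaped = ou_filter(name)
        print(unescaped, "->", assertion_count(unescaped), "assertions")
        print(escaped, "->", assertion_count(escaped), "assertions")
```

Filter escaping is a different scheme from DN escaping: the `LDAP://OU=...` path handed to DirectoryEntry in the other answer follows RFC 4514, where commas and the other DN separators are backslash-escaped, so a value has to be escaped for the context it is placed in. Separately, a subtree search from the domain root on `(name=...)` can match several OUs with the same name, and FindOne() returns whichever the server lists first, so binding directly to the full DN of the OU, as the other answer does, is the less ambiguous option when the DN is known.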