This article discusses queries in the Lightweight Directory Access Protocol (LDAP). The technique is useful when you troubleshoot the relationship between Microsoft Exchange Server and its directory, but it is not easy to understand. This article provides basic knowledge about LDAP queries.
The following are more advanced examples of LDAP syntax:
You need a filter to find all objects in Dallas or Austin whose first name is John. The filter should be (note that spaces are not allowed between the parentheses, attribute names, = and values):
(&(givenName=John)(|(l=Dallas)(l=Austin)))
You have received 9548 events in the Application log, and you need to find all the objects that cause this event. In this case, you need to find all the disabled users (msExchUserAccountControl=2) whose msExchMasterAccountSid attribute has no value:
(&(msExchUserAccountControl=2)(!(msExchMasterAccountSid=*)))
Note: the ! operator combined with the wildcard (=*) matches objects where that attribute is not set to any value. The negated item must itself be enclosed in parentheses.
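To make the operators above concrete, here is an added example (not code from the original article) that parses filter strings in the syntax shown, evaluates them against a few constructed in-memory entries, and escapes an untrusted value per RFC 4515 so it is matched literally rather than changing the filter's structure. The entries, SIDs and the search function are assumptions for illustration; the parser deliberately rejects the spaced and unparenthesised forms that the article's filters must avoid.

```python
"""Minimal LDAP search-filter parser and evaluator (RFC 4515 syntax).
Added example, not code from the original article; entries are constructed."""
import re

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_SPECIALS = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally and cannot inject operators."""
    return ''.join(_SPECIALS.get(ch, ch) for ch in value)

def parse_filter(text: str):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('=', (attr, pattern))."""
    node, pos = _parse_node(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node

def _parse_node(text, i):
    if i >= len(text) or text[i] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(text):
        raise ValueError("unexpected end of filter")
    op = text[i]
    if op in '&|!':
        i += 1
        children = []
        while i < len(text) and text[i] == '(':     # every operand is parenthesised
            child, i = _parse_node(text, i)
            children.append(child)
        if i >= len(text) or text[i] != ')':
            raise ValueError(f"expected ')' at offset {i}")
        if not children or (op == '!' and len(children) != 1):
            raise ValueError(f"operator {op!r} needs parenthesised operand(s)")
        return (op, children), i + 1
    end = text.find(')', i)                            # simple item: attr=pattern
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, pattern = text[i:end].partition('=')
    if not sep or not attr or ' ' in attr:             # spaces around '=' are invalid
        raise ValueError(f"bad filter item {text[i:end]!r}")
    return ('=', (attr, pattern)), end + 1

def _pattern_to_regex(pattern: str):
    """Turn a value with '*' wildcards and single-byte \\XX escapes into a regex."""
    parts, literal, i = [], '', 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\' and re.fullmatch(r'[0-9A-Fa-f]{2}', pattern[i + 1:i + 3]):
            literal += chr(int(pattern[i + 1:i + 3], 16))  # escaped byte -> literal char
            i += 3
        elif ch == '*':
            parts.append(re.escape(literal) + '.*')        # wildcard matches any run
            literal = ''
            i += 1
        else:
            literal += ch
            i += 1
    parts.append(re.escape(literal))
    return re.compile(''.join(parts), re.IGNORECASE | re.DOTALL)

def _values(entry: dict, attr: str) -> list:
    """Attribute lookup is case-insensitive; values are normalised to strings."""
    for key, raw in entry.items():
        if key.lower() == attr.lower():
            return [str(v) for v in (raw if isinstance(raw, list) else [raw])]
    return []

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry ({attribute: value or [values]})."""
    op, payload = node
    if op == '&':
        return all(matches(child, entry) for child in payload)
    if op == '|':
        return any(matches(child, entry) for child in payload)
    if op == '!':
        return not matches(payload[0], entry)
    attr, pattern = payload
    values = _values(entry, attr)
    if pattern == '*':                 # presence test: attribute has any value at all
        return bool(values)
    regex = _pattern_to_regex(pattern)
    return any(regex.fullmatch(v) for v in values)

def search(filter_text: str, entries) -> list:
    """Return the cn of every entry the filter matches, like a directory search."""
    node = parse_filter(filter_text)
    return [entry['cn'] for entry in entries if matches(node, entry)]

# Constructed sample entries (not real directory data); SIDs are placeholders.
SAMPLE_ENTRIES = [
    {'cn': 'John Dallas', 'givenName': 'John', 'l': 'Dallas',
     'msExchUserAccountControl': 0, 'msExchMasterAccountSid': 'S-1-5-21-PLACEHOLDER-1001'},
    {'cn': 'John Houston', 'givenName': 'John', 'l': 'Houston',
     'msExchUserAccountControl': 2},                      # disabled, no master SID
    {'cn': 'Jane Austin', 'givenName': 'Jane', 'l': 'Austin',
     'msExchUserAccountControl': 2, 'msExchMasterAccountSid': 'S-1-5-21-PLACEHOLDER-1002'},
    {'cn': 'Johnny Austin', 'givenName': 'Johnny', 'l': 'Austin',
     'msExchUserAccountControl': 2},                      # disabled, no master SID
]
FILTER_CITY = '(&(givenName=John)(|(l=Dallas)(l=Austin)))'
FILTER_9548 = '(&(msExchUserAccountControl=2)(!(msExchMasterAccountSid=*)))'

if __name__ == '__main__':
    print(search(FILTER_CITY, SAMPLE_ENTRIES))            # ['John Dallas']
    print(search(FILTER_9548, SAMPLE_ENTRIES))            # ['John Houston', 'Johnny Austin']
    untrusted = 'John)(l=*'                               # value containing metacharacters
    print(search('(givenName=%s)' % escape_filter_value(untrusted), SAMPLE_ENTRIES))  # []
```

Two points worth noticing when you run it: givenName=John is an exact (case-insensitive) match, so Johnny Austin is only found once the value becomes John*; and a value that is inserted into a filter from a form field or script argument should go through escape_filter_value first, otherwise the parser either rejects the string as trailing data or, in a more permissive server, the extra (l=*) clause widens the search.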
Where can I use LDAP queries?
====================
When working with Exchange Server, you will encounter situations that use LDAP strings. For example, whenever you set up a recipient policy, a mailbox manager policy, or an address list filter, or when you search the Active Directory directory service, Exchange Server uses LDAP. The next sections discuss some ways you can use LDAP statements:
1. Search using Active Directory Users and Computers
The following example describes how to search with Active Directory Users and Computers:
1. Open Active Directory Users and Computers (WIN+R, dsa.msc).
2. Right-click the domain object and select Find.
3. In the Find drop-down list, select Custom Search.
4. On the screen that appears, select the Advanced tab.
5. In Enter LDAP query, type the appropriate LDAP statement.
This example tries to find all objects whose title attribute is Prez, or whose name starts with test. If you click Find Now, you should see the matching results, as in the following screenshot:
2. Search using LDP
You can also use LDP to search. This tool is included in the Microsoft Windows Server 2003 and Windows 2000 Server Support Tools. It lets you search not only the domain container but also the configuration container. First open LDP and connect to a valid domain controller, then bind with appropriate credentials. Select View, then Tree. Leave the Base DN field empty and click OK. Navigate to the container you want to search, right-click it, and select Search.
A dialog box pops up that already contains the correct Base DN value. Enter the LDAP statement you want to filter on. The results appear as in the previous step.
If you want to search all the levels under your current container, make sure Subtree is selected. Click Run; it should find all the results that meet the conditions.
3. Search using ldifde
You need to query a set of objects that meet certain conditions, and you want to create a list of these users. ldifde is a command line tool that helps you create such a list. Assume that you want to locate and save a list of all users whose mailNickname starts with Jeff. You can run the following command:
C:\> ldifde -d "DC=witaylorroot,DC=com" -f c:\output.txt -r "(&(objectclass=user)(mailnickname=Jeff*))"
In this example, you find three objects and output all of them to the output.txt file. If you export nearly a thousand users, the output file becomes very large. There is another option: you can use the -l (lower-case L) switch to specify the attributes to output. The distinguished name is always output, but if you do not want anything else, you can add -l nothing to the command, which streamlines the output. The following is an example:
C:\> ldifde -d "DC=witaylorroot,DC=com" -f c:\output.txt -l nothing -r "(&(objectclass=user)(mailnickname=Jeff*))"
Consider that in this case you want to use the ldifde export referenced earlier, but only want to include the homeMDB attribute in the output. You need to run the following command:
C:\> ldifde -d "DC=witaylorroot,DC=com" -f c:\output.txt -l "homemdb" -r "(&(objectclass=user)(mailnickname=Jeff*))"
dn: CN=Jeff,OU=55 users,DC=witaylorroot,DC=com
changetype: add
homeMDB: CN=Private Information Store (witaylornt4ex55),CN=First Storage Group,CN=InformationStore,CN=witaylornt4ex55,CN=Servers,CN=witaylormixedsite,CN=Administrative Groups,CN=witaylororg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=witaylorroot,DC=com

dn: CN=jeff2,CN=Users,DC=witaylorroot,DC=com
changetype: add
homeMDB: CN=Private Information Store (witaylornt4ex55),CN=First Storage Group,CN=InformationStore,CN=witaylornt4ex55,CN=Servers,CN=witaylormixedsite,CN=Administrative Groups,CN=witaylororg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=witaylorroot,DC=com

dn: CN=jeff3,CN=Users,DC=witaylorroot,DC=com
changetype: add
homeMDB: CN=Private Information Store (witaylornt4ex55),CN=First Storage Group,CN=InformationStore,CN=witaylornt4ex55,CN=Servers,CN=witaylormixedsite,CN=Administrative Groups,CN=witaylororg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=witaylorroot,DC=com
If you perform an export without specifying the attributes to output, you will normally want to use the -n switch to omit binary values. This helps prevent the output file from becoming too large.
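Once an export like the one above exists, the next step is usually to pull one attribute per DN out of it. As an added example (not from the original article or Microsoft), the following script parses ldifde-style LDIF, handling folded continuation lines and base64 ('::') values, and maps each DN to its homeMDB value. The LDIF text is constructed to resemble the export shown above, with the jeff3 record deliberately lacking homeMDB so that objects with no value stand out.

```python
"""Parse LDIF as written by ldifde and pull one attribute per DN.
Added example, not from the original article; the LDIF below is constructed
(a folded line and a base64 value were added to exercise those features)."""
import base64

SAMPLE_LDIF = """\
dn: CN=Jeff,OU=55 users,DC=witaylorroot,DC=com
changetype: add
homeMDB: CN=Private Information Store (witaylornt4ex55),CN=First Storage Group,
 CN=InformationStore,CN=witaylornt4ex55,CN=Servers,CN=witaylormixedsite,
 CN=Administrative Groups,CN=witaylororg,CN=Microsoft Exchange,CN=Services,
 CN=Configuration,DC=witaylorroot,DC=com

dn: CN=jeff2,CN=Users,DC=witaylorroot,DC=com
changetype: add
homeMDB: CN=Private Information Store (witaylornt4ex55),CN=First Storage Group,CN=InformationStore,CN=witaylornt4ex55,CN=Servers,CN=witaylormixedsite,CN=Administrative Groups,CN=witaylororg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=witaylorroot,DC=com

dn: CN=jeff3,CN=Users,DC=witaylorroot,DC=com
changetype: add
# constructed record with no homeMDB; '::' marks a base64-encoded value
displayName:: SmVmZiBUaHJlZSDDqQ==
"""


def parse_ldif(text: str) -> list:
    """Return one dict per record, mapping lowercase attribute names to value lists.
    Handles folded lines (continuation lines start with a space), '::' base64
    values and '#' comment lines; raises ValueError on a malformed line."""
    logical = []
    for line in text.splitlines():
        if line.startswith(' ') and logical:       # unfold: append to previous line
            logical[-1] += line[1:]
        else:
            logical.append(line)
    records, current = [], {}
    for line in logical + ['']:                    # trailing '' flushes the last record
        if line.startswith('#'):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(':')
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(':'):                  # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        elif value.startswith(' '):                # 'attr: value'
            value = value[1:]
        current.setdefault(name.lower(), []).append(value)
    return records


def attribute_by_dn(records: list, attribute: str) -> dict:
    """Map each record's DN to its values for `attribute` (case-insensitive).
    Records without the attribute map to [], which is how you spot objects
    whose homeMDB (or any other attribute) is not set."""
    return {r['dn'][0]: r.get(attribute.lower(), []) for r in records}


if __name__ == '__main__':
    for dn, values in attribute_by_dn(parse_ldif(SAMPLE_LDIF), 'homeMDB').items():
        print(dn, '->', values or '(no homeMDB)')
```

Feed it the real output.txt by reading the file into parse_ldif; because ldifde folds long values such as homeMDB across lines, the unfolding step is what makes the two Jeff records compare equal.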
4. Use an LDAP query in ADModify
Note: This tool is not commonly used and can only be obtained after opening a case, so this section is not translated. It is listed here as is.
To obtain the ADModify tool, contact Microsoft Product Support Services. For more information about how to contact Microsoft Product Support Services, see the Microsoft Help and Support Web site.
To obtain the ADModify tool from a third-party Web site, see the following GotDotNet Web site: ADModify.NET: Workspace Home.
ADModify is a tool that Microsoft Product Support Services uses on a daily basis. In large Active Directory environments, it is not always easy to add an entire organizational unit (OU) that could have thousands of users in it to the list on the right side, and then parse through all of them to find the users you need to change. There is an alternative. On the first screen, choose Modify existing user attributes and click Next. On the Modify Active Directory users screen, there is an Advanced button.
If you click the Advanced button, the Custom LDAP Filter dialog box appears. In this dialog box, you type the LDAP filter that you want to use. In this example, you only want to list the groups that are mail-enabled. It would look like the following.
Next, click OK. Select the OU or the domain where you want ADModify to search. If you want it to look in lower-level containers within the one you selected, make sure to select Traverse subcontainers when enumerating users. Click Add to list, and then click Yes when warned about how long it could take. The objects that meet the criteria you specified should now appear in the right pane.
From here, highlight the objects that you want to modify, and continue with the Wizard.
Translated from: LDAP Query Basics, Http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx
Link: Ldifde - Export/import data from Active Directory - ldifde commands, Http://support.microsoft.com/kb/555636/en-us