memberOf property usin CSVDE

I am curios as to why I can not specify a memberOf filter when using CSVDE.
For example:

csvde -f users.csv -r "(memberOf=C*)"

This returns nothing. Also, the command tool appears to be inconsistent.
When I issue the following I get mostly users, but also some computers:

csvde -f users.csv -r "(objectClass=user)"


Strange. Does anyone have an idea whet might be wrong or a good reference
that does more than give the syntax of the command.

I'm not real familiar with csvde, but LDAP filters in general can't use
wildcards in distinguished name-syntax attributes such as member and
memberOf. Therefore, I would not be surprised that the search returns
nothing.

It looks like you are trying to export every user who is a member of at
least one group (besides primary group). I don't really know how you could
do that query.

Joe K.

"paulcerv" <paulcerv@discussions.microsoft.com> wrote in message
news:61D91CD3-0DA5-4C97-A36C-20528DFFE008@microsoft.com...
>I am curios as to why I can not specify a memberOf filter when using CSVDE.
> For example:
>
> csvde -f users.csv -r "(memberOf=C*)"
>
> This returns nothing. Also, the command tool appears to be inconsistent.
> When I issue the following I get mostly users, but also some computers:
>
> csvde -f users.csv -r "(objectClass=user)"
>
>
> Strange. Does anyone have an idea whet might be wrong or a good reference
> that does more than give the syntax of the command.

Thanks Joe, I'll script it instead.

"Joe Kaplan (MVP - ADSI)" wrote:

> I'm not real familiar with csvde, but LDAP filters in general can't use
> wildcards in distinguished name-syntax attributes such as member and
> memberOf. Therefore, I would not be surprised that the search returns
> nothing.
>
> It looks like you are trying to export every user who is a member of at
> least one group (besides primary group). I don't really know how you could
> do that query.
>
> Joe K.
>
> "paulcerv" <paulcerv@discussions.microsoft.com> wrote in message
> news:61D91CD3-0DA5-4C97-A36C-20528DFFE008@microsoft.com...
> >I am curios as to why I can not specify a memberOf filter when using CSVDE.
> > For example:
> >
> > csvde -f users.csv -r "(memberOf=C*)"
> >
> > This returns nothing. Also, the command tool appears to be inconsistent.
> > When I issue the following I get mostly users, but also some computers:
> >
> > csvde -f users.csv -r "(objectClass=user)"
> >
> >
> > Strange. Does anyone have an idea whet might be wrong or a good reference
> > that does more than give the syntax of the command.
>
>
>

DN-valued attributes cannot be searched using wildcards. You could read it
from the other end: search for all groups starting with C, and read their
member attribute -- that would give you the list of users. Or you can export
all users belonging to a specific group by specifying the full group DN in
the filter below.

As for (objectClass=user) -- computer class is a subclass of user class.
Therefore, each computer object is also a user object -- look at their
objectClass value. That's why you are getting computers. There are two ways
to get around this:

1) use (&(objectClass=user)(!(objectClass=computer))) to explicitly exclude
computer objects

or

2) use (objectCategory=person). This one is more efficient because
objectCategory is an indexed attribute, while objectClass is not indexed by
default.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"paulcerv" <paulcerv@discussions.microsoft.com> wrote in message
news:61D91CD3-0DA5-4C97-A36C-20528DFFE008@microsoft.com...
> I am curios as to why I can not specify a memberOf filter when using
CSVDE.
> For example:
>
> csvde -f users.csv -r "(memberOf=C*)"
>
> This returns nothing. Also, the command tool appears to be inconsistent.
> When I issue the following I get mostly users, but also some computers:
>
> csvde -f users.csv -r "(objectClass=user)"
>
>
> Strange. Does anyone have an idea whet might be wrong or a good reference
> that does more than give the syntax of the command.

you'd actually not find the link to the primary group in memberOf - it will
only show you the backlinks to the groups you're explicitely a member of
(the ADUC UI also adds the primary group to the list on the "Member Of" tab
of a user)

you should be more lucky to query for all groups of a specific name and then
dump their member attribute.

btw, computers are user-objects, better to use "objectCategory=person" - but
this will also return contacts. If you don't want these you could use the
following filter: &(objectCategory=person)(!(objectClass=contact))

/Guido

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:uX8f3AH5EHA.4004@tk2msftngp13.phx.gbl...
> I'm not real familiar with csvde, but LDAP filters in general can't use
> wildcards in distinguished name-syntax attributes such as member and
> memberOf. Therefore, I would not be surprised that the search returns
> nothing.
>
> It looks like you are trying to export every user who is a member of at
> least one group (besides primary group). I don't really know how you
could
> do that query.
>
> Joe K.
>
> "paulcerv" <paulcerv@discussions.microsoft.com> wrote in message
> news:61D91CD3-0DA5-4C97-A36C-20528DFFE008@microsoft.com...
> >I am curios as to why I can not specify a memberOf filter when using
CSVDE.
> > For example:
> >
> > csvde -f users.csv -r "(memberOf=C*)"
> >
> > This returns nothing. Also, the command tool appears to be
inconsistent.
> > When I issue the following I get mostly users, but also some computers:
> >
> > csvde -f users.csv -r "(objectClass=user)"
> >
> >
> > Strange. Does anyone have an idea whet might be wrong or a good
reference
> > that does more than give the syntax of the command.
>
>

Personally I'm not a fan of using a not operator in a query if possible.

In this case, if you only want users, you can use the objectClass to
differentiate.
Contacts are objectClass = contact
Users are objectClass = user
Both are objectCategory = Person
(computers are objectClass=computer and can be interchanged for user,
contact, etc)

In CSVDE you can specify what attributes you want it to return, so you can
return a list of users AND they're groups using a similar command:
csvde -f c:\output.txt -d "dc=vmdomain,dc=com" -r
"(&(objectCategory=Person)(objectClass=User))" -l memberof,cn

That query would give you a list of all users in the search scope (subtree
IIRC by default) and for each user class object it will return the memberof
and cn attribute values. You *could* then go back and see that for each
user, they are a member of the following groups etc.

If you wanted contacts you'd change objectClass to Contact vs. User. If you
wanted both, you could add objectClass=* or use an OR operator for the
query.

The other way would be to query each group and return the member attribute.
Each group would then tell you which users it contained. I think Guido is
trying to tell you that below.

Does that help at all? Are you seeing the reference you want? CSVDE is not
going to give you ldap filter reference, it will instead give you command
line reference about how to run the command on a command line.

For filter references, www.rlmueller.net has some good references. For some
script examples that deal with group memberships and how to get information
for a single user, you can take a look at http://www.houseofqueues.com at
the code examples.

There are plenty of others out there as well.

Al



"Guido G" <guidoDOTgrillenmeierAThpANOTHERDOTcom> wrote in message
news:eEJKYrN5EHA.3756@TK2MSFTNGP14.phx.gbl...
> you'd actually not find the link to the primary group in memberOf - it
> will
> only show you the backlinks to the groups you're explicitely a member of
> (the ADUC UI also adds the primary group to the list on the "Member Of"
> tab
> of a user)
>
> you should be more lucky to query for all groups of a specific name and
> then
> dump their member attribute.
>
> btw, computers are user-objects, better to use "objectCategory=person" -
> but
> this will also return contacts. If you don't want these you could use the
> following filter: &(objectCategory=person)(!(objectClass=contact))
>
> /Guido
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:uX8f3AH5EHA.4004@tk2msftngp13.phx.gbl...
>> I'm not real familiar with csvde, but LDAP filters in general can't use
>> wildcards in distinguished name-syntax attributes such as member and
>> memberOf. Therefore, I would not be surprised that the search returns
>> nothing.
>>
>> It looks like you are trying to export every user who is a member of at
>> least one group (besides primary group). I don't really know how you
> could
>> do that query.
>>
>> Joe K.
>>
>> "paulcerv" <paulcerv@discussions.microsoft.com> wrote in message
>> news:61D91CD3-0DA5-4C97-A36C-20528DFFE008@microsoft.com...
>> >I am curios as to why I can not specify a memberOf filter when using
> CSVDE.
>> > For example:
>> >
>> > csvde -f users.csv -r "(memberOf=C*)"
>> >
>> > This returns nothing. Also, the command tool appears to be
> inconsistent.
>> > When I issue the following I get mostly users, but also some computers:
>> >
>> > csvde -f users.csv -r "(objectClass=user)"
>> >
>> >
>> > Strange. Does anyone have an idea whet might be wrong or a good
> reference
>> > that does more than give the syntax of the command.
>>
>>
>
>

Actually, that's why I said "besides the primary group" in my response. As
you clarified, it is not available in memberOf. I should have been more
clear.

Joe K.

"Guido G" <guidoDOTgrillenmeierAThpANOTHERDOTcom> wrote in message
news:eEJKYrN5EHA.3756@TK2MSFTNGP14.phx.gbl...
> you'd actually not find the link to the primary group in memberOf - it
> will
> only show you the backlinks to the groups you're explicitely a member of
> (the ADUC UI also adds the primary group to the list on the "Member Of"
> tab
> of a user)
>
> you should be more lucky to query for all groups of a specific name and
> then
> dump their member attribute.
>
> btw, computers are user-objects, better to use "objectCategory=person" -
> but
> this will also return contacts. If you don't want these you could use the
> following filter: &(objectCategory=person)(!(objectClass=contact))
>
> /Guido
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:uX8f3AH5EHA.4004@tk2msftngp13.phx.gbl...
>> I'm not real familiar with csvde, but LDAP filters in general can't use
>> wildcards in distinguished name-syntax attributes such as member and
>> memberOf. Therefore, I would not be surprised that the search returns
>> nothing.
>>
>> It looks like you are trying to export every user who is a member of at
>> least one group (besides primary group). I don't really know how you
> could
>> do that query.
>>
>> Joe K.
>>
>> "paulcerv" <paulcerv@discussions.microsoft.com> wrote in message
>> news:61D91CD3-0DA5-4C97-A36C-20528DFFE008@microsoft.com...
>> >I am curios as to why I can not specify a memberOf filter when using
> CSVDE.
>> > For example:
>> >
>> > csvde -f users.csv -r "(memberOf=C*)"
>> >
>> > This returns nothing. Also, the command tool appears to be
> inconsistent.
>> > When I issue the following I get mostly users, but also some computers:
>> >
>> > csvde -f users.csv -r "(objectClass=user)"
>> >
>> >
>> > Strange. Does anyone have an idea whet might be wrong or a good
> reference
>> > that does more than give the syntax of the command.
>>
>>
>
>