Tags: filter, ldap, query
#1
LDAP filter in query not working
Problem - service accounts and disabled user accounts still appear in the results.

First - here's my AD structure:

DOMAIN
|_ADMIN (OU)
| |_Prevent GAL Export (group)
|
|
|_DEPTS (OU)

I made a global group and added in all the disabled user accounts and service accounts, so I could exclude them from an LDAP query I use to generate my Address Book export for our partner agencies.

Now, here's my LDAP query

(&(&(&(& (mailnickname=*) (|
(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))
)))(objectCategory=user)(!memberOf=Prevent GAL Export)))

When I run the query the disabled user accounts and service accounts still appear in the results.

I'm confused at this point. Help!!
#2
Re: LDAP filter in query not working
If it helps. Your query, roughly translated, says to do the following:

Find all objects with a mailnickname and either an objectcategory of Person and class of user that also has either a homeMDB value or a msExchHomeServerName value, or an object that is of objectCategory of user AND doesn't have a memberOf value of Prevent GAL Export (spaces?)

Couple of thoughts:
Prevent GAL Export should be the DN, not the friendly name. Something like "cn=preventgalexpo,ou=admin,dc=domain,dc=com" for example.
Your query should return a lot of objects. Basically all user objects with a mailnickname and either a homeMDB or msExchHomeServerName would pretty much come back, or if it didn't match the group name you put in there (which, because it's not a DN, would be just about all objects that have a mailnickname value greater than null, right?)

To exclude disabled user objects from the query, you would want to follow something like this and preface it with a NOT operator like you did in the query already:
(from: http://www.microsoft.com/technet/scr...5/hey0512.mspx)

(userAccountControl:1.2.840.113556.1.4.803:=2)). And this just happens to be that something else. It might look like gibberish, but this actually tells our script to search for objects (in this case, users) where bit 2 in the userAccountControl attribute has been enabled. We won't spend any time discussing bitmask attributes here; for a brief discussion see the Reading User Account Password Attributes section of the Microsoft Windows 2000 Scripting Guide. For now all we have to know is that if bit 2 is enabled then the user account is disabled.

Does that help?

Al

"Brandon Baker" <BrandonBaker@discussions.microsoft.com> wrote in message news:FC4B4F5C-152B-4AEA-B814-5786749A390E@microsoft.com...
> Problem - service accounts and disabled user accounts still appear in the
> results.
>
> First - here's my AD structure:
>
> DOMAIN
> |_ADMIN (OU)
> | |_Prevent GAL Export (group)
> |
> |
> |_DEPTS (OU)
>
> I made a global group and added in all the disabled user accounts and
> service accounts, so I could exclude them from an LDAP query I use to
> generate my Address Book export for our partner agencies.
>
> Now, here's my LDAP query
>
> (&(&(&(& (mailnickname=*) (|
> (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))
> )))(objectCategory=user)(!memberOf=Prevent GAL Export)))
>
> When I run the query the disabled user accounts and service accounts still
> appear in the results.
>
> I'm confused at this point. Help!!
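The two fixes in Al's reply, as an added example that is not code from the thread: a corrected filter string, and the same conditions applied to constructed sample objects so you can see why a friendly name in memberOf excludes nothing while the group DN and the bitwise userAccountControl test do. The group DN, the attribute shapes and the sample users are assumptions.

```python
# Added example (not code from the thread): the corrected filter Al describes,
# plus the same conditions applied to constructed sample objects so the two
# fixes can be checked offline: memberOf must be compared with the group's DN,
# and disabled accounts are matched by the bitwise-AND rule on userAccountControl.
UF_ACCOUNTDISABLE = 0x2                          # bit 2 of userAccountControl
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
# Assumed DN for the exclusion group; the thread only gives its friendly name.
GROUP_DN = "CN=Prevent GAL Export,OU=ADMIN,DC=domain,DC=com"

def build_filter(group_dn: str) -> str:
    """Mail-enabled users that are neither in the exclusion group nor disabled."""
    return (
        "(&(mailNickname=*)(objectCategory=person)(objectClass=user)"
        "(|(homeMDB=*)(msExchHomeServerName=*))"
        f"(!(memberOf={group_dn}))"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2)))"
    )

def matches(obj: dict, group_dn: str) -> bool:
    """Apply the same conditions to one object (attribute -> value or list),
    shaped like an LDAP client result. objectCategory is simplified to the
    short name a filter would use, not the full schema DN that AD stores."""
    member_of = obj.get("memberOf", [])
    if isinstance(member_of, str):
        member_of = [member_of]
    return (
        bool(obj.get("mailNickname"))
        and obj.get("objectCategory") == "person"
        and obj.get("objectClass") == "user"
        and bool(obj.get("homeMDB") or obj.get("msExchHomeServerName"))
        # DN matching in AD is case-insensitive; a friendly name never equals a DN
        and group_dn.lower() not in (dn.lower() for dn in member_of)
        and not (int(obj.get("userAccountControl", 0)) & UF_ACCOUNTDISABLE)
    )

# Constructed sample objects, not real directory data.
BASE = {"objectCategory": "person", "objectClass": "user", "homeMDB": "CN=DB1"}
SAMPLE_USERS = {
    "alice":      dict(BASE, mailNickname="alice", userAccountControl=512),
    "svc_backup": dict(BASE, mailNickname="svc_backup", userAccountControl=512,
                       memberOf=[GROUP_DN]),        # excluded only via group DN
    "bob_left":   dict(BASE, mailNickname="bob", userAccountControl=514),  # 512|2
}

def exported(users: dict, group_dn: str = GROUP_DN) -> list:
    """Names that would land in the GAL export for the given exclusion group."""
    return sorted(n for n, o in users.items() if matches(o, group_dn))
```

Calling exported(SAMPLE_USERS, "Prevent GAL Export") reproduces the original symptom: the service account stays in the export because the friendly name never matches a memberOf DN.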
#3
Re: LDAP filter in query not working
Awesome answer AL - this totally fixed the query. Give this man a medal.