Searching Active Directory

Forego scripting—try this LDAP query in the ADUC.

Bill, does Microsoft really want to be an enterprise product? Why in the world can't I do a search for a group in Active Directory Users and Computers using a partial string? It seems that the find function only supports a search using the beginning of a string or the end of a string.

I finally had to write a tiny script to search for group names for myself using VBScript and the Instr function. How sad is that? Does Microsoft really want to be enterprise software? Do they realize how many groups medium to large companies have? Or am I missing something? Any insight would be appreciated.
—Name withheld by request

Answer: The Find window in AD Users and Computers doesn't expose internal string searches directly because they are computationally expensive for the domain controller.

That being said, you can construct your own LDAP query for internal portions of strings without resorting to scripts. Here's how:

  1. Open the Find window in ADUC.
  2. In the Find dropdown field, select Custom Search.
  3. Click the Advanced tab. This shows a field for entering a custom LDAP search.
Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

If you're accustomed to VBScript, then you'll find LDAP search syntax to be a little counterintuitive because all Boolean operators go to the front of the expression. For example, here's a search for all user accounts that have the letters "min" somewhere in the name:

(&(objectcategory=user)(name=*min*))

In a pristine instance of Active Directory, this search would return Administrator in the pick list in the Find window.

If you want to find every user, group, and contact with the letters "count" in the Description field, here's the syntax (this would be all one entry with no line endings):

(&(|(objectcategory=user)(objectcategory=group)
(objectcategory=contact))(description=*count*))

If you don't like doing all that typing each time you want to fire off a search, then load the Windows Server 2003 admin tools (adminpak.msi) on a Windows XP SP1 machine and use that version of ADUC to manage your Windows 2000 domains. This tool has a Saved Queries feature that permits you to create little folders that return the search results in graphical form in the right pane of the ADUC window.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

Featured