Searching Active Directory
Forego scripting—try this LDAP query in the ADUC.
- By Bill Boswell
- July 01, 2003
Does Microsoft really want to
be an enterprise product? Why in the world can't I do a search for a group
in Active Directory Users and Computers using a partial string? It seems
that the find function only supports a search using the beginning of a
string or the end of a string.
I finally had to write a tiny script to search for group names for myself
using VBScript and the Instr function. How sad is that? Does Microsoft
really want to be enterprise software? Do they realize how many groups
medium to large companies have? Or am I missing something? Any insight
would be appreciated.
—Name withheld by request
Answer: The Find window in AD Users and Computers doesn't
expose internal string searches directly because they are computationally
expensive for the domain controller.
That being said, you can construct your own LDAP query for internal portions
of strings without resorting to scripts. Here's how:
- Open the Find window in ADUC.
- In the Find dropdown field, select Custom Search.
- Click the Advanced tab. This shows a field for entering a custom LDAP
If you're accustomed to VBScript, then you'll find LDAP search syntax
to be a little counterintuitive because all Boolean operators go to the
front of the expression. For example, here's a search for all user accounts
that have the letters "min" somewhere in the name:
In a pristine instance of Active Directory, this search would return
Administrator in the pick list in the Find window.
If you want to find every user, group, and contact with the letters "count"
in the Description field, here's the syntax (this would be all one entry
with no line endings):
If you don't like doing all that typing each time you want to fire off
a search, then load the Windows Server 2003 admin tools (adminpak.msi)
on a Windows XP SP1 machine and use that version of ADUC to manage your
Windows 2000 domains. This tool has a Saved Queries feature that permits
you to create little folders that return the search results in graphical
form in the right pane of the ADUC window.
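The prefix-operator syntax and the two substring searches described above, as an added example that is not from the original column: a small Python evaluator for a subset of LDAP filter syntax, run over constructed directory entries. The filter strings, the entry data and the function names are assumptions made for illustration, and values are compared case-insensitively, as Active Directory does for name and description.

```python
import re

def _parse(f, i):  # returns (node, index just past this filter)
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1]
    if op in "&|!":  # the Boolean operator comes first, then its operands
        kids, i = [], i + 2
        while f[i] == "(":
            kid, i = _parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' clause")
        return (op, kids), i + 1
    end = f.index(")", i)  # simple item: attr=pattern
    attr, sep, pattern = f[i + 1:end].partition("=")
    if not (attr and sep):
        raise ValueError("expected attr=value")
    return ("=", attr.lower(), pattern), end + 1

def matches(node, entry):
    if node[0] in "&|!":
        hits = [matches(k, entry) for k in node[1]]
        return all(hits) if node[0] == "&" else any(hits) if node[0] == "|" else not hits[0]
    # '*' matches any run of characters; the rest is literal, case-insensitive
    rx = ".*".join(re.escape(p) for p in node[2].split("*"))
    return any(re.fullmatch(rx, v, re.I | re.S) for v in entry.get(node[1], []))

ROWS = [  # constructed sample data: name, objectCategory, objectClass, description
    ("Administrator", "person", ["user"], "Built-in account for administering the domain"),
    ("Domain Admins", "group", ["group"], "Designated administrators of the domain"),
    ("Accounting", "group", ["group"], "Accounts payable staff"),
    ("J. Smith", "person", ["contact"], "Discount vendor"),
    ("SRV01", "computer", ["user", "computer"], "Head-count reporting server"),
]
ENTRIES = [{"name": [n], "objectcategory": [c], "objectclass": k, "description": [d]}
           for n, c, k, d in ROWS]
# Filters written for this example (assumed, not quoted from the column)
USERS_WITH_MIN = "(&(objectCategory=person)(objectClass=user)(name=*min*))"
COUNT_IN_DESC = "(&(|(objectCategory=person)(objectCategory=group))(description=*count*))"

def search(filter_text, entries=ENTRIES):
    try:
        tree, end = _parse(filter_text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["name"][0] for e in entries if matches(tree, e)]
```

Against the sample data, the first filter returns only Administrator even though the group Domain Admins also contains "min", and the second skips SRV01 because its category is neither person nor group.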
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.