Searching Active Directory

Forego scripting—try this LDAP query in the ADUC.

Bill, does Microsoft really want to be an enterprise product? Why in the world can't I do a search for a group in Active Directory Users and Computers using a partial string? It seems that the find function only supports a search using the beginning of a string or the end of a string.

I finally had to write a tiny script to search for group names for myself using VBScript and the Instr function. How sad is that? Does Microsoft really want to be enterprise software? Do they realize how many groups medium to large companies have? Or am I missing something? Any insight would be appreciated.
—Name withheld by request

Answer: The Find window in AD Users and Computers doesn't expose internal string searches directly because they are computationally expensive for the domain controller.

That being said, you can construct your own LDAP query for internal portions of strings without resorting to scripts. Here's how:

  1. Open the Find window in ADUC.
  2. In the Find dropdown field, select Custom Search.
  3. Click the Advanced tab. This shows a field for entering a custom LDAP search.

If you're accustomed to VBScript, then you'll find LDAP search syntax to be a little counterintuitive because all Boolean operators go to the front of the expression. For example, here's a search for all user accounts that have the letters "min" somewhere in the name:

(&(objectcategory=user)(name=*min*))

In a pristine instance of Active Directory, this search would return Administrator in the pick list in the Find window.

If you want to find every user, group, and contact with the letters "count" in the Description field, here's the syntax (this would be all one entry with no line endings):

(&(|(objectcategory=user)(objectcategory=group)
(objectcategory=contact))(description=*count*))
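To make the prefix-notation rules above concrete, here is a small filter parser and evaluator written for this page; it is an added example, not code from the column or from Microsoft. It parses RFC 4515 filters such as the two shown above and runs them against a handful of constructed directory entries, so the effect of the leading `&`/`|`/`!` operators, of `*` wildcards in a value, and of a bare `*` presence test can be seen offline without a domain controller. It deliberately simplifies real AD behaviour: `objectcategory` is treated as a plain string rather than a DN that the server expands, and all matching is case-insensitive. The `escape_filter_value` helper shows the RFC 4515 escaping to apply when the search term comes from a text box, so that a typed `*` or `)` is matched literally rather than changing the filter's structure.

```python
"""Minimal RFC 4515 LDAP search-filter parser and evaluator (added example).

Filters are parsed into a small tree and evaluated against constructed
entries; this is a teaching model, not a client for a real directory.
"""
import re

# Constructed sample entries (not real accounts). Each attribute holds a
# list because LDAP attributes are multi-valued.
SAMPLE_ENTRIES = [
    {"objectcategory": ["user"], "name": ["Administrator"],
     "description": ["Built-in account for administering the computer/domain"]},
    {"objectcategory": ["user"], "name": ["Guest"],
     "description": ["Visitor logon, disabled"]},
    {"objectcategory": ["group"], "name": ["Account Operators"],
     "description": ["Members can administer domain user and group accounts"]},
    {"objectcategory": ["contact"], "name": ["Jo Vendor"],
     "description": ["Accounts payable contact"]},
    {"objectcategory": ["computer"], "name": ["ADMIN-WS01"], "description": []},
]


def parse_filter(text):
    """Parse a filter string into a tree.

    Nodes are ('&' or '|', [children]), ('!', child) or ('=', attr, pattern).
    Raises ValueError on unbalanced parentheses or a missing '='.
    """
    s = text.strip()
    tree, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):
        # Boolean operators come first, followed by one or more sub-filters.
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError("AND/OR filter has no operands")
        node = (op, children)
    elif op == "!":
        child, i = _parse(s, i + 1)
        node = ("!", child)
    else:
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = s[i:j].partition("=")
        if not sep or not attr:
            raise ValueError(f"expected attr=value in {s[i:j]!r}")
        node = ("=", attr.lower(), value)
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def _unescape(s):
    """Turn RFC 4515 hex escapes such as \\2a back into literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _match_value(pattern, value):
    """Case-insensitive match where an unescaped '*' is a wildcard."""
    chunks = [_unescape(c) for c in pattern.split("*")]
    regex = ".*".join(re.escape(c) for c in chunks)
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def matches(node, entry):
    """Evaluate a parsed filter tree against one entry (dict of lists)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    if pattern == "*":  # presence filter: the attribute has any value at all
        return bool(entry.get(attr))
    return any(_match_value(pattern, v) for v in entry.get(attr, []))


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the names of the entries that satisfy the filter, in order."""
    tree = parse_filter(filter_text)
    return [e["name"][0] for e in entries if matches(tree, e)]


def escape_filter_value(term):
    """Escape a user-typed term so it is matched literally inside a filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in term)


if __name__ == "__main__":
    print(search("(&(objectcategory=user)(name=*min*))"))
    print(search("(&(name=*min*)(!(objectcategory=user)))"))
    print(search("(name=" + escape_filter_value("*min*") + ")"))
```

The first call reproduces the column's example and returns only Administrator: the computer ADMIN-WS01 also contains "min", but the `&` with `objectcategory=user` excludes it, which is exactly what the second call (with `!`) returns instead. The escaped search shows the defensive side of the same syntax: once the asterisks are written as `\2a` they are literal text, so the filter finds nothing rather than silently becoming a wildcard search.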

If you don't like doing all that typing each time you want to fire off a search, then load the Windows Server 2003 admin tools (adminpak.msi) on a Windows XP SP1 machine and use that version of ADUC to manage your Windows 2000 domains. This tool has a Saved Queries feature that permits you to create little folders that return the search results in graphical form in the right pane of the ADUC window.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.


Reader Comments:

Tue, Mar 8, 2005 Rajesh Shetye Anonymous

Hi Bill,
The article is very good. I want some more information. What is the procedure to get all machine names from the user list?

Tue, Jan 4, 2005 TS midwest

Excellent! I had been looking for a way to do this for a while.

Wed, Mar 10, 2004 Mike Welborn Anonymous

User and Contact are not valid objectcategories. They will both be translated into the objectcategory they actually are so both

objectcategory=user
objectcategory=contact

would degrade to

objectcategory=CN=Person,CN=Schema,CN=Configuration,DC=Domain,DC=com

I do wish there was a documented list of valid Object Categories for scripters. Even RFC 2254 is missing this information. The only way to create one for yourself is to use ADSI Edit on each object.

Tue, Aug 26, 2003 Ron Rosenkoetter Kansas

Very interesting solution although not very practical (being able to save queries in Windows 2003 will help a lot).

Another solution is a command line tool a friend showed me called dsquery that comes with Windows XP (not sure if it's on Windows 2000 machines as well).

dsquery user -name *min*

This will also return the Administrator user (and all others with min in their name). I do think it's ridiculous that one cannot search for a partial string easily inside the ADUC GUI (easily being the key word). Is the computational load really that great?

Wed, Jul 2, 2003 Anonymous Anonymous

Useful but with limitations.
