Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion GroupsWindows Server 2003Windows 2000Windows NTSmall Business ServerVirtual ServerExchange ServerIISHost Integration ServerISA ServerSMSWSUSMOMWindows Media ServerSecurityCertification
Related Topics
SQL ServerMS WindowsMS OfficePC HardwareMore Topics ...
Windows Server Forum / Windows Server 2003 / Active Directory / July 2005

Tip: Looking for answers? Try searching our database.

Searching for an AD attribute value

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
mikeyrad@gmail.com - 27 Jul 2005 15:01 GMT
I need to search for a value in AD that may or may not exist...I don't
know what the attribute name would be, all I know is the value.  How
would I use ldp to find any object that has an attribute with a given
value?

Thanks!
Reply to this Message
Al Mulnick - 27 Jul 2005 15:17 GMT
Can you reword that?  You want to find a value of an attribute that you
don't know the name of? Can you give an example to help clarify?

>I need to search for a value in AD that may or may not exist...I don't
> know what the attribute name would be, all I know is the value.  How
> would I use ldp to find any object that has an attribute with a given
> value?
>
> Thanks!
Reply to this Message
mikeyrad@gmail.com - 27 Jul 2005 15:33 GMT
Say you're looking at an account using adsiedit, attribute "givenName"
and the Value is "James".

If I wanted to use ldp to search active directory for all objects that
have the value "James" but I did not know that the attributename is
"givenName", what would be the syntax for it?
Reply to this Message
Al Mulnick - 27 Jul 2005 16:06 GMT
Ah.  I was afraid that was what you meant.

As Joe Kaplan mentioned, that's not something that LDAP is really designed
to do (nor is any db technology that I'm aware of).  It's considered a very
expensive query if you don't know the attribute that the value may exist in
because at some point in the query you'll have to enumerate each possible
attribute for each possible value to see if it matches your query.

A strategy that might be effective is to look at how your updates occur and
from that look at the possible attributes that could have been updated with
'James' and then query for each of those. You'd then have to cull through
that result to figure out which ones are the ones you want.

For example, you could query the domain for all givenNames equal to 'James'
and collect the results.  Then query for all sn equal to 'James' and collect
the results.  Then all displaynames equal to (or containing would be more
appropriate) 'James' and so on for the fields that may have been updated.

The alternative would be to more broadly search.  Figure out all possible
attributes that have a string value (since we know that 'James' is a string
you're looking for; although you may have to broaden that a little just in
case :) for your objectClass and then query for each of those in the domain
and find your data that way.

Yuck.

What makes you want to even look for the data this way?  Any particular
problem that comes up?

Al
> Say you're looking at an account using adsiedit, attribute "givenName"
> and the Value is "James".
>
> If I wanted to use ldp to search active directory for all objects that
> have the value "James" but I did not know that the attributename is
> "givenName", what would be the syntax for it?
Reply to this Message
mikeyrad@gmail.com - 27 Jul 2005 16:17 GMT
Actually yea it is a specific problem that came up.  We're using a
blackberry redirector software to redirect all of a users emails over
to his blackberry.  The problem is it's got a PIN associated with it,
that I'm assuming is stored in AD since it picks up that same PIN no
matter what PC you install it on, and it's the wrong PIN.  The software
doesn't actually give you the option to change the PIN, so I was hoping
to find where it's stored and delete it.  I know the PIN, but not the
attribute.
Reply to this Message
mikeyrad@gmail.com - 27 Jul 2005 16:20 GMT
Oh and it's not actually in the users object...I checked that. :)
Reply to this Message
Al Mulnick - 27 Jul 2005 16:35 GMT
Likely it's in the BES :)

> Oh and it's not actually in the users object...I checked that. :)
Reply to this Message
mikeyrad@gmail.com - 27 Jul 2005 16:43 GMT
That would make sense...if we were running BES.  :)

It's just a piece of software that runs on the local workstation, and
works with outlook to redirect emails.  Seems to store the PIN in AD
tho' which is kinda weird.
Reply to this Message
Al Mulnick - 27 Jul 2005 16:48 GMT
Interesting that it would store the PIN in the AD vs the device or even the
BES server (if you were using one).
Maybe the profile or perhaps it was encrypted or otherwise obscured if
stored in AD?
Did you also check the computer object to be sure it wasn't there?

> That would make sense...if we were running BES.  :)
>
> It's just a piece of software that runs on the local workstation, and
> works with outlook to redirect emails.  Seems to store the PIN in AD
> tho' which is kinda weird.
Reply to this Message
mikeyrad@gmail.com - 27 Jul 2005 17:08 GMT
Yea I couldn't find it in the user object, definetly not the computer
object since the software sees the PIN no matter what computer you
install it on....you just have to create a profile pointing to the
users profile, and tell the software to use that profile...and it finds
the pin code.  Probably stored in the mailbox somehow...I don't know
how to find it tho'.  :/
Reply to this Message
Al Mulnick - 27 Jul 2005 19:51 GMT
Try one of the BB newsgroups.  You can't be the first person to have run
across that issue.

Al
> Yea I couldn't find it in the user object, definetly not the computer
> object since the software sees the PIN no matter what computer you
> install it on....you just have to create a profile pointing to the
> users profile, and tell the software to use that profile...and it finds
> the pin code.  Probably stored in the mailbox somehow...I don't know
> how to find it tho'.  :/
Reply to this Message
Joe Kaplan (MVP - ADSI) - 27 Jul 2005 15:19 GMT
I don't think you can.  LDAP filters assume you know the name of the
attribute.

You could do something kind of hideous and create a giant search filter that
tests the attribute value against every attribute defined for the class in
question that matches the syntax.  Hopefully you know the class and can
reduce the list somewhat based on that.

Joe K.

>I need to search for a value in AD that may or may not exist...I don't
> know what the attribute name would be, all I know is the value.  How
> would I use ldp to find any object that has an attribute with a given
> value?
>
> Thanks!
Reply to this Message
Joe Richards [MVP] - 30 Jul 2005 00:00 GMT
You would need to dump every attribute of every object to a file and then grep
the file.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

> I need to search for a value in AD that may or may not exist...I don't
> know what the attribute name would be, all I know is the value.  How
> would I use ldp to find any object that has an attribute with a given
> value?
>
> Thanks!
Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2010 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.