
LDAP: Query syntax


I've basically forgotten everything I ever learned about querying AD, and now I have a need to retrieve the list of users in one particular dept (DAAS). I've determined that there is an Organizational Unit called DAAS. I just can't figure out how to limit the list to that OU.

This string works, but retrieves the entire organization:

strQueryDL = "<LDAP://" & strDefaultNamingContext & ">;(&(objectCategory=person)(objectClass=user));distinguishedName;subtree"

This string doesn't work:

strQueryDL = "<LDAP://" & strDefaultNamingContext & ">;(&(objectCategory=person)(objectClass=user)(OU=DAAS));distinguishedName;subtree"

This string doesn't work, either:

strQueryDL = "<LDAP://OU=DAAS" & strDefaultNamingContext & ">;(&(objectCategory=person)(objectClass=user));distinguishedName;subtree"

Where does that darn OU belong in this string?

Thanks! DC


Solution

  • Entries don't have to contain the OU attribute just because it's somewhere in their DN. They are only required to have their RDN value in them. If this makes no sense, see below.

    You can find out the DN of all of the subtrees whose dn starts with ou=daas with

    strQueryDL = "<LDAP://" & strDefaultNamingContext & ">;(&(objectCategory=organizationalunit)(OU=DAAS));distinguishedName;subtree"

    Once you have that, you can use that DN where you have strDefaultNamingContext.

    There's also an extensible search form that can specify a search is to be performed against the DN rather than the attributes, but I don't know if it works in AD. If it does work in AD, that form would be:

    strQueryDL = "<LDAP://" & strDefaultNamingContext & ">;(&(objectCategory=person)(objectClass=user)(OU:dn:=DAAS));distinguishedName;subtree"

    A DN is made up of a bunch of DN components. Each component is an attribute value pair, joined with an =. You can join components at the same level with a +, but usually you just chain them with ,. Components at the same level are unordered. The bit from the start of the DN to the , is the RDN, and must be represented on the entry. Everything else in the DN is the superior DN. If the entry is not the top level entry in its tree, the superior DN must be represented by its own entry, but none of those values need to be on the subordinate entries.

    Exactly what all that means is another question, and it has been asked before, multiple times, and I'm looking through the different ones to find out which has the best answer... or whether I should submit an answer. Once I finish that search, I'll replace this text with a link.
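The following is an added example, not code from the question or the answer: it assembles the four-part ADO query string with the OU as the search base (note the comma that the third string in the question is missing), splits a DN into RDN and superior DN as the answer describes, and escapes values placed into a DN or a filter so that unusual names cannot break or alter the query. The naming context `DC=example,DC=com` and all function names are constructed for illustration.

```python
# Added example (not from the original post): build the ADO/ADSI query string
# described in the answer, with an OU as the search base, and split a DN into
# its RDN and superior DN. Pure Python, runs offline with constructed values.
import re

# RFC 4514 characters that must be backslash-escaped inside a DN attribute value.
_DN_SPECIALS = ',+"\\<>;'

def escape_dn_value(value: str) -> str:
    """Escape a single RDN value (e.g. an OU name) so it is safe to embed in a DN."""
    out = "".join("\\" + c if c in _DN_SPECIALS else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out          # leading '#' and leading space are also special
    if out.endswith(" "):
        out = out[:-1] + "\\ "    # trailing space must be escaped too
    return out

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter (avoids filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def split_dn(dn: str):
    """Return (rdn, superior_dn), splitting on the first unescaped comma only.
    A '+' multi-valued RDN stays together; '\\,' inside a value is not a separator."""
    m = re.match(r"((?:\\.|[^,\\])*),?(.*)", dn)
    return m.group(1), m.group(2)

def ou_base_dn(ou_name: str, naming_context: str) -> str:
    """Prepend an OU RDN to the default naming context, with the separating comma."""
    return f"OU={escape_dn_value(ou_name)},{naming_context}"

def build_ad_query(base_dn: str, ldap_filter: str,
                   attributes: str = "distinguishedName", scope: str = "subtree") -> str:
    """Assemble the ADO query string: <LDAP://base>;filter;attributes;scope."""
    return f"<LDAP://{base_dn}>;{ldap_filter};{attributes};{scope}"

def users_in_ou_query(ou_name: str, naming_context: str) -> str:
    """Users below one OU: the OU goes in the base, not in the filter."""
    return build_ad_query(ou_base_dn(ou_name, naming_context),
                          "(&(objectCategory=person)(objectClass=user))")

if __name__ == "__main__":
    ctx = "DC=example,DC=com"   # constructed naming context
    print(users_in_ou_query("DAAS", ctx))
    print(split_dn("CN=Smith\\, John,OU=DAAS," + ctx))
```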