LDAP query for all users in sub OUs within a particular OU

10
votes

The active directory I have to deal with is laid out as such: the domain contains many OUs. One of these OUs is named "Primary OU". Within this OU are several OUs named with location of global offices (ie "Chicago" "Paris").

Any user account that is an actual flesh and bone person is put into the OU named for the office they work in as their primary OU. Any user account that is an alias, generic account, or otherwise not directly tied to a real person, has the "Primary OU" OU set as their primary OU.

Data-wise, this primary OU distinction is the only thing that indicates which users are real people, and which users are not. There is no group that contains only real people, no indicator in any field that they are real people or not, and making any changes to active directory or any user accounts is strictly forbidden.

My task is writing a query that will only get all actual flesh and bone people.

Unfortunately LDAP is not exactly my strong suit and the only way I've come up with is searching each of these office sub OUs individually and putting all the results together, but there are a lot of offices and it would require a change to the query if any offices were added, which I need to avoid.

Is there a way to query all users within a particular OU's "sub" OUs, but not return any users directly in the parent OU?

2
active-directoryldap
What programming environment? .NET ?? .NET 2.0 or .NET 3.5 ??marc_s
I'm looking for the LDAP query, but I will ultimately be using the DirectorySearcher object in .NET 3.5 to execute the querykscott

2 Answers

13
votes

Yes, sure - you would need to:

1) Bind to the particular OU

DirectoryEntry myOU = new DirectoryEntry("LDAP://OU=MyOU,......,DC=MyCompany,DC=com");

2) Enumerate all its sub-OU's

DirectorySearcher subOUsearcher = new DirectorySearcher(myOU);
subOUsearcher.SearchScope = SearchScope.OneLevel; // don't recurse down
subOUsearcher.Filter = "(objectClass=organizationalUnit)";

foreach(SearchResult subOU in subOUsearcher.FindAll())
{
   // stick those Sub OU's into a list and then handle them
}

3) One-by-one enumerate all the users in each of the sub-OU's and stick them into a global list of users

DirectorySearcher userSearcher = new DirectorySearcher(myCurrentSubOu);
userSearcher.SearchScope = SearchScope.OneLevel; // don't recurse down
userSearcher.Filter = "(objectClass=user)";

foreach(SearchResult user in userSearcher.FindAll())
{
  // stick those users into a list being built up
}

4) Return that list

Marc

6
votes
// Create a new DirectorySearcher that starts at the root.
// You can start it anywhere you want though
//     by providing a value in the DirectoryEntry constructor.
DirectorySearcher searcher = new DirectorySearcher(new DirectoryEntry());

// Set the scope to Subtree in order to search all children.
searcher.SearchScope = SearchScope.Subtree;

// Set the filter to only look for Organizational Units
//     that have the name you are looking for.
searcher.Filter = "(&(objectClass=organizationalUnit)(name=" + ouName + "))";

// If you are looking for only one result then do the following two things.
SearchResult result = searcher.FindOne();

DirectoryEntry newDir = result.GetDirectoryEntry();