0
votes

I am trying to find an objectCategory query that will return all the "users" in my Active Directory.

I thought this would be as simple as (objectCategory=user). And while that does return the bulk of my users, it does not return them all.

I have some Group Managed Service Accounts (gMSA) in my Active Directory. They have the objectCategory of msDS-GroupManagedServiceAccount. When I look up msDS-GroupManagedServiceAccount it indicates that it has fields derived from user.

That leads me to believe that msDS-GroupManagedServiceAccount is a subclass of user. Which leads to my question:

Is there a way to indicate that I want all objects that are of objectCategory user AND all objects that descend from objectCategory user?

2
Can you do it with an objectClass match? That would work, as all parent classes are present too. - user207421

2 Answers

1
votes

Search by objectClass instead of objectCategory:

(objectClass=user)

The objectClass attribute started being indexed in Windows Server 2008, so as long as you're running 2008+, it will be just as fast as searching by objectCategory.

0
votes

Not a complete answer to your bolded question, but a workaround for your particular case would be to use an or expression.

(|(objectCategory=person)(objectCategory=msDS-GroupManagedServiceAccount))
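
The filters on this page compared side by side, as an added example that is not from the question or either answer: a small evaluator for the filter syntax, run over four constructed entries. It assumes the standard AD schema, where computer and msDS-GroupManagedServiceAccount inherit from user and a class name in an objectCategory filter resolves to that class's defaultObjectCategory (user resolves to person); the entry names and the final combined filter are illustrative.

```python
# Constructed sample entries (not from a real directory). objectClass holds the
# full class chain; objectCategory is written by short name for readability.
PERSON = ["top", "person", "organizationalPerson"]
ENTRIES = [
    {"cn": "alice", "objectClass": PERSON + ["user"], "objectCategory": "person"},
    {"cn": "vendor-contact", "objectClass": PERSON + ["contact"], "objectCategory": "person"},
    {"cn": "WS01$", "objectClass": PERSON + ["user", "computer"], "objectCategory": "computer"},
    {"cn": "svc-web$", "objectClass": PERSON + ["user", "computer", "msDS-GroupManagedServiceAccount"],
     "objectCategory": "msDS-GroupManagedServiceAccount"},
]

# Assumption from the AD schema: a class name used in an objectCategory filter
# is resolved to that class's defaultObjectCategory.
DEFAULT_CATEGORY = {"user": "person", "contact": "person"}

def parse(f, i=0):
    """Parse the filter subset used here: (&...), (|...), (!...), (attr=value)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, case-insensitively."""
    if node[0] == "=":
        _, attr, value = node
        if attr.lower() == "objectcategory":
            value = DEFAULT_CATEGORY.get(value.lower(), value)
        have = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        have = have if isinstance(have, list) else [have]
        return value.lower() in (v.lower() for v in have)
    op, kids = node
    results = [matches(k, entry) for k in kids]
    if op == "!":
        return not results[0]
    return all(results) if op == "&" else any(results)

def search(filter_text):
    """Return the cn of every constructed entry the filter matches."""
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"] for e in ENTRIES if matches(tree, e)]
```

On this data, (objectClass=user) picks up the gMSA but also the computer account, and the objectCategory=person branch of the or expression also returns the contact; (&(objectClass=user)(!(objectCategory=computer))) returns only the user and the gMSA.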