WinDeveloper IMF Tune

Extracting Information from Active Directory (Part 2)

Alexander Zammit

Software Development Consultant. Involved in the development of various Enterprise software solutions. Today focused on Blockchain and DLT technologies.

  • Published: Feb 27, 2007
  • Category: General

An Active Directory export may easily return an overwhelming number of results. Filtering the exported objects, limiting the set of returned properties, and loading the data in Excel or Access allows us to stay in control.

In the first part of this article we learnt how to perform basic directory exports. We did this by identifying the distinguished name (DN) of the object or container and dumping everything to a file. However, when dealing with a large number of objects, it is normal to require a little more control over what is exported. For example, if we are only interested in email addresses, we don't have to export all the object properties. We might also be interested only in users from a specific department.

Selective Object Export

Let's say we want to export all users from all organizational units (OUs). We could use one of the following commands:
ldifde -d dc=vertical,dc=local -f c:\temp\allusers.txt -r (objectClass=user)
csvde -d dc=vertical,dc=local -f c:\temp\allusers.txt -r (objectClass=user)

Here I started the export from the root of the Domain Naming Context (dc=vertical,dc=local) but filtered the exported objects using the -r parameter. Without the filter we would have exported all objects from the root down. This leads to a few questions. How do we construct these filtering conditions? And what is objectClass, by the way?

The filter is a condition that must be tested against all objects that are about to be exported. "objectClass" is a property name and "user" is the required property value for the object to be exported. Constructing these conditions can get very complex for the following reasons:

  1. We need to understand the meaning of the properties used in the filter (objectClass in this example).

  2. We need to understand how to correctly encode these filters. This becomes complex especially when combining multiple conditions with the AND, OR and NOT operators.

Constructing complex conditions by hand is something I prefer to avoid. We don't really have to either, since Exchange provides us with a nice wizard. Start by opening the Exchange System Manager and browse to the address lists.

ESM Address Lists

Open the properties for the All Users address list to get an idea of what a complex filter condition looks like.

All Users Address List Filter

We could easily reuse this filter to see which users match the All Users Address List. I will just replace the filter in the previous commands with the one copied from the ESM. Note that I also enclosed the filter in double quotes.
ldifde -d dc=vertical,dc=local -f c:\temp\allusers.txt -r "(& (mailnickname=*)(| (& (objectCategory=person) (objectClass=user) (!(homeMDB=*)) (!(msExchHomeServerName=*))) (& (objectCategory=person) (objectClass=user) (| (homeMDB=*) (msExchHomeServerName=*) ))))"
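
The filter copied from the ESM, parsed and evaluated in Python as an added example (not code from the original article); `parse`, `matches`, `preview` and the sample entries are names and data made up for this illustration. It shows how the operator-first AND, OR and NOT encoding nests, and that (objectClass=user) on its own also keeps computer accounts, which carry the user class, while the objectCategory=person condition excludes them. Only equality and `*` presence tests are handled.

```python
import re

ALL_USERS = ("(& (mailnickname=*)(| (& (objectCategory=person) (objectClass=user) "
             "(!(homeMDB=*)) (!(msExchHomeServerName=*))) (& (objectCategory=person) "
             "(objectClass=user) (| (homeMDB=*) (msExchHomeServerName=*) ))))")

def parse(text):
    """Return ('&'|'|'|'!', [children]) or ('=', attribute, value)."""
    text = re.sub(r"\s*([()])\s*", r"\1", text.strip())  # drop layout spaces
    node, pos = _node(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text at offset {pos}")
    return node

def _node(text, pos):
    op = text[pos + 1:pos + 2]
    if text[pos:pos + 1] == "(" and op and op in "&|!":  # operator, then operands
        kids, pos = [], pos + 2
        while text[pos:pos + 1] == "(":
            kid, pos = _node(text, pos)
            kids.append(kid)
        if text[pos:pos + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group at offset {pos}")
        return (op, kids), pos + 1
    end = text.find(")", pos)
    attr, sep, value = text[pos + 1:end].partition("=")
    if text[pos:pos + 1] != "(" or end < 0 or not sep or not attr.strip():
        raise ValueError(f"malformed condition at offset {pos}")
    return ("=", attr.strip().lower(), value.strip()), end + 1

def matches(node, entry):
    if node[0] == "=":  # '*' means "attribute present"; substring patterns unsupported
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2].lower() in values
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

# Constructed entries (lower-case attribute -> values); objectCategory in short form.
CLASSES = ["top", "person", "organizationalPerson", "user"]
PERSON = {"objectcategory": ["person"], "objectclass": CLASSES}
ENTRIES = {
    "mailbox user": {**PERSON, "mailnickname": ["jdoe"], "homemdb": ["CN=constructed"]},
    "mail-enabled user": {**PERSON, "mailnickname": ["partner"]},
    "user without mail": dict(PERSON),
    "computer": {"objectcategory": ["computer"], "objectclass": CLASSES + ["computer"]},
}

def preview(filter_text):
    tree = parse(filter_text)  # raises ValueError on a malformed filter
    return [name for name, entry in ENTRIES.items() if matches(tree, entry)]
```

Calling `preview` with a candidate filter before running the export shows which kinds of object it would keep, and a malformed filter fails at `parse` instead of producing an unexpected export.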

We can also use the ESM to create a filter from scratch. Right-click All Address Lists and select New | Address List.

New Address List

Enter a Filter Name and click on the Filter Rule button.

Filter Construction UI

This takes us to the standard Active Directory Search dialog. Use this to identify the objects of interest starting from the Find drop-down list at the top. Even though the Exchange team meant this to create an address list filter, we could construct filters for any type of AD object under the Domain Naming Context.

Click the Find Now button to see which objects match the filter and click OK when ready. Clicking Finish in the Create Exchange Address List dialog will save the new list. Now we can get the raw filter text by opening the properties of the newly created address list object. When done, just delete the new address list.
