A little LDAP help needed

[Clayton Sutton]

Can someone tell me what the "&" means in the below query? After I add it
into "Saved Queries" in AD Users and Computers it adds a second "&".


(&(msExchHideFromAddressLists=TRUE)(objectClass=User))

(&(&(msExchHideFromAddressLists=TRUE)(objectClass=User)))

Just trying to understand the LDAP syntax.


TIA,


Clayton

 

[Al Mulnick]

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/creating_a_query_filter.asp

It likely should not be adding the extra ampersand, but that would just be
saying And And. In your case, it's saying match all objects that are of
objectClass is equal to User AND msExchHideFromAddressLists is equal to
TRUE.

Al

 

[Todd J Heron]

It basically says show all users who are hidden from Exchange address lists.

 

[Joe Kaplan \(MVP - ADSI\)]

In addition to what Todd and Al said, the extra (&) in the second filter is
totally extraneous.

Joe K.

 

[Clayton Sutton]

Well when I copy and paste the code into the "Saved Queries" text and click
it places the second "&" it's self. I am just trying to understand the "&"
in the first place. What is it there for? Is if a verable of some kind?
It makes no sense at the begaining of the line to me.


Clayton

 

[Joe Kaplan \(MVP - ADSI\)]

The & and | operators are simply a way of creating queries that have
compound filter components.

For example, if you want to find users with last name of Jones, you might
do:
(&(objectCategory=person)(objectClass=user)(sn=Jones))

The three filter components are grouped together inside an (&...), meaning
that they must all be true. If we only cared if one of those was true, we
would group them in an (|....).

This grouping thing in LDAP filters can get nested many levels deep to
create more and more complex filter expressions. For example, I could do:
(&(objectCategory=person)(objectClass=user)(|(sn=Jones)(sn=Smith)))

to find all of the users whose last name is Jones or Smith. You can keep
nesting as much as you want.

I have no idea why the tool you are using adds the extra (&...) wrapper
around the query. It is redundant and adds no value in the query you
showed. It also doesn't hurt though. I'm sure there's a reason for it
having to do with the way the tool works, but I don't know.

Joe K.

 

[Clayton Sutton]

Thank you Joe,

Your expiation was the best I've gotten so far. In other settings I would
expect to see something like:

(objectCategory=person) & (objectClass=user) & (sn=Jones)

Not THAT I understand! But putting the *&* in front was confusing to me.
In LDAP it's kinda like a powerful *&* wrapper. Do you know of any LDAP
documents that show all of the "wrappers"?


Clayton

 

[Joe Kaplan \(MVP - ADSI\)]

Microsoft's documentation isn't bad:

http://msdn.microsoft.com/library/d.../ad/ad/creating_a_query_filter.asp?frame=true

The section in my book is ok too, but it is still 4 months away from the
shelves.

Other books that cover LDAP will have similar explanations.

Joe K.

 

[Clayton Sutton]

Thank your VERY much Joe,

You have been really helpful!


Clayton