fine tuning a DirectorySearcher.Filter

mike

I'm needing a bit of help to fine tune my Filter property for a
DirectorySearcher. My context here is for a company phone directory. A
user enters the string they want to search for (in txtSearch) and hits
the Fire button.

The problem is that this picks up disabled accounts which I'd rather
didn't happen. I basically grabbed this string straight from somewhere
but don't really know what "anr" means.

ds.Filter = "(&(anr=" & txtSearch.Text & ")(objectCategory=person))"

I tried to change it to the following

ds.Filter = "(&(anr=" & txtSearch.Text & ")(objectCategory=person)(AccountDisabled=false))"

but my search now returns zero results, no matter what. I got this
property name from the ADSI SDK on microsoft.com.

Can anyone help?

Thanks
Mike
 
Marc Scheuner

Hi Mike
> I'm needing a bit of help to fine tune my Filter property for a
> DirectorySearcher. My context here is for a company phone directory.
> The problem is that this picks up disabled accounts which I'd rather
> didn't happen. I basically grabbed this string straight from somewhere
> but don't really know what "anr" means.

ANR = Ambiguous Name Resolution - this allows you to search for a name
without explicitly specifying which attribute to look in - it will
look in the most common ones for you (displayName, givenName, sn,
sAMAccountName and so forth).

> ds.Filter = "(&(anr=" & txtSearch.Text & ")(objectCategory=person)(AccountDisabled=false))"

The idea is right - the syntax is wrong :)

Unfortunately, the "account disabled" is encoded in the
"userAccountControl" property in LDAP, and there's no easy and nice
way to specify that.

If you look at a good book, e.g. Joe Kaplan/Ryan Dunn's ".NET
Developer's Guide to Directory Services Programming", you'll find that
you *can* specify these kinds of filters, too - it's just not very
pretty.....

This filter here will select all the DISABLED accounts - that's those
that have the bit #2 in UserAccountControl set to true.

(userAccountControl:1.2.840.113556.1.4.803:=2)

So in your case, you'd want to have the opposite of this:

ds.Filter = "(&(anr=" & txtSearch.Text & ")(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"


Hope this works for you

Marc
 
mike

Thanks Marc

Works a treat. I wasn't sure about the ! - I was thinking it might
have been C# specific. I'm a VB.NET nerd. But it worked. I just don't
really understand what I've just done, that's all. Might have to check
out that book you mentioned.

Cheers
Mike
 
Marc Scheuner

Hi Mike
> Works a treat. I wasn't sure about the ! - I was thinking it might
> have been C# specific. I'm a VB.NET nerd. But it worked.

No, it's just the rather weird LDAP filter syntax - and that's *not*
language specific :)

> I just don't really understand what I've just done, that's all.

OK, two things: the "userAccountControl" is a general LDAP property
that every user (and group) object has - it contains a set of flags
telling you a number of things about a user - including whether the
account is disabled or not.

The ugly string of numbers "1.2.840.113556.1.4.803" is another LDAP
weirdity - it's the "OID" for the "bitwise AND" operation (also called
LDAP_MATCHING_RULE_BIT_AND).

So basically, all you're telling the filter here is that the
"userAccountControl" flag should have bit #2 set to ON - i.e. the
account should be disabled. Putting a "!" (LDAP NOT) before it just
negates it.

Does that make things a bit clearer? It's weird alright - that's what
pure low-level LDAP looks like :) MS has done a great job at nicely
abstracting that with ADSI and System.DirectoryServices - it just
keeps popping up in some odd places.....

> Might have to check out that book you mentioned.

Definitely worth a look, and an excellent resource on .NET S.DS
programming - highly recommended !

Marc
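
An added example, not part of the original thread: the final filter built in VB.NET with the search text escaped per RFC 4515 before it is concatenated, plus the bit test that the matching rule performs. The module, function and constant names and the sample inputs are constructed for illustration.

```vbnet
Imports System
Imports System.Text

Module PhoneDirectoryFilter

    ' Flag value tested by the filter in the thread (ADS_UF_ACCOUNTDISABLE).
    Const AccountDisableFlag As Integer = &H2

    ' OID of LDAP_MATCHING_RULE_BIT_AND, as quoted in the thread.
    Const BitAndRule As String = "1.2.840.113556.1.4.803"

    ' Escape the characters that are special inside an LDAP filter value
    ' (RFC 4515), so typed text stays a value and cannot alter the filter.
    Function EscapeFilterValue(value As String) As String
        Dim sb As New StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c : sb.Append("\5c")
                Case "*"c : sb.Append("\2a")
                Case "("c : sb.Append("\28")
                Case ")"c : sb.Append("\29")
                Case ChrW(0) : sb.Append("\00")
                Case Else : sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' People matching the search text whose disabled bit is NOT set.
    Function BuildFilter(searchText As String) As String
        Return "(&(anr=" & EscapeFilterValue(searchText) & ")(objectCategory=person)" &
               "(!(userAccountControl:" & BitAndRule & ":=" & AccountDisableFlag.ToString() & ")))"
    End Function

    ' What the bit-AND rule evaluates per account: true when the flag bit is set.
    Function IsDisabled(userAccountControl As Integer) As Boolean
        Return (userAccountControl And AccountDisableFlag) = AccountDisableFlag
    End Function

    Sub Main()
        ' Constructed search texts: a plain name and one with filter metacharacters.
        For Each text As String In {"smith", "Smith (Sales)*"}
            Console.WriteLine(BuildFilter(text))
        Next
        ' Constructed values: 512 = normal account, 514 = normal account + disabled bit.
        For Each uac As Integer In {512, 514}
            Console.WriteLine("{0}: disabled = {1}", uac, IsDisabled(uac))
        Next
    End Sub
End Module
```

In the form from the thread this would be used as `ds.Filter = BuildFilter(txtSearch.Text)`.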
 
mike

Once again, thanks a lot Marc. Some of what you said rings a (rather
dim) bell or two. I mess around a bit with VBScript, WMI and ADSI -
this is how I create all my user accounts and was expecting .NET to be
just as straightforward. I just looked up the AccountDisabled
property in the ADSI SDK. Alas...

Ha, I just checked - in this backwater we call Australia, the book is
even in stock locally.

Cheers
Mike
 
