

Unfortunately the MsExchVersion is not displayed so we will have to select another value and manually change the query down the road. Now we can pick from most of the attributes the Active Directory Users and Computers snap-in is aware of. Select the Fields dropdown and then select User options. Now we need to select some fields for our query. Click the Find drop down menu and select Custom Search. This will give us a clean LDAP filter to use. In the New Query window, type in the name and description and then click on the Define Query button. Open Active Directory Users and Computers and Right Click on the “Saved Queries” node, Select New, and Select Query as shown below. I found some handy posts about using “Search Folders” in the Active Directory Users & Computer Snap-in to build a query.

Below are the steps I followed:īuilding the LDAP query wasn’t as bad as I thought it would be. Building a valid LDAP query and getting it to work with GPP was difficult because I am not an LDAP guru.

Using an LDAP query I should be able to target specific group policy settings only to users with mailboxes on Exchange 2010. The value of an Exchange 2010 mailbox is “44220983382016” which correlates to “0.10 (14.0.100.0)” as the ExchangeVersion value from the “get-mailbox USERNAME | Select Name,ExchangeVersion” Exchange powershell command. Microsoft increments this value with every version of Exchange. It turns out the easiest way to determine if a user is on Exchange 2010, without using powershell, is by an LDAP query against the “msExchVersion” attribute on the user object in Active Directory. Group Policy Preferences (“GPP”) targeting does not support powershell queries so I had to come up with another method of selecting only users with mailboxes on 2010 using the tools available in GPP targeting. Hopefully the techniques I used will be helpful to others looking to do the same.Ī client needed to apply Current User registry keys only to users with mailboxes running on Exchange 2010 as part of their Exchange 2003 to Exchange 2010 migration. Microsoft’s own documentation on the topic is rather lacking, you can find it here. A lack of information on the web about actually implementing LDAP filters led to this post.

Remember that LDAP SearchRequest have several parameters that affect the Search Responses LDAP Errors # LDAP Errors, or more correctly, LDAP Result Codes are needed when SearchRequest worked or what went wrong.I recently had to assist a client with GPO development for applying various registry keys using LDAP filters for Group Policy Preferences targeting. SearchRequest are more than LDAP SearchFilters # Search Filters for Bit Fields #īy using LDAP filters it's also possible to find objects for which a specific bit either is or is not set within a bit field.
#Ldap query tool powershell how to
How to find and retrieve the LDAP schema from a LDAP server. Some examples that are specific or often used with Microsoft's Active Directory. These are some LDAP Query Advanced Examples LDAP Query Examples for AD # These are some simple examples of LDAP search Filters. Ldapwiki have many example SearchRequests linked below to show using LDAP Searches efficiently. Usually LDAP Searches are what are how most people interact with the LDAP Server.
