jazzyjeff Posted March 8, 2017

Hey All,

I am banging my head against a wall here trying to get an LDAP query to work, so I am hoping someone can help me out.

GOAL: I'm trying to map drives using Item Level Targeting.

CURRENT SOLUTION: An AutoIt login script runs, determines the user that logs in, and looks at the user's group membership. If a user is a member of a group that contains the string "User-LAX", then it will map \\server1\shareA. If a user is a member of a group that contains the string "User-ORD", then it will map \\server2\shareB. With the power of scripting this is easy to achieve.

PROBLEM: The Active Directory setup is extremely large and complex, and perhaps has not been designed with a lot of thought for situations like this. There are multiple buildings, and each building has a user code used in security group names, i.e. User-LAX-HR, User-ORD-HR, User-LAX-Accounting, User-ORD-Accounting etc. So if they are a member of a group that contains "User-LAX", it will map the UNC path \\server1\shareA. That's the aim. Now there are potentially hundreds of groups that begin with "User-LAX", so while I could easily run an LDAP query on each group called "User-LAX", this would take me forever to build a group policy containing all the different possibilities.

RESEARCH: I have discovered that I cannot do LDAP queries on a distinguished name using a wildcard, which really messes things up. This is how I would like the query to work, but I know it doesn't, so I am looking for an alternative.

(&(objectcategory=user)(memberof=*User-LAX*))

POTENTIAL SOLUTION: I have just thought about this as a potential solution as I type this out, and that would be to build a script that would find all the groups that begin with "User-LAX", and then export all the members of those groups and make them members of a new group called "User-LAX-XDrive", and then I can use ILT to map drives based on that new group membership.

To be honest the above solution seems like the easiest way right now, but perhaps there is something else I can do with an LDAP query that I am missing? I'm reluctant to dive straight in and create a new security group, because while at my previous job I was given full responsibility to do that, I'm not sure if I am given that same trust here at my new job. However, if it needs to be done then it needs to be done. Any feedback is appreciated.

water Posted March 8, 2017

memberOf is a distinguished name attribute. You can't search it with a wildcard search. It must be an exact match. Means: Retrieve all the groups the user is a member of and then process the returned array.
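
The client-side processing described in the reply above, as an added example that is not code from the thread or from any UDF mentioned in it. It matches the site code against each group's own CN rather than the whole DN, so an OU that happens to carry a site code does not trigger a mapping. The function names, the SITE_SHARES table and the sample DNs are assumptions made for illustration; the site codes and shares are the ones named in the question.

```python
import re

# Assumed lookup table built from the thread: site code in the group name -> share.
SITE_SHARES = {"User-LAX": r"\\server1\shareA", "User-ORD": r"\\server2\shareB"}

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur).strip())
    return parts

def group_cn(dn):
    """Return the unescaped CN of the first RDN, or None if it is not a CN."""
    attr, _, value = split_dn(dn)[0].partition("=")
    if attr.strip().upper() != "CN":
        return None
    def unescape(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", unescape, value)

def shares_for(member_of):
    """Shares to map for one user's memberOf values (case-insensitive 'contains')."""
    shares = []
    for dn in member_of:
        cn = group_cn(dn)
        if cn is None:
            continue
        for code, share in SITE_SHARES.items():
            if code.lower() in cn.lower() and share not in shares:
                shares.append(share)
    return shares

# Constructed sample: the second DN has the site code only in an OU, and an escaped comma.
SAMPLE_MEMBER_OF = [
    "CN=User-LAX-HR,OU=Groups,DC=example,DC=com",
    "CN=Printers\\, Floor 2,OU=User-ORD-Legacy,DC=example,DC=com",
    "CN=user-lax-accounting,OU=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    print(shares_for(SAMPLE_MEMBER_OF))
```

memberOf lists direct memberships only, so users who reach a site group through a nested group need the nesting expanded before this check.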

jazzyjeff Posted March 9, 2017

Thanks Water. I think I will use the approach to create a new group and make the members of the current groups a member of the new group, and then map drives using Item Level Targeting on the new security group.