Thursday, February 28, 2008

Create a Saved Query that Displays Group Members


Saved Queries in Active Directory Users and Computers (ADUC) allow you to create simple or advanced LDAP queries against the Active Directory that can be saved, reused and edited. Examples might be a query displaying all locked out users in the domain or all the users who have a mailbox on a particular Exchange server and have the word "Manager" in their title.


A client I worked with needed a query that displayed all the members of a certain (large) group. This would allow him to select all the users at once and move their mailboxes to another server.


Try as he might, he couldn't get the query to display the group's members. It turns out this is because the group name must be entered using its distiguished name. Here's how to do it:


  • Use ADSIEdit.msc (in the Windows Support Tools) and navigate to the group

  • View the properties of the group to reveal the distinguishedName attribute value and copy it to the clipboard (shown above)

  • Open ADUC, right-click Saved Queries and select New query

  • Enter a name for your query, "Accounting Group Members"

  • Click the Define Query button

  • Select Users, Contacts, and Groups from the Find: dropdown list

  • Click the Advanced tab

  • Click Field > User > Member of

  • With the condition of "is (exactly)", paste the group's distinguishedName into the Value field and click Add

  • Click OK twice to complete the query

8:53 AM