AD User commands filter

Feb 7, 2012 at 4:56 PM
Edited Feb 7, 2012 at 5:49 PM

The AD user commands like AddUserToGroup do a query to find users.  They query something like this

2012-02-07 10:18:33.4513|DEBUG|MaikKoster.Deployment.AD.Controller|Executing query "(&(objectClass=user)(|(cn=<username>)(sAMAccountName=<username>)(distinguishedName=<username>)))".

I find this to be incorrect.  The problem is that all computers have an objectclass of user.  So objectclass=user is not valuable.  Instead, the filter to find users should include a (!(objectClass=computer)) to exclude computers.  At least in my AD, all computers have the user and computer values in objectClass.   All users have user, but not computer. Looking on Google, I find that this is common.  This is an issue for me because I have some objects where there is both a user and computer object named the same. 


I think the LDAP queries in the User functions should be modified to exclude objectClass=computer. 

Alternately, I can specify the DN of the user I want to add so there is no confusion.  My problem is that  I am going to have to do a LDAP query of my own to obtain the DN.

 I hope I am explaining this OK.

Apr 24, 2012 at 2:00 PM
Edited Apr 24, 2012 at 2:04 PM

You are absolutely right. Computer inherits from User, so the search for Users should exclude computers. I will update the queries and it should be included in the next release. If you need a copy earlier, please get back to me and I will send you the updated bits.



Apr 25, 2012 at 2:48 PM

Thanks Maik.  I have added a measure to work arround this issue in my environment.  I am gathering the targeted user's Distinguished Name using an ADSI query and then passing that value to your webservice.  Because DNs have to be unique, I always get the intended user account. Once I discovered that I could pass the DN to the webservice instead of just the username, the problem became way less critical for me.  I am very excited to see the new release of the webservice and the MDT Front End, but I can wait to get it along with everyone else unless you want some testing and feedback, however I don't have my lab on 2012 yet.

Thanks for your great contribution to the SCCM/OSD/MDT community. 


Dec 27, 2012 at 8:23 PM

Maik, if the offer still stands to send me the bits where this issue is corrected, I am now at a spot where it would be useful to have the corrected version.  Thanks.