Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to use ldap search to get computers from m...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to use an LDAP search to find computers located in multiple groups. I tried something like this, but I cant get the syntax correct or even know if it's possible. I'm trying to find all computers in the patch1 and patch2 groups.
| ldapsearch domain=mydomain.com search=(&(objectClass=computer)(memberOf="CN=Patch1, OU=Patches,OU=Wintel,DC=Mydomain,DC=com) AND (memberOf="CN=Patch2, OU=Patches,OU=Wintel,DC=Mydomain,DC=com) ) attrs=name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you want accounts that are in both patch1 and patch 2? Try this:
(&(objectClass=computer)(memberOf=CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com)(memberOf=CN=Patch2, OU=Patches,OU=Wintel,DC=Mydomain,DC=com))
When you query ldap, the sections enclosed in parentheses will set by the initial operator, this case "AND" (&), so what you're asking for is:
( (objectClass=computer) AND (memberOf=CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com) AND memberOf=CN=Patch2,OU=Patches,OU=Wintel,DC=Mydomain,DC=com) )
If, for example, you wanted to find computers that were either in one group or the other, instead of both, the query would be:
(&(objectClass=computer)(|(memberOf=CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com)(memberOf=CN=Patch2,OU=Patches,OU=Wintel,DC=Mydomain,DC=com)))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you want "objects that are computers AND (are in group1 OR are in group2)"
(&(objectClass=computer)(|(memberOf="CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com") (memberOf="CN=Patch2,OU=Patches,OU=Wintel,DC=Mydomain,DC=com")))
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you want accounts that are in both patch1 and patch 2? Try this:
(&(objectClass=computer)(memberOf=CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com)(memberOf=CN=Patch2, OU=Patches,OU=Wintel,DC=Mydomain,DC=com))
When you query ldap, the sections enclosed in parentheses will set by the initial operator, this case "AND" (&), so what you're asking for is:
( (objectClass=computer) AND (memberOf=CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com) AND memberOf=CN=Patch2,OU=Patches,OU=Wintel,DC=Mydomain,DC=com) )
If, for example, you wanted to find computers that were either in one group or the other, instead of both, the query would be:
(&(objectClass=computer)(|(memberOf=CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com)(memberOf=CN=Patch2,OU=Patches,OU=Wintel,DC=Mydomain,DC=com)))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not able to get your first example to work without an error. I can do this below with quotes:
(&(objectClass=computer)(memberOf="CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com"))
I tried to do:
(&(objectClass=computer)(memberOf="CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com")(memberOf="CN=Patch2,OU=Patches,OU=Wintel,DC=Mydomain,DC=com"))
that is not working either.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try it without quotes ... and if there's still a problem, try
(&(objectClass=computer)(memberOf=*))
As a starting point, and you can also add a name filter with a wildcard ...
(&(objectClass=computer)(memberOf=*)(name=WKS-*))
When you're stuck it's not a bad idea to find to a point where your query works, then start narrow it down.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have tried every combination I can think of. This works fine:
)
If I try to add something like (&(objectClass=computer)(memberOf=)(name=*wintel)) to the search it will show similar data, but only with servers that contain the name wintel.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| ldapsearch search="(&(objectCategory=computer)(|(memberOf=CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com)(memberOf=memberOf=CN=Patch2, OU=Patches,OU=Wintel,DC=Mydomain,DC=com)))" | stats values(memberOf) as memberOf, count(memberOf) as group_count by name
This should list computers that are members of either group - from that you can see if you have the bisection of computers that exist in both groups. If you search for just members of one group do you get any results?
| ldapsearch search="(&(objectCategory=computer)(memberOf=CN=Patch1,OU=Patches,OU=Wintel,DC=Mydomain,DC=com))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did it! thanks so much.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
