LDAP OR what?

Using LDAP OR in Address lists.

This has bugged me for a little while.

Imagine the following scenario…

You have several departments, or entities, or even companies hosted in a single Exchange 2003 organisation.

You want to provide each with their own separate address list. Out of the box you get four:

  • All contacts
  • All groups
  • All users
  • Public folders

By default, the LDAP Query options in ESM use a logical AND, and this can be restrictive.

Let me give you my real world example.

I have a separate mailbox store database SG1DB2 just for the members of a specific department in a university, where the GAL contains over 60 thousand student mailboxes.

This dept is happy with the GAL, we don’t have to do anything clever with permissions or address list views, but they have requested that, in addition to the four address lists displayed above, I create a fifth departmental list.

So I right click All Address Lists in ESM, and select New, Address List… and give it an Address List name: and select Filter Rules…

On the General tab I tick the box for Users with Exchange mailbox and on the Storage tab, under Mailboxes in this mailbox store: I select SG1DB2.

OK, Finish and we’re done, everybody is happy, especially me, ‘cos it was easy.

Then, the phone rings, and now this department thinks it would be kinda nice if the department address list also contains the department distribution groups.

So I open ESM, right click my newly created address list and get Properties.

I select Modify… and go to the Advanced tab

I drop down Field to Group and in my case select Name, under Condition: I select starts with, and in Value: I type ABC, because in my case all of the departmental groups in question start with ABC.

I select Add and OK, and then to check my work I select Preview… and guess what, empty address list. It’s blank!

What happens here is that I’m now looking for all of the users in SG1DB2 that are also a group starting with ABC! ESM has used a logical AND filter in the LDAP query, and of course the results are useless.

So now I have to figure out the LDAP filter to give me all mailboxes in a particular mailbox store, OR any department starting with ABC.

The LDAP for AND is &. For OR it’s |

The simplest way to do this, and I appreciate it depends on the complexity of the LDAP query you are trying to perform, is to do the following.

Do two separate queries.

The first one is for mailboxes in a particular mailbox store, which is where we started. On the Properties for the address list, you can select the LDAP query and copy it to notepad.

(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(homeMDB=CN=SG1DB2,CN=First Storage Group,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=University,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=UNI,DC=LOCAL)) ))))

Next, I Remove the query, and click Modify… and from the Find: drop-down list select Custom Search

Now I re-enter my query for Group Name starts with ABC, press Add and OK.

Now select this new LDAP query and copy it into the same notepad, on the next line down.


Now, nearly there. We know that LDAP for OR is | so we need to stick these two conditions together.

(| (Condition one)(Condition two))

Open and close brackets with an OR statement, that’s it, and it’s far easier than trying to figure out how to do it from within the options available in ESM.
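The combination step can be checked offline before the query is pasted anywhere. This Python sketch is an added example, not part of the original post or of any Exchange tooling: it parses a subset of LDAP filter syntax, runs the AND and OR forms of the two conditions over four constructed entries, and raises on unbalanced brackets. The shortened store DNs, the sample entries and all function names are assumptions made for illustration.

```python
import re

def parse(f):
    """Parse a filter subset: (&...), (|...), (attr=value) with * wildcards, no escapes."""
    f = re.sub(r"\s*([()])\s*", r"\1", f)  # drop the padding ESM leaves around brackets
    def node(i):
        if f[i:i + 1] != "(":
            raise ValueError(f"expected '(' at offset {i} of {f!r}")
        if f[i + 1:i + 2] in ("&", "|"):
            op, kids, i = f[i + 1], [], i + 2
            while f[i:i + 1] == "(":
                kid, i = node(i)
                kids.append(kid)
            if f[i:i + 1] != ")" or not kids:
                raise ValueError(f"unbalanced '{op}' group at offset {i} of {f!r}")
            return (op, kids), i + 1
        end = f.find(")", i)
        attr, eq, value = f[i + 1:max(end, i + 1)].partition("=")
        if not eq or "(" in attr + value:
            raise ValueError(f"bad attr=value item at offset {i} of {f!r}")
        return ("=", attr.strip().lower(), value.lower()), end + 1
    tree, i = node(0)
    if i != len(f):
        raise ValueError(f"unexpected text at offset {i} of {f!r}")
    return tree

def matches(node, entry):
    if node[0] != "=":  # "&" needs every child to match, "|" needs only one
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    rx = ".*".join(map(re.escape, node[2].split("*")))
    return any(re.fullmatch(rx, v.lower()) for v in entry.get(node[1], []))

def combine(op, a, b):
    parse(a), parse(b)  # each half must be a complete, balanced filter on its own
    return f"({op}{a}{b})"

def select(filt, entries):
    tree = parse(filt)
    return [e["cn"][0] for e in entries if matches(tree, e)]

STORE, OTHER = "CN=SG1DB2,CN=Example", "CN=SG1DB1,CN=Example"  # constructed, shortened DNs
USERS = f"(&(mailnickname=*)(objectClass=user)(homeMDB={STORE}))"
GROUPS = "(&(objectCategory=group)(cn=ABC*))"
DIRECTORY = [  # constructed sample entries
    {"cn": ["alice"], "mailnickname": ["alice"], "objectclass": ["user"], "homemdb": [STORE]},
    {"cn": ["bob"], "mailnickname": ["bob"], "objectclass": ["user"], "homemdb": [OTHER]},
    {"cn": ["ABC-Staff"], "objectcategory": ["group"]},
    {"cn": ["XYZ-Staff"], "objectcategory": ["group"]},
]
print({op: select(combine(op, USERS, GROUPS), DIRECTORY) for op in "&|"})
```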

One final step. Now that we have our LDAP query:

(| (&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(homeMDB=CN=SG1DB2,CN=First Storage Group,CN=InformationStore,CN=EXCH01,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=University,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=UNI,DC=LOCAL)) ))))(&(objectCategory=group)(cn=ABC*)))

we need to get ESM to use it, and that’s not so simple.

In theory it’s a question of creating a Custom Search and simply pasting the new query into the Advanced tab, but I get some funnies when I try this: it either doesn’t accept the paste, or it does but modifies it to include an additional (& at the start. Neither of these works for me; the list always previews as empty!

So, open ADSIEDIT, and browse the Configuration container.

CN=Services, CN=Microsoft Exchange, CN=Organisation Name, CN=Address Lists Container, CN=All Address Lists.

Right click the address list in question and get Properties

Find the purportedSearch attribute, and Edit

Press Clear and paste the new LDAP in here. OK twice, close ADSIEDIT and we’re done.

Now when you preview the Address List in ESM, it should contain mailboxes in a particular store, OR groups that start with ABC!

Simple 😉