Characters with Accents and LDAP search

  • Last Post 03 July 2019
SWD1 posted this 23 October 2006


Hi all,

I’m using the following script to find a user, which works fine so long as the CN value doesn’t contain a character with an accent. In the example below I’ve used Léo Apotheker; unfortunately the letter é produces an ‘Object not found’ error. Does anyone have any idea what is going on here? Is the problem with VBScript or AD?

Many thanks


Set dso =

Set objUser = dso.OpenDSObject( _

Apotheker,OU=Staff,DC=Domain,DC=Com", _


"password", _


= Disabled


listmail posted this 02 November 2006


I don't have any problem running that script and binding to an ID with accents...

O'Reilly Active Directory Third Edition -


Thiago.Pereira posted this 13 April 2017

Pick one

LDAP Query to Find Enabled Users




gazzadownunder posted this 13 April 2017

This should do the trick, I haven't tested but it should put you on the right track.
 (&(objectclass=user)(objectcategory=user)(!(postOfficeBox=SRV))(company=PSEBAS)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
On Apr 13, 2017 10:45 AM, adriaoramos@xxxxxxxxxxxxxxxx wrote:
Please, I need to search for all users in my company that are active, don’t have the word SRV in the P.O. Box attribute and have PSEBAS in the company attribute. I created this LDAP search, but there is something wrong in it. Can anyone help me with it?

(|(sAMAccountType=805306368)(&(isDeleted=TRUE)(objectClass=user)(!(objectClass=computer)&(objectClass=user)(!postOfficeBox=SRV)(objectClass=user)(company=PSEBAS)&(objectClass=user) userAccountControl:1.2.840.113556.1.4.803:=2))))



darren posted this 14 April 2017

On a related note, do NOT queries still kill use of indexing in AD? I know that was the mantra many moons ago but curious if it’s still the case.





DonH posted this 14 April 2017

The presence of a NOT clause doesn’t completely kill indexing, but the NOT clause itself cannot be indexed. The problem is that attributes that you do not have read access to are supposed to behave as if they have no values. On a “positive” search clause the DSA can filter out results that show up in the index but that you shouldn’t be able to see, but with a NOT clause it has no way to add in the results that aren’t really in that section of the index but because of security restrictions should appear to be so.

DonH


bdesmond posted this 02 July 2019

The filter you’re trying to construct is not possible. You’ll need to do the filtering based on string length client side.


As an aside, the ! operator makes this very inefficient. If you have a large directory you might want to revisit how/what you’re doing here.



Brian Desmond






amulnick posted this 02 July 2019

You only want to find active users that are non-managers that have the postofficebox attribute populated with a string or set of numbers that begin with '5' and have 6 chars or less?  
Is this a recurring query or a one and done?  The approach may be different depending. 


adriaoramos posted this 03 July 2019

Good afternoon, I need help with an LDAP search. I need to create one like this: (&(!(|(Title=man)(Title=office)(userAccountControl:1.2.840.113556.1.4.803:=2)))(|(postOfficeBox=1)(postOfficeBox=2)(postOfficeBox=3)(postOfficeBox=4)(postOfficeBox=5)(postOfficeBox=6)(postOfficeBox=7)(postOfficeBox=8)(postOfficeBox=9)(postOfficeBox=0)))

But I need to display only users with attribute “postOfficeBox” starting in 5 and that have 6 characters or less. But only those starting in 5; the others have no limit.

Is there a way to filter that?

barkills posted this 03 July 2019

As Brian Desmond said, no, there’s no way to do that in an LDAP search filter. If you need credentials, Brian wrote a book on AD & I wrote a book on LDAP.



And as Brian indicated, you can do what you need client-side. If it was me, I’d write a PS script using the AD module, leveraging the LDAP filter which gets you most of the way, then loop through the results dropping any result that had more than 6 characters.

You haven’t said whether this approach would work for your use case, so I don’t know whether it is lack of scripting skills or if your use case won’t allow client-side scripting (or some other reason) is why you are dismissing the previous answers you got. But if you shared more, then maybe you’d get more.



Brian Arkills

Author of LDAP Directories Explained
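
The client-side approach suggested in this thread, as an added example that was not posted by any participant: the LDAP filter narrows the result set on the server, and a PowerShell loop applies the length rule the filter cannot express. It assumes the ActiveDirectory module's Get-ADUser and reads "starting in" as a prefix match (trailing `*`); the function name, the `$UseDirectory` switch and the sample objects are constructed for illustration.

```powershell
# Added example. The filter follows the one posted in the thread; the trailing *
# on each postOfficeBox term is an assumption ("starting in" = prefix match).
$digitTerms = (0..9 | ForEach-Object { "(postOfficeBox=$($_)*)" }) -join ''
$ldapFilter = '(&(!(|(title=man)(title=office)' +
    '(userAccountControl:1.2.840.113556.1.4.803:=2)))' +
    "(|$digitTerms))"

function Test-PostOfficeBoxRule {
    # Hypothetical helper: returns $true if any postOfficeBox value satisfies
    # "starts with a digit; if it starts with 5 it must be 6 characters or less".
    param([string[]]$Values)
    foreach ($v in $Values) {
        if ([string]::IsNullOrEmpty($v)) { continue }
        if ($v -notmatch '^[0-9]') { continue }
        # The part an LDAP filter cannot express: a length limit on one prefix.
        if ($v.StartsWith('5') -and $v.Length -gt 6) { continue }
        return $true
    }
    return $false
}

# Constructed sample objects standing in for Get-ADUser results (offline run).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'u1'; postOfficeBox = @('51234') }      # kept
    [pscustomobject]@{ SamAccountName = 'u2'; postOfficeBox = @('5123456') }    # dropped: 7 chars
    [pscustomobject]@{ SamAccountName = 'u3'; postOfficeBox = @('712345678') }  # kept: no limit
    [pscustomobject]@{ SamAccountName = 'u4'; postOfficeBox = @() }             # dropped: empty
)

# Set to $true on a domain-joined host with the ActiveDirectory module loaded.
$UseDirectory = $false
if ($UseDirectory) {
    $users = Get-ADUser -LDAPFilter $ldapFilter -Properties postOfficeBox, title
} else {
    $users = $sample
}

# postOfficeBox can hold more than one value, so wrap it in @() before testing.
$users |
    Where-Object { Test-PostOfficeBoxRule -Values @($_.postOfficeBox) } |
    Select-Object SamAccountName,
        @{ n = 'postOfficeBox'; e = { $_.postOfficeBox -join ';' } }
```

With `$UseDirectory` left at `$false` the script lists u1 and u3 from the constructed sample.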