Recipe 4.8 Searching with an Attribute-Scoped Query

This recipe requires the Windows Server 2003 forest functional level.

4.8.1 Problem

You want to retrieve attributes of objects that are referenced in a multivalued, linked attribute, such as the member attribute on group objects. An attribute-scoped query can do this in a single query, instead of the previous method, which required multiple queries.

4.8.2 Solution

Using a graphical user interface
  1. Follow the steps in Recipe 4.3 to enable an LDAP control.

  2. Select the Attribute Scoped Query control (you can select controls by name with the Windows Server 2003 version of LDP). For the Windows 2000 version of LDP, add a control with an OID of 1.2.840.113556.1.4.1504.

  3. For Value, enter the multivalued attribute name (e.g., member).

  4. Click the Check in button.

  5. Click OK.

  6. From the menu, select Browse Search.

  7. For BaseDN, type the DN of the object that contains the multivalued DNs.

  8. For Scope, select Base.

  9. For Filter, enter an LDAP filter to match against the objects that are part of the multivalued DN attribute.

  10. Click Run.

Using a command-line interface

At the time of publication of this book, no CLI tools supported attribute-scoped queries.

Using VBScript

At the time of publication of this book, you cannot use attribute-scoped queries with ADSI, ADO, or VBScript. In an ADO search, you can use the ADSI Flags property of a Connection object to set the search preference, but there is no way to set the attribute that should be matched, which must be carried in the value of the LDAP control.

4.8.3 Discussion

When dealing with group objects, you may have encountered the problem where you wanted to search against the members of a group to find a subset or to retrieve certain attributes about each member. This normally involved performing a query to retrieve all of the members, and additional queries to retrieve whatever attributes you needed for each member. This was less than ideal, so an alternative was developed for Windows Server 2003.

With an attribute-scoped query, you can perform a single query against the group object and return whatever properties you need from the member's object, or return only a subset of the members based on certain criteria. Let's look at the LDAP search parameters for an attribute-scoped query:

Attribute Scoped Query Control Value

The value to set for this control should be the multivalued DN attribute that you want to iterate over (e.g., member).

Base DN

This should be the DN of the object that contains the multivalued DN attribute (e.g., cn=DomainAdmins,cn=users,dc=rallencorp,dc=com).

Scope

This should be set to Base.

Filter

The filter is matched against the objects referenced by the attribute named in the Control Value, not against the base object itself. For example, a filter of (&(objectclass=user)(objectcategory=Person)) would match any user objects referenced in the multivalued DN attribute. You can also use any other attributes that are available on those objects. The following filter would match all user objects that have a department attribute equal to "Sales": (&(objectclass=user)(objectcategory=Person)(department=Sales))

Attributes

This should contain the list of attributes to return for each object matched in the multivalued DN attribute.

4.8.4 See Also

MSDN: Performing an Attribute Scoped Query and MSDN: Searching with ActiveX Data Objects (ADO)
