I have experienced very odd behaviour when searching with member:1.2.840.113556.1.4.1941 with escaped characters.
It seems that the search fails when the search term is escaped 'properly', but succeeds when the search term is not escaped!
In contrast, a plain search using member works whether the search term is escaped or not.
Here's a PowerShell example.
function Find-AdObjects([string]$Filter) {
    # Search the whole domain (default naming context) from the root
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher
    $DirectorySearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
    $DirectorySearcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    # Only the DN is needed; paging keeps large result sets from being truncated
    $DirectorySearcher.PropertiesToLoad.Add('distinguishedname') > $null
    $DirectorySearcher.PageSize = 100
    $DirectorySearcher.Filter = $Filter
    $SearchResultCollection = $DirectorySearcher.FindAll()
    foreach ($r in $SearchResultCollection) {
        $r.Properties['distinguishedname']
    }
    $SearchResultCollection.Dispose()
    $DirectorySearcher.Dispose()
}
$UserDn = 'CN=Rees\, John,OU=Tier3,DC=big,DC=com'
$EscapedUserDn = 'CN=Rees\5C, John,OU=Tier3,DC=big,DC=com'
# Returns expected results with escaped search term
Find-AdObjects "(&(member=$EscapedUserDn))"
# Returns same results even though search term is NOT escaped correctly
Find-AdObjects "(&(member=$UserDn))"
# Returns NO results even though search term is escaped correctly
Find-AdObjects "(&(member:1.2.840.113556.1.4.1941:=$EscapedUserDn))"
# Returns recursive results even though search term is NOT escaped correctly
Find-AdObjects "(&(member:1.2.840.113556.1.4.1941:=$UserDn))"
So I do not see an acceptable workaround, since there does not seem to be a reliable way to escape a DN that could contain a variety of special characters: \*()
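For reference, here is an added helper (not part of the question above) that applies RFC 4515 filter-value escaping to an arbitrary string. It shows the two escaping layers in play: the DN from the post is already RFC 4514-escaped ("Rees\, John"), and the filter layer then has to encode that backslash itself as \5c, along with *, ( and ), which is also what stops untrusted input from altering the filter's structure. The function name and the sample inputs are assumptions for this example.

```powershell
# Added example: RFC 4515 escaping of a value embedded in an LDAP search filter.
# The characters with special meaning inside a filter are \ * ( ) and NUL;
# everything else (including the comma used in DNs) is left as-is.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'       { [void]$sb.Append('\5c') }
            '*'       { [void]$sb.Append('\2a') }
            '('       { [void]$sb.Append('\28') }
            ')'       { [void]$sb.Append('\29') }
            ([char]0) { [void]$sb.Append('\00') }
            default   { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# Layer 1 (RFC 4514): the comma inside the CN is escaped by the directory as "\,".
$UserDn = 'CN=Rees\, John,OU=Tier3,DC=big,DC=com'

# Layer 2 (RFC 4515): the backslash of that DN escape must itself be hex-encoded
# before the DN is placed in a filter, giving the same "\5c," form as in the post.
$FilterValue = ConvertTo-LdapFilterValue $UserDn
$PlainFilter = "(member=$FilterValue)"
$ChainFilter = "(member:1.2.840.113556.1.4.1941:=$FilterValue)"

# The same helper neutralises filter metacharacters in untrusted input (a constructed
# sample): the ")" and "(" can no longer close the clause and open a new one.
$Untrusted  = 'jdoe*)(objectClass=*'
$SafeFilter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $Untrusted))"

$PlainFilter
$ChainFilter
$SafeFilter
```

Whether the directory honours the \5c form on the matching-rule filter is exactly the behaviour the question reports; the helper only shows how the value is built.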