
LDAP Query - Filter For OU or CN

I am generating an LDAP query for Exchange Mailbox Management. The current query returns all mailbox-enabled users and then filters specific groups and individual users via the '!' operator. Now I need to change this to also filter for any users that are within a particular container or OU. I've been searching around and have not found a decent way of doing this. I've tried using the distinguished name with a wildcard (i.e. distinguishedName=CN=*,OU=MyOU,DC=Domain,DC=TLD).

Does anyone have any ideas?
Asked by: Broxoth
 
LauraEHunter (MVP) commented:
For something like that I would use adfind (free download from www.joeware.net/freetools) -

The -excldn switch will exclude from search results any DN containing a particular string
The -incldn switch will only return results containing a particular string in the DN

So adfind -default -f "<whatever LDAP filter you want>" -incldn Users will only return objects that have the string "Users" somewhere in their DN. Or adfind -default -f "<ldap filter>" -excldn Users will return all objects -except- those that have the string "users" somewhere in their DN.
 
Broxoth (Author) commented:
That's cool but I wouldn't be able to use this for Mailbox Management processing on an Exchange server.
 
Chris Dent (PowerShell Developer) commented:

Sorry, there are no filters for OUs in LDAP queries. A great shame.

Filtering based on Group Membership isn't so good either. We have to use the Custom Attributes to achieve anything which would ordinarily be covered by OU / Group filtering.

Chris
 
Broxoth (Author) commented:
I've actually had good success with group membership filtering but that is absolutely ridiculous that MS doesn't have a way to filter by OU or Group built into the AD schema within the GUI itself. Well, if anyone comes up with something, let me know. Thanks!
 
Chris Dent (PowerShell Developer) commented:

I only mention groups because of this one:

http://support.microsoft.com/kb/304516

It's specific to Recipient Policies and is certainly worth being aware of.

Otherwise I agree, it's far from helpful that OU Filtering cannot be done. In most other situations you would set the base of the LDAP Search to the OU in question. If only that worked with Recipient Policies as it does with Query-Based Distribution Lists.

Chris
 
Broxoth (Author) commented:
Very good info in the KB. Thanks! So your company uses the custom attributes for Recipient Policies?
 
Chris Dent (PowerShell Developer) commented:

We do, yes. It's not as convenient and requires some maintenance if you need to swap around addresses, but does provide very reliable results.

Chris
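
Added example, not part of any post in this thread: where the search base cannot be set to the OU but the results can be post-processed by a script, they can be filtered by container on the client, in the spirit of the -incldn / -excldn switches described above. This version compares parsed RDNs against the DN suffix instead of searching for a substring, which goes beyond what the thread describes; the function names and sample DNs are constructed for illustration.

```python
def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def normalise(rdn):
    """Case-insensitive comparison form: 'OU = MyOU' -> 'ou=myou'."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def is_under(dn, container_dn):
    """True if dn sits strictly below container_dn, at any depth."""
    entry = [normalise(r) for r in split_dn(dn)]
    base = [normalise(r) for r in split_dn(container_dn)]
    return len(entry) > len(base) and entry[-len(base):] == base


def filter_by_container(dns, container_dn, exclude=False):
    """Keep (or, with exclude=True, drop) entries below container_dn."""
    return [dn for dn in dns if is_under(dn, container_dn) != exclude]


# Constructed sample DNs, not output from a real directory.
SAMPLE_DNS = [
    "CN=Alice,OU=MyOU,DC=Domain,DC=TLD",
    "CN=Bob,OU=Staff,OU=MyOU,DC=Domain,DC=TLD",
    "CN=Smith\\, John,OU=MyOU,DC=Domain,DC=TLD",  # escaped comma in the CN
    "CN=MyOU Admin,OU=Other,DC=Domain,DC=TLD",  # substring hit, wrong container
    "cn=carol,ou=myou,dc=domain,dc=tld",
]

if __name__ == "__main__":
    for dn in filter_by_container(SAMPLE_DNS, "OU=MyOU,DC=Domain,DC=TLD"):
        print(dn)
```

A plain substring match on "MyOU" would also return "CN=MyOU Admin,OU=Other,..."; the suffix comparison does not.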