LDAP Query for specific AD groups and OU

I have been struggling to put together an effective LDAP filter/query for the purpose of importing specific user profiles into SharePoint.

I've been using both the Advanced Search feature of Active Directory Users and Computers and LDIFDE to see what results are being returned, but I am obviously missing something because I'm either getting NO results or TOO many.

In a nutshell, I need two LDAP queries which return:

1) Active users who belong to "Security Group A" AND to the "Office" OU (or any sub OU/branch of "Office")
2) Active users who DO NOT belong to the 'Users' built-in container (or any of the sub-containers/branches of "Users" - these were created when we migrated from Exchange 2000 to 2003)


Naga Bhanu Kiran KotaCommented:

I think this post on EE would be of help for you to run a query.

Revert back with the kind of query you are running so that I can understand the query you are using.

drewberryliciousAuthor Commented:
I read that post before posting my question.  Unfortunately it was far too complex for my current skill-set.  

Essentially what I need is an LDAP filter, using the syntax shown below, to retrieve all the users who meet the criteria I originally specified:

(&(objectCategory=Person)(objectClass=User)(memberof:1.2.840.113556.1.4.1941:=(OU=Users,OU=Domain Accounts,DC=domain,DC=com)))

drewberryliciousAuthor Commented:
Allow me to be a little more specific....

In our environment, all active staff members belong within OU=Office (or a sub-OU of Office). I have included screenshots below that display the various users. As shown in the following screenshots, there are 7 users who meet these criteria.

I need to develop an LDAP filter that retrieves ONLY these users, but despite my best efforts (and a myriad of research), I've not as yet been successful.

My first real question is whether or not it is possible to filter users based on their OU membership alone.

Assuming this is possible, I am of the impression that the following query (based on http://sharepointsherpa.com/2008/03/14/sharepoint-2007-ldap-user-filters-for-limiting-user-profile-import/) should return users belonging to the Office OU:

(&(objectCategory=Person)(objectClass=User)(memberof:1.2.840.113556.1.4.1941:=(CN=Authenticated Users,OU=Office,DC=domain,DC=local)))

I don't really understand what the numbers stand for, but I thought that I had the distinguished name correct, based on my LDP.exe query (see attached image).

I then tried similar variations of the query which I found at http://mindsharpblogs.com/wayne/archive/2005/06/15/497.aspx, but the results were the same (i.e. there weren't any):

(&(objectCategory=Person)(objectClass=User)(memberOf=OU=Amsterdam, OU=Office,DC=domain,DC=local))
(&(objectCategory=Person)(objectClass=User)(memberOf=OU=PC Users,OU=HQOU=Office,DC=domain,DC=local))

If it is not possible to filter AD users by OU only, my second strategy would be to EXCLUDE users which belong to the USERS container and its sub-containers (the sub-containers are a legacy of the migration from Exchange 2000 to 2003). I tried the following, but it returned nothing.


The other alternative would be to only extract users who belong to the AD group called Actresses, but I've had no luck with this either.


Please help, I'm pulling out my hair over this one.


Naga Bhanu Kiran KotaCommented:

I think this post will give you more insight into how to base your SharePoint imports. This is a good tool on how to use LDIFDE and how to import user profiles from the SharePoint Central Admin site.


drewberryliciousAuthor Commented:
Thanks, but that's the post I referenced in my last response and I'm still not having any luck after following it.

drewberryliciousAuthor Commented:
Do you know if it's possible to include/exclude users in an LDAP query based on their OU and/or security group?

Naga Bhanu Kiran KotaCommented:

I was revisiting this post, and I found one of the user comments:

re: Importing only a specific group into sharepoint profile database (via LDAP)  3/17/2008 2:15 PM  Katherine

Hi Wayne,
We found that the syntax you offered above:
(&(objectCategory=Person)(objectClass=User) | (memberOf=CN=Corporate East,OU=Administrative,OU=Distribution Lists,OU=East,DC=domain,DC=local)(memberOf=CN=Corporate West,OU=Administrative,OU=Distribution Lists,OU=West,DC=domain,DC=local)(memberOf=CN=Corporate EMEA,OU=Administrative,OU=Distribution Lists,OU=EMEA,DC=domain,DC=local))

requires a paren before the OR separator (pipe) and a final closing paren, like this:

(&(objectCategory=Person)(objectClass=User)(|(memberOf=CN=Corporate East,OU=Administrative,OU=Distribution Lists,OU=East,DC=domain,DC=local)(memberOf=CN=Corporate West,OU=Administrative,OU=Distribution Lists,OU=West,DC=domain,DC=local)(memberOf=CN=Corporate EMEA,OU=Administrative,OU=Distribution Lists,OU=EMEA,DC=domain,DC=local)))

Can you confirm whether you have already made the corrections and checked the results?

drewberryliciousAuthor Commented:
I think the problem is that I'm trying to create a filter based on OU alone - and I just don't think that this is possible.

For example - this filter (based on a distribution list) works perfectly:
(&(objectCategory=Person)(objectClass=User)(memberOf=CN=Communications,CN=Distribution Lists,CN=Users,DC=foundation,DC=org))

However, the OU-based filter returns nothing:
(&(objectCategory=Person)(objectClass=User)(memberOf=OU=HQ Consultants & Temps,OU=HQ Users,OU=HQ,OU=Office,DC=foundation,DC=org))

drewberryliciousAuthor Commented:
I've now managed to create the two separate filters I need - I just haven't successfully joined the two statements together.

Okay, so filter 1 is:

(&(objectCategory=Person)(objectClass=User)(memberOf=CN=Team,CN=Security Groups,CN=Users,DC=foundation,DC=org))

And filter 2 is:


How do I combine the two into a single statement?

Naga Bhanu Kiran KotaCommented:

You can replace the (objectClass=User) with (objectClass=User)(|(!cn=_*)(!cn=svc*)(!cn=hello*))
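The syntax problems traced through this thread (the missing parenthesis before the `|`, the unescaped parentheses around the DN in the chain-match filter, a `!` that does not wrap a parenthesised item) and the final question of ANDing filter 1 with an exclusion can be checked offline before touching SharePoint. The following is an added example, not code from the thread: a minimal Python parser and evaluator for RFC 4515 filters, run against constructed user entries (Alice, svc-sp, Bob; not a real directory) whose group DN is taken from filter 1. It checks syntax and direct attribute values only; the OU-based filter from the thread parses fine but matches nothing, because `memberOf` holds group DNs, not the OU a user sits in.

```python
import re
def parse(text, pos=0):
    """RFC 4515 recursive-descent parser -> (tree, next_pos); ValueError on bad syntax."""
    if text[pos:pos + 1] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos:pos + 1] in ("&", "|", "!"):          # and / or / not clause
        op, pos, kids = text[pos], pos + 1, []
        while text[pos:pos + 1] == "(":
            kid, pos = parse(text, pos)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1) or text[pos:pos + 1] != ")":
            raise ValueError(f"malformed '{op}' clause near offset {pos}")  # bare '|', '!cn=...'
        return (op, kids), pos + 1
    end = text.index(")", pos)                        # simple item 'attr=value'; raises if no ')'
    item = re.fullmatch(r"([\w.;:-]+)=([^()]*)", text[pos:end])  # unescaped ( ) in a value is invalid
    if not item:
        raise ValueError(f"malformed item near offset {pos}: {text[pos:pos + 30]!r}")
    return ("=", item.group(1).lower(), item.group(2).lower()), end + 1

def is_valid(filter_text):
    """True when the whole string is exactly one well-formed filter."""
    try:
        return parse(filter_text)[1] == len(filter_text)
    except ValueError:
        return False

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (dict: lower-case attr -> list of str)."""
    op = tree[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, want = tree
    # 'memberof:<OID>:=' is an extensible match that AD applies server-side; here only direct values count
    values = [v.lower() for v in entry.get(attr.split(":")[0], [])]
    if want.endswith("*"):                            # trailing wildcard such as cn=svc*
        return any(v.startswith(want[:-1]) for v in values)
    return want in values

def combine_and(*filters):
    """AND several filters into one statement, rejecting any that fail is_valid()."""
    if not all(map(is_valid, filters)):
        raise ValueError("malformed filter in input")
    return "(&" + "".join(filters) + ")"

# Constructed sample entries (not a real directory); TEAM is the group DN from filter 1 above.
TEAM = "CN=Team,CN=Security Groups,CN=Users,DC=foundation,DC=org"
ENTRIES = {cn: {"objectcategory": ["Person"], "objectclass": ["user"], "cn": [cn], "memberof": grp}
           for cn, grp in (("Alice", [TEAM]), ("svc-sp", [TEAM]), ("Bob", []))}
```

`combine_and(filter_1, "(&(!(cn=_*))(!(cn=svc*))(!(cn=hello*)))")` yields one statement that keeps Alice and drops the svc-sp account; an OR of the same negations would keep every entry, since no cn can match all three prefixes at once.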

