We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

LDAP: using a filter to avoid a sub OU in Active Directory

DrStalker
DrStalker asked
on
Medium Priority
8,956 Views
Last Modified: 2013-12-24

I have an application that pulls user information from an OU in Active Directory. The parameters it takes are a base for the search and a filter string.

I have an OU I want to pull information from, but there is a sub OU I want to avoid:

Wanted: users from OU=People,DC=mydomain,DC=com
Not Wanted: users from OU=Evil,OU=People,DC=mydomain,DC=com

I know that this could be done by rewriting the application performing the import to stop it searching sub-OUs, but is there any way to do this with an LDAP filter on the search? Something like (DistinguishedName !contains "Evil") or similar that will let me exclude users based on the path to the user, rather than filtering on a property of the user.
Comment
Watch Question

To return all user objects you'd us an LDAP filter like the following:

"(&(objectClass=user))"

Because Microsoft's implementation of LDAP does not recognize OUs as directory objects you can't just skip specific OUs in your search.  What you can do is filter out objects with specific OUs as part of their distinguished name.  Just more work for the same result.  An LDAP filter that returns all user objects except those with the EVIL ou in their distinguished names would look like this:

"(&(objectClass=user)(!(ou:dn:=evil)))"
PowerShell Developer
CERTIFIED EXPERT
Top Expert 2010
Commented:
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview
bluntTonyHead of ICT
Top Expert 2009
Commented:
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview

Author

Commented:
Thanks for the help, I'll purge the entries with SQL after they are imported (delete from table where DN like '%OU=Evil%') as a workaround.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.