How can I write an ldap query to include all users from my active directory except those in a certain OU?

Posted on 2011-10-28
Last Modified: 2013-12-24
I'm having a debate with myself.  I'm just starting to understand LDAP Queries and wanted to pose a couple of questions because I can't seem to find the right information anywhere.

I get I can write an LDAP query that starts at the root of my Active Directory and return all the users in my AD environment.

Now, what if I want to traverse my directory and say: give me all users in my Active Directory environment EXCEPT for the users in OU=Test,DC=somecity,DC=company,DC=com?


isn't working.  That returns all users regardless of their OU affiliation.  

Am I using the & operator incorrectly?  I also tried (what I thought was): give me all the users in the given OU...that didn't work either?


Any suggestions or assistance will be greatly appreciated!


Question by:TxCellarRat
    LVL 57

    Accepted Solution

    You didn't find anything because you can't do it :)

    This came up a few years ago on another forum and I suggested using adfind with the -excldn switch because it allows you to exclude objects with the given string in the DN.

    Later in the thread Chris Dent (Chris-Dent on this site) responded

    *****Quote from Chris not taking credit for his great answer******
    ou (organizational-unit-name) is not set by default for almost
    everything (except OUs) and wildcards are not permitted for attributes
    of type DN because they're constructed attributes (see

    Which is a pretty negative answer I'm afraid. I don't believe there is a
    way to filter out (or filter on) specific OUs in an Ldap Filter.


    Then Joe (creator of adfind) responded, I have this thread bookmarked :)

    *********Great answer from Joe**********

    Correct, the only objects that will have the OU attribute populated are the
    OU objects. You also cannot use wildcards for the DN and in fact DN isn't an
    attribute even, it is distinguishedName. As Mike mentioned, AdFind has the
    -excldn switch for this specific case and it does all the processing at the
    client, it looks at every DN returned and if there is a match to the -excldn
    string, it mutes it from the output. If it could have been done at the LDAP
    query level, certainly I would have written it that way as would be more

    What you could do, if this is for a specific application, is to set up a
    special ID for that app to use and the permissions for that ID (via a group)
    are set to not be able to see the OU (or OUs) that you need excluded. In
    general I hate DENY ACEs but this is one case where I have seen a few times
    in the wild where it made some sort of sense.


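The client-side exclusion the accepted solution describes, as an added example that is not code from this thread and not adfind's own code. It assumes the directory search has already run (for example with base DC=somecity,DC=company,DC=com and a filter such as (&(objectCategory=person)(objectClass=user))) and that each result is a dict carrying the real AD attributes distinguishedName and sAMAccountName; the user entries below are constructed. It shows two ways to drop OU=Test after the fact: a plain substring match on the DN, in the spirit of the -excldn behaviour the answer describes, and a stricter parent-DN match that also catches sub-OUs but does not accidentally drop OU=Testing or a user whose CN happens to contain "Test".

```python
"""Exclude every object under one OU from an already-fetched LDAP result set.

Added example, not from the original thread or from adfind. Assumes the
search already ran and each entry is a dict with 'distinguishedName' and
'sAMAccountName' (real AD attribute names). SAMPLE_USERS is constructed.
"""
import re

# Constructed sample result set; note the sub-OU, the similarly named OU
# and the escaped comma inside a CN, all of which trip naive matching.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "distinguishedName": "CN=Alice,OU=Sales,DC=somecity,DC=company,DC=com"},
    {"sAMAccountName": "bob",   "distinguishedName": "CN=Bob,OU=Test,DC=somecity,DC=company,DC=com"},
    {"sAMAccountName": "carol", "distinguishedName": "CN=Carol,OU=Lab,OU=Test,DC=somecity,DC=company,DC=com"},
    {"sAMAccountName": "dave",  "distinguishedName": "CN=Dave,OU=Testing,DC=somecity,DC=company,DC=com"},
    {"sAMAccountName": "eve",   "distinguishedName": "CN=Test\\, Eve,OU=HR,DC=somecity,DC=company,DC=com"},
]


def split_dn(dn: str) -> list:
    """Split a DN into its RDNs on unescaped commas.

    Escaped commas (backslash-comma) inside a value are kept, so
    'CN=Test\\, Eve' stays one RDN. Components are lower-cased and spacing
    around '=' is normalised so comparisons are case/space insensitive.
    """
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in parts]


def is_under(dn: str, container_dn: str) -> bool:
    """True when dn is container_dn itself or any object beneath it.

    Works by checking that the RDN list of dn ends with the RDN list of
    the container, so sub-OUs are included and OU=Testing is not confused
    with OU=Test.
    """
    d, c = split_dn(dn), split_dn(container_dn)
    return len(d) >= len(c) and d[-len(c):] == c


def exclude_ou(entries: list, ou_dn: str) -> list:
    """Drop every entry whose DN sits under ou_dn (sub-OUs included)."""
    return [e for e in entries if not is_under(e["distinguishedName"], ou_dn)]


def exclude_substring(entries: list, needle: str) -> list:
    """Drop every entry whose DN contains needle anywhere (case-insensitive).

    This mirrors the 'mute it if the string matches' behaviour the answer
    describes for -excldn; it is quick but over-matches, as the usage below
    shows for OU=Testing.
    """
    n = needle.lower()
    return [e for e in entries if n not in e["distinguishedName"].lower()]


def account_names(entries: list) -> list:
    """Convenience: just the sAMAccountName values, in result order."""
    return [e["sAMAccountName"] for e in entries]


if __name__ == "__main__":
    test_ou = "OU=Test,DC=somecity,DC=company,DC=com"
    print("parent-DN match :", account_names(exclude_ou(SAMPLE_USERS, test_ou)))
    print("substring match :", account_names(exclude_substring(SAMPLE_USERS, "OU=Test")))
```

Run as a script this prints the two survivor lists; the parent-DN version keeps alice, dave and eve (dave is in OU=Testing, eve only has "Test" in her CN), while the substring version also drops dave. Either way the filtering happens on the client, exactly as the accepted solution says: the domain controller still returns the OU=Test objects, so if hiding that OU from an application is a security requirement rather than a cosmetic one, the permissions approach Joe describes (a dedicated account that simply cannot read the OU) is what actually enforces it, and this kind of post-filter is only presentation.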

    LVL 6

    Expert Comment

    Well, if Active Directory supported extensible match, then you could do this.

    It is painful from MS documentation to determine if they do or not.

