How can I write an ldap query to include all users from my active directory except those in a certain OU?

Posted on 2011-10-28
Last Modified: 2013-12-24
I'm having a debate with myself.  I'm just starting to understand LDAP Queries and wanted to pose a couple of questions because I can't seem to find the right information anywhere.

I get I can write an LDAP query that starts at the root of my Active Directory and return all the users in my AD environment.

Now... what if I want to traverse my directory and say give me all users in my Active Directory environment EXCEPT for the users in OU=Test,DC=somecity,DC=company,DC=com?


isn't working.  That returns all users regardless of their OU affiliation.  

Am I using the & operator incorrectly?  I also tried (what I thought was): give me all the users in the given OU...that didn't work either?


Any suggestions or assistance will be greatly appreciated!


Question by: TxCellarRat

Accepted Solution

Mike Kline earned 2000 total points
ID: 37047260
You didn't find anything because you can't do it :)

This came up a few years ago on another forum and I suggested using adfind with the -excldn switch because it allows you to exclude objects with the given string in the DN.

Later in the thread Chris Dent (Chris-Dent on this site) responded

*****Quote from Chris not taking credit for his great answer******
ou (organizational-unit-name) is not set by default for almost everything (except OUs) and wildcards are not permitted for attributes of type DN because they're constructed attributes (see

Which is a pretty negative answer I'm afraid. I don't believe there is a way to filter out (or filter on) specific OUs in an Ldap Filter.


Then Joe (creator of adfind) responded, I have this thread bookmarked :)

*********Great answer from Joe**********

Correct, the only objects that will have the OU attribute populated are the OU objects. You also cannot use wildcards for the DN and in fact DN isn't an attribute even, it is distinguishedName. As Mike mentioned, AdFind has the -excldn switch for this specific case and it does all the processing at the client, it looks at every DN returned and if there is a match to the -excldn string, it mutes it from the output. If it could have been done at the LDAP query level, certainly I would have written it that way as would be more

What you could do is if this is for a specific application is to set up a special ID for that app to use and the permissions for that ID (via a group) are set to not be able to see the OU (or OUs) that you need excluded. In general I hate DENY ACEs but this is one case where I have seen a few times in the wild where it made some sort of sense.
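The client-side exclusion Joe describes, as an added Python example that is neither from this thread nor adfind's own code: the search filter cannot express "not under OU=Test", so every returned DN is tested against the excluded OU after the fact. Unlike adfind's -excldn substring match this does an RDN-aligned subtree test (so OU=Test does not swallow OU=Testing); the result set is constructed, and split_dn, in_subtree and exclude_ou are names assumed here.

```python
from typing import Iterable

def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN components (honouring backslash-escaped commas)
    and normalise each one, since AD compares DNs case-insensitively."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    norm = []
    for part in parts:
        attr, _, val = part.partition("=")
        norm.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return norm

def in_subtree(dn: str, base: str) -> bool:
    """True when dn is base itself or lies anywhere beneath it (RDN-aligned)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b

def exclude_ou(entries: Iterable[dict], excluded_ou: str) -> list[dict]:
    """Client-side post-filter: drop every entry whose DN sits under
    excluded_ou, the step an LDAP filter itself cannot express."""
    return [e for e in entries
            if not in_subtree(e["distinguishedName"], excluded_ou)]

# Constructed sample result set (hypothetical, not real directory data), as a
# search for (objectClass=user) from the domain root might return it.
SAMPLE_ENTRIES = [
    {"distinguishedName": "CN=Alice,OU=Staff,DC=somecity,DC=company,DC=com"},
    {"distinguishedName": "CN=Bob,OU=Test,DC=somecity,DC=company,DC=com"},
    {"distinguishedName": "CN=Carol,OU=Lab,OU=Test,DC=somecity,DC=company,DC=com"},
    {"distinguishedName": "CN=Dave,OU=Testing,DC=somecity,DC=company,DC=com"},
    {"distinguishedName": "CN=Smith\\, Eve,OU=Test,DC=somecity,DC=company,DC=com"},
]

if __name__ == "__main__":
    for e in exclude_ou(SAMPLE_ENTRIES, "OU=Test,DC=somecity,DC=company,DC=com"):
        print(e["distinguishedName"])
```

Only Alice and Dave survive: Bob and the escaped-comma entry sit directly in OU=Test, Carol in a child OU beneath it, while OU=Testing is a different branch.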




Expert Comment

ID: 37049717
Well, if Active Directory supported extensible match, then you could do this.


It is painful from MS documentation to determine if they do or not.

