How to use LDAP user filtering on Barracuda anti-spam service

I am using the Barracuda ESS service for anti-spam, and I have it set up with LDAP lookup for the user accounts. Currently, when I synchronize the users from my AD to the Barracuda, It creates user accounts for all the mailboxes, distribution groups, etc. that I don't want. So this forces me to leave synchronize automatically turned off.

Looking at the settings in Barracuda, I can set custom user filtering. (See screen shot below.) However, I can't figure out the correct syntax to put in this filter. At this point, I don't care if the filter bases it on users in a specified OU or users who are members of a specific security group. I can't get anything to work.

I'm hoping this is a simple request, and I just don't know LDAP well enough to figure it out. So any help is appreciated. Here's the Barracuda settings screenshot:

ESS Screenshot
Here's the text from the Barracuda help screen for that field:
User Filter
Filter used to limit the accounts that the Barracuda Email Security Service creates when an LDAP query is made.

    Example 1: Your list of valid users on your directory server includes 'User1', 'User2', 'User3', 'BJones', 'RWong', and 'JDoe', and you create the User Filter (name=*User*). In this case, the service only creates accounts for 'User1', 'User2', and 'User3'.
    Example 2: You create the User Filter (mail=* which only pulls users matching the domain "". Any attribute that is available for reading on your LDAP server can be used in the user filter.
Eric JackIT ManagerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jian An LimSolutions ArchitectCommented:
so even (mail=*    will not work?

If this is the case, you got a faulty product or there are layer 8 issues
Eric JackIT ManagerAuthor Commented:
Oh, that works. But not the way I want it to. After syncing with that filter, it adds users for every conference room, distribution group, health mailbox, etc. because they all have * email addresses. That's why I'm trying to filter based on an OU or security group membership or something.
Jian An LimSolutions ArchitectCommented:
Okay, at least the product is not broken which make things easier.

let's try this

CEOs need to know what they should worry about

Nearly every week during the past few years has featured a headline about the latest data breach, malware attack, ransomware demand, or unrecoverable corporate data loss. Those stories are frequently followed by news that the CEOs at those companies were forced to resign.

Eric JackIT ManagerAuthor Commented:
Sorry for the delay in responding. Between a couple days off for PAX East and then New England getting walloped by that storm, I was out of the office.

That doesn't seem to be working for some reason. I've input it as:


to match my specific AD information. But when I run a syncronize on the Barracuda service, it says 0 users updated. Even after deleting one user from Barracuda and then expecting the sync to re-add him.

Jian An LimSolutions ArchitectCommented:
the memberof is wrong.

in AD, click on view/advanced features
double click on the group again and click on attribute editor
lookup distinguishedName
copy paste that line out (which should be equal to the above)
Eric JackIT ManagerAuthor Commented:
Doh! I had "ou=users" because I assumed it was checking to see what users in the users ou had the sg-barracuda security group. Well, even after changing it as you stated, I still can't get this working. Even Barracuda support seems to be stumped.

In the meantime, I'm "manually" adding any new users by making the filter say (mail=username*) where username is the new person and then it imports just the new user. It works, but it's just one more step to add to my new user process. It would have been nicer for automatic sync.
Jian An LimSolutions ArchitectCommented:
do one thing

run get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*,ou=users,dc=company,dc=com))}

and see whether it return any.

If it does, then at least we confirm, LDAP query is working, just barracuda have issues.
If you did not get anything, then is the query having issues, we need to root cause it
Eric JackIT ManagerAuthor Commented:
Run that from where?
Jian An LimSolutions ArchitectCommented:
that is a  powershell script.
you can run from your machine (if you have activedirectory module) or from domain controller
Eric JackIT ManagerAuthor Commented:
Um, I must be doing something wrong:

PS C:\Users\ejack-a> run get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*
At line:1 char:102
+ ... cn=SG-Barracuda,ou=Security,dc=tx,dc=com))}
+                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument
Jian An LimSolutions ArchitectCommented:
remove the run


get-adobject -ldapfilter  ....... 

Open in new window

Eric JackIT ManagerAuthor Commented:
Okay, I must still have something wrong in the syntax.

PS C:\Users\ejack-a> get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*,o
At line:1 char:98
+ ... cn=SG-Barracuda,ou=Security,dc=tx,dc=local))}
+                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument

PS C:\Users\ejack-a>
Jian An LimSolutions ArchitectCommented:
did you have active directory powershell imported?


import-module activedirectory

Open in new window

Eric JackIT ManagerAuthor Commented:
Same error even after running the import-module command. Here's an actual screenshot of the PowerShell window. Is it saying the error is the comma after Barracuda? Is this a simple syntax error?

Jian An LimSolutions ArchitectCommented:
i thought your group is as below?

Open in new window

Eric JackIT ManagerAuthor Commented:
No, same exact error even adding the ou=groups to the syntax.
Jian An LimSolutions ArchitectCommented:
Try the follow

get-adobject -ldapfilter {&(objectCategory=Person)(mail=*}

Open in new window

get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)}

Open in new window

is any of the above works?
command on my end works well so i am trying to think what could go wrong.
Eric JackIT ManagerAuthor Commented:
Still not working. Two different errors on each of those. BTW, you had an extra ) on your first command.

PS C:\Users\ejack-a> get-ADObject -ldapfilter {&(objectCategory=Person)(mail=*}
get-ADObject : The search filter cannot be recognized
At line:1 char:1
+ get-ADObject -ldapfilter {&(objectCategory=Person)(mail=*}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-ADObject], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8254,Microsoft.ActiveDirectory.Management.Commands.GetADObject

PS C:\Users\ejack-a> get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)}
At line:1 char:52
+ get-adobject -ldapfilter {(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx, ...
+                                                    ~
Missing argument in parameter list.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingArgument

Open in new window

Jian An LimSolutions ArchitectCommented:
i miss a (

get-adobject -ldapfilter {(mail=*}

Open in new window

also try
get-adobject -ldapfilter "(mail=*"

Open in new window

then tell me what windows Dc are you on please
Eric JackIT ManagerAuthor Commented:
Both of those work. I'm using Windows Server 2012 R2 Standard. So the previous commands must have a syntax error somewhere. I'm just not familiar enough to know what.
Jian An LimSolutions ArchitectCommented:
I am on the same platform so it is definitely going to work

get-adobject -ldapfilter {(&(objectCategory=Person)(mail=*}

get-adobject -ldapfilter "(&(objectCategory=Person)(mail=*"

try this?

then try this?

get-adobject -ldapfilter "(memberOf=cn=SG-Barracuda,ou=Security,OU=Groups,dc=tx,dc=local)"
Eric JackIT ManagerAuthor Commented:
Okay, so each of those get commands worked. It seems like there's a problem when you try to combine those different commands into one.
Jian An LimSolutions ArchitectCommented:
get-adobject -ldapfilter "(&(objectCategory=Person)(mail=*,ou=Security,OU=Groups,dc=tx,dc=local))"

Open in new window

last round. will this work?

If you want to try to use the memberof method in barracuda, and see whether it pull it correctly?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Eric JackIT ManagerAuthor Commented:
Sorry it has taken so long to respond. That last command works in Powershell. It also seems to work in Barracuda. Sort of.

Barracuda will add in a missing user. But it will not remove a user that is no longer a member of the SG-Barracuda security group. And the Barracuda also removes any linked accounts (in other words, if I add the IT distribution list to my email within Barracuda, it removes it everything the sync is run.)

Overall, I think this issue is now a Barracuda support problem. I appreciate the troubleshooting to get the LDAP lookup command working.
Eric JackIT ManagerAuthor Commented:
After a brief conversation with Barracuda support, I was told that the LDAP sync will never remove users. So that addresses that. And I also learned that since I'm linking the disto groups manually to user accounts within Barracuda, they are getting wiped out during the LDAP sync because those links don't exist in the sync. Makes sense...

Now I just need to figure out how to "link" my distribution groups to a user at the Exchange level so the LDAP sync to Barracuda copies it. Otherwise, the spam reports for emails hitting the disto groups don't reach anyone!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.