LDAP Query Excluding OU

  • Question

  • We are using a service that imports users based on LDAP Queries.

    Ordinarily, we are not having a problem doing one Query for OU, but I would rather have 1 query that would do the same function, if possible.

    Here's the scenario:  The LDAP Query finds Users in Specific OUs. Here's the layout

    --- OU ROOT

          -----------OU A


          -----------OU H

    We're searching for Active Users with 


    As I mentioned, one query per OU does work, but we have users in like 20+ OUs. I would like to include say OU A, OU B, OU C, and OU D ONLY to this list and exclude the others. This is what I've been having trouble with.

    Been reading where you can't do an LDAP Query and use OU Membership as a Filter. Here's what I've been trying to no avail.

    (&(objectCategory=user)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) (&(objectClass=organizationalUnit)(!(OU=OU A))))

    (&(objectCategory=user)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)) (!(ou:dn:=OU B)))

    (&(objectCategory=user)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) (| (&(objectClass=OU B)(OU=users)) (&(objectClass=organizationalUnit)(OU=OU A)))

    Could you do an LDAP Query using the "OR" operator using the memberof attribute?

    Wednesday, June 12, 2019 2:01 PM

All replies

  • First of all, users are not members of an OU. The DN of an OU is never included in the memberOf attribute. And if you are filtering on users, you cannot filter on the ou attribute, as this is an attribute of OU objects only.

    As you may be aware, any filter on a DN syntax attribute cannot include any wildcard characters. And the base of any query can only include the DN of one container (an OU or container or domain).

    The only solution is to retrieve all enabled users in your base, then enumerate the results and consider only those where the distinguished names of the users are in your specified OUs. Or, if you want to consider just 4 OUs, then 4 queries will work. Each query can have but one base.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, June 12, 2019 2:29 PM
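    The enumerate-then-filter approach from the answer above, as an added Python example that is not code from this thread. The search results and the allowed OU DNs are constructed samples; in practice the list would come from whatever LDAP client runs the enabled-users filter against the OU ROOT base. The check compares the full DN of the user's container, not just the OU name, so an "OU A" that lives under a different parent is not matched by accident, and it splits only on commas that are not backslash-escaped, so a CN such as "Smith\, Dan" is handled correctly.

```python
import re

# Constructed sample search results, shaped like what a search over the base
# OU returns (DN plus userAccountControl). Not real directory data.
SAMPLE_RESULTS = [
    {"dn": "CN=Alice,OU=OU A,OU=ROOT,DC=example,DC=local", "userAccountControl": 512},
    {"dn": "CN=Bob,OU=OU B,OU=ROOT,DC=example,DC=local", "userAccountControl": 514},
    {"dn": "CN=Carol,OU=OU H,OU=ROOT,DC=example,DC=local", "userAccountControl": 512},
    {"dn": "CN=Smith\\, Dan,OU=Staff,OU=OU C,OU=ROOT,DC=example,DC=local", "userAccountControl": 512},
    {"dn": "CN=Eve,OU=OU A,OU=Other,DC=example,DC=local", "userAccountControl": 512},
]

# Constructed: the full DNs of the OUs whose users should be imported.
ALLOWED_OUS = [
    "OU=OU A,OU=ROOT,DC=example,DC=local",
    "OU=OU B,OU=ROOT,DC=example,DC=local",
    "OU=OU C,OU=ROOT,DC=example,DC=local",
]

ACCOUNTDISABLE = 0x2  # the userAccountControl bit the question's filter tests


def parent_dn(dn):
    """Return the DN of the container holding the object: everything after the
    first comma that is not escaped with a backslash (RFC 4514 escaping)."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1].strip() if len(parts) == 2 else ""


def in_allowed_ou(dn, allowed_ous, include_children=True):
    """True if the object's container is one of allowed_ous (full DNs, compared
    case-insensitively) or, with include_children, sits anywhere beneath one."""
    container = parent_dn(dn).lower()
    for ou in allowed_ous:
        ou = ou.lower()
        if container == ou or (include_children and container.endswith("," + ou)):
            return True
    return False


def select_users(results, allowed_ous, include_children=True):
    """Keep enabled users (ACCOUNTDISABLE clear) whose DN sits under an allowed OU."""
    return [r["dn"] for r in results
            if not r["userAccountControl"] & ACCOUNTDISABLE
            and in_allowed_ou(r["dn"], allowed_ous, include_children)]


if __name__ == "__main__":
    for dn in select_users(SAMPLE_RESULTS, ALLOWED_OUS):
        print(dn)
```

Set include_children=False if users in sub-OUs of the allowed OUs should be left out.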
  • That makes sense. I was thinking of something like that.  

    How would the syntax look for getting all users in our base and then enumerating the results for only those where the distinguished name of the user is in a specific OU?

    Wednesday, June 12, 2019 4:03 PM
  • Depends on your scripting language and methods. Are you using ADO objects or DirectorySearcher, in VBScript or PowerShell? Or are you using the AD modules in PowerShell and the -LDAPFilter parameter?

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, June 12, 2019 5:22 PM