LDAP Query Filter Question 2

Status
Not open for further replies.

jefegrande

Programmer
Apr 3, 2006
4
US
I am trying to get all of my users in Active Directory that are not in the Disabled Accounts OU. I thought that the following would work, but it does not.

(&(objectClass=user) (!(ou=Disabled Accounts)))

I'm using this filter for a Coldfusion application using the CFLDAP tag.
Any help is greatly appreciated.
Thanks.

Mark F
 
It is not possible to filter on OU that way and your syntax is wrong. There are only a couple of workaround ways to filter based on OU:

1) If there is another attribute on the user objects that can be filtered on, e.g. disabled, location, etc.

2) Depending on the structure of your LDAP, you can change the base of your LDAP search so that the "disabled ou" is not in the directory tree being searched.

3) You can write code outside of your filter to only consider objects not in that ou. It would have to be an "If Then" statement.
 
It is not possible to filter on OU because it is not a property of the objectClass user. Since you are stuck with using an LDAP query, how about the following:
Code:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
This will return all Active users. Another suggestion would be to create a security group "Disabled Users" and add your disabled accounts to that. Then you could query based on who is not a member of that group by specifying the DN of the group:
(!(memberOf=CN=DisabledAccounts,OU=DisabledUsers,DC=Domain,DC=com))


Jesse Hamrick
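Workaround 3 (filtering in code by DN) and the userAccountControl bit test from the replies above, worked through offline as an added example; it is not code from any poster in this thread. The OU location, the sample entries and the function names are assumptions made for illustration, and the DN splitting handles backslash escapes only.

```python
ACCOUNTDISABLE = 0x2  # bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2)

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes only)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r.lower() for r in rdns]  # compared case-insensitively here

def is_under(dn, container_dn):
    """True if dn sits strictly below container_dn (RDN-wise suffix match)."""
    entry, container = split_dn(dn), split_dn(container_dn)
    return len(entry) > len(container) and entry[-len(container):] == container

def is_disabled(entry):
    """Client-side form of the bitwise-AND matching rule with value 2."""
    return bool(int(entry["userAccountControl"]) & ACCOUNTDISABLE)

def active_users(entries, excluded_ou):
    """DNs of entries that are neither under excluded_ou nor flagged disabled."""
    return [e["dn"] for e in entries
            if not is_under(e["dn"], excluded_ou) and not is_disabled(e)]

DISABLED_OU = "OU=Disabled Accounts,DC=Domain,DC=com"  # assumed location
SAMPLE = [  # constructed search results, not real directory data
    {"dn": "CN=Ann Lee,OU=Staff,DC=Domain,DC=com", "userAccountControl": "512"},
    {"dn": "CN=Bob Ray,ou=disabled accounts,dc=domain,dc=com", "userAccountControl": "512"},
    {"dn": "CN=Cy Orr,OU=Staff,DC=Domain,DC=com", "userAccountControl": "514"},
    # Escaped comma in the CN: a substring test for the OU name would wrongly drop this one.
    {"dn": "CN=Dee\\,OU=Disabled Accounts,OU=Staff,DC=Domain,DC=com", "userAccountControl": "66048"},
]

if __name__ == "__main__":
    for dn in active_users(SAMPLE, DISABLED_OU):
        print(dn)
```

Checking both conditions matters when the result feeds an access decision: an account can be disabled without having been moved into the OU, and an enabled account can be sitting in it.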
 