LDAP: using a filter to avoid a sub CN in Active Directory

I am trying to query nearly all users in Active Directory. My normal users are in various OUs, and I want to retrieve those. But my system users are stored in the Users CN, and I don't want to retrieve those.

It looks a lot like another question, but their answer didn't help me. I'm using the hint provided here, but it's not helping out either.

I am querying in Active Directory using JNDI. My query is:

(&(objectClass=user)(!(cn:dn:=Users)))

This means all objects of class user, which are not in the Users subtree. Yet, this query nevertheless returns something like this:

CN=__vmware__,CN=Users,DC=SIREDRM,DC=com

So, why is that filter not working? How else can I make it work?

malaverdiere asked Jan 23 '23 13:01


1 Answer

With (!(distinguishedName=*,CN=Users= DC=mydomain,DC=com)), you are trying to use an attribute with DN syntax [Object(DS-DN)]; for these LDAP attributes, you cannot use wildcards in LDAP filters.

Attribute "distinguishedName": http://msdn.microsoft.com/en-us/library/ms675516%28VS.85%29.aspx

LDAP Syntax "Object(DS-DN)" http://msdn.microsoft.com/en-us/library/ms684431%28VS.85%29.aspx

In the second link, you will find the statement about the forbidden wildcard.

In general, you could use an LDAP extensible matching rule for excluding some containers from a subtree search, in your case the syntax would be similar to this

(!(cn:dn:=Users))

or something like that. The bad thing: AD doesn't support this kind of extensible match either: http://msdn.microsoft.com/en-us/library/cc223241%28PROT.10%29.aspx Read the first paragraph.

So the conclusion is: YOU CANNOT DO THIS WITH ONE SINGLE FILTER IN AN ACTIVE DIRECTORY ENVIRONMENT. Sorry.

The only solution appears to be to use a client-side tool. The script here from Microsoft will show you how to do exactly what you need (except you want Users, not Computers).

http://blogs.technet.com/heyscriptingguy/archive/2004/12/07/how-can-i-return-a-list-of-all-my-computers-except-those-in-a-specified-ou.aspx

The other thing you could look at is a virtual directory to act as a proxy to AD, which would allow you to configure filters and permissions without touching AD.

(mostly copied from the hyphen site)

Andrew Strong answered Jan 25 '23 02:01
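The client-side approach the answer recommends, as an added example that is not part of the question, the answer or the Microsoft script: query AD with the plain (objectClass=user) filter, then drop every entry whose DN sits below CN=Users in code. The DN list is constructed sample data shaped like the result in the question (the SIREDRM domain name comes from the page); the splitting honours backslash-escaped commas and compares whole RDNs, so an OU that merely happens to be named "Users" is kept.

```python
"""Client-side exclusion of entries under CN=Users, needed because AD
rejects wildcards on distinguishedName and ignores the :dn: extensible match."""
import re

# Split a DN on commas that are not backslash-escaped (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def dn_components(dn: str) -> list[tuple[str, str]]:
    """Return [(attr, value), ...] leaf-to-root, lower-cased (AD DNs match case-insensitively)."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition('=')
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts


def is_under_container(dn: str, container_dn: str) -> bool:
    """True if dn lies strictly below container_dn; the container entry itself is not 'under' it."""
    entry = dn_components(dn)
    container = dn_components(container_dn)
    if len(entry) <= len(container):
        return False
    # Compare the trailing RDNs as (attr, value) pairs, so CN=Users != OU=Users.
    return entry[-len(container):] == container


def filter_out_container(dns, container_dn):
    """Keep only the DNs that are not inside container_dn (the client-side 'filter')."""
    return [dn for dn in dns if not is_under_container(dn, container_dn)]


# Constructed sample result set, as a subtree search for (objectClass=user) might return it.
SAMPLE_RESULT = [
    "CN=__vmware__,CN=Users,DC=SIREDRM,DC=com",          # system account in the Users container
    "CN=krbtgt,CN=Users,DC=SIREDRM,DC=com",              # another built-in account
    "CN=Jane Doe,OU=Staff,OU=People,DC=SIREDRM,DC=com",  # normal user in an OU
    "CN=Doe\\, John,OU=Contractors,DC=SIREDRM,DC=com",   # escaped comma inside the CN value
    "CN=svc-backup,OU=Users,OU=Service,DC=SIREDRM,DC=com",  # OU named Users, not the CN container
]

if __name__ == "__main__":
    for dn in filter_out_container(SAMPLE_RESULT, "CN=Users,DC=SIREDRM,DC=com"):
        print(dn)
```

The same post-processing applies unchanged to a JNDI NamingEnumeration: read getNameInNamespace() from each SearchResult and skip it when is_under_container() would be true.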