I am trying to query nearly all users in Active Directory. My normal users are in various OUs, and I want to retrieve those. But my system users are stored in the Users CN, and I don't want to retrieve those.
It looks a lot like another question, but their answer didn't help me. I'm using the hint provided here, but it's not helping out either.
I am querying in Active Directory using JNDI. My query is:
(&(objectClass=user)(!(cn:dn:=Users)))
This means all objects of class user which are not in the Users subtree. Yet, this query nevertheless returns something like this:
CN=__vmware__,CN=Users,DC=SIREDRM,DC=com
So, why is that filter not working? How else can I make it work?
With (!(distinguishedName=*,CN=Users= DC=mydomain,DC=com)), you are trying to use an attribute with DN syntax [Object(DS-DN)]; for these LDAP attributes, you cannot use wildcards in LDAP filters.
Attribute "distinguishedName": http://msdn.microsoft.com/en-us/library/ms675516%28VS.85%29.aspx
LDAP Syntax "Object(DS-DN)" http://msdn.microsoft.com/en-us/library/ms684431%28VS.85%29.aspx
In the second link, you will find the statement about the forbidden wildcard.
In general, you could use an LDAP extensible matching rule for excluding some containers from a subtree search, in your case the syntax would be similar to this
(!(cn:dn:=Users))
or something like that. The bad thing: AD doesn't support this kind of extensible match either: http://msdn.microsoft.com/en-us/library/cc223241%28PROT.10%29.aspx Read the first paragraph.
So the conclusion is: YOU CANNOT DO THIS WITH ONE SINGLE FILTER IN AN ACTIVE DIRECTORY ENVIRONMENT. Sorry.
The only solution appears to be to use a client-side tool. The script here from Microsoft will show you how to do exactly what you need (except you want Users, not Computers).
http://blogs.technet.com/heyscriptingguy/archive/2004/12/07/how-can-i-return-a-list-of-all-my-computers-except-those-in-a-specified-ou.aspx
The other thing you could look at is a virtual directory to act as a proxy to AD, which would allow you to configure filters and permissions without touching AD.
(mostly copied from the hyphen site)
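Since the question uses JNDI, here is an added example (not from the question, the answer, or Microsoft's script) of doing the exclusion on the client: run a plain (objectClass=user) subtree search and drop every result whose DN sits below CN=Users. It assumes a DirContext that is already bound to the domain controller; the DNs in main() are constructed samples, not real directory data.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

public class ExcludeContainer {

    // True when dn lies anywhere below containerDn. LdapName indexes RDNs
    // right to left (index 0 is the rightmost DC), so startsWith() tests the
    // parent chain; RDN comparison is case-insensitive, which matters because
    // AD returns DNs in mixed case.
    static boolean isUnder(String dn, String containerDn) throws NamingException {
        LdapName name = new LdapName(dn);
        LdapName container = new LdapName(containerDn);
        return name.size() > container.size() && name.startsWith(container);
    }

    // The server-side filter stays simple; the container exclusion that AD
    // cannot express in a filter is applied here, per result.
    static List<String> searchUsersExcluding(DirContext ctx, String base,
            String excludedContainer) throws NamingException {
        SearchControls ctrls = new SearchControls();
        ctrls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctrls.setReturningAttributes(new String[] {"sAMAccountName"});
        List<String> dns = new ArrayList<>();
        NamingEnumeration<SearchResult> results =
                ctx.search(base, "(objectClass=user)", ctrls);
        while (results.hasMore()) {
            String dn = results.next().getNameInNamespace();
            if (!isUnder(dn, excludedContainer)) {
                dns.add(dn);
            }
        }
        return dns;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample DNs standing in for search results.
        String[] sample = {
            "CN=__vmware__,CN=Users,DC=SIREDRM,DC=com",   // excluded
            "CN=Alice,OU=Staff,DC=SIREDRM,DC=com",         // kept
            "cn=krbtgt,cn=users,dc=siredrm,dc=com"         // excluded despite case
        };
        for (String dn : sample) {
            System.out.println(dn + " -> excluded=" + isUnder(dn, "CN=Users,DC=SIREDRM,DC=com"));
        }
    }
}
```

Because every user object is still transferred from the DC before being discarded, keep setReturningAttributes() narrow and page the search on large domains.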