LDAP exclude sub OU from search

active-directory ldap ldap-query
17,080

Solution 1

An LDAP search is composed of 4 elements:

  1. The node from which you ask to begin the search (the Distinguish Name of the node)
  2. The scope of your search (base, onelevel, subtree)
  3. The filter of your search (e.g. (objectClass=user))
  4. The attributes you want to retrieve.

In Active Directory, there exists no "natural" way to exclude an OU from a recursive search.

Regarding LDAP, on the theoretical point of view, ExtensibleMatch exists and enables what you want to do, but it's not supported in Active Directory.

Solution 2

For me, I needed to easily exclude disabled users from ldap search results or anything else that would show these user accounts along side enabled (active) accounts. I denied list content access for the Disabled Users OU which leaves the OU visible but the contents are not. The result is that people searches from, let's say, bound Mac clients using the Contacts app will no longer see 'ghost' users.

Solution 3

I'm doing something similar. I first use a search for 'objectclass=organizationalunit' with the search scope set to 'OneLevel'. Code looks something like this:

DirectoryEntry oDE = new DirectoryEntry("LDAP://DC=ChildDomain,DC=RootDomain")
        using (DirectorySearcher ds = new DirectorySearcher(oDE))
        {
            ds.PropertiesToLoad.Add("dn");
            ds.SearchScope = SearchScope.OneLevel;
            ds.Filter = "(objectClass=OrganizationalUnit)";
            ds.PageSize = 30;

Then I use a foreach loop to cycle through the results and compare the distinguished name of each result with the one OU I'm excluding. If the OU's dn matches, I continue to the next result. If not, then I take some action.

Share:
17,080

Related videos on Youtube

Codded
Author by

Codded

Updated on June 04, 2022

Comments

  • Codded
    Codded almost 2 years

    Say If I had a structure like the following:

    How can I exclude A and B2?

    _users
|__A
|__B
   |__B1
   |__B2
   |__B3
|__C
|__D

    ou=users, dc=domain, dc=co, dc=uk;

  • Nathan Tuggy
    Nathan Tuggy about 9 years
    Doing something similar to what? Generally, answers should stand alone, quoting and linking to any other answers or external resources they use.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

LDAP search not finding entries in child OUs
How to do ldapsearch with multiple filters?
Query Active Directory/LDAP, find users in nested organizational unit
LDAP Filter - Find all users of specific OU
Active Directory LDAP Query by sAMAccountName and Domain
What are CN, OU, DC in an LDAP search?
Query to list all users of a certain group
How to escape a string in C#, for use in an LDAP query
What are the other alternative to test a LDAP connection on linux machine
How to retrieve DirectoryEntry from a DirectoryEntry and a DN