Thursday, August 27, 2009

LDAP filters for MOSS User Profile Import

A typical query for importing users from AD into MOSS is -

(&(objectCategory=person)(objectClass=user))

but this also brings in service accounts and disabled accounts. To filter those out you can use the following -
To remove disabled accounts -
(!userAccountControl:1.2.840.113556.1.4.803:=2) - removes disabled accounts (1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule, and 2 is the ACCOUNTDISABLE bit of userAccountControl)

To remove service accounts (accounts with "Password never expires" set, userAccountControl bit 65536) -
(!userAccountControl=65536)
or
(!userAccountControl:1.2.840.113556.1.4.803:=65536) - in my case this one worked

The plain equality form only excludes accounts whose userAccountControl is exactly 65536; an ordinary enabled account also carries the NORMAL_ACCOUNT bit (512), so its value is 66048 and the equality test never matches it. The bitwise form tests the 65536 bit on its own, which is why it is the one to use. Note also that RFC 4515 strictly requires the negated term to be wrapped in its own parentheses, e.g. (!(userAccountControl:1.2.840.113556.1.4.803:=2)); AD accepts the shorthand without them, but the wrapped form is the portable one.

Here is the LDAP query with these filters applied -

(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536))

There might be cases where you want to filter out a particular group. Let's say you want to exclude users from a group named FilterGroup under MYOU; in this case the query will be as follows -

(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!memberOf=CN=FilterGroup,OU=MYOU,DC=mydomain,DC=local))

Keep in mind that memberOf only reflects direct membership: users who are in FilterGroup through a nested group are not excluded by this filter.

Some more examples -

Include only the accounts with email addresses ending in "com" (the mail value is matched as a string, so (mail=*com) does not match a .org address; use (mail=*) to require any email address at all)
(&(objectCategory=Person)(objectClass=User)(mail=*com))

Exclude disabled accounts and accounts that don't have a first name (the double negation (!(!givenName=*)) is just the presence test (givenName=*), written out here in its simpler form)
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(givenName=*))
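To see what each of the filters above actually selects, here is a small evaluator for the filter subset the post uses, run against a handful of made-up account records. This is an added example written for this post, not code from MOSS, from AD, or from the author; the DIRECTORY entries are constructed, and objectCategory is stored as the bare class name (AD resolves "objectCategory=person" to the schema DN for you). It also demonstrates the point about 65536: a service account with userAccountControl 66048 slips past the equality filter but is caught by the bit-AND one, and the unbalanced filter the post originally showed is rejected by the parser.

```python
"""Evaluate the post's LDAP filters against constructed AD-like records.

Added example, not the post's or MOSS's own code. Supports the RFC 4515
subset the post uses: &, |, ! (both the strict "(!(a=b))" form and the
"(!a=b)" shorthand AD tolerates), equality with '*' wildcards, presence
tests such as (givenName=*), and the bit-AND extensible match
attr:1.2.840.113556.1.4.803:=N on userAccountControl.
"""
import fnmatch

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x0002                   # userAccountControl bit 2
NORMAL_ACCOUNT = 0x0200                   # 512, set on every ordinary user
DONT_EXPIRE_PASSWORD = 0x10000            # 65536, "Password never expires"

USER_CLASSES = ["top", "person", "user"]

# Constructed sample entries (not real accounts).
DIRECTORY = [
    {"cn": "alice", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": NORMAL_ACCOUNT, "mail": "alice@mydomain.com",
     "givenName": "Alice"},
    {"cn": "bob", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,  # disabled
     "mail": "bob@mydomain.com", "givenName": "Bob"},
    {"cn": "carol", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": NORMAL_ACCOUNT, "mail": "carol@mydomain.org",
     "givenName": "Carol",
     "memberOf": ["CN=FilterGroup,OU=MYOU,DC=mydomain,DC=local"]},
    # Service account: password never expires (UAC 66048), no first name, no mail.
    {"cn": "svc-backup", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
]


def parse(text):
    """Parse a filter string into a tree; raise ValueError on unbalanced input."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing text at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _expect_close(s, i)
    if i < len(s) and s[i] == "!":
        i += 1
        if i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)          # strict form (!(attr=value))
        else:
            kid, i = _parse_item(s, i)     # AD shorthand (!attr=value)
        return ("!", [kid]), _expect_close(s, i)
    item, i = _parse_item(s, i)
    return item, _expect_close(s, i)


def _expect_close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError("unbalanced parentheses")
    return i + 1


def _parse_item(s, i):
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unbalanced parentheses")
    body = s[i:end]
    if ":=" in body:                        # extensible match attr:rule:=value
        left, value = body.split(":=", 1)
        attr, rule = left.split(":", 1)
        if rule != BIT_AND_RULE:
            raise ValueError(f"unsupported matching rule {rule}")
        return ("bitand", attr, int(value)), end
    attr, value = body.split("=", 1)        # split on the first '=' only: DNs contain more
    return ("eq", attr, value), end


def _values(entry, attr):
    """Attribute lookup, case-insensitive on the name, always returning a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "bitand":                    # true when every bit of the mask is set
        return any((int(v) & node[2]) == node[2] for v in _values(entry, node[1]))
    # "eq": case-insensitive compare; '*' is a wildcard, so (attr=*) is a presence test
    return any(fnmatch.fnmatchcase(str(v).lower(), node[2].lower())
               for v in _values(entry, node[1]))


def search(filter_text, directory=DIRECTORY):
    """Return the cn of every entry the filter selects, in directory order."""
    tree = parse(filter_text)
    return [e["cn"] for e in directory if matches(tree, e)]
```

Running the post's combined filter with `search(...)` returns only alice and carol, while the equality variant `(!userAccountControl=65536)` still returns svc-backup because 66048 is not equal to 65536. The evaluator is deliberately minimal (no escaping, no `>=`/`<=`, no approximate match) so that the bit-AND and negation behaviour stays easy to follow.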

Thanks to -
Some more resources -
MSDN – Active Directory Search Filter Syntax

1 comment:

Anonymous said...

Hi,

Thanks for sharing your insightful thoughts and suggestions - very cool and helpful indeed.

In the spirit of sharing helpful information, thought I'd mention that one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports, such as which accounts are locked out, which accounts are set to expire in the next few days, which security groups are nested, where all a user may have permissions etc.

The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from http://www.paramountdefenses.com/goldfinger.php

Why bother writing complicated scripts, using unsupported command-line tools or paying for such tools, when you can use a 100% AUTOMATED, GUI based, FREE solution that is not only SUPPORTED but also ENDORSED by Microsoft?!

If you're into Active Directory security, then this tool is a must-have. Thought I'd share this helpful tip with you!

Sincerely,
JohnM