Re: Filtering via OU
- From: "Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 10 May 2006 13:36:51 -0500
Hi,
The only attribute of user objects that indicates the parent container/OU is
distinguishedName (DN), and you cannot use wildcard filters on DN. The best
you can do is revise the base of the search. This would probably require
several separate searches. For example, if your AD structure is:
dc=Domain,dc=com
    ou=disabled users
    ou=users
        ou=resource accounts
        ou=others
    ou=West
    ou=East
You would need 3 searches with:
strBase = "<LDAP://" & arrstrDCs(k) & "/ou=West,dc=domain,dc=com>"
strBase = "<LDAP://" & arrstrDCs(k) & "/ou=East,dc=domain,dc=com>"
strBase = "<LDAP://" & arrstrDCs(k) & "/ou=others,ou=users,dc=domain,dc=com>"
And, if there are users in ou=users, you would need a 4th search with:
strBase = "<LDAP://" & arrstrDCs(k) & "/ou=users,dc=domain,dc=com>"
and use "base" for the scope of the search in place of "subtree" (so you
search ou=users, but not child containers).
An alternative is to retrieve all users in the domain, then in the loop
where you enumerate the user objects, parse for the parent OU and skip users
in the 2 OU's. In brief:
Dim strDN, strParent
Do Until objRecordset.EOF
    strDN = objRecordset.Fields("distinguishedName").Value
    ' The parent OU is everything after the first ",OU=" in the DN.
    strParent = Mid(strDN, InStr(UCase(strDN), ",OU=") + 1)
    ' Only process users whose parent is not one of the 2 excluded OU's.
    If (LCase(strParent) <> "ou=disabled users,dc=domain,dc=com") _
            And (LCase(strParent) <> "ou=resource accounts,ou=users,dc=domain,dc=com") Then
        ...
    End If
    objRecordset.MoveNext
Loop
If the user is in a container, such as "cn=users", the variable strParent
above will be the DN of the user (since the string "OU=" will not be in the
DN). The If statement will still allow you to only consider users not in
either of the 2 specified OU's.
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
<rhfreeman@xxxxxxxxx> wrote in message
news:1147279957.570866.33930@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi folks,
Quick question. I wish to do a search on a whole domain, but I wish to
exclude specific domains.
My current search is this:
' Retrieve lastLogon attribute for each user on each Domain Controller.
For k = 0 To Ubound(arrstrDCs)
strBase = "<LDAP://" & arrstrDCs(k) & "/" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user))"
strAttributes = "distinguishedName,lastLogon,description"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
(thanks to Richard Mueller for large bits of the script)
Basically, I wish to exclude say two OUs called OU=disabled
users,DC=domain,DC=com & OU=resource accounts,OU=users,DC=domain,DC=com
- how is this done? I can get a filter using "memberof", but that is
member of a group rather than a member of an OU sadly.
Thanks in advance!
Rich
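
Added example, not part of either original post: the client-side filtering idea from the reply, taken one step further so that users anywhere beneath an excluded OU are skipped (not only direct children) and a CN containing an escaped comma does not confuse the parent lookup. The helper names ParentDN and IsExcluded and the sample DNs are constructed for illustration; in the real script the DNs would come from objRecordset.

```vbscript
Option Explicit

' Return the DN of the parent container: everything after the first
' comma that is not escaped with a backslash (e.g. "CN=Smith\, John").
Function ParentDN(strDN)
    Dim i, ch
    ParentDN = ""
    i = 1
    Do While i <= Len(strDN)
        ch = Mid(strDN, i, 1)
        If ch = "\" Then
            i = i + 1          ' skip the escaped character
        ElseIf ch = "," Then
            ParentDN = Mid(strDN, i + 1)
            Exit Function
        End If
        i = i + 1
    Loop
End Function

' True when strDN sits in one of the OUs in arrExcluded or anywhere below it.
Function IsExcluded(strDN, arrExcluded)
    Dim strParent, strOU
    IsExcluded = False
    strParent = "," & LCase(ParentDN(strDN))
    For Each strOU In arrExcluded
        If Right(strParent, Len(strOU) + 1) = "," & LCase(strOU) Then
            IsExcluded = True
            Exit Function
        End If
    Next
End Function

Dim arrExcluded, arrSample, strDN
arrExcluded = Array("ou=disabled users,dc=domain,dc=com", _
                    "ou=resource accounts,ou=users,dc=domain,dc=com")
' Constructed sample DNs standing in for objRecordset rows.
arrSample = Array( _
    "CN=Alice,OU=West,DC=domain,DC=com", _
    "CN=Smith\, John,OU=Disabled Users,DC=domain,DC=com", _
    "CN=Printer1,OU=Floor2,OU=Resource Accounts,OU=Users,DC=domain,DC=com", _
    "CN=Bob,OU=Users,DC=domain,DC=com", _
    "CN=Guest,CN=Users,DC=domain,DC=com")
For Each strDN In arrSample
    If IsExcluded(strDN, arrExcluded) Then
        WScript.Echo "skip: " & strDN
    Else
        WScript.Echo "keep: " & strDN
    End If
Next
```

Run it with cscript.exe; matching on a leading comma plus the full OU DN keeps the comparison aligned to an RDN boundary, so an OU whose name merely ends in the same text is not excluded by accident.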