Hi folks,

Quick question. I wish to do a search on a whole domain, but I wish to
exclude specific domains.

My current search is this:

' Retrieve lastLogon attribute for each user on each Domain Controller.
For k = 0 To Ubound(arrstrDCs)
strBase = "<LDAP://" & arrstrDCs(k) & "/" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user))"
strAttributes = "distinguishedName,lastLogon,description"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

(thanks to Richard Mueller for large bits of the script)

Basically, I wish to exclude say two OUs called OU=disabled
users,DC=domain,DC=com & OU=resource accounts,OU=users,DC=domain,DC=com
- how is this done? I can get a filter using "memberof", but that is
member of a group rather than a member of an OU sadly.

Thanks in advance!

Rich

Re: Filtering via OU by Richard

Richard
Wed May 10 13:36:51 CDT 2006

Hi,

The only attribute of user objects that indicates the parent container/OU is
distinguishedName (DN), and you cannot use wildcard filters on DN. The best
you can do is revise the base of the search. This would probably require
several separate searches. For example, if your AD structure is:

dc=Domain,dc=com
ou=disabled users
ou=users
ou=resource accounts
ou=others
ou=West
ou=East

You would need 3 searches with:

strBase = "<LDAP://" & arrstrDCs(k) & "/ou=West,dc=domain,dc=com>"
strBase = "<LDAP://" & arrstrDCs(k) & "/ou=East,dc=domain,dc=com>"
strBase = "<LDAP://" & arrstrDCs(k) & "/ou=others,ou=users,dc=domain,dc=com>"

And, if there are users in ou=users, you would need a 4th search with:

strBase = "<LDAP://" & arrstrDCs(k) & "/ou=users,dc=domain,dc=com>"

and use "base" for the scope of the search in place of "subtree" (so you
search ou=users, but not child containers).

An alternative is to retrieve all users in the domain, then in the loop
where you enumerate the user objects, parse for the parent OU and skip users
in the 2 OU's. In brief:

Dim strParent
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName")
    ' Everything after the first ",OU=" is the DN of the parent OU.
    strParent = Mid(strDN, InStr(UCase(strDN), ",OU=") + 1)
    If (LCase(strParent) <> "ou=disabled users,dc=domain,dc=com") _
        And (LCase(strParent) <> "ou=resource accounts,ou=users,dc=domain,dc=com") Then
        ...

    End If
    objRecordSet.MoveNext
Loop

If the user is in a container, such as "cn=users", the variable strParent
above will be the DN of the user (since the string "OU=" will not be in the
DN). The If statement will still allow you to only consider users not in
either of the 2 specified OU's.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

Re: Filtering via OU by rhfreeman

rhfreeman
Thu May 11 08:51:12 CDT 2006

Hey Richard,

Just like to say thanks for your scripts, they are great. :)

Ok, no easy way then! I'll create an array of OUs to ignore or
something like that and go through them for each user. It'll add a bit
of overhead, but I should be able to get it to work.

Thanks for your input!

Rich
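
The array-of-OUs approach mentioned in the last reply, as an added example that is not code from either poster. It goes slightly beyond the parent comparison shown earlier in the thread: it matches on the end of the distinguishedName, so users in child OUs of an excluded OU are skipped as well. The function name IsInExcludedOU and the sample DNs are constructed for illustration; it assumes DNs in the form Active Directory returns them (no spaces after the separating commas).

```vbscript
Option Explicit

' OUs to skip, taken from the question in this thread.
Dim arrExcludedOUs
arrExcludedOUs = Array( _
    "OU=disabled users,DC=domain,DC=com", _
    "OU=resource accounts,OU=users,DC=domain,DC=com")

' Hypothetical helper: True when strDN lies in, or anywhere beneath,
' one of the OUs in arrOUs. The comparison is case-insensitive and
' anchored on the leading comma, so "OU=users" does not match
' "OU=power users".
Function IsInExcludedOU(ByVal strDN, ByVal arrOUs)
    Dim strOU, strSuffix
    IsInExcludedOU = False
    For Each strOU In arrOUs
        strSuffix = "," & LCase(strOU)
        If Len(strDN) > Len(strSuffix) Then
            If LCase(Right(strDN, Len(strSuffix))) = strSuffix Then
                IsInExcludedOU = True
                Exit Function
            End If
        End If
    Next
End Function

' Constructed sample DNs standing in for objRecordSet rows.
Dim arrSample, strDN
arrSample = Array( _
    "CN=Jim Smith,OU=West,DC=domain,DC=com", _
    "CN=Old Account,OU=disabled users,DC=domain,DC=com", _
    "CN=Room 1,OU=rooms,OU=resource accounts,OU=users,DC=domain,DC=com", _
    "CN=Administrator,CN=Users,DC=domain,DC=com")

For Each strDN In arrSample
    If IsInExcludedOU(strDN, arrExcludedOUs) Then
        WScript.Echo "skip: " & strDN
    Else
        WScript.Echo "keep: " & strDN
    End If
Next
```

In the real script, the call to IsInExcludedOU would replace the two-way If test inside the Do Until objRecordSet.EOF loop.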