LDAP Filter to exclude a sub OU?

I have a need to exclude a sub OU from a search base. CUCM is LDAP integrated to Active Directory. The directory search is basically OU=Users,DC=company,DC=local. There are a couple of OUs located under the Users container (OU=service, OU=special). A third party manages this company's AD and is not willing to make any changes to the structure. Does anyone have a suggestion for a filter that will work to filter out the users in the OU=special? I have tried several things, but the ones I thought would work are:
1. (&(objectClass=user)(!(OU=special)))  have tried this with the full search base as well
2. (!(&(objectClass=user)(OU=special)))
Any help would be appreciated.

Hi gpword,
I don't think you can exclude a sub OU, at least I could never get it working.
A few options you can use.
1. Add all the users in the "Special" OU to a group and then exclude that group - I use this option and it works
(&(ipPhone=*)(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(!(memberOf=cn=GrouptoExclude,ou=XXXX,ou=XXXXX,DC=domain,DC=local)))
2. As above you could utilise the ipPhone field and only sync users who have this set or only sync users who are a member of a particular group below
(&(ipPhone=*)(objectclass=user)(memberOf=cn=USERStoSYNC,ou=XXXX,ou=XXXX,DC=domain,DC=local)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
The above examples also exclude disabled accounts and computer objects, and include only users with the ipPhone field set.
Thanks,
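
Why both filters from the question select every user while the group-based filter from the reply narrows the sync, shown as an added example that is not part of the original thread: a minimal filter evaluator run over constructed entries. The sample names, the group's location and the helper functions are assumptions made for illustration.

```python
BASE = "OU=Users,DC=company,DC=local"
GROUP = "CN=GrouptoExclude,OU=Groups,DC=company,DC=local"  # constructed DN
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule
# Constructed sample directory. As in AD, user objects carry no "ou" attribute:
# the OU appears only in the DN, which these filters do not test.
ENTRIES = [
    {"dn": "OU=special," + BASE, "objectClass": ["organizationalUnit"],
     "ou": ["special"]},
    {"dn": "CN=Alice," + BASE, "objectClass": ["user"],
     "ipPhone": ["1001"], "userAccountControl": ["512"]},
    {"dn": "CN=Bob,OU=special," + BASE, "objectClass": ["user"],
     "ipPhone": ["1002"], "userAccountControl": ["512"], "memberOf": [GROUP]},
    {"dn": "CN=Carol,OU=service," + BASE, "objectClass": ["user"],
     "ipPhone": ["1003"], "userAccountControl": ["514"]},  # 514 = disabled
    {"dn": "CN=PC01," + BASE, "objectClass": ["user", "computer"],
     "userAccountControl": ["4096"]},  # computer objects are also "user"
]

def parse(text, i=0):
    """Parse one parenthesised filter at text[i]; return (node, next_index)."""
    i += 1  # step over the opening "("
    if text[i] in "&|!":
        op, children = text[i], []
        i += 1
        while text[i] == "(":
            child, i = parse(text, i)
            children.append(child)
        return (op, children), i + 1  # step over the closing ")"
    end = text.index(")", i)
    attr, value = text[i:end].split("=", 1)
    rule = None
    if attr.endswith(":"):  # extensible match: attr:rule:=value
        attr, rule = attr[:-1].split(":", 1)
    return ("item", attr.lower(), rule, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (two-valued simplification)."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    # An attribute the entry does not hold yields no values, so the test is False.
    values = next((v for k, v in entry.items()
                   if k != "dn" and k.lower() == attr), [])
    if rule == BIT_AND:
        return any((int(v) & int(value)) == int(value) for v in values)
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def search(filter_text, entries=ENTRIES):
    tree, _ = parse(filter_text)
    return [e["dn"].split(",")[0] for e in entries if matches(tree, e)]

QUESTION_1 = "(&(objectClass=user)(!(OU=special)))"
QUESTION_2 = "(!(&(objectClass=user)(OU=special)))"
REPLY_1 = ("(&(ipPhone=*)(objectclass=user)(!(objectclass=Computer))"
           "(!(UserAccountControl:" + BIT_AND + ":=2))(!(memberOf=" + GROUP + ")))")
if __name__ == "__main__":
    for f in (QUESTION_1, QUESTION_2, REPLY_1):
        print(f, "->", search(f))
```

Only the OU container itself holds `ou=special`, so negating that test is true for every user object; the `memberOf` exclusion works because group membership is an attribute on the user entry.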

Similar Messages

  • Any way to use filter to exclude tables in navigation pane?

    Is there any way to use filter to exclude a set of tables from the table list in the navigation pane? I have a number of tables (15+) starting with the same prefix eg. AB123 that I would like to eliminate from the list. They sort right to the top and I always have to scroll down, and go through the show more dialog to see the entire list.
    I am sure I'm missing something, but not sure what. Help Center has nothing to offer.
    Thanks
    Glenn

    This has been mentioned on the forum before - basically the need for more elaborate ways to filter (multiple conditions as well as 'not like'). It is on our list for future consideration, meaning post-production.
    -- Sharon

  • Creating LDAP filter in authorization rule OAM 10G

    Hi,
    I want to set up an LDAP filter in an Authorization rule based on which I will redirect users to specific URLs. What is the syntax for writing LDAP filters in OAM authorization policy? Any pointers to documentation will be appreciated.
    Also I want to know whether authorizations always follow authentication, i.e. my redirection will be successful only after a user is authenticated in the end application based on the headers we send out after successful authentication.
    Please Help
    Thanks

    Open Identity server console and check the attribute's Display Name and type in Object classes section. I recently faced a similar issue and it got fixed after providing these two values.
    Hope it works for you as well :)

  • VSOM 7.0.1 LDAP Filter AD

    Hello!
    LDAP server settings are as follows: 
    Name: SFC.LOCAL
    Host Name: 192.168.104.252
    port: 389
    Member of: %USERID%@sfc.local
    Database search for users: OU=Accounts,DC=sfc,DC=local
    User ID attribute: sAMAccountName
    How to create a filter selecting users from a specific location in the AD hierarchy?
    People are on the way: 
    OU=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local
    try like this: 
    search path: OU=Accounts,DC=sfc,DC=local
    Filter: (&(sAMAccountName=%USERID%)(memberOf=CN=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local))
    Runtime Error: The user with the given name is not found in the LDAP filter by (&(sAMAccountName=drozdov.alexander)(memberOf=CN=SPK,OU=Offices,OU=Delegate,OU=Common,OU=Accounts,DC=sfc,DC=local))
    in it may be inaccurate filter configuration?

    Hello Alex,
    Here is the example to do LDAP search filter configuration. Let me know if this helps.
    •General Settings
    Hostname: ds.cisco.com
    Port: 389
    Principal: %USERID%@cisco.com
    User Search Base: ou=Cisco Users,dc=cisco,dc=com
    Userid Attribute: sAMAccountName
    •LDAP Search Filter:
    Select a Cisco mailing list you are on from mailer.cisco.com, and substitute its name for <anyMailer> in the Filter below
    Search Path: ou=Cisco Users,dc=cisco,dc=com
    Filter: (&(sAMAccountName=%USERID%)(memberOf=CN=<anyMailer>,OU=Mailer,OU=Cisco Groups,DC=cisco,DC=com))
    Br,
    Nadeem Ahmed

  • Smart Folders: Possible to exclude specific sub-folders?

    I want to create a smart folder that shows all documents opened in the past two weeks within my user folder, but I want to exclude my browser cache and various Library files.
    Is there a way to exclude certain sub-folders from a smart search? I'd like to figure this out because it would be really useful to me in other ways too.
    Thanks.

    Unless you have done a little hack you should not see any files from your ~/Library folder in a search, unless you explicitly tell Spotlight to display system files. Browser files are included if you start your search from the Spotlight icon. But if you start with a search window by invoking it with Command-F that won't happen. There is no way I know of to exclude sub-folders in a search. Try this and see if it returns what you want:
    1. Open your home folder
    2. Hit Command-F
    3. Select your home folder rather than the idiotic default of This Mac in the search toolbar
    4. Underneath that you should see Kind:is:Any--click the double arrows and change Any to Documents
    5. Click the + button
    6. Select "Last opened date" from the drop down menu, then "with last" and fill in 2, then select "weeks" from the final drop down menu
    Be aware that the definition of "Documents" is pretty much everything, from Word docs to html files, to jpegs, tiffs, text files, pdfs, and so on.
    Francine Schwieder

  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
    I'm having hard time creating an authorization rule to verify ldap group membership. I've followed "Configure User Authorization" article from Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme w ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme w Allow Access attrib filter-based Rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
    While query looks somewhat correct and works as a command-line argument (slightly modified format), it does not work in OAM (meaning people w out req-d group membership can still login).
    Can someone steer me to the right direction as to what do I need to do:
    1. Change/fix the ldap query
    2. Create new Authz scheme with uniqueMember userParameter; create new Authz rule based on new authz scheme; create new Allow Access filter rule with the ldap query I have
    3. Do smth else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules
    First for user with attribute
    and second for group
    and then in authorization expression you can have AND of these two.
    Regarding your query...
    First ... If your requirement is to give access to all the members of a particular group then you don't require any ldap filters
    All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group so click on the group tab, its little hard to see but its there in light blue color on dark blue tab) -> select the group you want to give access
    Second.. If your requirement is such that you want to give access to a member of a group which has certain attribute lets say group with status active ( In this case you are not aware of the name of the group because user can be a member of any group but you want to give access only to the group with specific attribute.) then you have to write custom authorization plugin.
    If the option is second let me know i can give you a solution which will work for a single domain without any effort of developing a major plugin.
    Hope this helps,
    Sagar

  • How to Exclude sub directories from polling using FileAdapter of BPEL Proc

    Hi all,
    I have a BPEL process with a file adapter which is polling the root folder.
    I want to exclude file polling for some of the sub folders of the BPEL process.
    How to exclude file polling for a sub folder? I know the option is available for file name, not for folder.
    Thanks
    Phani

    dude, you have to give the exact name of the folder you want to poll to,
    you can also pass the location of the folder at runtime/dynamically.
    In 10 G only single location can be polled by single file adapter
    in 11 g we can poll different folders by single file adapter
    However I doubt that there can be selective polling to multiple folder.

  • Function module for hierarchy of classes excluding a sub tree.

    Hi,
    I am working on a custom transaction for hierarchy of classes by cloning the standard CLHP transaction.
    There were some FMs which will give all the subclasses of a class or all super classes of a sub class,
    for ex. FM: CLHI_STRUCTURE_CLASSES.
    But my requirement is to get all the lower level classes except a specified class( excluding its subclasses also if any).
    Thanks in advance,
    Satya.

    Hi Stephen,
    Yes this is what the org unit I want to exclude is called. I'm actually wondering when the filtering is supposed to happen. Is it at the extraction of the data in the FM? I took a look at the FM  /NAKISA/OC_OU_STRUCTURE and I could not see a filtering logic anywhere in the code. I saw some authority checks though, and I'm wondering if the following method would work:
    - in the SAP side, exclude the org unit from the area of responsibility of the RFC user (an RFC user is used in all the data connections)
    - modify the parameters of the /NAKISA/OC_OU_STRUCTURE FM so that an area of responsibility check is performed (parameter AOR_CHECK set to 'X') on the RFC user (parameter IM_UNAME set to the RFC User's uname).
    What do you think?
    Thanks
    M.E.

  • Building a report filter that excludes non-business hours and weekends

    Hi All,
    I need to know if this can be done in Answers:
    I have built a system in CRM that captures timestamps when SRs are moved into and out of stages in the SR resolution lifecycle. Then I have a report that uses timestampdiff to calculate the time that a SR spends in each SLA metric window (Respond, Diagnose, Resolve). The report currently displays only the hard difference based on a 24 hour clock.
    We need to be able to build a filter that will exclude any non-business hours (say outside of 9:00 to 5:00) and weekends, so that if my Respond window is 2 hours and an issue is recorded with a Response Start timestamp of 4:00pm, the report would show that if the Response Stop timestamp is at 9:30am the next business day, the SR met the required SLA.
    Does anyone know if this can be done? If so, any insight on how to build it? I've seen a document that explains how to exclude weekends from workflow, but can the same thing be done in reporting?
    This is a very urgent request and any help here is greatly appreciated.
    Thanks!

    Exclude weekends you can do but not business hours, but perhaps you can create something....if timestampdiff(Days) greater than 1 then take off 16 hours....Mike Lairson's book has the formula for excluding weekends and I think someone may have posted it in this forum if you search for it.
    cheers
    alex

  • Filter value - exclude option

    Hi,
    We have created a query with Vendor Number as Filter and We have excluded few vendor numbers (attributes). This query is working fine now.
    But, whenever any new vendor numbers are added, we would like to have automatic exclusion for any vendor number having the description for example
    " CHICAGO SUPPLIER ....".
    Regards,
    Murali

    Hi,
    It seems you already have 2 threads about the same issue...can you please close them with appropriate comments, or state why the suggestions provided are not working out for you:
    https://forums.sdn.sap.com/click.jspa?searchID=1389348
    https://forums.sdn.sap.com/click.jspa?searchID=1389348

  • Filter value -  Exclude option -  Help urgently

    Hi,
    We have created a query with Vendor Number as Filter and We have excluded few vendor numbers (attributes). This query is working fine now.
    But, whenever any new vendor numbers are added, we would like to have automatic exclusion for any vendor number having the description for example
    " CHICAGO SUPPLIER ....".
    Please advise.
    Advance Thanks.
    BW Learner

    There is something called text variable, which I never used, might be of some help for you...
    http://help.sap.com/saphelp_nw04/helpdata/en/85/e0c73cccbdd45be10000000a114084/content.htm
    Using Text Variables
    Use
    Text variables represent a text and can be used in descriptions of queries, calculated key figures and structural components.
    When the system is replacing text variables, if it finds no values or multiple values for the reference characteristic and is thus unable to determine a unique value, the technical name is output as the result: &<technical name of the text variable>&
    Procedure
    Selecting existing text variables
    Choose  to select an existing text variable.
    Changing existing text variables
           1.      If you want to change an existing text variable, select the text variable in the Description field and click with the left mouse button on the selected text variable.
           2.      From the context menu that appears below the field, choose Change Text Variable. The SAP BW Variables Editor appears.
    For more information, see Changing Variables in the Variable Editor.
    Creating new text variables
           1.      In the Description field, enter an ampersand &.
           2.      From the context menu that appears automatically, choose New Text Variable. The SAP BW Variables Wizard appears.

  • How to setup an LDAP filter in OpenDirectory

    Hello,
    I hope I am posting to the right forum.
    I have an existing central directory managed by LDAP.
    The users can authenticate against my LDAP server.
    In the LDAP directory, the users have a special attribute, making a list of machines and services they can or cannot access.
    How to configure OpenDirectory to apply a filter to the LDAP records, so only users with a given value (lets say "macosx" in a given attribute) can authenticate?
    For example, on another machine (FreeBSD) I have the following in pal_ldap configuration:
    nssbasepasswd ou=People,ou=csim,dc=cs,dc=ait,dc=ac,dc=th?one?csimAccountPermission=sambalogin
    where csimAccountPermission=sambalogin is the filter and only users with that key will be able to use samba service.
    TIA,
    Olivier

    Please try this forum, its for OS X server.
    http://discussions.apple.com/category.jspa?categoryID=96

  • Q: UCM Ldap filter not finding groups

    Hi There,
    I am setting up UCM and am having problems with group(roles) being set by the ldap provider.
    The users authorizes, but the ldap search returns no groups.
    LDAP mapping of roles gives the following error every time...
    userstorage 09.03 10:06:59.806 IdcServerThread-34 Loaded extended info for user ucm_user
    userstorage 09.03 10:06:59.806 IdcServerThread-34 Loading Attributes for user ucm_user
    userstorage 09.03 10:06:59.806 IdcServerThread-34 UseFullGroupName false
    userstorage 09.03 10:06:59.807 IdcServerThread-34 UseGroupFilter true
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Searching for groups containing user CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Using search filter (&(objectclass=group)(member=CN\3ducm_user\2cOU\3dcityr\2cOU\3dUsers-Active\2cDC\3dabc\2cDC\3dcom))
    userstorage 09.03 10:06:59.807 IdcServerThread-34 Searching for groups based at DN ou=Users-Active,dc=abc,dc=com
    userstorage 09.03 10:06:59.904 IdcServerThread-34 No groups found for user CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.905 IdcServerThread-34 Adding default network account '#none" to CN=ucm_user,OU=city,OU=Users-Active,DC=abc,DC=com
    userstorage 09.03 10:06:59.905 IdcServerThread-34 Attributes loaded
    userstorage 09.03 10:06:59.905 IdcServerThread-34 LdapProvider.checkCredentials() finished in 0.182 seconds.
    Using a freeware ldap gui (ldapadmin.exe), I can run the query just fine, the groups are found.
    Has anyone seen this before?
    Thanks

    Please see the attached link under primaryGroupID, which states that the
    Domain Users group is not part of the memberOf attribute.
    http://msdn.microsoft.com/en-us/library/ms677943.aspx
    That explains why the mapping fails for any Domain Users as seen in the debugs

  • LDAP - Filter on groups (iPlanet)

    We connected Weblogic to our LDAP server (iPlanet type) and successfully imported all users and groups.
    Now we want to filter on the users being in one group (we are not interested in all users).
    With an ActiveDirectory LDAP Provider you can set at the All Users filter & User From Name filter:
    (&(sAMAccountName =*)(memberOf= CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com)(objectclass=person))
    With this filter in place, only users that are member of "CN=OBIEE,OU=Security,OU=Groups,OU=COMP1,DC=COMPANY,DC=com" will be able to login.
    Now we are migrating the LDAP server from ActiveDirectory to iPlanet.
    The structure of this system is:
    GROUPS
    GRP OBIEE
    uniqueMember:MVL
    uniqueMember:DFG
    USERS
    uniqueMember: MVL
    The relation between users and groups is stored on group level.
    Does anyone know if this is possible and what the structure of the filter is?
    Thanks in advance.

    Have you already found a work around?
    Depending on your DIT, I'd assume you could set your base lower, and just do a search for (!(objectclass=SAccount)).
    Also, you've probably checked it a number of times already, but could there be a spelling error? Have you tried using the wildcard on your ! filter, so that it reads:
    (&(objectclass=customAccount)(!(objectclass=customSA*)))
    Good luck!
