I am trying to query nearly all users in Active Directory.
My normal users are in various OUs, and I want to retrieve those. But my system users are stored in the Users CN, and I don’t want to retrieve those.
It looks a lot like another question, but their answer didn’t help me. I’m using the hint provided here, but it’s not helping out either.
I am querying in Active Directory using JNDI. My query is:
(&(objectClass=user)(!(cn:dn:=Users)))
This means all objects of class user, which are not in the Users subtree. Yet, this query nevertheless returns something like this:
CN=__vmware__,CN=Users,DC=SIREDRM,DC=com
So, why is that filter not working? How else can I make it work?
With (!(distinguishedName=*,CN=Users,DC=mydomain,DC=com)), you are trying to use an attribute with DN syntax [Object(DS-DN)]; for these LDAP attributes, you cannot use wildcards in LDAP filters.
Attribute “distinguishedName”:
http://msdn.microsoft.com/en-us/library/ms675516%28VS.85%29.aspx
LDAP Syntax “Object(DS-DN)”
http://msdn.microsoft.com/en-us/library/ms684431%28VS.85%29.aspx
In the second link, you will find the statement about the forbidden wildcard.
In general, you could use an LDAP extensible matching rule for excluding some containers from a subtree search, in your case the syntax would be similar to this
or something like that. The bad thing: AD doesn’t support this kind of extensible match either:
http://msdn.microsoft.com/en-us/library/cc223241%28PROT.10%29.aspx
Read the first paragraph.
So the conclusion is: YOU CANNOT DO THIS WITH ONE SINGLE FILTER IN AN ACTIVE DIRECTORY ENVIRONMENT. Sorry.
The only solution appears to be to use a client-side tool. The script here from Microsoft will show you how to do exactly what you need (except you want Users, not Computers).
http://blogs.technet.com/heyscriptingguy/archive/2004/12/07/how-can-i-return-a-list-of-all-my-computers-except-those-in-a-specified-ou.aspx
The other thing you could look at is a virtual directory to act as a proxy to AD, which would allow you to configure filters and permissions without touching AD.
(mostly copied from the hyphen site)
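An added example of the client-side approach the answer recommends, written with JNDI as in the question; it is not code from the question or from the linked Microsoft script. It searches the whole domain for user objects with a plain server-side filter and then drops every result whose DN lies under the Users container. The LDAP URL, base DN, credentials and container DN are placeholder parameters.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.LdapName;

public class UsersOutsideContainer {

    /** True when dn is the container itself or sits anywhere below it.
     *  LdapName parses the RDNs, so escaped commas and differences in case
     *  do not fool the comparison the way a raw string suffix check would. */
    static boolean isUnderContainer(String dn, String containerDn) throws NamingException {
        LdapName name = new LdapName(dn);
        LdapName container = new LdapName(containerDn);
        // LdapName indexes from the root (DC=com is index 0), so "startsWith"
        // means "the container DN is a suffix of the entry's DN".
        return name.startsWith(container);
    }

    /** Subtree search for user objects, excluding those under excludedContainerDn. */
    static List<String> findUsersOutside(String url, String baseDn, String bindDn,
                                         String password, String excludedContainerDn)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                 // e.g. "ldaps://dc.example.com:636" (placeholder)
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        LdapContext ctx = new InitialLdapContext(env, null);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName"});
        List<String> found = new ArrayList<>();
        try {
            // Server side only narrows to user objects; the container exclusion
            // has to happen here on the client, as the answer explains.
            NamingEnumeration<SearchResult> hits = ctx.search(baseDn, "(objectClass=user)", sc);
            while (hits.hasMore()) {
                String dn = hits.next().getNameInNamespace();
                if (!isUnderContainer(dn, excludedContainerDn)) {
                    found.add(dn);
                }
            }
        } finally {
            ctx.close();
        }
        return found;
    }
}
```

Against a domain with more than 1000 users, AD's default MaxPageSize truncates this search, so wrap it with javax.naming.ldap.PagedResultsControl in production.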