Often, when importing users from our Active Directory domains into SharePoint, we simply configure a standard connection and let the import roll. The problem with this is that we end up with a lot of accounts floating around in SharePoint that we neither need nor want. Service accounts, disabled user accounts and the like are just as much "users" as our active "I need access" users are, and every one of them ends up with a profile. So how can we set up the SharePoint profile import to pull only the accounts we really need into our SharePoint deployment and filter out the riff-raff and chaff?
LDAP filter queries provide the answer to most of our problems, when properly configured. It is best to set these up before you ever perform that first import as this will save you from having to clean out the unwanted profiles that were pulled over the first time. But even if you have already made the initial pull, setting up filtering will keep them from coming back once deleted.
Before we can configure an LDAP filter you need to understand a little bit about how these filters are constructed and some of the options that you have at your disposal. To begin with, there are a few operators that can be leveraged within a query to control how and what is compared within the query itself.
The "!" means NOT, as in (!(sn=apples)) (surname is not apples). Note that the NOT operator wraps a complete parenthesised filter; !sn=apples on its own is not valid LDAP syntax.
The "&" means AND, as in (&(sn=peanut_butter)(sn=jelly)) (peanut butter and jelly).
The "|" means OR, as in (|(sn=this)(sn=that)) (this or that).
The "=" means EQUALS (IS), as in (sn=right) (surname is right). Every comparison is written as (attribute=value) inside its own parentheses, and the operators then combine those parenthesised terms.
Next, you need to inform the query of the type of object you are looking for. Since you are generally trying to import user information for your SharePoint profiles, this part is relatively simple. You want to find the user class of the person category, so we tell LDAP to look for objects where the category is person and the class is user. This is then formatted as (&(objectCategory=person)(objectClass=user)). Both terms are needed: computer accounts also have objectClass=user (but objectCategory=computer), and contacts have objectCategory=person (but objectClass=contact), so either term on its own would pull in objects you do not want. Do you see how we take the question and then format it into the query?
At this point, if you were to simply pass this question on to Active Directory, you would end up with exactly what you don't want: all of your user objects. So now you need to add some conditions to refine the question. Let's say you have created all your service accounts with a last name of Service to distinguish them in your Active Directory. LDAP refers to the last name attribute as the surname (sn), so we rephrase our question as:
I want all the objects where the category is person and the class is user but where the last name is not Service.
This would then become: (&(objectCategory=person)(objectClass=user)(!(sn=service))). The NOT term must wrap the whole (sn=service) comparison in its own parentheses. Also note that Active Directory compares sn case-insensitively, so service and Service match the same accounts.
You can also use the * as a wildcard if you need to. In this example, what if some of your service accounts use Service as the last name, while others have a first name (givenName) that starts with SQL (SQLsa, SQLconnect, SQLuser, etc.) or MOSS? In this case the question is a little more complicated, but still doable.
I want all the objects where the category is person and the class is user, but where the last name is not Service and the first name does not start with SQL or MOSS. (In other words, exclude an account if it matches any one of those three patterns.)
This would then become (&(objectCategory=person)(objectClass=user)(!(|(sn=service)(givenName=sql*)(givenName=moss*)))).
Notice that in this case we first group all the patterns to exclude into an OR condition and then negate the whole group: (NOT(OR(item1)(item2)(item3))). This tells the query to drop any object that matches item 1, 2 or 3. It is equivalent to writing three separate NOT terms, (!(item1))(!(item2))(!(item3)), inside the outer AND; the grouped form is just shorter and easier to extend.
Wonderful as this might be, how do you handle all those normal user accounts that are simply disabled? They don't have a common first or last name, or even any character in common that wouldn't also exclude any number of truly active users. They do, however, have one attribute in common: they are disabled, and that state is recorded in the userAccountControl attribute. To exclude these accounts you add a condition that tests that flag. The condition for this is:
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
The long OID here, 1.2.840.113556.1.4.803, is the LDAP_MATCHING_RULE_BIT_AND extensible matching rule: rather than testing userAccountControl for equality with 2, it tests whether the bit with value 2 (ACCOUNTDISABLE) is set. A plain (userAccountControl=2) would almost never match, because userAccountControl also carries other flags (a typical disabled user has the value 514, i.e. 512 NORMAL_ACCOUNT + 2 ACCOUNTDISABLE).
so adding this into our earlier statement we get:
(&(objectCategory=person)(objectClass=user)(!(|(sn=Service)(givenName=sql*)(givenName=moss*)(userAccountControl:1.2.840.113556.1.4.803:=2)))).
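Before pointing the SharePoint import at this filter, it is worth running it against the directory and looking at exactly which accounts it drops, and why. The PowerShell below is an added example, not code from the original post: it runs the post's final filter with Get-ADUser -LDAPFilter (ActiveDirectory module from RSAT), diffs the result against the unfiltered user set, and re-derives the exclusion reason for each dropped account using the same naming convention and the ACCOUNTDISABLE bit. The search base OU is an assumption; substitute your own.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT)
# and read access to the directory. Assumes the post's naming convention: service accounts
# carry surname "Service" or a givenName starting with SQL or MOSS.
Import-Module ActiveDirectory

# userAccountControl bit tested by the 1.2.840.113556.1.4.803 (bitwise AND) matching rule
$ACCOUNTDISABLE = 2

# The filter exactly as built up in the post
$ImportFilter = '(&(objectCategory=person)(objectClass=user)(!(|(sn=Service)(givenName=sql*)(givenName=moss*)(userAccountControl:1.2.840.113556.1.4.803:=2))))'

# Assumption: the OU the SharePoint connection will search; replace with your own
$SearchBase = 'OU=Users,DC=example,DC=com'

$props = 'sn', 'givenName', 'userAccountControl', 'sAMAccountName'

# Everything that is a user object, and everything the import filter would keep
$all      = @(Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user))' -SearchBase $SearchBase -Properties $props)
$imported = @(Get-ADUser -LDAPFilter $ImportFilter -SearchBase $SearchBase -Properties $props)

# Index kept accounts by GUID so the diff below is O(n)
$keep = @{}
foreach ($u in $imported) { $keep[$u.ObjectGUID] = $true }

# For each dropped account, recompute the reason locally. An 'UNEXPLAINED' row means the
# LDAP filter excluded something this script's model of it does not; investigate before importing.
$excluded = foreach ($u in $all) {
    if ($keep.ContainsKey($u.ObjectGUID)) { continue }
    $reason = @()
    # -eq and -like are case-insensitive in PowerShell, matching AD's behaviour for sn/givenName
    if ($u.sn -eq 'Service')                                            { $reason += 'surname Service' }
    if ($u.givenName -like 'sql*' -or $u.givenName -like 'moss*')       { $reason += 'service-style givenName' }
    if (([int]$u.userAccountControl -band $ACCOUNTDISABLE) -ne 0)       { $reason += 'disabled' }
    if ($reason.Count -eq 0)                                            { $reason += 'UNEXPLAINED - check the filter' }
    [pscustomobject]@{
        Account            = $u.sAMAccountName
        userAccountControl = $u.userAccountControl
        Reason             = ($reason -join ', ')
    }
}

"User objects under {0}: {1}; would be imported: {2}; excluded: {3}" -f $SearchBase, $all.Count, $imported.Count, @($excluded).Count
$excluded | Sort-Object Reason, Account | Format-Table -AutoSize
```

Run this once before the first import and again whenever the filter changes. The accounts tagged only 'service-style givenName' or 'surname Service' are the ones your naming convention caught; anything that should have been excluded but is absent from the list is a service account that does not follow the convention and needs either renaming or an extra clause in the filter.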
As you can see, it is possible, with a little planning both in your Active Directory naming convention and in the SharePoint import filter, to pull only the users that you need into your SharePoint profile store. One caveat: the surname and givenName clauses only catch service accounts that actually follow the naming convention, so a service account created outside it will slip through and get a profile; the userAccountControl clause is the one test that does not depend on anyone having named things consistently, so review the import after each naming change. Unfortunately it is not possible to use an Active Directory OU as a filter parameter for the LDAP query (wildcards are not allowed on DN-valued attributes such as distinguishedName); that would make things even easier. Instead, you can create multiple connections into your AD to pull from different OUs. I'll show you how to do this in another post coming soon.