LDAP: using a filter to avoid a sub OU in Active Directory?

Well, I'm not entirely sure what you're after, but if you use the filter (!(distinguishedName=*,OU=Evil,OU=People,DC=mydomain,DC=com)) along with a Subtree search scope then you won't get any users from the "Evil" sub-OU returned. However, the entire Evil sub-OU will still be searched (generally not a problem because of fast LDAP search response times, though).

If you're using System.DirectoryServices(.Protocols) in .NET you could also set the SearchScope to OneLevel to only search in the People OU (and no child OUs). But that won't work if you have any "OU=Good,OU=People,DC=mydomain,DC=com"...

The third option would be to query the People OU for all sub-OUs (objectClass=organizationalUnit) and then issue multiple search requests, one for each of them (except the "Evil" one).

Edit: @geoffc - that will be really difficult to implement. By default all authenticated users have read access to all objects in Active Directory. Just setting a "Deny Read" on the Evil OU won't do the trick because the read right for authenticated users is set on the individual user object (in this case) and thus has precedence over the Deny ACL set on the OU. You will essentially have to set the Deny Read ACL on each of the objects in the Evil OU and always make sure new objects added to the directory get the same Deny rights set. You could edit the Active Directory schema and remove the rights for Authenticated Users, but that will break a lot of other things (including Exchange) and is not supported by Microsoft.

A for effort, but wildcard searches don't work with data of type DN, in particular distinguishedName. – Anton Tykhyy Apr 26 '10 at 16:07

That will become a problem for ongoing management, tracking which user accounts can read which OUs. If possible I'd like to do this without having to recode the import tool (that will have a big delay because the required people are not currently available) or implementing a special workaround (such as a post-import stored procedure that deletes the entries from the DB), and stick to the current config, where the LDAP search filter needs to do the restrictions. – DrStalker Jul 9 '09 at 1:30

The objectClasses organizationalUnit and its descendant inetOrgPerson allow the attribute ou to be present in an entry. Add an ou attribute with value evil to the objects subordinate to the ou=evil branch and include the assertion (!(ou=evil)) to the search filter to limit responses from the candidate list to those that do not contain an attribute ou with the value evil. Alternatively, the LDAP Assertion Control could be used on requests in the same fashion to ensure that requests that contain an ou with the value evil are not processed.

Professional quality directory servers that are LDAP compliant will support both of these methods.
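Added example, written for this page and not code from either answer above: it exercises the two approaches that do not depend on a substring match against distinguishedName (which the first comment notes is not supported for DN-syntax attributes). `users_excluding_ou` implements the first answer's third option, enumerating the child OUs of People and issuing one search per child except Evil, plus a OneLevel search for users sitting directly in People; `users_by_ou_marker` implements the second answer's `(!(ou=evil))` filter over a single Subtree search. The directory contents, the function names and the `search` stand-in (which replaces a real System.DirectoryServices or ldap3 request) are all my assumptions.

```python
"""Two ways to keep the "Evil" sub-OU out of an Active Directory user search,
exercised against a small in-memory directory (constructed sample data, not
from the original page) so the logic runs offline."""
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, str]

# Constructed sample directory: DN -> attributes. Objects under OU=Evil carry
# ou=evil (single-valued here for brevity), as the second answer proposes.
DIRECTORY: Dict[str, Entry] = {
    "OU=People,DC=mydomain,DC=com": {"objectClass": "organizationalUnit"},
    "OU=Good,OU=People,DC=mydomain,DC=com": {"objectClass": "organizationalUnit"},
    "OU=Interns,OU=Good,OU=People,DC=mydomain,DC=com": {"objectClass": "organizationalUnit"},
    "OU=Evil,OU=People,DC=mydomain,DC=com": {"objectClass": "organizationalUnit", "ou": "evil"},
    "OU=Minions,OU=Evil,OU=People,DC=mydomain,DC=com": {"objectClass": "organizationalUnit", "ou": "evil"},
    "CN=Alice,OU=People,DC=mydomain,DC=com": {"objectClass": "user"},
    "CN=Bob,OU=Good,OU=People,DC=mydomain,DC=com": {"objectClass": "user"},
    "CN=Carol,OU=Interns,OU=Good,OU=People,DC=mydomain,DC=com": {"objectClass": "user"},
    "CN=Mallory,OU=Evil,OU=People,DC=mydomain,DC=com": {"objectClass": "user", "ou": "evil"},
    "CN=Trent,OU=Minions,OU=Evil,OU=People,DC=mydomain,DC=com": {"objectClass": "user", "ou": "evil"},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs, leaf first. Honours backslash-escaped
    commas and lower-cases both halves, since AD compares DNs case-insensitively."""
    rdns: List[str] = []
    buf, escaped = "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def in_scope(dn: str, base: str, scope: str) -> bool:
    """LDAP search-scope semantics: 'base', 'onelevel' or 'subtree'."""
    d, b = parse_dn(dn), parse_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False  # neither the base itself nor beneath it
    depth = len(d) - len(b)
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[scope]


def search(base: str, scope: str, match: Callable[[Entry], bool]) -> List[str]:
    """Stand-in for one LDAP search request against the constructed directory."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_scope(dn, base, scope) and match(attrs))


def is_user(attrs: Entry) -> bool:
    return attrs.get("objectClass") == "user"


def is_ou(attrs: Entry) -> bool:
    return attrs.get("objectClass") == "organizationalUnit"


def users_excluding_ou(parent_ou: str, excluded_ou: str) -> List[str]:
    """First answer, third option: one OneLevel request for users directly in
    the parent, then one Subtree request per child OU other than the excluded
    one. No request is ever sent for the excluded OU or anything below it."""
    excluded = parse_dn(excluded_ou)
    results = search(parent_ou, "onelevel", is_user)
    for child in search(parent_ou, "onelevel", is_ou):
        if parse_dn(child) == excluded:
            continue
        results += search(child, "subtree", is_user)
    return sorted(results)


def users_by_ou_marker(parent_ou: str, marker: str) -> List[str]:
    """Second answer: every object under the excluded branch carries ou=<marker>,
    so a single Subtree request with (&(objectClass=user)(!(ou=<marker>))) suffices."""
    def match(attrs: Entry) -> bool:
        return is_user(attrs) and attrs.get("ou", "").lower() != marker.lower()
    return search(parent_ou, "subtree", match)


if __name__ == "__main__":
    base = "OU=People,DC=mydomain,DC=com"
    print("enumerate-and-exclude:", users_excluding_ou(base, "OU=Evil," + base))
    print("ou=evil marker:       ", users_by_ou_marker(base, "evil"))
```

The two functions return the same three users on this data, but they fail differently in practice: the marker filter silently leaks any object in Evil that was created without the `ou` attribute, whereas the enumeration approach never touches Evil at all and automatically covers any new sibling OU under People, at the cost of one extra round trip per child OU.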
