Return users in an OU and filter out certain accounts

Last post 01-03-2007 10:20 AM by g12garg. 8 replies.

  • Return users in an OU and filter out certain accounts

    09-20-2006, 2:25 PM
    • TimD
    • Joined on 09-20-2006, 5:28 PM
    • Posts 5

    Examples from this forum have taught me how to return all users in a specific organizational unit. I'd like to filter out some of these users that exist for the purpose of internal application use, vendor applications, training, etc.

    I'd like to display the filtered results in my web application. So here's my question...What is a good way to filter out users in a given OU that should not be displayed in a web application?

    Would a security group like "ExcludeFromWebApp" be a good idea?

    Does anyone have code examples? I'm using ASP.NET 1.1 and C#.

    Thanks!

     

  • Re: Return users in an OU and filter out certain accounts

    09-20-2006, 6:12 PM
    • dunnry
    • Joined on 06-24-2002, 12:17 PM
    • http://directoryprogramming.net
    • Posts 1,806
    • TrustedFriends-MVPs

    Without a distinguishing attribute on the objects you don't want (or a location that is different), it becomes more difficult to do this filtering, since by definition they must be different for a filter to work. You could add them to a security group and filter them by the 'memberOf' attribute, but that is a little clunky to look at and might not perform as well as other options:

     "(&(objectClass=user)(objectCategory=person)(!(memberOf=CN=SomeGroup,OU=blah...)))"
     

  • Re: Return users in an OU and filter out certain accounts

    09-21-2006, 12:46 PM
    • TimD
    • Joined on 09-20-2006, 5:28 PM
    • Posts 5

    Thanks for the quick response Ryan. I haven't been successful getting that to work.
    The code I'm using returns all users, including two users that are members of the group "ExcludeFromWebApp". One user is in "TESTDEPARTMENT" the other user is in another department. With the filter in place, they should have been excluded. I realize that the "qry" and "ldapPath" are in different OUs, but moving the security group to the same OU as the "TESTDEPARTMENT" didn't seem to make a difference.

    Here's an example of my code, can you spot anything that might be throwing the results off?

    string qry = "(&(objectClass=user)(objectCategory=person)(!(memberOf=CN=ExcludeFromWebApp,OU=DEPARTMENT," + strDC +")))";
    string[] columns = new string[]{"cn", "sAMAccountName"};
    string ldapPath = "LDAP://" + dcservername + "/OU=TESTDEPARTMENT,OU=DEPARTMENT," + strDC;

    DataSet ds = ADSearch(qry, columns, ldapPath);


    //requires: using System.Data; using System.DirectoryServices;
    public DataSet ADSearch(string sFilter, string[] columns, string path)
    {
     DataSet userDS;
     
     DirectoryEntry deParent = new DirectoryEntry(path);
     deParent.Username = username;
     deParent.Password = password;
     deParent.AuthenticationType = AuthenticationTypes.Secure;

     DirectorySearcher ds = new DirectorySearcher(
      deParent,
      sFilter,
      columns,
      SearchScope.Subtree);

     ds.PageSize = 1000;

     using(deParent)
     using(ds) //dispose the searcher together with the directory entry
     {
      //setup the dataset that will store the results
      userDS = new DataSet("userDS");

      DataTable dt = userDS.Tables.Add("users");
      DataRow dr;

      //add each parameter as a column
      foreach(string prop in columns)
      {
       dt.Columns.Add(prop, typeof(string));
      }

      using (SearchResultCollection src = ds.FindAll())
      {
       foreach(SearchResult sr in src)
       {
        dr = dt.NewRow();

        foreach(string prop in columns)
        {
         if(sr.Properties.Contains(prop))
         {
          dr[prop] = sr.Properties[prop][0];
         }
        }
      
        dt.Rows.Add(dr);
       }
      }
     }
     return userDS;
    }

  • Re: Return users in an OU and filter out certain accounts

    09-21-2006, 1:25 PM
    • dunnry
    • Joined on 06-24-2002, 12:17 PM
    • http://directoryprogramming.net
    • Posts 1,806
    • TrustedFriends-MVPs
    The filter looks right.  If it is not working, it might be because you have the DN of the group wrong in the filter.  The group itself does not need to be located in the same OU - it can be anywhere.  I just tested this myself and it does work.  Again, just check your DN carefully for the group and make sure it is exact.  If you need to, find the group in a tool like ldp.exe and copy the DN to make sure you have it right.
  • Re: Return users in an OU and filter out certain accounts

    09-21-2006, 6:20 PM
    • TimD
    • Joined on 09-20-2006, 5:28 PM
    • Posts 5

    dunnry:
    The filter looks right.  If it is not working, it might be because you have the DN of the group wrong in the filter.  The group itself does not need to be located in the same OU - it can be anywhere.  I just tested this myself and it does work.  Again, just check your DN carefully for the group and make sure it is exact.  If you need to, find the group in a tool like ldp.exe and copy the DN to make sure you have it right.

     I found the group using ldp.exe and copied the DN so that the spelling was correct.

    One of the results looked like:
    "CN=ExcludeFromWebApp,OU=DEPARTMENT,DC=company,DC=org"

    So I copied that and continued to use ldp.exe to create a new query with the following:

    Base Dn: OU=TESTDEPARTMENT,OU=DEPARTMENT,dc=company,dc=org
    Filter: (&(objectClass=user)(objectCategory=person)(!(memberOf=CN=ExcludeFromWebApp,OU=DEPARTMENT,DC=company,DC=org)))


    Here's a sample of the results, it still included a user that should have been filtered out:
    -----------
    ***Searching...
    ldap_search_s(ld, "OU=TESTDEPARTMENT,OU=DEPARTMENT,dc=company,dc=org", 2, "(&(objectClass=user)(objectCategory=person)(!(memberOf=CN=ExcludeFromWebApp,OU=DEPARTMENT,DC=company,DC=org)))", attrList,  0, &msg)
    Result <0>: (null)
    Matched DNs:
    Getting 183 entries:
    >> Dn: CN=testuser,OU=TESTDEPARTMENT,OU=DEPARTMENT,dc=company,dc=org
     7> memberOf: CN=ExcludeFromWebApp,OU=DEPARTMENT,DC=company,DC=org; CN=Another Group,OU=DEPARTMENT,DC=company,DC=org;
     1> canonicalName: company.org/DEPARTMENT/TESTDEPARTMENT/testuser;
     1> cn: testuser;
     1> distinguishedName: CN=testuser,OU=TESTDEPARTMENT,OU=DEPARTMENT,dc=company,dc=org;
     4> objectClass: top; person; organizationalPerson; user;
     1> name: testuser;
    *
    *
    *
    -----------

    I also tried to reverse the logic to find users that are in the group with the following...
    Filter: (&(objectClass=user)(objectCategory=person)(memberOf=CN=ExcludeFromWebApp,OU=DEPARTMENT,DC=company,DC=org))

    It returns no results, even though there are two users in this group.

  • Re: Return users in an OU and filter out certain accounts

    09-21-2006, 8:22 PM
    • TimD
    • Joined on 09-20-2006, 5:28 PM
    • Posts 5

    Update... I've got it working, thank you for the syntax Ryan.

    The filter worked great when I queried new or existing security groups that were outside of the "OU=DEPARTMENT". Any security group contained in or below "DEPARTMENT" wouldn't return correct results when I ran the query (I verified the DN for each query). Everything worked fine once I moved to a security group contained within ANY OU at the same level as "DEPARTMENT".

  • Re: Return users in an OU and filter out certain accounts

    09-22-2006, 10:39 AM
    • dunnry
    • Joined on 06-24-2002, 12:17 PM
    • http://directoryprogramming.net
    • Posts 1,806
    • TrustedFriends-MVPs
    Interesting... If I have time, I might try to replicate what you are seeing.  I don't believe it should be doing that (the group's location should be irrelevant).  I wonder if something else is not at play there.  At least it is working for you now...  good luck.
  • Re: Return users in an OU and filter out certain accounts

    09-22-2006, 11:46 AM
    • TimD
    • Joined on 09-20-2006, 5:28 PM
    • Posts 5

    Problem solved.

    The OU had a reserved character in the name. Once I used the escape character in the query it worked great!

    I found the escape characters I needed here: http://technet2.microsoft.com/WindowsServer/en/library/4b5a80fa-9446-46fc-b1fd-edaf784a5de41033.mspx?mfr=true  
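
The fix described in the post above, as an added example that is not part of the original thread: a group DN used as a `memberOf` assertion value needs two layers of escaping, RFC 4514 inside each RDN value and RFC 4515 for the filter string, so the DN's own backslash becomes `\5c`. The thread does not say which reserved character the OU name contained; the comma, the OU name and the class and method names below are constructed for illustration.

```csharp
using System;
using System.Text;

// Added example; class, method names and sample values are constructed.
public static class LdapFilterBuilder
{
    // RFC 4514: escape characters reserved inside a single RDN value.
    public static string EscapeRdnValue(string value)
    {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool edge = (i == 0 && (c == ' ' || c == '#')) ||
                        (i == value.Length - 1 && c == ' ');
            if (edge || ",+\"\\<>;=".IndexOf(c) >= 0) sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    // RFC 4515: escape characters reserved inside a filter assertion value
    // as a backslash followed by the two-digit hex code (\5c, \2a, \28, \29, \00).
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder();
        foreach (char c in value)
        {
            if ("\\*()\0".IndexOf(c) >= 0) sb.Append('\\').Append(((int)c).ToString("x2"));
            else sb.Append(c);
        }
        return sb.ToString();
    }

    // The thread's exclusion filter, with the group DN escaped for filter use.
    public static string ExcludeGroupFilter(string groupDn)
    {
        return "(&(objectClass=user)(objectCategory=person)(!(memberOf="
             + EscapeFilterValue(groupDn) + ")))";
    }

    public static void Main()
    {
        // Constructed OU name containing a reserved character (a comma).
        string ou = EscapeRdnValue("DEPT, EAST");
        string groupDn = "CN=ExcludeFromWebApp,OU=" + ou + ",DC=company,DC=org";
        Console.WriteLine(ExcludeGroupFilter(groupDn));
    }
}
```

A DN copied from ldp.exe already carries the RDN-level escaping, so only `EscapeFilterValue` applies to it before it goes into the filter.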

  • Re: Return users in an OU and filter out certain accounts

    01-03-2007, 10:20 AM
    • g12garg
    • Joined on 12-15-2005, 1:13 AM
    • Posts 5

    Hi Ryan,

    I have a problem. First of all, I am getting the list of all the Organizational Units using LDAP in a web application page in ASP.NET 2.0.

    If you have observed, along with the others you will get "Account" too. Now I want that when I click on "Account" I get the list of its users, like we get when we click on Account in "Active Directory Management", i.e. Administrative Tools --> Active Directory Users and Computers, in Windows Server 2003.

    Please could you guide me how to get this Account users list in a web page?

    Thanking you in advance

    You could also mail me at g12garg@gmail.com

    Gaurav Garg
     
