I'm having a debate with myself.  I'm just starting to understand LDAP Queries and wanted to pose a couple of questions because I can't seem to find the right information anywhere.

I get I can write an LDAP query that starts at the root of my Active Directory and return all the users in my AD environment.

Now..what if I want to traverse my directory and say give me all users in my Active Directory environment EXCEPT for the users in OU=Test,DC=somecity,DC=company,DC=com?


isn't working.  That returns all users regardless of their OU affiliation.  

Am I using the & operator incorrectly?  I also tried (what I thought was): give me all the users in the given OU...that didn't work either?


Any suggestions or assistance will be greatly appreciated!


asked 10/28/2011 04:36


TxCellarRat ♦♦

2 Answers:
You didn't find anything because you can't do it :)

This came up a few years ago on another forum and I suggested using adfind with the -excldn switch because it allows you to exclude objects with the given string in the DN.

Later in the thread Chris Dent (Chris-Dent on this site) responded

*****Quote from Chris not taking credit for his great answer******
ou (organizational-unit-name) is not set by default for almost
everything (except OUs) and wildcards are not permitted for attributes
of type DN because they're constructed attributes (see

Which is a pretty negative answer I'm afraid. I don't believe there is a
way to filter out (or filter on) specific OUs in an Ldap Filter.


Then Joe (creator of adfind) responded, I have this thread bookmarked :)

*********Great answer from Joe**********

Correct, the only objects that will have the OU attribute populated are the
OU objects. You also cannot use wildcards for the DN and in fact DN isn't an
attribute even, it is distinguishedName. As Mike mentioned, AdFind has the
-excldn switch for this specific case and it does all the processing at the
client, it looks at every DN returned and if there is a match to the -excldn
string, it mutes it from the output. If it could have been done at the LDAP
query level, certainly I would have written it that way as would be more

What you could do is if this is for a specific application is to set up a
special ID for that app to use and the permissions for that ID (via a group)
are set to not be able to see the OU (or OUs) that you need excluded. In
general I hate DENY ACEs but this is one case where I have seen a few times
in the wild where it made some sort of sense.





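The answer above is that the exclusion cannot be expressed in the LDAP filter itself, so adfind's -excldn does the work on the client after the results come back. The following is an added example (not code from the thread, from adfind, or from any of the posters) that does the same client-side step in Python over constructed sample entries: it runs the usual server-side user filter in your head (shown as a constant), then drops every returned object whose DN sits under OU=Test,DC=somecity,DC=company,DC=com, including nested OUs beneath it. Unlike a plain substring match it compares whole RDNs, so an OU named Testing is not swept in, and it honours backslash-escaped commas in CNs. The entry list, account names and the `exclude_ou` / `is_under` function names are all assumptions made for this example; in real use you would feed it the (dn, attributes) pairs returned by ldap3 or python-ldap.

```python
"""Client-side exclusion of one OU (and its children) from LDAP search results.

Added example, not part of the original thread. The server-side part of the
query is the ordinary "all users" filter; the OU exclusion happens here.
"""
from typing import Dict, List, Tuple

# Standard AD filter for user objects; sent to the server as-is.
USER_FILTER = "(&(objectCategory=person)(objectClass=user))"

# The OU the question wants excluded.
EXCLUDED_OU = "OU=Test,DC=somecity,DC=company,DC=com"

Entry = Tuple[str, Dict[str, str]]

# Constructed sample results, standing in for what the directory would return.
SAMPLE_ENTRIES: List[Entry] = [
    ("CN=Alice,OU=Staff,DC=somecity,DC=company,DC=com", {"sAMAccountName": "alice"}),
    ("CN=Bob,OU=Test,DC=somecity,DC=company,DC=com", {"sAMAccountName": "bob"}),
    # nested under OU=Test, must also be excluded
    ("CN=Carol,OU=Lab,OU=Test,DC=somecity,DC=company,DC=com", {"sAMAccountName": "carol"}),
    # OU=Testing is a different OU; a naive substring match on "OU=Test" would drop it
    ("CN=Dave,OU=Testing,DC=somecity,DC=company,DC=com", {"sAMAccountName": "dave"}),
    # escaped comma inside the CN (RFC 4514)
    ("CN=Smith\\, John,OU=Staff,DC=somecity,DC=company,DC=com", {"sAMAccountName": "jsmith"}),
    # DNs are case-insensitive; mixed case must still match the excluded OU
    ("cn=Eve,ou=test,dc=somecity,dc=company,dc=com", {"sAMAccountName": "eve"}),
]


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, keeping backslash-escaped commas inside a value."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def normalize_rdn(rdn: str) -> str:
    """Lower-case attribute type and value so comparisons are case-insensitive."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()


def is_under(dn: str, container_dn: str) -> bool:
    """True if dn is container_dn itself or lies anywhere beneath it.

    The check is done on whole RDNs from the right-hand side, so
    OU=Testing does not match OU=Test.
    """
    d = [normalize_rdn(r) for r in split_dn(dn)]
    c = [normalize_rdn(r) for r in split_dn(container_dn)]
    if len(d) < len(c):
        return False
    return d[len(d) - len(c):] == c


def exclude_ou(entries: List[Entry], excluded_dn: str) -> List[Entry]:
    """Drop every entry whose DN is inside excluded_dn (the -excldn idea, by DN suffix)."""
    return [(dn, attrs) for dn, attrs in entries if not is_under(dn, excluded_dn)]


def kept_accounts(entries: List[Entry] = SAMPLE_ENTRIES,
                  excluded_dn: str = EXCLUDED_OU) -> List[str]:
    """sAMAccountNames that survive the exclusion, in original order."""
    return [attrs["sAMAccountName"] for _, attrs in exclude_ou(entries, excluded_dn)]


if __name__ == "__main__":
    print("server filter:", USER_FILTER)
    print("kept after excluding", EXCLUDED_OU + ":", kept_accounts())
</test>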


Well, if Active Directory supported extensible match, then you could do this.

It is painful from MS documentation to determine if they do or not.


answered 2011-10-28 at 12:54:16




Seen: 213 times

Last updated: 11/15/2011 10:14