(&(objectCategory=person)(objectClass=user))
but this will bring in all service and disabled accounts. To filter these accounts out, you can use the following methods -
To remove disabled accounts - (!(userAccountControl:1.2.840.113556.1.4.803:=2))
To remove service accounts (accounts with Password Expiration disabled)
(!(userAccountControl=65536))
or
(!(userAccountControl:1.2.840.113556.1.4.803:=65536)) // in my case this one worked
Here is your LDAP query with these filters -
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))
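Why the bitwise form excludes accounts that the plain equality form lets through, as an added example (not code from the original post): a minimal evaluator for the filter subset used here, run against constructed entries. The entry names and values are assumptions, objectCategory is stored as its short name for simplicity, and the filters are written in the strict `(!(...))` form.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next index)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1:i + 2] in ("&", "|", "!"):
        op, kids, i = s[i + 1], [], i + 2
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group at offset {i}")
        return (op, kids), i + 1
    j = s.index(")", i)  # ValueError if the item is never closed
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", s[i + 1:j])
    if not m:
        raise ValueError(f"bad filter item {s[i + 1:j]!r}")
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), j + 1

def matches(node, entry):  # entry: dict of lowercase attribute name -> list of str
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, want = node
    values = entry.get(attr, [])
    if rule == BIT_AND:  # true only when every bit of `want` is set in the value
        return any((int(v) & int(want)) == int(want) for v in values)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    pattern = re.escape(want.lower()).replace(r"\*", ".*")  # '*' acts as a wildcard
    return any(re.fullmatch(pattern, v.lower()) for v in values)

def select(filter_text, entries):
    """Return the sAMAccountName of every entry the filter matches."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return [e["samaccountname"][0] for e in entries if matches(node, e)]

# Constructed entries: 512 = normal account, +2 = disabled, +65536 = password never expires
USERS = [{"samaccountname": [n], "objectcategory": ["person"], "objectclass": ["top", "user"],
          "useraccountcontrol": [str(u)]} for n, u in (("alice", 512), ("bob", 514), ("svc_sql", 66048))]
BASE = "(objectCategory=person)(objectClass=user)"
BITWISE = f"(&{BASE}(!(userAccountControl:{BIT_AND}:=2))(!(userAccountControl:{BIT_AND}:=65536)))"
EQUALITY = f"(&{BASE}(!(userAccountControl=2))(!(userAccountControl=65536)))"
```

`select(BITWISE, USERS)` keeps only `alice`, while `select(EQUALITY, USERS)` keeps all three accounts, because no sample userAccountControl value is exactly 2 or 65536.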
There might be cases where you want to filter out a particular group. Let's say you want to exclude users from a group named FilterGroup, under MYOU; in this case the query will be as follows -
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(memberOf=CN=FilterGroup,OU=MYOU,DC=mydomain,DC=local)))
Some more examples -
Include only the accounts with valid email addresses
(&(objectCategory=Person)(objectClass=User)(mail=*com))
Exclude accounts that don’t have a first name
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(!(givenName=*))))
Thanks to -
Some more resources - MSDN – Active Directory Search Filter Syntax
Using MOSS 2007 I have used your example to filter based on group membership. When trying to do this in SharePoint 2010 it appears I am unable to do this. Have you been able to figure out a way?
For SharePoint 2010 please see this post -
http://isharepoint2010.blogspot.com/2010/10/user-profile-filtering-options-with.html