Active Directory provides a powerful way of retrieving data through the use of LDAP filters. Directory Synchronization exposes two filters during the creation of a synchronization profile, User OU Filter and Group OU Filter, whose defaults are:
- Users: (&(!(adminDescription=Created By DirSync))(|(objectClass=Person)(objectClass=room))(!(objectClass=computer)))
- Groups: (&(!(adminDescription=Created By DirSync))(objectClass=Group))
These filters are per organizational unit and apply to sub-OUs when the Sync Sub-OUs option is selected.
Modifying these filters requires a basic understanding of the attributes, their value representations, and their data types. LDAP filters support many options, including filtering by date ranges, wildcards, and the use of bitmasks, as in the userAccountControl property.
Using the objectClass and objectCategory properties can greatly reduce the number of records retrieved, which improves performance. You may use other attributes to further restrict your results.
- Selecting users that are part of the ‘Accounting’ department:
- Selecting mailbox-enabled users:
- Selecting mail-enabled users and contacts:
- Selecting users created after January 1, 2011:
- Selecting distribution lists:
The following are common examples of queries and their LDAP query syntax.
Binary Tree recommends that you use the Active Directory Users and Computers management console to test your filters to prevent Directory Synchronization from failing due to an invalid filter.