Exclude using LDAP filter for active directory source

Hello,
Currently, we have a use case where we have a user account in on-premise Active Directory that we would like to exclude from being pulled into SailPoint.

His DN is CN=EX123,OU=Design,OU=Employees,DC=Company,DC=com

Our current user search scope in sailpoint active directory ldap filter is:
(&(objectCategory=person)(objectClass=user))

Search dn: DC=Company,DC=Com

I would like to be able to exclude this user, or the OU/folder itself, from being pulled into SailPoint.

I read some documentation here - Account and Group Settings

and

What would be the best way to do this?

Thank you.

Try the following:

(&
  (objectCategory=person)
  (objectClass=user)
  (!distinguishedName:dn:=OU=Design,OU=Employees,DC=Company,DC=com)
)

I adjusted the parentheses because the filter was giving errors due to them:

(&
  (objectCategory=person)
  (objectClass=user)
  (!(distinguishedName:dn:=OU=Design,OU=Employees,DC=Company,DC=com))
)

After adjusting, the errors went away, but it did not exclude the OU=Design folder after account aggregation.

Rather than the OU, specify the full DN of the user.

We will have more users like this. I was looking to see if I can put them in an exclusion folder rather than updating the LDAP filter each time.

Having the same kind of issue. I'm trying to exclude an OU during aggregation; the KAs and LDAP filters suggest not using DN wildcards for exception OUs. Any advice here would be great.

Try putting a wildcard for the container context, with the "*" included:

(!distinguishedName:dn:=*OU=Design,OU=Employees,DC=Company,DC=com)

I did that too. Odd, it didn’t work.

(&(objectCategory=person)(objectClass=user)(!(distinguishedName:dn:=*OU=Design,OU=Employees,DC=Company,DC=com)))

This worked.

(&(objectClass=User)(objectcategory=person)(!(|(msDS-parentdistname=OU=Design,OU=Employees,DC=company,DC=com))))
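One caveat worth checking before relying on the msDS-parentdistname filter above: it matches only accounts whose direct parent is the listed OU, so an account in a nested sub-OU under OU=Design would still be aggregated. The script below is an added example (not from this thread or from SailPoint) that models both strategies over constructed DNs; the second exclusion container is hypothetical.

```python
"""Compare the direct-parent exclusion (msDS-parentdistname) with a whole-subtree
exclusion, over constructed AD account DNs. Not SailPoint code; an added example."""
import re

# The OU from the thread plus a hypothetical second "exclusion folder".
EXCLUDED_OUS = {
    "OU=Design,OU=Employees,DC=Company,DC=com",
    "OU=Exclusion,OU=Employees,DC=Company,DC=com",  # hypothetical
}

def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (RFC 4514 uses '\\,' for literal commas)."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]

def parent_dn(dn):
    """Same value AD exposes as msDS-parentdistname: the DN without its leading RDN."""
    return ",".join(split_rdns(dn)[1:])

def normalize(dn):
    """DN comparison in AD is case-insensitive; fold case and drop spacing around commas."""
    return ",".join(part.casefold() for part in split_rdns(dn))

def excluded_by_parent(dn, excluded=EXCLUDED_OUS):
    """Mirrors (!(|(msDS-parentdistname=OU1)(msDS-parentdistname=OU2)...)): direct children only."""
    return normalize(parent_dn(dn)) in {normalize(ou) for ou in excluded}

def excluded_by_subtree(dn, excluded=EXCLUDED_OUS):
    """Excludes the whole subtree: any ancestor container of the account is an excluded OU."""
    rdns = split_rdns(dn)
    ancestors = {normalize(",".join(rdns[i:])) for i in range(1, len(rdns))}
    return bool(ancestors & {normalize(ou) for ou in excluded})

def aggregate(dns, rule):
    """Return the DNs that would still be aggregated under the given exclusion rule."""
    return [dn for dn in dns if not rule(dn)]

# Constructed sample accounts: the thread's user, a nested sub-OU account, and an
# unrelated account with an escaped comma in its CN.
SAMPLE_DNS = [
    "CN=EX123,OU=Design,OU=Employees,DC=Company,DC=com",
    "CN=EX456,OU=Interns,OU=Design,OU=Employees,DC=Company,DC=com",
    "CN=Smith\\, Jane,OU=Sales,OU=Employees,DC=Company,DC=com",
]

if __name__ == "__main__":
    print("direct-parent rule keeps:", aggregate(SAMPLE_DNS, excluded_by_parent))
    print("subtree rule keeps:      ", aggregate(SAMPLE_DNS, excluded_by_subtree))
```

Running it shows the nested EX456 account surviving the direct-parent rule but not the subtree rule, which is the difference to verify against your own OU layout after aggregation.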
