Filtering what Accounts are being brought in from AD by group

Hey guys, I’m trying to filter my AD Connector so it only pulls the Accounts that are members of specific AD groups. Any advice as to how to accomplish this? See attached the screenshot of how I’ve currently got the Source configured (I’ve highlighted the group I’m trying to pull the members of)


Modify the LDAP Search Filter with the below to get all accounts that are memberOf your group CN=RPT-BNK… :

(&(objectClass=user)(!(useraccountcontrol=<your value>))
  (memberOf=CN=RPT-BNK.....DC=local))

Thank you sir! That solved it. I do have one more question if I may. I also want to limit the number of Entitlements that are being pulled when I do an Entitlement Aggregation. Here is the config setup as of now, there are members of 130 groups being aggregated over and then the 130 groups are being brought over as Entitlements (actually only 128 are being brought over but I’m guessing that’s because 2 of the groups don’t have any members). This is all good as of now, but as you know the Account Aggregation only brings over the Distinguished Name and then you have to run the Entitlement Aggregation to bring over the Display Name. I fear if I run the Entitlement Aggregation right now, with nothing specified, it’s going to bring over all AD groups. Any suggestions?



From my understanding, you do not want to get empty group entitlements.

In that case, use this LDAP filter in your Group search scope to only pull non-empty groups:
(&(objectClass=group)(member=*))

Hope this helps!


@pillar224 Glad it is working for you!

Yes, when you run an entitlement aggregation that will aggregate all the groups from AD.

You have to add a filter in two places to filter the number of groups from the AD:
“Group Search Scope” : To filter groups in entitlement aggregation => Entitlements created during entitlement aggregation
“User Search Scope”: To filter groups user is already a memberOf. => Entitlements created during account aggregation (You already ran this and got 128 entitlements into IDN)

Please note: Once aggregated entitlements cannot be deleted in IDN even though you change the filter and aggregate again. IDN removes the entitlements only when it is deleted natively in the source. If you want to delete the already imported entitlements, you must RESET the source or delete and create the source again and give the appropriate filter before aggregating.

Refer: Account and Group Settings
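An added example (my own code, not SailPoint's connector and not posted by anyone in this thread) that evaluates the two filters discussed above, the User Search Scope `memberOf` filter and the Group Search Scope `(member=*)` filter, against a small constructed directory, so you can preview what an aggregation would keep before it creates entitlements that cannot be deleted from IDN. It assumes the bitwise matching-rule form `userAccountControl:1.2.840.113556.1.4.803:=2` instead of the exact-value test `(useraccountcontrol=<your value>)` from the earlier reply, and the group and user DNs under `DC=tb,DC=local` are made up.

```python
"""Preview which entries an AD search-scope filter keeps. Supports the LDAP
filter subset used in this thread: (&..), (|..), (!..), attr=value, attr=*
(presence) and the AD bitwise-AND extensible match attr:OID:=value.
The directory entries below are constructed sample data."""
import re

BITWISE_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 2                       # userAccountControl flag bit
_ITEM = re.compile(r"([A-Za-z0-9.;-]+)(?::([0-9.]+):)?=(.*)", re.S)


def parse_filter(text):
    """Parse an RFC 4515-style filter into a tree; raises ValueError when
    parentheses are unbalanced. Values containing ')' would need \\29
    escaping, which DN values do not require."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|"):
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", [child])
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        m = _ITEM.fullmatch(text[pos:end])
        if not m:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", m.group(1).lower(), m.group(2), m.group(3))

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return tree


def matches(node, entry):
    """Evaluate a parsed filter against one entry (lowercase attr -> values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule is None and value == "*":
        return bool(values)                                  # presence test
    if rule == BITWISE_AND:
        return any(int(v) & int(value) for v in values)      # any flag bit set
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    return any(v.lower() == value.lower() for v in values)  # AD compares case-insensitively


def select(filter_text, directory):
    """Return the DNs the filter would keep, in directory order."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(tree, e)]


def build_user_scope_filter(group_dns):
    """User Search Scope: enabled users that are a direct member of any listed
    group. The bitwise rule drops every disabled account regardless of the
    other userAccountControl flags it carries."""
    member_of = "".join(f"(memberOf={dn})" for dn in group_dns)
    return (f"(&(objectClass=user)(!(userAccountControl:{BITWISE_AND}:={ACCOUNTDISABLE}))"
            f"(|{member_of}))")


GROUP_SCOPE_FILTER = "(&(objectClass=group)(member=*))"   # non-empty groups only

# Constructed sample directory (hypothetical DNs).
AUDIT = "CN=RPT-BNK-Audit Analysts,OU=Groups,DC=tb,DC=local"
DATA = "CN=RPT-BNK-Data Team,OU=Groups,DC=tb,DC=local"
ALICE, BOB, DAVE, FRANK = (f"CN={n},OU=Users,DC=tb,DC=local" for n in ("alice", "bob", "dave", "frank"))
USER = ["top", "person", "user"]
SAMPLE_DIRECTORY = [
    {"dn": ALICE, "objectclass": USER, "useraccountcontrol": ["512"], "memberof": [AUDIT]},    # enabled
    {"dn": BOB, "objectclass": USER, "useraccountcontrol": ["514"], "memberof": [AUDIT]},      # disabled
    {"dn": DAVE, "objectclass": USER, "useraccountcontrol": ["66050"], "memberof": [AUDIT, DATA]},  # disabled + pwd never expires
    {"dn": "CN=erin,OU=Users,DC=tb,DC=local", "objectclass": USER, "useraccountcontrol": ["512"],
     "memberof": ["CN=Helpdesk,OU=Groups,DC=tb,DC=local"]},                                   # unrelated group
    {"dn": FRANK, "objectclass": USER, "useraccountcontrol": ["512"], "memberof": [DATA]},     # enabled
    {"dn": AUDIT, "objectclass": ["top", "group"], "member": [ALICE, BOB, DAVE]},
    {"dn": DATA, "objectclass": ["top", "group"], "member": [DAVE, FRANK]},
    {"dn": "CN=RPT-BNK-Empty,OU=Groups,DC=tb,DC=local", "objectclass": ["top", "group"]},     # no member attribute
]

if __name__ == "__main__":
    print("users :", select(build_user_scope_filter([AUDIT, DATA]), SAMPLE_DIRECTORY))
    print("groups:", select(GROUP_SCOPE_FILTER, SAMPLE_DIRECTORY))
```

Two things the sample shows that are easy to miss in the console: an exact test such as `(!(userAccountControl=514))` still lets through a disabled account that carries extra flags (dave, 66050), whereas the bitwise rule excludes it; and `memberOf` only reflects direct membership, so users who reach a group through nesting, or through their primary group, are not selected. Computer objects also carry `objectClass=user`, so adding `(objectCategory=person)` keeps them out of the account aggregation.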

Thank you again. So does this look about right? The Entitlement Aggregation I ran with that config brought over 91 Entitlements (and I don’t think they were all limited to the ones I wanted because my total Entitlement number jumped up to 196)


@pillar224

Are you trying to filter all entitlements from OU “dc=tb,DC=local” and groups that are memberOf DN “RPT-BNK-Audit…”?

I’m trying to limit the Entitlements I’m pulling information in for to the 130 groups that govern Power BI access (one of those groups is RPT-BNK-Audit Analysts, but there’s also 129 other ones like RPT-BNK-Data Team). All the groups exist in the “DC=tb,DC=local” OU

I answered my own question, thanks Raghunath
