LDAP Search query to get only "Admin account" should not get "-da" accounts

LDAP search query to get only "Admin account" should not get "-da" accounts.
Please suggest an LDAP search query filter for configuration.

Try this:

(&(objectClass=user)(sAMAccountName=*)(memberof=CN=Domain Admins,OU=Users,DC=subdomain,DC=domain,DC=com))

Put your domain path.

Hi @mrahulbb ,

What do you mean by -da accounts?

Directory Admin? What is the particularity of -da accounts in your LDAP, I mean an attribute value from which you can identify them? And the same question for "Admin Account" in your LDAP?

For example DA means Domain admin... we need to get admin accounts, which consist of 4 types of admin accounts; DA is one of them and it should not get into the accounts list.

How can we use not equal to in this filter?

Not equals can be done with:

(!(yourfilter))
(&(objectClass=user)(memberof=CN=Domain Admins,OU=Users,DC=subdomain,DC=domain,DC=com)(!(sAMAccountName=*-da*)))

Hi @mrahulbb -

It's tough to provide an exact query without seeing the exact structure.
Here is an example though with the 'not equal filter' -

(&(objectClass=user)(objectCategory=person)(memberOf=CN=Administrators,CN=Builtin,DC=domain,DC=com)(!(sAMAccountName=*-da)))

Keep in mind that you cannot use the ! (Not operator) with organizational units (OUs) directly.

Regards,


Hi, I do not understand what your goal is, but if you want to search for accounts which belong to some admin groups AND are not members of the domain admin group, it is not too simple. That is because the memberOf object has LDAP DN syntax (2.5.5.1) which has restricted search filter syntax (only "exact" matches), which means that you cannot search by memberof=cn=admin.

If you have a list of your possible admin groups, it can be done using a filter like:
(memberOf=adminDN1 OR memberOf=adminDN2 OR…memberOf=adminDNn) AND memberOf != cn=domain admins…

In LDAP, that is:

(&(|(memberof=CN=YourAdminGroup1,CN=Users,DC=xxxxx)(memberof=CN=YourDomainAdminGroup2,CN=Users,DC=xxxxx)…(memberof=CN=YourDomainAdminGroupN,CN=Users,DC=xxxxx))(!(memberof=CN=Domain Admins,CN=Users,DC=xxxxx)))
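To make the two points in this thread concrete, the `(!(...))` negation shown earlier and the restriction that memberOf (DN syntax) only supports exact matching, here is a small offline evaluator for RFC 4515 filters run against a handful of constructed directory entries. This is an added example, not SailPoint or Active Directory code; the group DNs under `DC=example,DC=com` and the `jdoe-*` account names are made up for the demonstration.

```python
"""Tiny RFC 4515 LDAP filter evaluator over constructed entries (added example)."""
import re

# In AD, attributes with DN syntax (2.5.5.1) accept equality matching only;
# a wildcard filter such as (memberOf=*Admins*) is rejected by the server.
DN_SYNTAX_ATTRS = {"memberof", "member", "manager", "distinguishedname"}


def parse(s, i=0):
    """Parse one filter component starting at s[i]; return (node, next_index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                       # (&(...)(...)) / (|(...)(...))
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1           # skip closing ')'
    if s[i] == "!":                        # (!(...)) must wrap a parenthesised filter
        node, i = parse(s, i + 1)
        return ("!", [node]), i + 1
    j = s.index(")", i)                    # simple item: attr=value
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter against an entry: {attr_lowercase: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":                     # presence filter, e.g. (sAMAccountName=*)
        return bool(values)
    if "*" in pattern:
        if attr in DN_SYNTAX_ATTRS:
            raise ValueError(f"{attr}: DN-syntax attribute, substring filter not allowed")
        rx = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        return any(re.match(rx, v, re.I) for v in values)
    return any(v.lower() == pattern.lower() for v in values)   # AD matching is case-insensitive


# Constructed sample directory: assumed DNs, not a real domain.
BASE = "DC=example,DC=com"
DOMAIN_ADMINS = f"CN=Domain Admins,CN=Users,{BASE}"
SERVER_OPS = f"CN=Server Operators,CN=Users,{BASE}"
ACCOUNT_OPS = f"CN=Account Operators,CN=Users,{BASE}"


def entry(sam, *groups):
    return {"objectclass": ["top", "person", "user"],
            "samaccountname": [sam], "memberof": list(groups)}


ENTRIES = [
    entry("jdoe-da", DOMAIN_ADMINS),
    entry("jdoe-adms", ACCOUNT_OPS),
    entry("jdoe-sop", SERVER_OPS),
    entry("jdoe-sp", SERVER_OPS, DOMAIN_ADMINS),   # admin group AND Domain Admins
    entry("jdoe"),                                 # plain user, no admin groups
]


def search(filter_str, entries=ENTRIES):
    """Return the sorted sAMAccountNames of entries matching the filter string."""
    node, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return sorted(e["samaccountname"][0] for e in entries if matches(node, e))


# Suffix-based exclusion, as in the replies above: all four admin suffixes minus -da.
BY_NAME = ("(&(objectClass=user)(|(sAMAccountName=*-adms)(sAMAccountName=*-da)"
           "(sAMAccountName=*-sop)(sAMAccountName=*-sp))(!(sAMAccountName=*-da)))")

# Group-based exclusion: member of any listed admin group but not of Domain Admins.
BY_GROUP = (f"(&(|(memberOf={SERVER_OPS})(memberOf={ACCOUNT_OPS}))"
            f"(!(memberOf={DOMAIN_ADMINS})))")

if __name__ == "__main__":
    print("by name :", search(BY_NAME))
    print("by group:", search(BY_GROUP))
```

Note that `jdoe-sp` is returned by the name-based filter but dropped by the group-based one, because it is also a member of Domain Admins; which behaviour is correct depends on whether the `-da` suffix or the group membership is the authoritative marker in the directory. Attempting `(memberOf=*Admins*)` raises an error in the evaluator, mirroring the server-side restriction described in the reply above.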

We have -adms, -da, -sop, -sp in admin accounts, so we don't want to get -da accounts in the source with any LDAP query.

For Azure AD, what is the aggregation filter query for the same?

No, it is different.
In Azure AD the structure is a little different and SP uses a different filter; you can find examples and an explanation in the guide:

See this topic too:
