thanili

Reputation: 617

LDAP extensible match filtering. Exclude groups based on OU text pattern

I have an Active Directory root like:

dc=ooo,dc=yyy,dc=xx

under this root there are several OUs like:

ou=Applications,dc=ooo,dc=yyy,dc=xx
ou=PKI,ou=Applications,dc=ooo,dc=yyy,dc=xx
ou=Servers,dc=ooo,dc=yyy,dc=xx
ou=Location1,ou=Servers,dc=ooo,dc=yyy,dc=xx
ou=Department1,dc=ooo,dc=yyy,dc=xx
ou=Subdepartment1=ou=Department1,dc=ooo,dc=yyy,dc=xx

I want to fetch all "departments", thus nodes which are represented as OUs, except specific OUs and their children (based on OU term) which do not represent a department.

For example, in the case described above I would like to fetch only Department1 and its subdepartments. But I want to achieve this by excluding OU Applications and its children as well as OU Servers and its children (search based on excluding criteria)...

I am performing the following search:

scope: subtree
search dn clause: dc=ooo,dc=yyy,dc=xx (beginning from the root)
filter: (&(!(ObjectClass=person))(!(ou:dn:=Applications))(!(ou:dn:=Servers)))

BUT the problem is that it only excludes 'Applications' and 'Servers' BUT not their children, so it returns me:

ou=PKI,ou=Applications,dc=ooo,dc=yyy,dc=xx
ou=Location1,ou=Servers,dc=ooo,dc=yyy,dc=xx
ou=Department1,dc=ooo,dc=yyy,dc=xx
ou=Subdepartment1=ou=Department1,dc=ooo,dc=yyy,dc=xx

Is there any way to eliminate all their children as well, and to finally have only

ou=Department1,dc=ooo,dc=yyy,dc=xx
ou=Subdepartment1=ou=Department1,dc=ooo,dc=yyy,dc=xx

returned?

Upvotes: 1

Views: 4098

Answers (1)

jwilleke

Reputation: 10976

I do not know all the details, but AD has limited support for LDAP extensible match filtering: http://msdn.microsoft.com/en-us/library/cc223241.aspx

Upvotes: 2
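
The exclusion the question asks for, done on the client after a plain subtree search, as an added example that is not part of the original question or answer. It assumes the search results are available as DN strings; the function names and the sample DNs (including the one with an escaped comma) are constructed for illustration.

```python
# Added example: client-side stand-in for the (!(ou:dn:=...)) exclusion.
# An entry is dropped when ANY RDN in its DN is ou=<excluded name>, so the
# excluded OU itself and everything beneath it are removed together.

EXCLUDED_OUS = {"applications", "servers"}  # OU names taken from the question


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas.
    Multi-valued RDNs (joined with '+') are left as a single RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def in_excluded_subtree(dn, excluded=EXCLUDED_OUS):
    """True if the entry is an excluded OU or lives anywhere below one."""
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "ou" and value.strip().lower() in excluded:
            return True
    return False


def departments(dns, excluded=EXCLUDED_OUS):
    """Keep only the DNs that are outside every excluded subtree."""
    return [dn for dn in dns if not in_excluded_subtree(dn, excluded)]


# Constructed sample modelled on the directory layout in the question.
SAMPLE = [
    "ou=Applications,dc=ooo,dc=yyy,dc=xx",
    "ou=PKI,ou=Applications,dc=ooo,dc=yyy,dc=xx",
    "ou=Servers,dc=ooo,dc=yyy,dc=xx",
    "ou=Location1,ou=Servers,dc=ooo,dc=yyy,dc=xx",
    "ou=Department1,dc=ooo,dc=yyy,dc=xx",
    "ou=Subdepartment1,ou=Department1,dc=ooo,dc=yyy,dc=xx",
    r"ou=Servers\, retired,ou=Department1,dc=ooo,dc=yyy,dc=xx",
]
```

The comparison is on whole RDN values, so an OU whose name merely contains an excluded word, such as the escaped-comma entry in the sample, is kept.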
