Reputation: 57
I am pulling a list of users from Active Directory; however, I want to skip a specific Organisational Unit by the name of "ServiceAccounts". My understanding is that the following line will not solve my problem, as wildcards do not work with DN:
search.Filter = "(&(objectCategory=person)(objectClass=user)(!(distinguishedName=*ServiceAccounts*))(mail=*))";
This OU contains a list of around 150+ service accounts which I do not need while generating a list of employees. My only question: how do I not get records from a specific OU?
Thanks, Much appreciated!
Upvotes: 0
Views: 2217
Reputation: 11056
In LDAP generally, substring searches within DN values are not permitted.
In Microsoft Active Directory specifically, the wildcard character cannot be used with Distinguished Name attributes (attributes of data type DN), such as the distinguishedName, memberOf, directReports, and managedBy attributes.
And as Microsoft Active Directory only supports specific Extensible Match Rules, I do not believe this is possible.
Also, by default, the "ou" value is not populated on user entries or you might be able to use:
(!(ou=ServiceAccounts))
Within the filter.
Some programming environments appear to support a non-standard syntax of:
(&(objectClass=user)(!(distinguishedName:=%ServiceAccounts%)))
Perhaps if you provide more information about your tree structure, someone could provide a solution.
Upvotes: 0
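Because the filter cannot match substrings inside distinguishedName, one option is to run the search without the DN clause and drop the ServiceAccounts entries on the client by parsing each returned DN into its components. This is an added example, not code from the question or the answer; the names DnFilter and IsUnderOu are hypothetical and the sample DNs are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class DnFilter
{
    // Split a DN into RDNs on commas that are not escaped with a backslash.
    static List<string> SplitRdns(string dn)
    {
        var parts = new List<string>();
        var current = new System.Text.StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length)
                current.Append(c).Append(dn[++i]); // keep the escaped pair intact
            else if (c == ',')
            {
                parts.Add(current.ToString().Trim());
                current.Clear();
            }
            else current.Append(c);
        }
        parts.Add(current.ToString().Trim());
        return parts;
    }

    // True when any container component of the DN is exactly OU=<ouName>.
    public static bool IsUnderOu(string dn, string ouName)
    {
        string wanted = "OU=" + ouName;
        // Skip the first RDN: it names the object itself, not a container.
        return SplitRdns(dn).Skip(1)
            .Any(rdn => string.Equals(rdn, wanted, StringComparison.OrdinalIgnoreCase));
    }

    static void Main()
    {
        // Constructed DNs standing in for the distinguishedName of each search result.
        var dns = new[] {
            "CN=Jane Doe,OU=Staff,DC=example,DC=com",
            "CN=svc-backup,OU=ServiceAccounts,DC=example,DC=com",
            "CN=ServiceAccounts Admin,OU=Staff,DC=example,DC=com",
            "CN=Doe\\, John,OU=OldServiceAccounts,DC=example,DC=com",
        };
        foreach (var dn in dns.Where(d => !IsUnderOu(d, "ServiceAccounts")))
            Console.WriteLine(dn);
    }
}
```

Only the svc-backup entry is dropped: comparing whole RDNs avoids the false matches a plain substring test would produce on a CN that contains "ServiceAccounts" or on an OU such as OldServiceAccounts.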