Search when NOT in OU

Question

I want to search in the AD with LDAP, with a condition that people are not in a specific OU (see example)

Domain.local
- [OU] Location A
-- [OU] Users
-- [OU] Computers
- [OU] Location B
-- [OU] Users
-- [OU] Computers
- [OU] Location C
-- [OU] Users
-- [OU] Computers

In my filter I want all users BUT the users from Location B/Users

is this possible? And if yes, how?

Answer 1

ExtensibleMatch explained here allow to build filters on the DN path, but it's not supported in Active Directory. As far as I know you've got the following solution to do what you want:

• Multiple search, one for each OU except the one you don't want
• Two search, one global, one for the OU you don't want objects, and you suppress the entries from the second search in the first one.
• Use an attribute in AD to make the distinction for users in Location B. For example the attribute called OU which is inherited from organizationalPerson class. you set it with "locationB" (it's multivaluated)

The third solution is the one I use. My advice in your case is :

1. Test if OU attribute is used in your Directory for users or inetorgpersons if so select an other attribute

   (&(|(objectclass=inetOrgPerson)(objectclass=user))(ou=*))

2. by scripting, by programming,by using LDIF populate the attribute you choose and keep it in use

If you are programmin with C# you've got the information of "parent" for an object as I explain in a simalary question so you can sort object on this criterium.