LDAP query to return all groups in specified OU

I am trying to update my filter currently appled to the People Picker in SharePoint (WSS).

I am using stsadm to set the filter.

Something like...

stsadm -o setproperty -url http://webserver:39770 -pn peoplepicker-searchadcustomfilter -pv "(&(userAccountControl=512)(objectCategory=person)(objectClass=user)(memberOf=cn=All Users Group,ou=E-Mail Distribution Lists,dc=domain,dc=com,dc=au))"

I know ho开发者_高级运维w to do this but want to change the LDAP query. This is where I need your help.

I would like to query an OU in AD and return all the groups in it.

As a fall back I could put all groups in the OU into their own group and just query the group using the following query...

(&(memberOf=CN=WSSPeoplePickerGroup,OU=Groups,DC=domain,DC=com,DC=au)(objectCategory=group))

... but I would like to directly query the OU if I can. It has become a bone I don't want to let go of just yet, so hopefully there is someone smarter than me out there.

I think where I need to head is something like the following query I found. As I understand it this is known as an extensible search match and they are filtering on the 'name' of OU but I am having trouble seeing how I might apply this to what I want (despite the numerous attempts I have made), if this is indeed the approach I should take.

(&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Wrigleyville))))

TIA

If you want search a particular OU only. Why not just search by the distinguishedName?

In your case, maybe something like this.

(distinguishedName=*ou=E-Mail Distribution Lists,dc=domain,dc=com,dc=au)

which will be equivalent to searching the OU E-Mail Distribution.

And also userAccountControl=512 does not mean all enabled user. It just searches for Normal account. A better way would be to search whether the Disabled flag is set.

Use this instead of userAccountControl=512 to find all users which are not disabled.

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

fyi.