Applying Filters for Directory Manager and Directory Search

This article applies to:

  • Directory Search v3.1 and later
  • Directory Manager v3.0.1 and later

By default, Directory Manager and Directory Search search for all users (or contacts) across the entire domain. In most cases this search returns not only the users you want to see, but also service accounts, administrator accounts, and inactive or disabled accounts. You may not want users of Directory Manager or Directory Search to see these accounts in their search results. We provide several ways to filter the search results so that end users see only the users or contacts from Active Directory that you want them to see. Note that these filters control what the applications display; they do not change who can read the objects in Active Directory itself. The options are:

  • Limiting search results to a single parent OU structure
  • Preventing disabled users from being displayed
  • Preventing users that are not mail-enabled from being displayed
  • Excluding users with a specific value in a specific attribute
  • Creating a custom LDAP filter
  • Searching for users in specific Organizational Units (OUs)

Specifying a Search Base organizational unit

We use the LDAP protocol to query Active Directory. An LDAP query consists of a search base (the distinguished name of the container where the search starts; everything in that container and below is in scope) and a filter that selects which objects to return. An organizational unit (OU) can serve as the search base. Directory Search and Directory Manager allow you to specify a parent OU, the searchBase, which determines the starting point for all queries. Only users (and contacts) in that OU and below will be listed.

This is a popular way to restrict searches, but it has limitations. You can specify only one searchBase; multiple searchBase OUs are not supported, so all users and contacts you wish to search for must be under that one OU. The searchBase must be an OU; it does not work for the default "Users" container. In addition, this feature only works in single-domain forests. The feature existed in previous versions, but it was tied to the OU-by-OU search filter, which made it confusing.

To enable an OU filter, open the AppSettings.XML file and look for this section:

<organizationalUnitFilter enabled="false" searchBase="Accounts" />

With enabled set to "true", the above example would start all searches in the top-level OU "Accounts". If you want Directory Manager or Directory Search to look only in the \Accounts\Users OU and the OUs below it, enter the OU path in the searchBase attribute (without a leading slash) and set enabled="true". It will look like this:

<organizationalUnitFilter enabled="true" searchBase="Accounts/Users" />

Filtering Disabled and Exchange enabled users

You can also choose to display only user accounts that are enabled, or only user accounts that are Exchange enabled. This is done in the userList section of the AppSettings.XML file. Look for this section:

    <userList
      useGlobalCatalog="false"
      maxResults="500"
      pageSize="20"
      showContacts="true"
      showDisabledUsers="false"
      showOnlyExchangeEnabledUsers="false"
      ...

To exclude disabled users from the default search listing, set showDisabledUsers="false" (the value shown above); set it to "true" if you want disabled accounts to appear. To include only users that are Exchange enabled in the default search listing, set showOnlyExchangeEnabledUsers="true".


Excluding Specific Users or Contacts

We also have a feature we call an exclusion filter. It is a simple filter that excludes any user or contact from the default search listing if the specified text is found in the specified attribute. Remember that this is an exclusion filter only; you cannot use it to include users or contacts in the search listing. In the AppSettings.XML file, look for this section:

<accountFilter enabled="false" attribute="extensionAttribute12" value="excluded" />

In the above example (once enabled="true"), any user or contact whose extensionAttribute12 contains the text excluded is filtered out. extensionAttribute12 is one of the custom attributes (extensionAttribute1 through extensionAttribute15) added to user objects when the Active Directory forest has been prepared for Exchange Server. Choose an attribute and value that are not used for any other purpose, since every account whose attribute happens to contain that text will disappear from the listing.


Custom LDAP Filters

We now support the ability for an administrator to define their own LDAP filter. This is an advanced feature: a mistyped or overly broad filter can easily produce unpredictable search results, so test the filter directly against Active Directory before enabling it. Unlike the exclusion filter, a custom filter can either include or exclude objects from the search results.

<customLdapFilter enabled="false" value="(department=*marketing*)" />

With enabled="true", the example above limits the listing to objects whose department attribute contains the text marketing.

Directory Search: Searching by Organizational Unit

Directory Search v3.1 and later has a feature that allows your users to select and search different organizational units (OUs). Depending on how your Active Directory is organized, this can be a useful feature. In previous versions of Directory Search this feature was tied to the searchBase feature, but it is now independent. It only works in single-domain forests. It lets a user select an OU (shown by its friendly name) in the search list; Directory Search then lists all users or contacts in that parent OU and below. To enable this feature, look for this section in the AppSettings.XML file:

<searchByOu text="Organizational Unit" enabled="true">
   <ou name="Accounts/NewYork" text="New York Office" />
   <ou name="Accounts/Breck" text="Breckenridge Office" />
   <ou name="DemoUsers/London" text="London Office" />
</searchByOu>

You cannot combine multiple parent OUs into a single search. Note that this feature bypasses the searchBase feature: an OU listed here is searchable even if it lies outside the searchBase OU, so list only OUs whose users you want end users to see.
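The following PowerShell is an added example, not code from the product or from this article. It previews what each setting above would return by running an equivalent LDAP query directly against Active Directory with the ActiveDirectory module, so you can check a searchBase, searchByOu entry, exclusion value or custom filter before enabling it in AppSettings.XML. The product's own queries are not documented here; the LDAP expressions used for the disabled-user, Exchange-enabled and exclusion settings, and the mapping of a slash-separated OU path such as "Accounts/Users" to a distinguished name, are my assumptions about how the settings behave.

```powershell
# Added example (not the product's own code). Assumes a domain-joined machine
# with RSAT (the ActiveDirectory module) and read access to the directory.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=com

# Convert a slash-separated OU path as written in searchBase / searchByOu
# ("Accounts/Users") into a distinguished name (OU=Users,OU=Accounts,DC=...).
# This mapping is an assumption about how the product interprets the path.
function ConvertTo-OuDn {
    param([string]$OuPath)
    $parts = $OuPath.Trim('/').Split('/')
    [array]::Reverse($parts)
    # Escape RDN special characters so an OU name like "R&D, Ltd" stays a valid DN.
    $rdns = $parts | ForEach-Object { 'OU=' + ($_ -replace '([,+"\\<>;=])', '\$1') }
    return ($rdns -join ',') + ',' + $domainDn
}

# Assumed LDAP equivalents of the userList, accountFilter and customLdapFilter settings.
$userOnly        = '(objectCategory=person)(objectClass=user)'
$notDisabled     = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'  # showDisabledUsers="false" (ACCOUNTDISABLE bit)
$exchangeEnabled = '(mailNickname=*)'                                     # showOnlyExchangeEnabledUsers="true" (assumed)
$notExcluded     = '(!(extensionAttribute12=*excluded*))'                 # accountFilter, assumed substring match
$custom          = '(department=*marketing*)'                             # customLdapFilter value from the article

$filter = "(&$userOnly$notDisabled$exchangeEnabled$notExcluded$custom)"

# Same starting point as searchBase="Accounts/Users"; Subtree means "that OU and below".
$base = ConvertTo-OuDn 'Accounts/Users'
Get-ADUser -LDAPFilter $filter -SearchBase $base -SearchScope Subtree `
           -Properties department, extensionAttribute12 |
    Select-Object SamAccountName, Enabled, department, extensionAttribute12

# Contacts (showContacts="true") are not user objects, so query them separately.
Get-ADObject -LDAPFilter "(&(objectClass=contact)$notExcluded)" -SearchBase $base -SearchScope Subtree |
    Select-Object Name, DistinguishedName

# Preview each searchByOu entry the same way (paths taken from the example above).
foreach ($ou in 'Accounts/NewYork', 'Accounts/Breck', 'DemoUsers/London') {
    $count = @(Get-ADUser -LDAPFilter "(&$userOnly$notDisabled)" `
                          -SearchBase (ConvertTo-OuDn $ou) -SearchScope Subtree).Count
    '{0,-20} {1,5} enabled users' -f $ou, $count
}
```

If a query returns nothing, the filter or search base is excluding everything; compare the result count with and without the $custom clause before turning the setting on. Get-ADUser will also throw if the search base DN does not exist, which catches a mistyped OU path before end users see an empty listing.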

Key words: filter, filtering, organizational unit, OU, LDAP, searchBase, parent
Last Review: 21 March 2018