How to filter sub-OUs in AD connector

Huu Tran 4 months ago in Identity Broker for Microsoft Active Directory • updated by Adam van Vliet (Product Manager) 2 months ago 8

An AD connector will search objects in an OU in sub-tree mode. This means it looks through all sub-OUs.

What to do if only objects in few selected sub-OUs need to be imported? i.e.

Based Container: OU=User, DC=company, DC=com

only objects in 2 sub-OU needed to be import:

OU=Staff,OU=User, DC=company, DC=com

OU=Disabled_Staff,OU=User, DC=company, DC=com

Affected Versions:
Fixed by Version:


Under review

Hi Huu,

Is it possible that the LDAP filter on the connector might be able to target the particular sub-containers, or the entities contained in them?

Hi Curtis, I tried that but no success ... AD does not allow wildcard search on dn and no other attribute contains OU info. See below:

Dn: CN=Firstname Surname,OU=Users,DC=company,DC=com
accountExpires: 9223372036854775807 (never);
badPasswordTime: 0 (never);
badPwdCount: 0;
cn: Firstname Surname;
codePage: 0;
countryCode: 0;
distinguishedName: CN=Firstname Surname,OU=Users,DC=company,DC=com;
dSCorePropagationData: 0x0 = (  );
givenName: Firstname;
instanceType: 0x4 = ( WRITE );
lastLogoff: 0 (never);
lastLogon: 0 (never);
logonCount: 0;
name: Firstname;
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=company,DC=com;
objectClass (4): top; person; organizationalPerson; user;
objectGUID: 1de570bd-f2cb-4664-b839-f2f926224c5f;
objectSid: S-1-5-21-185952679-2677576052-3257292388-138740;
primaryGroupID: 513 = ( GROUP_RID_USERS );
pwdLastSet: 2/11/2017 8:05:59 AM AUS Eastern Daylight Time;
sAMAccountName: 626483;
sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT );
sn: Surname;
userAccountControl: 0x200 = ( NORMAL_ACCOUNT );
userPrincipalName: 626483@company.com;
uSNChanged: 3859705;
uSNCreated: 3859701;
whenChanged: 2/11/2017 8:05:59 AM AUS Eastern Daylight Time;
whenCreated: 2/11/2017 8:05:59 AM AUS Eastern Daylight Time;

Thanks for the info, Huu. Without knowing more about the content of the other sibling OUs, is there any other attribute shared by the users in your two target OUs that you might be able to filter on?

I'll add the multiple-OU-import use case to our product backlog. For potential workarounds, how much control do you have over the OU hierarchy? Would it be possible to structure it as OU=Active,OU=Staff,OU=Users,DC=company,DC=com and OU=Terminated,OU=Staff,OU=Users,DC=company,DC=com and then instead target OU=Staff,OU=Users,DC=company,DC=com, which should not only include your two target sub-OUs?

I don't have any control over OUs, only read access. I think I will import all users in for now and leave the unwanted as disconnectors (no join to lockers). There will be performance impact but I guess it will work. What do you think?  

Hi Huu,

Could you try applying this patch Unify.Connectors.AD.dll and reconfiguring the Object Container setting on the connector to a semi-colon-separated list of OUs, e.g. OU=Staff,OU=User, DC=company, DC=com;OU=Disabled_Staff,OU=User, DC=company, DC=com and let us know if this imports the correct users?

Hi Curtis, it works. However, can I have the option of one-level or subtree search. At the moment, it is still loading all users from in sub-OUs of the declared OUs.

Thanks for the update, Huu. Glad to hear that it works. We'll have to consider the most appropriate way to incorporate this use case into the product, but you can use the patch in the meantime.

Specifying the search scope is much more clear cut, and seems reasonable to support. I've added a feature to the backlog to allow configuring this for future versions, in the meantime the following patch will force one-level search: Unify.Connectors.AD.Agent.dll