Category:General
Last Updated:2011-08-11
When pulling from AD, it may be desirable to include or exclude certain source objects based on their group membership.
NOTE: If your MemberOF filter/exclude is not working as expected, this may be due to security permissions. Try using a Domain Admin as the source login ID to see if you get better results. Alternatively, to allow a Domain User to work, you may need to delegate advanced control of both Groups as well as Users in the root of the source domain.
EXCLUDE based on Group Membership:
If you want to exclude objects based on Group membership, you should use an Exclude Rule on the Exclude tab of your connection.
Example Rules for Excluding objects based on Group Membership, where GroupX is simply the name of the group.
MemberOf:GroupX
MemberOf:GroupZ
INCLUDE based on Group Membership:
The inclusion of objects based on Group membership may be accomplished with an Optional
LDAP Query Filter (Source tab). Note: if you are already using a filter, you must use proper syntax to combine the existing and new filters.
On the Source tab of your connection, insert filters for each source object type you want to apply the filters to (i.e. Users, Contacts, Groups). In the filter, specify the group or groups whose member objects you want the connection to pull.
Example for including members of one group:
(Memberof=CN=GroupX,ou=Groups,DC=domain,DC=com)
For multiple groups, use leading or "|" syntax and specify each GroupDN:
Example for including members of two Groups:
(|(Memberof=CN=GroupX,ou=Groups,DC=domain,DC=com)(Memberof=CN=GroupZ,ou=groups,DC=domain,DC=com))