How do I filter out unwanted objects when performing a search against Active Directory? (NETIQKB30347)

  • 7730347
  • 02-Feb-2007
  • 23-Oct-2007

Resolution

goal
How do I filter out unwanted objects when performing a search against Active Directory?

goal
How do I exclude unwanted objects when performing a search against Active Directory?

goal
How do I remove unwanted objects from a search against Active Directory?

goal
How do I search against Active Directory without including unwanted objects?

fact
VigilEnt Policy Center 2.1

fact
VigilEnt Policy Center 3.0

fact
VigilEnt Policy Center 4.0

fact
Microsoft Windows 2000 Server

fix

To filter out unwanted objects when performing a search against Active Directory, complete the following steps:

  1. Set the search base to the container object (OU) in which all of the users reside. Only objects under that container are returned, so everything elsewhere in the directory is filtered out.

    Note:  This method only works if all of the users are in one OU (or in its child OUs). If you point the search base at that container, you will only be able to see the objects within it; users created in other OUs or containers will not be found.

  2. Set the permissions on the OUs or container objects that contain the unwanted objects (for example, computer accounts) to deny access to the account that VigilEnt Policy Center uses to bind to LDAP. This should be a dedicated, low-privilege account used only for that purpose. Once the Deny is in place, the account cannot read those container objects, so their contents never appear in the search results.

    To set the permissions to the container objects (OUs) to deny access to the binding account, complete the following steps:
    1. Log in to one of your AD servers and click Start Menu | Programs | Administrative Tools | Active Directory Users and Computers.
    2. Locate the container object (OU) that has the unwanted objects in it (Computer Accounts). Right-click the container object, select Properties | Security, then click Add.
    3. Browse to the account that you are using to bind to LDAP within VigilEnt Policy Center and select the account.
    4. Select Deny and select the Full Control, Read, Write, Create All Child Objects, and Delete All Child Objects check boxes. Denying Read is what hides the container from the binding account; the remaining entries are already covered by Full Control and only block changes a read-only bind account should never be making.
    5. Click Apply to apply the settings.  

      Note:  A Deny security setting takes precedence over an Allow. Therefore, even if the binding account belongs to groups that have access to objects, the Deny overrides those settings. The one exception is an explicit Allow set directly on a child object, which outranks a Deny inherited from the parent OU; after applying the change, check the binding account's effective permissions on a sample object inside the container.

      Note: Complete these steps for all container objects (OUs) that have unwanted objects (Computer Accounts).

  3. Alternatively, filter out the unwanted accounts using the advanced attribute mappings for LDAP in VigilEnt Policy Center.
    1. Log in to VigilEnt Policy Center as the administrator or with an account that has administrative privileges.
    2. Click Administration | Options | Repository.
    3. Click the Advanced tab for the LDAP settings. Change the User Object Class from its current value to the object class of the accounts you want returned, and then click Update. Objects of other classes are no longer returned; objects that share the same object class still are.

(For a standard Active Directory user the objectClass values are top, person, organizationalPerson, and user. The exact values depend on how your directory schema is configured; if it has been extended, your objects may carry additional classes. Note that the Active Directory schema derives the computer class from user, so a computer account also matches objectClass=user. This setting on its own therefore does not exclude computer accounts; combine it with step 1 or step 2 for those.)
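The script below is an added example; it is not part of the NetIQ article and not VigilEnt Policy Center code. It uses the .NET System.DirectoryServices classes that ship with Windows, so it runs on any domain member without the Active Directory module. It shows the directory side of steps 2 and 3: first why a filter on the single object class "user" still returns computer accounts and what filter does exclude them, then the Deny entry from step 2 applied to the OU by script, then a search as the binding account to confirm the OU's contents are gone. The domain example.com, the OU "Workstations", and the bind account EXAMPLE\svc-vpc-ldap are assumed names; replace them with your own.

```powershell
# Added example, not NetIQ/VigilEnt code. Uses the .NET System.DirectoryServices
# classes that ship with Windows, so it needs no AD module. Assumed (hypothetical)
# names: domain example.com, OU "Workstations" holding the computer accounts, and
# bind account EXAMPLE\svc-vpc-ldap. Run as a user who may edit the OU's security.

$Domain      = "DC=example,DC=com"
$ComputerOU  = "OU=Workstations,$Domain"
$BindAccount = "EXAMPLE\svc-vpc-ldap"

# Run one LDAP subtree search, optionally as a different account, and return the hits.
function Find-Objects {
    param(
        [string]$SearchBase,
        [string]$Filter,
        [System.Management.Automation.PSCredential]$Credential
    )
    if ($Credential) {
        $root = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$SearchBase", $Credential.UserName,
            $Credential.GetNetworkCredential().Password)
    } else {
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize = 500                      # page past the server's 1000-entry limit
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    [void]$searcher.PropertiesToLoad.Add("objectClass")
    foreach ($hit in $searcher.FindAll()) {
        [pscustomobject]@{
            Name    = $hit.Properties["samaccountname"][0]
            Classes = ($hit.Properties["objectclass"] -join ",")
            Path    = $hit.Path
        }
    }
}

# Step 3 check. A computer account's objectClass is
# top,person,organizationalPerson,user,computer, so a filter on the single class
# "user" still returns it. objectCategory is "computer" for computers and
# "person" for users, which is what actually separates them.
"--- (objectClass=user): includes computer accounts ---"
Find-Objects -SearchBase $Domain -Filter "(objectClass=user)" |
    Format-Table Name, Classes -AutoSize
"--- (&(objectCategory=person)(objectClass=user)): users only ---"
Find-Objects -SearchBase $Domain -Filter "(&(objectCategory=person)(objectClass=user))" |
    Format-Table Name, Classes -AutoSize

# Step 2: deny the bind account read access on the OU and everything under it.
function Deny-ReadOnContainer {
    param([string]$ContainerPath, [string]$Account)
    $container = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ContainerPath")
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    # GenericRead = ListChildren + ReadProperty + ReadControl + ListObject. Denying
    # read is what hides the subtree; denying Write/Delete as well (as the GUI steps
    # in the article do) is harmless but adds nothing for a read-only bind account.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $container.psbase.ObjectSecurity.AddAccessRule($rule)
    $container.psbase.CommitChanges()
}

Deny-ReadOnContainer -ContainerPath $ComputerOU -Account $BindAccount

# Verify as the bind account: nothing under the Workstations OU should come back.
$bindCred = Get-Credential -Credential $BindAccount
"--- as $BindAccount after the Deny: (objectClass=user) under $ComputerOU ---"
Find-Objects -SearchBase $Domain -Filter "(objectClass=user)" -Credential $bindCred |
    Where-Object { $_.Path -like "*$ComputerOU" } |
    Format-Table Name, Path -AutoSize          # expected: no rows
```

The verification step matters because an explicit Allow entry on an individual object inside the OU (for the bind account or one of its groups) outranks the Deny inherited from the OU; if any rows still appear, inspect that object's security tab. Whether VigilEnt Policy Center lets you type a full LDAP filter or only a single object class name is not covered by the article, so treat the objectCategory filter as the check to run against the directory, not as a product setting.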



Additional Information

Formerly known as NETIQKB30347