Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

AD Base Filter syntax

twgtech
New Member
‎10-04-2010 11:41 AM

I am using the "Map users directly" config from here -

http://www.splunk.com/base/Documentation/4.1.5/Admin/SetupuserauthenticationwithLDAP#Test_your_LDAP_...

in order to get around referrals in an AD forest with multiple child domains.

Everything is working well, in fact, too well. It is returning all objects, even though my (objectclass=user) is set (I tried people as well. no change).

My question is how can I filter out the computer objects that get returned? Ideally, I'd like to remove everything with a $ in the name. I've tried piping !objectclass=computer into it with no success.

Tags (2)
0 Karma
Reply

ziegfried
Influencer
‎10-04-2010 12:22 PM

One option is to use the userAccountControl flag to query user accounts:

(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512))

(the UAC flag 512 means NORMAL_ACCOUNT)

Your suggestion of filtering accounts with $ in its name would work as well:

(&(!(sAMAccountName=*$*))(objectclass=user))
Reply

twgtech
New Member
‎10-05-2010 01:31 PM

Thanks, gkanapathy. That works as well. now if I can only get it to distiguish between the same sAMAccountName from different domains. I'll be creating a new question for that one.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-04-2010 04:10 PM

Usually in AD, you want (&(ObjectCategory=Person)(objectclass=user)).

0 Karma
Reply

twgtech
New Member
‎10-04-2010 01:58 PM

DOH! No wonder my query wasn't working. I didn't correctly paren it. Thanks for the examples. A quick shuffle and it's doing exactly what I need.

Thanks much, ziegfried.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...