LDAP User Filters for Limiting User Profile Import

Post reproduced here:

If you’ve ever tried to set up SharePoint 2007 to import user
profiles via LDAP you’ll like this post. Setting up the SSP to
import profiles is a fairly simple task, but what is not that easy is
applying the right LDAP user filter to import only the accounts that
you want from Active Directory. I’d like to share my experience with
applying user filters and some of the excellent user filter examples
I have found.

Instructions for creating a new connection and applying an LDAP user
filter to limit the profiles imported by your Shared Service Provider:

1. Log in to your SharePoint Central Administration site.
2. Select your Shared Service Provider and click on “User profiles and properties” under the “User Profiles and My Sites” column.
3. Click on the link, “Manage Connections”.
4. Click on “Create New Connection”.
5. Give the connection a meaningful name.
6. In the Directory service server name text box, enter the server name or IP address of your LDAP server.
7. Enter the LDAP user filter of your choice (see below for examples).

Now you are ready to import your LDAP users into the profile
database. Go back a screen and start a full import. Once the import
starts enumerating you should see user profiles being imported into
SharePoint. When the import is complete, click “View Profiles” to see
what profiles were imported.

I’ve compiled a fairly good set of user filters below; feel free to submit a comment if you have others to add to the list.

Example LDAP User Filters

Default user filter:
(&(objectCategory=Person)(objectClass=User))

Exclude accounts with no email address:
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(mail=*))

Exclude disabled accounts:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Exclude accounts with passwords set to expire:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))

Include only the accounts with valid email addresses:
(&(objectCategory=Person)(objectClass=User)(mail=*com))

Include only the accounts that are part of the Branch1 organizational unit:
(&(objectCategory=Person)(objectClass=User)(memberOf:1.2.840.113556.1.4.1941:=CN=Authenticated Users,OU=Branch1,DC=domain,DC=local))

Exclude accounts that don’t have a first name:
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(givenName=*))
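
As an added example (not part of the original post), here is a small evaluator for the filter syntax used above: it parses AND/OR/NOT, equality, presence and substring matches and the bitwise-AND matching rule 1.2.840.113556.1.4.803, and runs the filters against a constructed sample directory. The entries alice, bob and svc-backup are made up; the evaluator is a simplification of Active Directory’s matching (it does not implement the chain rule 1.2.840.113556.1.4.1941) and is meant to show why a plain equality test on userAccountControl misses a disabled account whose value is 514, and why an unbalanced filter or a NOT without a parenthesised child is rejected before it reaches the server.

```python
import re

def parse(s, i=0):                       # parse the filter at s[i]; return (node, index past its ')')
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1] in "&|!":                # AND / OR / NOT over parenthesised children
        op, kids, i = s[i + 1], [], i + 2
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if op == "!" and len(kids) != 1:
            raise ValueError(f"NOT needs exactly one parenthesised child at offset {i}")
        node = (op, kids)
    else:                                # leaf: attr=value, attr=*, attr:matchingRuleOID:=value
        m = re.match(r"([\w-]+)(?::([\d.]+):)?=([^)]*)", s[i + 1:])
        if not m:
            raise ValueError(f"bad filter item at offset {i}")
        node, i = ("=", m[1].lower(), m[2], m[3]), i + 1 + m.end()
    if s[i:i + 1] != ")":
        raise ValueError(f"unbalanced parentheses at offset {i}")
    return node, i + 1

def matches(node, entry):                # evaluate a parsed filter against one entry (lower-cased attribute keys)
    if node[0] in "&|!":
        kids = [matches(k, entry) for k in node[1]]
        return all(kids) if node[0] == "&" else any(kids) if node[0] == "|" else not kids[0]
    actual, rule, val = entry.get(node[1]), node[2], node[3]
    if actual is None:                   # an absent attribute never matches
        return False
    if rule == "1.2.840.113556.1.4.803": # LDAP_MATCHING_RULE_BIT_AND: every bit of val is set in actual
        return int(actual) & int(val) == int(val)
    if "*" in val:                       # presence (=*) or substring (=*com)
        return re.fullmatch(re.escape(val).replace(r"\*", ".*"), actual, re.I) is not None
    return actual.lower() == val.lower()

def is_valid(expr):                      # True when expr is one complete, balanced filter
    try:
        return parse(expr)[1] == len(expr)
    except (ValueError, IndexError):
        return False

def ldap_filter(expr, entries):          # cn of every entry the filter selects; malformed filters raise
    if not is_valid(expr):
        raise ValueError("malformed filter: " + expr)
    return [e["cn"] for e in entries if matches(parse(expr)[0], e)]

BASE = {"objectcategory": "Person", "objectclass": "User"}  # constructed sample directory, not real accounts
USERS = [{**BASE, "cn": "alice", "useraccountcontrol": "512", "mail": "alice@example.com", "givenname": "Alice"},
         {**BASE, "cn": "bob", "useraccountcontrol": "514", "mail": "bob@example.com"},  # 512 + ACCOUNTDISABLE (2)
         {**BASE, "cn": "svc-backup", "useraccountcontrol": "66048"}]  # 512 + DONT_EXPIRE_PASSWD (65536), no mail
```

Running the disabled-account filter from the list over USERS returns alice and svc-backup, while `(userAccountControl=2)` returns nothing because bob’s value is 514, not 2; that is why the bitwise matching rule is needed.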

Other Resources

Wayne Hall – Importing only a specific group into sharepoint profile database (via LDAP)

MSDN – Active Directory Search Filter Syntax

LDAP Documentation – LDAP Attribute List