New Member

LDAP Filter to exclude a sub OU?

I have a need to exclude a sub OU from a search base. CUCM is LDAP integrated to Active Directory. The directory search is basically OU=Users,DC=company,DC=local. There are a couple of OUs located under the Users container (OU=service, OU=special). A third party manages this company's AD and is not willing to make any changes to the structure. Does anyone have a suggestion for a filter that will work to filter out the users in the OU=special? I have tried several things, but the ones I thought would work are:

1. (&(objectClass=user)(!(OU=special)))  have tried this with the full search base as well

2. (!(&(objectClass=user)(OU=special)))

Any help would be appreciated.


Cisco Employee

Simply remove read permissions over that OU from the user you're using for the integration.



if this helps, please rate
New Member

Hi gpword,

I don't think you can exclude a sub OU, at least I could never get it working.

A few options you can use.

1. Add all the users in the "Special" OU to a group and then exclude that group - I use this option and it works


2. As above you could utilise the ipPhone field and only sync users who have this set or only sync users who are a member of a particular group below


The above examples also exclude disabled accounts, computer objects and include only users with the ipPhone field set.
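An added example, not part of the original posts: a small evaluator for a subset of LDAP filter syntax, run against a constructed directory, showing why both filters from the question still return the users in OU=special while a group-based exclusion does not. The entries, the user names and the `NoSync` group are hypothetical, and the user entries are assumed to carry no `ou` attribute of their own.

```python
# Added example: evaluates a subset of LDAP filter syntax (&, |, !, attr=value, attr=*).
# A filter tests an entry's attributes only; the OU parts of its DN are never consulted.
def parse(f, i=0):
    """Parse the filter starting at f[i] == '('; return (node, next index)."""
    op = f[i + 1]
    if op in "&|":
        kids, i = [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    if op == "!":
        kid, i = parse(f, i + 2)
        return ("!", kid), i + 1
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    held = [v.lower() for v in entry.get(node[1], [])]
    # An attribute absent from the entry makes the item false, so its negation is true.
    return bool(held) if node[2] == "*" else node[2] in held

USER = ["top", "person", "organizationalPerson", "user"]
NOSYNC = "CN=NoSync,OU=Users,DC=company,DC=local"  # hypothetical exclusion group
ENTRIES = {  # constructed directory under the thread's search base
    "CN=alice,OU=Users,DC=company,DC=local": {"objectclass": USER},
    "CN=svc1,OU=service,OU=Users,DC=company,DC=local": {"objectclass": USER},
    "CN=bob,OU=special,OU=Users,DC=company,DC=local":
        {"objectclass": USER, "memberof": [NOSYNC]},
    "OU=special,OU=Users,DC=company,DC=local":
        {"objectclass": ["top", "organizationalUnit"], "ou": ["special"]},
}

def search(ldap_filter):
    # Return the leading RDN of every constructed entry the filter matches.
    tree, _ = parse(ldap_filter)
    return sorted(dn.split(",")[0] for dn, e in ENTRIES.items() if matches(tree, e))

if __name__ == "__main__":
    for f in ("(&(objectClass=user)(!(OU=special)))",
              "(!(&(objectClass=user)(OU=special)))",
              f"(&(objectClass=user)(!(memberOf={NOSYNC})))"):
        print(f, "->", search(f))
```

In Active Directory, `memberOf` holds direct memberships only and does not list a user's primary group, so the exclusion group must not be anyone's primary group.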


