Filter out accounts not in Domain Users


  • Filter out accounts not in Domain Users


    Our organization has been forced for certain reasons to create user accounts for MAC addresses. These new accounts are never administrated and just litter our "All Users"-view, which we use all the time.
    The MAC-address accounts have all been removed from "Domain Users" because they need no access rights in the domain.
    What we are now trying to find is a way to somehow filter the "All Users"-view so that these littering new user-accounts aren't shown.
    In short we want to prevent users that are not members of "Domain Users" from showing up in the "All Users"-view.

    We have been googling a good bit on this and also tested around a bit inside Hyena. From what we have found it seems possible to make some kind of AD query and bind the view to this query. So far though, we have not been able to come up with the final solution and would appreciate some help.


  • #2
    For one of these objects, right-click on it and choose Query Active Directory -> View All Directory Attributes. I need to see the value of memberOf, and of primaryGroupID. If you don't want to have that on this public board, you can email them to [email protected] so we can see if there is a way to query for them. Domain Users is a tough one in that all users are automatically added to it when created, and is the Primary Group for users by default. For users that haven't had the Primary Group changed, Domain Users will show up there as a group ID of 513, and won't be listed in the memberOf field. So a query to just list any users with Domain Users in the memberOf field could potentially filter out other users besides these MAC addresses. Once I get that data from you I'll see if there's anything I can key off of to create a filter.


    • #3
      Thank you for the fast reply.

      The accounts are of 5 different types (possibly more to come).
      I picked two types and here's the result for your questions:

      Type 1->
      memberOf: {}
      primaryID: 32620

      Type 2->
      memberOf: {}
      primaryID: 31968

      As you can see we have joined them to specific groups for each type, set this group to primary group and removed them from "Domain Users".
      The result is an empty "memberOf", I guess only groups that are not the primary group are listed under "memberOf".



      • #4
        There's no way to filter the All Users object, so if these instructions work the way you want you'll have to run this query whenever you want to see users that aren't these MAC addresses. This method takes some broad assumptions, but should give you a starting point to test and make sure it doesn't filter out accounts you don't want filtered out.

        Go to File -> Manage Object View -> AD Queries, change the Query Type to Container/OU Contents. On the right click the New Query icon, enter a name for it such as Filter Out Mac Address Objects, check the box at the bottom to Include subcontainers and sub-OUs in search, then paste this in the LDAP Search Filter box:

        (&(objectCategory=user)(objectClass=user)(!memberOf='')(!primaryGroupID=32620)(!primaryGroupID=31968))

        Click OK to create the query, and add the attributes you want to display for this query. You can use one of the user queries to get an idea of which fields they use. Click OK to close Object Manager, then to run this query right-click on Containers/OUs and choose Query Active Directory -> Filter Out Mac Address Objects.

        I would recommend copying this list out, and then copying out a list of All Users and paste both into an Excel spreadsheet to compare the two lists to make sure it only filtered out the MAC address objects.


        • #5
          Thank you for the help. We would've preferred to filter the "All Users"-view, but this is 2nd best. And it works like a charm.
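
The comparison recommended in reply #4 (query result against the full user list) can be scripted instead of done by eye in a spreadsheet. The following is an added example, not part of the original thread and not Hyena's own code; the account names, the MAC-style naming pattern, the group DN and the RID 40001 are constructed assumptions, while 513, 32620 and 31968 come from the replies above.

```python
import re

DOMAIN_USERS_RID = 513            # Domain Users primary group ID (reply #2)
MAC_GROUP_RIDS = {32620, 31968}   # primaryGroupID values reported in reply #3

# Assumption: MAC-address accounts are named as 12 hex digits, optionally
# separated by ':' or '-'. Adjust to the local naming scheme.
MAC_NAME = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")

# Constructed sample export: (sAMAccountName, primaryGroupID, memberOf)
ALL_USERS = [
    ("alice", 513, []),
    ("bob", 513, ["CN=VPN Users,OU=Groups,DC=example,DC=com"]),
    ("001a2b3c4d5e", 32620, []),
    ("00-1A-2B-3C-4D-5F", 31968, []),
    ("svc-print", 31968, []),      # ordinary account placed in a MAC group
    ("001a2b3c4d60", 40001, []),   # new MAC type whose group is not in the filter yet
]

def query_result(users):
    """Emulate the primaryGroupID exclusions of the LDAP filter in reply #4."""
    return [u for u in users if u[1] not in MAC_GROUP_RIDS]

def audit(users):
    """Compare the filtered list with the full list and report mismatches."""
    kept = {u[0] for u in query_result(users)}
    report = {"wrongly_hidden": [], "mac_still_visible": [], "memberof_blind": []}
    for name, pgid, member_of in users:
        is_mac = bool(MAC_NAME.match(name))
        if name not in kept and not is_mac:
            report["wrongly_hidden"].append(name)     # real account dropped from view
        if name in kept and is_mac:
            report["mac_still_visible"].append(name)  # filter needs another group ID
        # The primary group is never listed in memberOf, so an empty memberOf
        # looks the same for a plain Domain Users member and a MAC account.
        if pgid == DOMAIN_USERS_RID and not member_of:
            report["memberof_blind"].append(name)
    return report

if __name__ == "__main__":
    for finding, names in audit(ALL_USERS).items():
        print(f"{finding}: {names}")
```

Re-running this after each new MAC account type is added shows whether the query needs another primaryGroupID clause and whether any regular account has disappeared from the filtered view.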