I have an application that pulls user information from an OU in Active Directory. The parameters it takes are a base for the search and a filter string.
I have an O
The objectClasses `organizationalUnit` and its descendant `inetOrgPerson` allow the attribute `ou` to be present in an entry. Add an `ou` attribute with value `evil` to the objects subordinate to the `ou=evil` branch and include the assertion `(!(ou=evil))` in the search filter to limit responses from the candidate list to those that do not contain an attribute `ou` with the value `evil`. Alternatively, the LDAP Assertion Control could be used on requests in the same fashion to ensure that requests that contain an `ou` with the value `evil` are not processed. Professional-quality directory servers that are LDAP compliant will support both of these methods.
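As an added illustration of the filter approach in the answer above (example code written for this page, not part of the original post and not the code of any directory product), the script below builds a few constructed entries in which everything under the `ou=evil` branch carries an extra `ou: evil` value, then evaluates search filters against them with a small evaluator for the subset of RFC 4515 syntax the answer relies on (`&`, `|`, `!`, equality and presence items). The DNs, the `ENTRIES` table and the helper names (`parse_filter`, `matches`, `search`, `exclude_branch`) are all assumptions made for the example; the Assertion Control alternative is not demonstrated here.

```python
"""Evaluate a subset of RFC 4515 LDAP filters against constructed entries to
show how the (!(ou=evil)) assertion drops entries tagged with ou: evil.
Example code for this page; all entries below are constructed, not real."""
import re

# Constructed sample directory: DN -> {attribute: [values]}.
# Objects subordinate to ou=evil carry the extra `ou: evil` attribute value
# that the answer recommends adding to them.
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"], "ou": ["people"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"], "ou": ["people"],
    },
    "uid=mallory,ou=evil,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["mallory"], "ou": ["evil"],
    },
    "ou=evil,dc=example,dc=com": {
        "objectClass": ["organizationalUnit"], "ou": ["evil"],
    },
}


def parse_filter(text):
    """Parse a filter string into a nested tuple tree; rejects trailing data."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data in filter: %r" % rest)
    return node


def _parse(s):
    """Recursive-descent parser for (&...), (|...), (!...), (attr=value), (attr=*)."""
    if not s.startswith("("):
        raise ValueError("filter item must start with '(': %r" % s)
    s = s[1:]
    if not s:
        raise ValueError("unterminated filter")
    if s[0] in "&|":
        op, s = s[0], s[1:]
        children = []
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("missing ')' after %s-list" % op)
        return (op, children), s[1:]
    if s[0] == "!":
        child, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("missing ')' after '!'")
        return ("!", child), s[1:]
    m = re.match(r"([A-Za-z][A-Za-z0-9-]*)=([^)]*)\)", s)
    if not m:
        raise ValueError("unsupported filter item: %r" % s)
    return ("=", m.group(1), m.group(2)), s[m.end():]


def matches(node, entry):
    """Evaluate a parsed filter node against one entry's attribute dict."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    # Attribute names and (for this demo) values compare case-insensitively,
    # as with the caseIgnoreMatch rule used by `ou` and `objectClass`.
    values = [v.lower() for k, vs in entry.items()
              if k.lower() == attr.lower() for v in vs]
    if value == "*":                 # presence item, e.g. (ou=*)
        return bool(values)
    return value.lower() in values


def search(entries, filter_text):
    """Return the sorted DNs of entries satisfying the filter."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(node, attrs))


def exclude_branch(user_filter, attr="ou", value="evil"):
    """Wrap an application-supplied filter so tagged entries are excluded."""
    parse_filter(user_filter)        # reject malformed input before wrapping
    return "(&%s(!(%s=%s)))" % (user_filter, attr, value)


if __name__ == "__main__":
    base = "(objectClass=inetOrgPerson)"
    print("unfiltered:", search(ENTRIES, base))
    print("excluding ou=evil:", search(ENTRIES, exclude_branch(base)))
```

Running the script shows `mallory` present in the unfiltered result and absent once the `(!(ou=evil))` assertion is conjoined; the `ou=evil` container itself is already excluded by the `objectClass` term. The `exclude_branch` helper is where an application that accepts a caller-supplied filter string would apply the wrapping, after first checking that the supplied filter parses.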