We are using the AD/LDAP connection for our domain and would like to prevent students from logging in to create tickets.
You can set up (multiple) active directory connections with search filters applied.
For instance: (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=xxxxxx,OU=xxxxx,OU=Users,DC=xxxxx,DC=xxxxx))
This search filter will recursively match the members of the group listed after the ":=".
You could just specify your "Teachers" security group in the search filter.
You could also specify the "Users DN" in the directory connector to exclude students from the scope.
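The two approaches in the answer above (a recursive group-membership filter, and scoping by the "Users DN") are worth checking against the directory before pasting them into the WHD connection, since the filter is accepted silently and you only find out what it matched when you test the connection. The following is an added example, not code from the thread or from WHD; it assumes the RSAT ActiveDirectory module is installed, that the account running it can read the domain, and that the group DN and OU names (`Teachers`, `Staff`, `Students`, `example.edu`) are placeholders you replace with your own.

```powershell
# Added example (not from the thread): dry-run the WHD LDAP scope against AD.
# Assumptions: ActiveDirectory module present; the DNs below are placeholders.
Import-Module ActiveDirectory

$StaffGroupDn = 'CN=Teachers,OU=Groups,DC=example,DC=edu'   # placeholder: the staff security group
$StaffOu      = 'OU=Staff,OU=Users,DC=example,DC=edu'        # placeholder: OU used for the "Users DN" approach

# 1. Recursive membership filter, same shape as the one quoted in the thread.
#    1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, so nested groups
#    under the staff group are followed by the domain controller itself.
$Filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$StaffGroupDn))"

# This is the set WHD would import for that filter. -ResultSetSize $null
# removes the client-side cap so the count reflects the whole group.
$byFilter = Get-ADUser -LDAPFilter $Filter -ResultPageSize 500 -ResultSetSize $null
"Filter matches      : {0}" -f ($byFilter | Measure-Object).Count

# 2. Cross-check: expand the group recursively with a different code path.
#    The two counts should agree; a mismatch usually means a wrong group DN.
$byGroup = Get-ADGroupMember -Identity $StaffGroupDn -Recursive |
    Where-Object objectClass -eq 'user'
"Recursive members   : {0}" -f ($byGroup | Measure-Object).Count

# 3. Negative check: anything returned by the filter that lives under a
#    student OU (placeholder naming) is a student who is also in a staff group.
$leaked = $byFilter | Where-Object { $_.DistinguishedName -like '*OU=Students*' }
"Students in scope   : {0}" -f ($leaked | Measure-Object).Count
$leaked | Select-Object SamAccountName, DistinguishedName

# 4. The OU-scoped alternative: no memberOf clause, search base restricted to
#    the staff OU. This is what setting the "Users DN" in the connector does.
$byOu = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user))' `
    -SearchBase $StaffOu -SearchScope Subtree -ResultSetSize $null
"Staff OU users      : {0}" -f ($byOu | Measure-Object).Count
```

Two caveats when adapting this: if the group's CN contains a comma, parenthesis, asterisk or backslash, the DN must be escaped for the filter per RFC 4515 (a `\,` in the DN becomes `\5c,` inside the filter value), and disabled accounts are still group members, so add `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` to the filter if WHD should skip them. The in-chain matching rule also makes the server walk the whole nesting tree for every object it evaluates, so the filter query is noticeably slower than the OU-scoped one on large groups.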
So if I understand you correctly, you have one shared directory where you want some users to be able to log in but not others? How do you differentiate those users in the directory?
That is correct, Peter. Our Active Directory structure is arranged by school site (30+) with sub-OUs for students under each. The only difference between staff and students is a few attribute values.
If you have an attribute / security group that only the staff have, then you should be able to create an LDAP search filter to only bring in the staff.
If all of your users are in separate OUs, set up separate AD connections for the OUs you do want by using the Users DN field. This is how we do it.
This sounds promising. I've not set up search filters before. Would you have a sample?
Thanks everyone. I believe I will exclude the students by using the teacher/staff group as a filter.
One more question. Is there a limit on the number of users in the selected group? The nested group that I would like to use has over 2,000 users and does not work when testing the connection. A smaller group of 400 works.
That's interesting...
I currently have two AD connections set up, each querying a separate AD security group in WHD: one for our "on-site" staff, which is about 150 users, and another connection for "off-site" staff, which is about 1,100. The AD connectors then hard-code the location to "on site" and "remote" respectively.
What is your connection timeout set to in the WHD Connection properties box? Maybe it's timing out before all user accounts are transferred?
What is your AD Forest level, and what server are you pulling the AD connection from?
Connection timeout is 20 seconds, forest level is 2012 R2, and I'm pulling from one of our 3 DCs.