
How do I filter out my Active Directory student accounts and prevent them from logging in to Web Help Desk?


We are using the AD/LDAP connection for our domain and would like to prevent students from logging in to create tickets.

0 Kudos
1 Solution

You can set up (multiple) active directory connections with search filters applied.

For instance: (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=xxxxxx,OU=xxxxx,OU=Users,DC=xxxxx,DC=xxxxx))

This search filter will recursively match group members of the group listed after the ":=".

You could just specify your "Teachers" security group in the search filter.

You could also specify the "Users DN" in the directory connector to exclude students from the scope.

0 Kudos
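The recursive group filter from the solution above, as an added example that is not part of the original thread or of Web Help Desk: it builds the filter with RFC 4515 escaping of the group DN and mimics the in-chain match over a constructed directory to show which accounts a connection using that filter would admit. All DNs and helper names are hypothetical.

```python
# Added example; every DN below is constructed sample data, not from the thread.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID used in the thread's filter

def escape_filter_value(value):
    """Escape a filter assertion value per RFC 4515 (\\ * ( ) NUL)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def staff_filter(group_dn):
    """Filter for person/user objects that are direct or nested members of group_dn."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(memberOf:%s:=%s))" % (IN_CHAIN, escape_filter_value(group_dn)))

def in_chain(dn, group_dn, member_of):
    """Walk memberOf links upward; True if group_dn is reached (cycle-safe)."""
    target, seen, stack = group_dn.lower(), set(), [dn.lower()]
    while stack:
        for parent in member_of.get(stack.pop(), ()):
            if parent == target:
                return True
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return False

def allowed_logins(users, group_dn, member_of):
    """Users the filtered connection would return, i.e. who can log in."""
    return sorted(u for u in users if in_chain(u, group_dn, member_of))

STAFF = "CN=WHD-Staff,OU=Groups,DC=example,DC=org"
# Direct memberOf links, lower-cased because DN comparison is case-insensitive.
MEMBER_OF = {
    "cn=teachers,ou=groups,dc=example,dc=org": ["cn=whd-staff,ou=groups,dc=example,dc=org"],
    "cn=whd-staff,ou=groups,dc=example,dc=org": ["cn=teachers,ou=groups,dc=example,dc=org"],  # nesting loop
    "cn=t.jones,ou=site1,dc=example,dc=org": ["cn=teachers,ou=groups,dc=example,dc=org"],
    "cn=o.clark,ou=site1,dc=example,dc=org": ["cn=whd-staff,ou=groups,dc=example,dc=org"],
    "cn=s.lee,ou=students,ou=site1,dc=example,dc=org": ["cn=students,ou=groups,dc=example,dc=org"],
}
USERS = [dn for dn in MEMBER_OF if not dn.startswith(("cn=teachers", "cn=whd-staff"))]

if __name__ == "__main__":
    print(staff_filter(STAFF))
    print(allowed_logins(USERS, STAFF, MEMBER_OF))
```

The student account is a member only of a group outside the staff chain, so it is absent from the result even though it lives under the same site OU as the staff accounts.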

One more question. Is there a limit as to number of users in the selected group? The nested group that I would like to use has over 2,000 users and does not work when testing connection. A smaller group of 400 works.

0 Kudos

That's interesting...


I currently have two AD Connections set up, each querying separate AD Security groups in WHD, one for our "on-site" staff, which is about 150 users, and another connection for "off-site" staff, which is about 1,100. The AD Connectors then hard-code the location to "on site" and "remote" respectively.

What is your connection timeout set to in the WHD Connection properties box? Maybe it's timing out before all user accounts are transferred?

What is your AD Forest level, and what server are you pulling the AD connection from?

0 Kudos

Connection timeout is 20 seconds, forest level is 2012 R2 and I’m pulling from one of our 3 DCs.

0 Kudos

I'm not sure what would cause that.  If you find out, do please post the solution back here!

Thanks,

0 Kudos

It appears to be the default “Users” OU. I moved the group to another OU and it works.

0 Kudos

Thanks everyone. I believe I will exclude the students by using the teacher/staff group as a filter.

0 Kudos

So if I understand you correctly, you have one shared directory, where some users you want to log in, but some yes? How do you differentiate those users in the directory?

0 Kudos

That is correct, Peter. Our Active Directory structure is arranged by school site (30+) with sub-OUs for students under each. The only difference between staff and student is a few attribute values.

0 Kudos

If you have an attribute / security group that only the staff have, then you should be able to create an LDAP search filter to only bring in the staff.

0 Kudos

This sounds promising. I've not setup search filters before. Would you have a sample?


0 Kudos

If all of your users are in separate OUs, set up separate AD connections for the OUs you do want by using the Users DN field. This is how we do it.

0 Kudos