Getting Data In

AD Base Filter syntax

twgtech
New Member

I am using the "Map users directly" config from here -

http://www.splunk.com/base/Documentation/4.1.5/Admin/SetupuserauthenticationwithLDAP#Test_your_LDAP_...

in order to get around referrals in an AD forest with multiple child domains.

Everything is working well, in fact, too well. It is returning all objects, even though my (objectclass=user) is set (I tried people as well. no change).

My question is how can I filter out the computer objects that get returned? Ideally, I'd like to remove everything with a $ in the name. I've tried piping !objectclass=computer into it with no success.

Tags (2)
0 Karma

ziegfried
Influencer

One option is to use the userAccountControl flag to query user accounts:

(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=512))

(the UAC flag 512 means NORMAL_ACCOUNT)

Your suggestion of filtering accounts with $ in its name would work as well:

(&(!(sAMAccountName=*$*))(objectclass=user))

twgtech
New Member

Thanks, gkanapathy. That works as well. now if I can only get it to distiguish between the same sAMAccountName from different domains. I'll be creating a new question for that one.

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

Usually in AD, you want (&(ObjectCategory=Person)(objectclass=user)).

0 Karma

twgtech
New Member

DOH! No wonder my query wasn't working. I didn't correctly paren it. Thanks for the examples. A quick shuffle and it's doing exactly what I need.

Thanks much, ziegfried.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...