Guides
Start typing to search…

🗂️ Directory (AD)

active-directorySample AD Queries to Import Subset of Users and Groups

Why Import Only a Subset of Users or Groups?

  1. Pilot or Testing Phase:

    • Scenario: You are introducing Lumos into your environment and want to start with a small, controlled set of AD objects (e.g., only IT staff or a specific test group).
    • Goal: Limit potential impact and simplify troubleshooting before rolling out to the entire organization.

  2. Access Control / Least Privilege:

    • Scenario: You only need to manage certain groups or specific users tied to a particular application or division.
    • Goal: Reduce complexity and comply with security policies by not importing irrelevant or sensitive objects outside the project scope.

  3. Performance and Efficiency:

    • Scenario: Your AD environment contains tens or hundreds of thousands of objects, but Lumos only needs to govern a portion (e.g., subsets of contractors, specific domains/OUs).
    • Goal: Lower sync times and resource usage by limiting the import to relevant entities.

  4. Compliance / Regulatory Requirements:

    • Scenario: Various regulations dictate that certain data should be visible only to specific platforms. You might need to segregate particular sets of users for privacy or security reasons.
    • Goal: Ensure compliance by filtering out users or groups that should not be managed or viewed in Lumos.

Including Only Members of Specified Groups

Users Search Filter

(&(objectClass=user)
  (|
    (memberOf:1.2.840.113556.1.4.1941:=CN=Group1,OU=Groups,DC=example,DC=com)
    (memberOf:1.2.840.113556.1.4.1941:=CN=Group2,OU=Groups,DC=example,DC=com)
  )
)

Explanation

  1. (&(objectClass=user) ...):

    • The ampersand & denotes a logical "AND."
    • We ensure the object is a user (objectClass=user) and also meets the subsequent group membership condition.

  2. (memberOf:1.2.840.113556.1.4.1941:=CN=Group1,OU=Groups,DC=example,DC=com):

    • The OID 1.2.840.113556.1.4.1941 is a special "LDAP_MATCHING_RULE_IN_CHAIN."
    • This means "include users who are direct or nested members of the specified group."
    • If you have nested groups (e.g., Group1 contains Group2, which contains Group3, etc.), this filter includes any user in that membership chain.

  3. The (| ... ) (logical "OR"):

    • Combines two membership conditions. A user who is in Group1 or Group2 (directly or indirectly) will be included.

Common Use Cases

  • Pilot Group: Import only the users in a test security group.
  • Department-Specific: Import only the Finance or HR teams for a targeted governance initiative.
  • Role-Based Access: If certain groups define roles in an organization, you can import only those roles and skip the rest.

Including Only Specific Groups

Groups Search Filter

(&(objectClass=group)
  (|
    (distinguishedName=CN=Group1,OU=Groups,DC=example,DC=com)
    (distinguishedName=CN=Group2,OU=Groups,DC=example,DC=com)
  )
)

Explanation

  1. (&(objectClass=group) ...):

    • Ensures we are only looking at group objects.
    • The filter will ignore users, computers, and other object classes.

  2. (| (distinguishedName=...) (distinguishedName=...) ):

    • A logical "OR" that includes any group whose distinguishedName matches either Group1 or Group2.
    • For example, CN=Group1,OU=Groups,DC=example,DC=com.

Common Use Cases

  • Restrict to Key Groups: If you only want to manage a small set of high-impact security groups (e.g., domain admins, critical app groups).
  • Exclude Irrelevant Groups: Large AD environments often contain distribution lists, machine groups, or unused legacy groups; you can limit imports to the critical ones.
  • Staged Rollouts: Import a small list of groups as part of phased adoption, then expand later.

Practical Tips for Using These Filters

  1. Verify Group DNs:

    • Ensure you have the exact distinguishedName of the target groups. If a group is nested several OUs deep, confirm the spelling and structure carefully.

  2. Test Queries in an LDAP Browser:

    • Tools like LDAP AdminApache Directory Studio, or ADSI Edit allow you to test filters interactively.
    • Confirm you get the expected number of objects before putting the query into production.

  3. Use Matching Rule in Chain (1.2.840.113556.1.4.1941) Wisely:

    • It’s powerful for nested group lookups, but it can be more resource-intensive.
    • If you don’t have nested groups, you can omit it.

  4. Combine with Other Filters:

    • You might want to refine further by adding conditions like (userAccountControl:1.2.840.113556.1.4.803:=2) to exclude disabled accounts.

  5. Document Your Queries:

    • Keep a record of your filters, especially if multiple teams or directory environments are involved.
    • Clear documentation prevents confusion about why certain users or groups are (or aren’t) being imported.

Summary

  • Subset Imports: Using specialized LDAP filters lets you narrowly define which objects (users and groups) should be imported into Lumos.
  • Use Cases: Testing, efficiency, compliance, limited-scope rollouts, or restricting to critical groups.
  • Important Considerations: Ensure your queries are valid, tested, and documented.

By applying these strategies, you can tailor your Active Directory imports to the exact subset of users and groups you need within Lumos, keeping your deployment streamlined, compliant, and aligned with your organization’s specific requirements.

Updated 15 days ago