LOGbinder Support


How To Use LDAP Filters in Deterministic Subscription Policies


Tamas Lengyel
How To

Deterministic subscription policies normally use the groups in Allowed Forwarders on the subscription to figure out the set of "expected" forwarders. However, one might want to use only a subset of these computers at the collector.

For instance, some customers specify Domain Computers as Allowed Forwarders but then only point a subset of those computers at the collector with a group policy object linked to an organizational unit containing those computers. This means that deterministic forwarder analysis will always report all other computers outside that OU with a problem status. This is a situation where you could use an LDAP filter to specify which computers should really be expected for a given subscription.

This subset can be defined using an LDAP filter. Setting the LDAP filter for a deterministic policy will tell Supercharger not to enumerate the members of all the groups on this subscription, only those defined by the LDAP filter.

To use LDAP filters in a subscription:

  1. Select a deterministic policy under the Policy tab.
  2. Using the slider that appears, change the Deterministic Criteria from Group Name to LDAP Query.
  3. Select a predefined LDAP query (see below how to define LDAP queries).

To use LDAP filters in a distributed subscription:

  1. Under the Forwarder Criteria tab, use the slider to change the Criteria from Use Allowed Forwarders to Use LDAP Query.
  2. Select a predefined LDAP query (see below how to define LDAP queries).

To define LDAP queries:

  1. Go to Settings.
  2. Select the LDAP Queries tab, and click on the Add button.
  3. Specify a name, the domain, a base DN, and the LDAP filter.

For the full syntax of LDAP filters, see, for example, the Search Filter Syntax MSDN article and the Active Directory: LDAP Syntax Filters TechNet wiki article. In Supercharger, of course, only filters in the following format can be used:

    (&(objectCategory=computer)_________)

You can test LDAP filters in PowerShell with the Get-ADComputer cmdlet, using the LDAPFilter parameter.

Some examples of LDAP filters:

  • To include all computers under that base DN:
    (&(objectCategory=computer)(name=*))
  • To include all computers with name starting with "desktop":
    (&(objectCategory=computer)(name=desktop*))
  • To include all computers with a description:
    (&(objectCategory=computer)(description=*))
  • To include all computers with no description:
    (&(objectCategory=computer)(!(description=*)))
  • To include all computers with a description and with name including the word "desktop":
    (&(objectCategory=computer)(name=*desktop*)(description=*))
  • To include all computers with name including either "desktop" or "laptop":
    (&(objectCategory=computer)(|(name=*desktop*)(name=*laptop*)))
  • To include all computers with operating system Windows Server 2012 R2:
    (&(objectCategory=computer)(operatingSystem=Windows Server 2012 R2*))
  • To include all servers:
    (&(objectCategory=computer)(operatingSystem=*server*))
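
One way to preview which computers a filter would make "expected" before saving it as an LDAP query, using the Get-ADComputer test mentioned above. This is an added example, not Supercharger or LOGbinder code; the function name Test-ForwarderLdapFilter, the domain example.com and the base DN OU=Servers,DC=example,DC=com are placeholders chosen for illustration.

```powershell
# Added example: list the computers an LDAP filter returns under a base DN.
# Requires the ActiveDirectory module (RSAT). The domain, base DN and function
# name are placeholders, not values from the article.
Import-Module ActiveDirectory

function Test-ForwarderLdapFilter {
    param(
        [Parameter(Mandatory)] [string] $LdapFilter,
        [Parameter(Mandatory)] [string] $BaseDN,
        [Parameter(Mandatory)] [string] $Domain
    )

    # Supercharger only accepts filters of the form (&(objectCategory=computer)...)
    $filter = $LdapFilter.Trim()
    if ($filter -notmatch '^\(&\(objectCategory=computer\).*\)$') {
        throw "Filter must have the form (&(objectCategory=computer)...)"
    }

    # Sanity check: parentheses must balance and never close early.
    $depth = 0
    foreach ($ch in $filter.ToCharArray()) {
        if ($ch -eq '(') { $depth++ }
        elseif ($ch -eq ')') { $depth-- }
        if ($depth -lt 0) { throw "Unbalanced parentheses in filter" }
    }
    if ($depth -ne 0) { throw "Unbalanced parentheses in filter" }

    # Same inputs an LDAP query definition takes: domain, base DN, filter.
    Get-ADComputer -LDAPFilter $filter -SearchBase $BaseDN -Server $Domain `
                   -Properties operatingSystem, description |
        Sort-Object Name |
        Select-Object Name, DNSHostName, Enabled, operatingSystem, description
}

$expected = @(Test-ForwarderLdapFilter `
    -LdapFilter '(&(objectCategory=computer)(operatingSystem=*server*))' `
    -BaseDN 'OU=Servers,DC=example,DC=com' `
    -Domain 'example.com')

"{0} computers match the filter" -f $expected.Count
$expected | Format-Table -AutoSize

# Matches whose AD account is disabled are worth reviewing before saving the query.
$expected | Where-Object { -not $_.Enabled } | Select-Object Name
```

Compare the returned list with the computers the group policy object actually points at the collector; any difference in either direction means the filter or the base DN needs adjusting.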
