5.8. How To Use LDAP Filters in Deterministic Subscription Policies
Deterministic subscription policies normally use the groups listed under Allowed Forwarders on the subscription to work out the set of "expected" forwarders. However, you may want only a subset of those computers to count as expected at the collector.
For instance, some customers specify Domain Computers as Allowed Forwarders but then point only a subset of those computers at the collector, using a group policy object linked to an organizational unit that contains those computers. Deterministic forwarder analysis will then always flag every computer outside that OU with a problem status. This is a situation where an LDAP filter lets you specify which computers should really be expected for a given subscription.
This subset is defined with an LDAP filter. Setting an LDAP filter on a deterministic policy tells Supercharger not to enumerate the members of all the groups on the subscription, but only the computers matched by the LDAP filter.
To use LDAP filters in a subscription:
- Select a deterministic policy under the Policy tab.
- Using the slider that appears, change the Deterministic Criteria from Group Name to LDAP Query.
- Select a predefined LDAP query (see below how to define LDAP queries).
To use LDAP filters in a load balanced subscription:
- Under Cohort based on, select LDAP Query.
- Select a predefined LDAP query (see below how to define LDAP queries).
To define LDAP queries:
- Go to Settings.
- Select the LDAP Queries tab, and click on the Add button.
- Specify a name, the domain, a base DN, and the LDAP filter.
For the full syntax of LDAP filters, see, for example, the Search Filter Syntax MSDN article and the Active Directory: LDAP Syntax Filters TechNet wiki article. Note that Supercharger only accepts filters of the following form, where the underscores stand for your own additional conditions: (&(objectCategory=computer)_________)
You can test LDAP filters in PowerShell with the Get-ADComputer cmdlet, using its -LDAPFilter parameter.
Some examples of LDAP filters:
- To include all computers under that base DN:
(&(objectCategory=computer)(name=*))
- To include all computers with name starting with "desktop":
(&(objectCategory=computer)(name=desktop*))
- To include all computers with a description:
(&(objectCategory=computer)(description=*))
- To include all computers with no description:
(&(objectCategory=computer)(!(description=*)))
- To include all computers with a description and with name including the word "desktop":
(&(objectCategory=computer)(name=*desktop*)(description=*))
- To include all computers with name including either "desktop" or "laptop":
(&(objectCategory=computer)(|(name=*desktop*)(name=*laptop*)))
- To include all computers with operating system Windows Server 2012 R2:
(&(objectCategory=computer)(operatingSystem=Windows Server 2012 R2*))
- To include all servers:
(&(objectCategory=computer)(operatingSystem=*server*))
There are many ways to test LDAP queries. One way is to use Active Directory Users and Computers: right-click the domain, select Find, choose "Custom Search" from the dropdown, and then open the Advanced tab. Paste in your LDAP query and click "Find Now" to see whether AD returns any results. If you get no items, that does not necessarily mean your LDAP filter is incorrectly formatted. On the other hand, if you do get results, you can be certain the filter is formatted correctly.
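The following PowerShell script is an added example and is not part of the Supercharger KB or product; it puts the Get-ADComputer test from above and the format restriction into a reusable check. Before a filter is sent to the directory, a simple format check confirms it begins with the (&(objectCategory=computer) prefix Supercharger requires and that its parentheses are balanced, which catches the most common typing mistakes. Each filter is then run with Get-ADComputer -LDAPFilter, and a directory error (malformed filter, unreachable domain controller) is reported separately from a clean run that simply returns no computers, since, as noted above, zero results alone do not prove the filter is wrong. The base DN and domain name are constructed placeholders; the function names Test-SuperchargerFilterFormat and Test-LdapFilter are this example's own and not part of any product.

```powershell
# Added example (not Supercharger code): check candidate LDAP filters for the
# format Supercharger accepts, then test each one against AD with Get-ADComputer.
# Requires the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Constructed placeholders: replace with the base DN and domain you would enter
# in Supercharger's LDAP Queries settings.
$BaseDn = 'OU=Workstations,DC=example,DC=com'
$Domain = 'example.com'

# Returns $true when the filter has the shape Supercharger accepts: it must
# begin with (&(objectCategory=computer) and its parentheses must balance.
# This is a shape check only, not a full LDAP filter parser.
function Test-SuperchargerFilterFormat {
    param([Parameter(Mandatory)][string]$Filter)

    $prefix = '(&(objectCategory=computer)'
    if (-not $Filter.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $false
    }
    $depth = 0
    foreach ($ch in $Filter.ToCharArray()) {
        if ($ch -eq '(') { $depth++ }
        elseif ($ch -eq ')') {
            $depth--
            if ($depth -lt 0) { return $false }   # a ')' before its '('
        }
    }
    return ($depth -eq 0)
}

# Runs one filter against the directory and reports what happened.
# Status values: RejectedFormat (never sent to AD), OK (one or more matches),
# NoResults (valid syntax, nothing matched) or Error (AD rejected the query).
function Test-LdapFilter {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$Server
    )

    if (-not (Test-SuperchargerFilterFormat -Filter $Filter)) {
        return [pscustomobject]@{ Filter = $Filter; Status = 'RejectedFormat'; Count = 0 }
    }
    try {
        $computers = @(Get-ADComputer -LDAPFilter $Filter -SearchBase $SearchBase `
                                      -Server $Server -ErrorAction Stop)
        $status = if ($computers.Count -gt 0) { 'OK' } else { 'NoResults' }
        return [pscustomobject]@{ Filter = $Filter; Status = $status; Count = $computers.Count }
    }
    catch {
        # e.g. the directory could not parse the filter, or the DC was unreachable
        return [pscustomobject]@{ Filter = $Filter; Status = "Error: $($_.Exception.Message)"; Count = 0 }
    }
}

# Filters from this article, plus two deliberately broken ones (constructed)
# to show that the format check stops them before they reach the directory.
$filters = @(
    '(&(objectCategory=computer)(name=*))',
    '(&(objectCategory=computer)(name=desktop*))',
    '(&(objectCategory=computer)(!(description=*)))',
    '(&(objectCategory=computer)(|(name=*desktop*)(name=*laptop*)))',
    '(&(objectCategory=computer)(operatingSystem=*server*))',
    '(name=desktop*)',                                # missing the required prefix
    '(&(objectCategory=computer)(name=desktop*)'      # unbalanced parentheses
)

$filters |
    ForEach-Object { Test-LdapFilter -Filter $_ -SearchBase $BaseDn -Server $Domain } |
    Format-Table -AutoSize -Wrap
```

Run it from a session that can reach a domain controller; a filter that shows OK with a plausible Count is safe to paste into the Supercharger LDAP Queries dialog, while NoResults usually means the base DN or the attribute values should be double-checked rather than the syntax.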