# LDAP Paths to Scan

Select the LDAP OU paths to scan here. This applies to Create and Update actions only.

The first step in creating an Active Directory profile is to choose which parts of your Active Directory you want to scan and monitor for changes. Each profile can scan multiple Active Directory locations or Organizational Units (OU).

## LDAP Paths

These are the locations in the Active Directory where HelpMaster will look for user accounts to create/synchronize. The paths here will vary depending on your domain structure and may look something like this: OU=Recipients,DC=wizbangwidgets,DC=com.

These can be easily selected using the Active Directory browsing dialog by clicking the Add button. You may also type in an LDAP path directly using the format LDAP://OU=General Accounts,OU=Wizbang Users,DC=WizbangWidgets,DC=com. If a path is directly typed in, it will be validated to ensure that it actually exists.

### Use recursive query (include child containers)

This option is available under the LDAP path box. When checked (ticked by default), a recursive query is used when querying the Active Directory, i.e. the container and all sub-containers will be queried. If this option is unchecked, only the selected path is queried, not the OUs beneath it.

If some paths require recursive queries while others require container-only queries, create a separate profile for each set of paths. This setting will apply to all LDAP paths in the profile.

### Do not synchronize Active Directory users that are disabled

As labeled, if checked, this option will prevent disabled Active Directory users from being created or updated.

### Limiting the directory structure when browsing

By default, HelpMaster will open the Active Directory browse paths at the root container for your domain, e.g. DC=WizbangWidgets,DC=com. If you wish to start the browse path at a location further into your hierarchy, copy the exact LDAP path into the database column LDAPPathRoot in the table tblActiveDirectoryServiceConfiguration, again using the format LDAP://OU=Wizbang Users,DC=WizbangWidgets,DC=com. See your database administrator for details on how to do this.

The LDAP filter is an optional setting that can be used to filter the list of users that are returned within each of the specified LDAP paths. Use this text-box to enter a valid LDAP query expression.

The Active Directory search is hard-coded to only search for user objects within the LDAP path, and this cannot be changed. The LDAP filters here add to the expression using the syntax outlined in the Microsoft webpage linked below. The following operators may be used.

| Operator | Symbol | Meaning |
|----------|--------|---------|
| AND | & | all conditions must be met |
| OR | \| | any of the conditions must be met |
| NOT | ! | the clause must evaluate to False |

Filter to include only users with first name (givenName) = Jimi:

(&(givenName=Jimi))

Filter to exclude users with first name (givenName) = Jimi OR Fred:

(&(!(givenName=Jimi))(!(givenName=Fred)))

Filter to include only users with first name (givenName) = Jimi and surname (sn) = King:

(&(anr=Jimi King))

Filter to include only users with an email address (mail):

(&(mail=*))

Note: LDAP queries support wildcards and other boolean filtering expressions.
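To check a filter before entering it in the profile, the following added example (not HelpMaster code) parses the AND/OR/NOT syntax described above and evaluates it against constructed sample users. The function names, the sample entries and the simplified matching (only `*` wildcards, no escape sequences, no `anr`) are assumptions of this example.

```python
import re

def parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (node, next_index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids = f[i], []
        i += 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        # NOT takes exactly one clause; AND/OR need at least one
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"'{op}' has {len(kids)} operand(s)")
        node = (op, kids)
    else:
        end = f.find(")", i)
        attr, sep, value = f[i:max(end, i)].partition("=")
        if end < 0 or not sep or not attr or "(" in value:
            raise ValueError(f"bad comparison at position {i}")
        node, i = ("=", attr.lower(), value), end
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at position {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lower-cased attribute -> list of values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    # 'attr=*' is a presence test; an attribute the entry lacks never matches
    rx = ".*".join(re.escape(p) for p in node[2].split("*"))
    return any(re.fullmatch(rx, v, re.IGNORECASE) for v in entry.get(node[1], []))

USERS = [  # constructed sample entries, not real directory data
    {"cn": ["Jimi King"], "givenname": ["Jimi"], "sn": ["King"], "mail": ["jimi@example.com"]},
    {"cn": ["Fred Stone"], "givenname": ["Fred"], "sn": ["Stone"]},
    {"cn": ["Anna Lee"], "givenname": ["Anna"], "sn": ["Lee"], "mail": ["anna@example.com"]},
]

def select(filter_text, users=USERS):
    """Return the cn of every sample user the filter would include."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [u["cn"][0] for u in users if matches(node, u)]
```

A filter that names an attribute the entries do not carry parses cleanly but selects nobody, so an empty result is worth checking against the attribute spelling before assuming no users qualify.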

For further information and examples on LDAP filters, see this Microsoft webpage:

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx