Discussion:
Help with AD Query/Filter, exclude certain OU's
Raterus
2005-12-21 15:24:08 UTC
I'm trying to create an Active Directory query to search under my company's "Users" OU. Under this OU are departmental OUs, and under those OUs "may" be an OU named "Service Accounts".

I'm trying to create a query to hit every user under the "Users" OU, but exclude users/OUs that are under "Service Accounts".

This seems like it'd work to me, but I'm getting a bad query error,

(&(objectCategory=person)(objectClass=user)(!ou=Service Accounts))

Can anyone help me on exactly what I need to change with this query to exclude any and all "Service Accounts" OUs?

Thanks,
--Michael
Joe Kaplan (MVP - ADSI)
2005-12-21 16:19:13 UTC
You can't really. You have to choose your query based on scope. If you
just want to search one level down, you should do a one level query.

If you want to search the entire subtree but do not want to include objects
in one branch of the subtree, then you must either find an attribute common
to all objects in the branch of the subtree that you can use in your filter
or do separate searches in each branch.

You can't use the filter below because the user objects in question do not
have an OU attribute since they are not OU objects.

You also can't do a partial match on their distinguished names as DN syntax
attributes must be exact matches.

Joe K.

Raterus
2005-12-21 16:58:37 UTC
Heh, right after I posted this question I thought of using the distinguished name; that didn't work either. Thanks for your help Joe, I'll petition our network administrator to make a way to distinguish a "human" or get him to move them all out of my search scope.
Joe Richards [MVP]
2005-12-21 22:36:12 UTC
As JoeK indicated, you can't do this with LDAP. You would need to write a query
that returns all of the info and then filters out the OUs you don't like. I have
this functionality incorporated into adfind with the -excldn switch.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
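
The client-side approach described in the replies above, as an added example (not from the thread and not adfind's code): run the subtree search without the `ou` term, then drop every result whose DN has an `OU=Service Accounts` ancestor. The DNs, the `corp.example` domain and the function names are constructed for illustration.

```python
def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (backslash escapes kept)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # escaped pair, e.g. "\," is data, not a separator
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).lstrip())
    return rdns


def is_under_ou(dn, ou_name):
    """True if a container above the object is OU=<ou_name> (case-insensitive)."""
    for rdn in split_dn(dn)[1:]:  # [0] is the object itself, skip it
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "ou" and value.strip().lower() == ou_name.lower():
            return True
    return False


def exclude_branch(entries, ou_name):
    """Drop search results that sit anywhere below an OU with the given name."""
    return [e for e in entries if not is_under_ou(e["dn"], ou_name)]


# Constructed sample of what a subtree search under OU=Users with the filter
# (&(objectCategory=person)(objectClass=user)) might return.
BASE = "OU=Users,DC=corp,DC=example"
SAMPLE = [
    {"dn": "CN=Alice Example,OU=Finance," + BASE},
    {"dn": "CN=svc-backup,OU=Service Accounts,OU=Finance," + BASE},
    {"dn": "CN=Smith\\, John,OU=IT," + BASE},            # escaped comma in the CN
    {"dn": "CN=svc-sql,ou=service accounts,OU=IT," + BASE},  # different case
    {"dn": "CN=Service Accounts,OU=IT," + BASE},          # a user named like the OU
    # The CN value itself contains ",OU=Service Accounts"; a plain substring
    # test on the DN string would wrongly drop this user.
    {"dn": "CN=Odd\\,OU=Service Accounts,OU=HR," + BASE},
]

if __name__ == "__main__":
    for entry in exclude_branch(SAMPLE, "Service Accounts"):
        print(entry["dn"])
```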