sync filter syntax

I'm trying to create a sync filter that will include all users that have samaccountname present and that do not have adminDescription set to Exclude.  In ADUC my filter is working properly using (&(!adminDescriptio=exclude)(samaccoutname=*))  , but in QMM I get errors of invalid filter.  Don't know how to get the filter to be accepted by QMM.
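
The filter in the question is the kind ADUC tolerates but a strict RFC 4515 parser rejects, because `!` must wrap a parenthesised sub-filter, i.e. `(!(attr=value))`. The small checker below is an added example for this thread, not QMM's own parser; the filter strings in it are constructed from the ones quoted in the question.

```python
import re

# Minimal RFC 4515 (LDAP search filter) syntax checker. Added example for this thread;
# it is not Quest Migration Manager's parser, just the grammar the product is strict about.

ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9\-]*(;[A-Za-z0-9\-]+)*")  # attr plus optional options

def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (next_index, ast)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":            # (&...) / (|...) take one or more sub-filters
        op, i, items = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            i, sub = _parse(s, i)
            items.append(sub)
        if not items:
            raise ValueError(f"empty '{op}' list at offset {i}")
        node = (op, items)
    elif i < len(s) and s[i] == "!":           # (!...) takes exactly one parenthesised
        i, sub = _parse(s, i + 1)              # sub-filter, so (!attr=value) is a syntax error
        node = ("!", sub)
    else:                                      # simple item: attr=value, attr>=value, ...
        end = s.find(")", i)
        m = ATTR_RE.match(s, i)
        if end == -1 or not m or s[m.end():m.end() + 1] not in ("=", ">", "<", "~", ":"):
            raise ValueError(f"expected attr=value at offset {i}")
        attr, _, value = s[i:end].partition("=")
        node = ("item", attr.rstrip("><~:"), value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1, node

def parse_filter(text):
    """Return the AST of a syntactically valid filter, else raise ValueError."""
    i, node = _parse(text, 0)
    if i != len(text):
        raise ValueError(f"trailing text at offset {i}: {text[i:]!r}")
    return node

def is_valid(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False

def wrap_bare_not(text):
    """Rewrite the lenient form (!attr=value) into the standard (!(attr=value))."""
    return re.sub(r"\(!([^()!&|]+)\)", r"(!(\1))", text)

AS_TYPED = "(&(!adminDescriptio=exclude)(samaccoutname=*))"        # as quoted in the question
STRICT = "(&(!(adminDescription=exclude))(sAMAccountName=*))"       # same intent, RFC 4515 form

if __name__ == "__main__":
    for f in (AS_TYPED, wrap_bare_not(AS_TYPED), STRICT):
        print(is_valid(f), f)
```

`wrap_bare_not` only repairs the operator nesting; the misspelled attribute names in the quoted filter still have to be corrected by hand.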

  • I was hoping not to have to test this filter in production because we have a large user count in the source directory and the resync takes hours, but I sense that you are suggesting that sync deletion will still work even with a simple filter like (!(admindescription=exclude)).  So does this mean that KB 4254857 no longer applies?

  • I am telling you I don't know. I would have to test it to know. So I told you to test it.

    I suspect because the object moves from OU=Blah,DC=Blah,DC=Blah to CN=Deleted Items,DC=,DC= it would fall out of scope and it would not be applied. Testing is the only way to know anything for sure.

    I personally would never implement in production something I had not tested. 

  • I hear you, and will test it and post the result.  I tested the filter (&(!adminDescription=exclude))(samaccountname=qmm*)) and sync deletions do work; meaning a previously sync'd user gets deleted in source, and even with this filter applied, the deletion is sync'd to target.  So even though adminDescription is not a tombstoned attribute, we know this filter works and I simply wasn't sure if it was working because it included samaccountname in the filter or not.  So my test will now be to remove the samaccountname part of the filter, and see if sync deletions still work or if the tombstone situation from that KB is still valid.

  • OK, happy to report that sync deletions do work, even using the filter targeting a non-tombstoned attribute.  (I started the full resync 3 hours ago.)  Guess maybe that KB no longer applies to the newer versions of QMM, but thank you for the insight on this topic.  So last question about the ldap filter - when the object class is set to just users, and the ldap filter is set to (!(admindescription=exclude)), does it always have to enumerate all user objects in the source during a full resync, even though the scope-OU is set in the GUI to only look in a particular OU?  I know you mentioned it does need to enumerate everything in a resync to build its cache, so I suppose there's no way around this, in terms of enumerating all user objects even though they are not in the scoped OU?