Active Directory LDAP User Search Filter - Filter out memberOf specific group(s)

Under User Sources (in Gateway Settings > Config > Security > Users, Roles), we set up an Active Directory source to use LDAP. In the User Search Filter, what syntax can I use to narrow down to only look for users that are members of a specific group or groups of our Active Directory? In the User Search Base, I want to use the whole domain, so I would put (DC=companyname,DC=com). But I need to filter this down to users that are only part of a certain group in the User Search Filter. If I don’t, it takes a long time and seems to hang up since it’s looking at all users in AD. I’ve tried many things, but can’t get it to work.

I’m not referring to the Roles Filter section. I know how to narrow down to the Security Groups in AD for Ignition to search through in Roles.

Thanks.

Did you solve it?
I’m struggling with exactly the same problem.

Yes, hopefully this helps you and others. The method that we needed to use was the User List Filter along with the User Listing Base and User Search Filter. It helps to get the DistinguishedName of the path to the OU you want to use (with something like Sysinternals AD Explorer). I will describe the filter strings below.

#Used to narrow down which Organizational Units to search. The more you use, the faster the audit roles will be. Being too broad can make it slower. To do this you list your OUs separately, each in its own set of parentheses.
User Listing Base: (OU=SomeOU,DC=Domain,DC=com)(OU=SomeOtherOU,DC=Domain,DC=com)(OU=YetAnotherOU,DC=Domain,DC=com)

#This was the most important and needed help from IA support.
User List Filter: (&(objectCategory=person)(objectClass=user)(!(objectClass=computer))(|(memberOf=CN=YourOUGroup,OU=Security Groups,OU=SubsubFolderOU,OU=SubFolderOU,OU=MainOU,DC=Domain,DC=com)))

#Left this as default.
User Search Filter: (&(objectClass=user)(sAMAccountName={0}))

4 Likes
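To make it easier to see what the User List Filter above actually selects (and how it extends to two groups, which a later reply asks about), here is an added Python example that is not part of the original posts or of Ignition itself. It parses the LDAP filter syntax used above (the RFC 4515 subset of `&`, `|`, `!` and `attribute=value`) and evaluates it against a small constructed directory; the group DNs, user names and the second group `CN=SecondGroup,...` are all made-up sample data. It also shows the `{0}` substitution of the User Search Filter with the login name escaped first, so a name containing filter metacharacters is matched literally rather than changing the filter.

```python
import re

# Constructed sample directory (not real AD data). Attribute names are stored
# lowercase; AD matches names and these values case-insensitively. In AD,
# objectCategory is really a schema DN which the short name "person" resolves to;
# the short form is used here for brevity.
GROUP_A = "CN=YourOUGroup,OU=Security Groups,OU=SubsubFolderOU,OU=SubFolderOU,OU=MainOU,DC=Domain,DC=com"
GROUP_B = "CN=SecondGroup,OU=Security Groups,OU=MainOU,DC=Domain,DC=com"  # hypothetical second group
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {
    "alice": {"objectcategory": ["person"], "objectclass": USER_CLASSES,
              "samaccountname": ["alice"], "memberof": [GROUP_A]},
    "bob":   {"objectcategory": ["person"], "objectclass": USER_CLASSES,
              "samaccountname": ["bob"], "memberof": [GROUP_B]},
    "carol": {"objectcategory": ["person"], "objectclass": USER_CLASSES,
              "samaccountname": ["carol"], "memberof": ["CN=Unrelated,OU=MainOU,DC=Domain,DC=com"]},
    # A computer account also carries objectClass=user, which is why the filter
    # above adds (!(objectClass=computer)).
    "ws01$": {"objectcategory": ["computer"], "objectclass": USER_CLASSES + ["computer"],
              "samaccountname": ["WS01$"], "memberof": [GROUP_A]},
}

# The filter from the post, and the same filter widened to two groups by adding a
# second (memberOf=...) branch inside the (|...) OR.
ONE_GROUP = ("(&(objectCategory=person)(objectClass=user)(!(objectClass=computer))"
             f"(|(memberOf={GROUP_A})))")
TWO_GROUPS = ("(&(objectCategory=person)(objectClass=user)(!(objectClass=computer))"
              f"(|(memberOf={GROUP_A})(memberOf={GROUP_B})))")
SEARCH_FILTER = "(&(objectClass=user)(sAMAccountName={0}))"


def escape_value(value):
    """RFC 4515 escaping for a value substituted into a filter, e.g. the {0} login name."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def unescape_value(value):
    """Reverse RFC 4515 \\XX hex escapes inside a parsed filter value."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse an LDAP filter into a tree of ('&'|'|'|'!', [children]) or ('=', (attr, value))."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at position {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":            # AND / OR: a run of nested filters
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            node = (op, children)
        elif op == "!":           # NOT: exactly one nested filter
            pos += 1
            node = ("!", [parse()])
        else:                     # equality: attr=value, value runs to the closing ')'
            end = text.index(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if not attr or not sep:
                raise ValueError(f"malformed item at position {pos}")
            node = ("=", (attr.lower(), unescape_value(value)))
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at position {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise ValueError(f"trailing text after position {pos}")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry; multi-valued attributes match on any value."""
    op, arg = node
    if op == "&":
        return all(matches(child, entry) for child in arg)
    if op == "|":
        return any(matches(child, entry) for child in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, value = arg
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(filter_text, entries=ENTRIES):
    """Return the sorted names of entries selected by an LDAP filter."""
    node = parse_filter(filter_text)
    return sorted(name for name, entry in entries.items() if matches(node, entry))


def user_search(login_name, entries=ENTRIES):
    """Apply the User Search Filter for one login name, escaping it before substitution."""
    return search(SEARCH_FILTER.replace("{0}", escape_value(login_name)), entries)


if __name__ == "__main__":
    print("one group :", search(ONE_GROUP))    # ['alice']  (ws01$ excluded as a computer)
    print("two groups:", search(TWO_GROUPS))   # ['alice', 'bob']
    print("login     :", user_search("alice"))  # ['alice']
```

Running the script shows the single-group filter returning only `alice` even though the computer account `ws01$` is also in the group, and the two-group variant additionally returning `bob`; against a real directory the same filter strings go into the Ignition fields unchanged, with only the group DNs replaced.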

Thanks for sharing the solution.

I am fairly new to AD. Could you please confirm what an OU actually is? Is it the group name?
What are:

Which parameters of the expression should I change to narrow the AD query to 2 groups?

Any help is greatly appreciated.