Filter AD Sync by Group Membership

Often it is easier to sync the membership of a specific group rather than the entire contents of the domain. This can make it easier to restrict user and group clutter by preventing service accounts as well as unwanted domain level security groups from being brought in via the sync process.

Please note: If you are applying this filter to a site that previously synced all users/groups in your Active Directory, this filter method is non destructive. Enabling the filter will not automatically remove any AD users from your site that do not conform to the sync criteria. It will, however, ensure that moving forward your site does not create any new or update any existing accounts except those that conform to the criteria.


To restrict your sync to a particular sync group, do the following:

  • Create a Universal Security group. Title it with an obvious name denoting its purpose (ex: Intranet Users)
  • Note the distinguised name of the security group, using ADSI Edit or the following command in the command prompt on the domain controller computer: DSquery group –samid "Group Name" (no quotes needed for single word names)
  • Make any user or group you wish to sync into the site a member of this new group. Note that these objects must explicitly belong to the group. If you want to sync a user account, that account must belong directly to this group. If you wish a group to be synced then that group must directly be a member of the master sync group. This filter does not perform recursive group membership lookup 
  • Note that for the filter to work correctly you cannot have this group assigned as either the user or the group's primary group. For example, a user account should have the domain users group set as primary and this group as an additional membership

Version 12.0: Go to your Admin --> Site Settings --> Global Settings --> Execute Custom Code and run the following query

Version 12.5: Go to your Admin --> Setup --> Global Settings --> Execute Custom Code and run the following query

<!--- start code --->

<cfquery datasource="#application.config.DSN#">
Update Administrator_Information
Set ADField3= '1'

<!---end code ---> 


In version 13.0+, please use the alternative code:

<!--- start code --->

<cfquery datasource="#application.config.DSN#">

UPDATE AppSetting SET Value = '1' WHERE Name = 'ADField3'


<!---end code ---> 


Once this is complete, go to Admin --> Site Security --> AD Synchronization

You can now make use of the Filter field in the Advanced Settings section of the AD Sync. This accepts standard LDAP query filters. To use the example above of filtering on group membership we will assume that we created a group called Intranet Users in the top level OU Helpdesk in the domain Our sync filter would then look like:

 (memberOf=CN=Intranet Users,OU=Helpdesk,DC=SQBOX,DC=COM)

Save the sync. 

Note that we are not restricted to using an inclusive filter. We could create an exclusive filter as well. It may be easier, for example, to identify the records you don't want to sync rather than those you do. In that case we might imagine a group called 'service accounts' and create filter to ignore these using the not (!) argument. 

 (!(memberOf=CN=Service Accounts,OU=Helpdesk,DC=SQBOX,DC=COM))

We could also create an OR filter where we would sync the membership of either of two groups using the LDAP OR pipe expression.

(|(memberOf=CN=Service Accounts,OU=Helpdesk,DC=SQBOX,DC=COM) (memberOf=CN=Different Group,OU=Another OU,DC=SQBOX,DC=COM))


Alternatively, you can filter your AD synchronization based on OU. For more information on this method, please view:

Filter AD Sync by OU

 Referenced by:

Have more questions? Submit a request


Article is closed for comments.