Recently we decided to give our students email addresses, but that has created another problem for us, as they are showing up in the address book on our Xerox WorkCentre copiers connected to LDAP. I thought about moving the OU structure to consolidate all the teachers and staff OUs under one primary OU, but my boss does not want to do that as he feels it will mess with group policy settings assigned to those OUs.

So I thought about using the Email Address Book filter built into the copiers to only find the Teachers and Staff accounts by using a common attribute that is only associated to those accounts and NOT the student accounts.   Since the student email accounts are on a different domain than the teachers and staff I thought maybe I could filter based on that but I am not having any luck and the information from Xerox is not very helpful and I have to admit I am not an expert on LDAP strings.

Here is what the filter options look like on the Xerox copiers:

So let's say teachers and staff get their email at the domain @SchoolDomain.com and students get their email at @studentemail.com.   I would like to filter out the @studentemail.com domain or only filter in accounts that have an email address at @SchoolDomain.com.   I hope that makes sense as I made the domains generic for privacy reasons.    We have a variety of teacher and staff accounts and there are no security groups that they are all a part of that I can use so the email domain was the only thing that made sense to me.


  • create a new security group just for this purpose
  • you can also create a filter based on the domain DC=XXXX,DC=XXXX,DC=XXXX
  • I think I will start by making a security group to add the staff to that I can try and filter on. I am still not sure on the syntax/format that should be used though.

    I cannot use the domain one because the students and staff are part of the same domain internally but have different domains for their email addresses.
    • A xerox security group would be the best then.
      not sure on xerox ldap naming but should be something like (&(samaccountname=LDAP)(memberof=CN=XeroxGroups,OU=Groups,OU=Campuses,DC=admn,DC=tmcc,DC=edu))

      not much info on web about this, if you have xerox support I would email and ask them
      • Thank you very much. That was my problem. I was not using the full string and only using memberOf=CN=XeroxGroups and not the rest of that. I made one change so that people can search by first or last name instead of username.

        My final string looks like this

        (&(cn=*LDAP*)(memberOf=CN=COPIERS_EMAIL,OU=Specialty Accounts,OU=ARGO,DC=ahs,DC=com))

        That way it searches using common name (First or Last)
  • In general, whenever an LDAP import to the KACE is required, we should provide the search filter in full.
    It may be a users or machines import.
  • It has been a year since this ticket was opened but I am having the same issue. I too need to filter out the kids. I created a security group in AD, adding staff and teachers to it. I then tried using his final string, in the email address book line of our Xerox, altering it for us. I get no errors but I get no output either.
    Any ideas would be appreciated!
    • Not sure what else I can add. I made a security group in my Active Directory and added all the teachers and staff that I wanted to be a part of the LDAP address book to that group. I called my group "Copiers Email"

      After that I went to the attributes tab and copied the value of the "distinguishedName" attribute.

      Then go to your Xerox machine and in the LDAP settings there should be a place for custom attributes as shown by the illustration above.

      Type (&(cn=*LDAP*)(memberOf= and then after the = sign put the pasted contents of the distinguishedName attribute of the security group.

      If your xerox is properly bound to active directory the custom variable will filter out only members of that group to be available in the address book.
      • Thank you for the quick response bwilkerson! I have figured it out!
        Our lead tech did not want to create a group and add all of our teachers to it. We were trying to use a nested security group and your syntax. It did not work, but if I drilled down to one of the building groups that had real members, then it did work.

        I had to use the ldap_matching_rule_in_chain syntax to make this work:
        (&(cn=*LDAP*)(memberof:1.2.840.113556.1.4.1941:=CN=TopLevelStaff,OU=High Level Groups,OU=All Users,DC=agsd,DC=org))
      • You are welcome. Glad you got it working. I did not try nested groups but apparently those do not work. I didn't even think of trying that honestly.
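
The two filter forms from this comment thread, as an added example that is not part of any post: it builds the direct `memberOf` filter and the `1.2.840.113556.1.4.1941` (in-chain) variant with RFC 4515 escaping of the group DN, and models on a constructed directory why only the in-chain form matches members of nested groups. The `example.org` DNs, the function names and the in-memory matcher are assumptions for illustration.

```python
# Added example; the directory data below is constructed, not from the thread.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD's LDAP_MATCHING_RULE_IN_CHAIN OID

def escape_filter_value(value):
    """Escape characters that are special inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def address_book_filter(group_dn, nested=False, name_attr="cn"):
    """Build the copier filter; *LDAP* is the search-text placeholder used in the thread."""
    rule = ":%s:" % IN_CHAIN if nested else ""
    return "(&(%s=*LDAP*)(memberOf%s=%s))" % (
        name_attr, rule, escape_filter_value(group_dn))

# Constructed sample: entry DN -> DNs of the groups it is a DIRECT member of.
STAFF = "CN=TopLevelStaff,OU=Groups,DC=example,DC=org"
BUILDING = "CN=Building A Staff,OU=Groups,DC=example,DC=org"
ANN = "CN=Ann Teacher,OU=Users,DC=example,DC=org"
SAM = "CN=Sam Student,OU=Users,DC=example,DC=org"
MEMBER_OF = {
    ANN: [BUILDING],
    BUILDING: [STAFF],  # the building group is nested inside the top-level group
    SAM: ["CN=Students,OU=Groups,DC=example,DC=org"],
}

def matches_member_of(entry_dn, group_dn, nested=False):
    """Model of the match: direct memberOf sees only first-level groups,
    the in-chain rule walks up through nested groups (cycle-safe).
    DN comparison is simplified to a case-insensitive string compare."""
    seen, todo = set(), list(MEMBER_OF.get(entry_dn, []))
    while todo:
        group = todo.pop()
        if group.lower() == group_dn.lower():
            return True
        if nested and group not in seen:
            seen.add(group)
            todo.extend(MEMBER_OF.get(group, []))
    return False

if __name__ == "__main__":
    print(address_book_filter(STAFF))               # direct form
    print(address_book_filter(STAFF, nested=True))  # in-chain form
    print(matches_member_of(ANN, STAFF), matches_member_of(ANN, STAFF, nested=True))
```
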
"Copied from comments to allow the question to be marked as answered"

My final string looks like this

(&(cn=*LDAP*)(memberOf=CN=COPIERS_EMAIL,OU=Specialty Accounts,OU=ARGO,DC=ahs,DC=com))

That way it searches using common name (First or Last)
Answered 07/22/2014 by: SMal.tmcc

  • Thank you!! This was a HUGE help for me!