
Microsoft Active Directory Multi-Domain v1.6

  • Added option to exclude OU(s) from collection

Exclude specific Active Directory OUs

In our environment, we have an OU that contains a very large number of user objects that aren’t real people. These objects represent device MAC addresses and are created automatically by a legacy network access control process. Our network policy servers use group membership on these objects to allow or deny devices access to the network and apply VLANs/ACLs. Because of this, the OU contains over ~70,000 non-human user objects that don’t participate in onboarding, offboarding, or any identity lifecycle workflows. Including them in NIM adds a lot of unnecessary clutter and makes it harder to search for actual users, especially in areas with limited filtering options. Having a supported way to ignore or exclude specific OUs (and their sub-OUs) would reduce noise and make administration much easier.

George G
Released 🚀
