While working with CFLDAP recently I needed to develop filters that would authenticate Active Directory members who belonged to certain characteristic groups and whose domain accounts were not disabled. There are a number of online resources that can help with filtering domain lookups, but when you combine the filters together the conditional logic can be problematic. I ended up wasting a lot of time configuring and reconfiguring my filter.
If you're working with Active Directory and you need to filter users based on certain criteria, then one of the best tools that you can use is Active Directory Explorer from Sysinternals. You can use this tool to find the exact search parameters your CFLDAP filter requires and then just copy and paste them into the filter attribute. This will prevent you from wasting time trying to design all the parameters needed in the conditional logic of the filter. The search feature in Active Directory Explorer allows you to define any kind of search parameters you may need and takes care of things like "contains", "is equal to", and "does not contain".
The conditional logic of the Active Directory Explorer tool works a lot like CFSCRIPT and can be a little daunting at first. As soon as you start combining conditional elements together, you could end up spending a lot of time adapting your filter. Using the GUI search interface in Active Directory Explorer will allow you to develop your filter requirements quickly and effectively.
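The filter this post describes (members of certain groups whose accounts are not disabled), composed piece by piece in LDAP's prefix notation. This is an added example, not code from the original post; it is written in Python so it runs offline, and the string it returns is what would go into the CFLDAP filter attribute. The helper names, group DNs and account name are constructed for illustration.

```python
# Added example; DNs and account names used with it are constructed samples.
# RFC 4515: these characters must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape(value):
    """Escape one value so it cannot add or close filter terms."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def term(attr, value):
    return f"({attr}={escape(value)})"

def all_of(*parts):      # AND is a prefix operator: (&(a)(b)(c))
    return "(&" + "".join(parts) + ")"

def any_of(*parts):      # OR is a prefix operator: (|(a)(b))
    return "(|" + "".join(parts) + ")"

def negate(part):        # NOT takes exactly one operand: (!(a))
    return "(!" + part + ")"

# Bit 2 of userAccountControl is ACCOUNTDISABLE; the OID is Active
# Directory's bitwise-AND matching rule.
DISABLED = "(userAccountControl:1.2.840.113556.1.4.803:=2)"

def enabled_members(group_dns, account=None):
    """Filter for enabled users directly in any of group_dns.

    memberOf matches direct membership only, not nested groups.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    parts = ["(objectCategory=person)", "(objectClass=user)"]
    if account is not None:
        parts.append(term("sAMAccountName", account))
    groups = [term("memberOf", dn) for dn in group_dns]
    parts.append(groups[0] if len(groups) == 1 else any_of(*groups))
    parts.append(negate(DISABLED))
    return all_of(*parts)

if __name__ == "__main__":
    print(enabled_members(
        ["CN=Sales (EMEA),OU=Groups,DC=example,DC=com",
         "CN=IT,OU=Groups,DC=example,DC=com"],
        account="jdoe"))
```

Escaping matters as soon as the account name comes from a login form or a group name contains parentheses: an unescaped `)` or `*` changes the structure of the filter rather than its value.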
Information on the Active Directory Explorer tool can be found here.
If you find this post useful please leave a comment and let me know how you used the information.