Windows App Profile - Active Directory Group Filtering

FILTER EXPRESSION FORMAT FOR GROUP FILTER

The format of the filter expression is a sequence of colon-separated filter terms. Each filter term is either an inclusive filter term or an exclusive filter term.
A filter term consists of the string include or exclude followed by a colon, followed by a regular expression specifying the expression used for matching against group names.
For example, the following is a filter expression containing 2 inclusive filter terms followed by an exclusive filter term:

include:match-expr-1:include:match-expr-2:exclude:match-expr-3


The filter expression is evaluated against each group name by processing filter terms sequentially in the order they are listed in the filter expression. The first encountered match expression that matches the group name will terminate evaluation of the filter expression and return either an inclusive or exclusive result depending on whether the filter term is an inclusive or exclusive filter term. If none of the match expressions listed in the filter expression match the group name then the default return result is to exclude the group.

The regular expression syntax is a regular expression grammar which is documented below (see the section below: Regular Expression Syntax for group filter expression). If the regular expression contains a colon character ( : ) this should be escaped into a double-colon sequence ( :: ) due to the fact that the colon character is used to delimit the filter terms in the filter expression and to delimit the “include” or “exclude” string from the regular expression itself.

Regular expressions are case sensitive, therefore the group names must use the correct case, e.g. "Finance Group" is not the same as "finance group".

 

EXAMPLE GROUP FILTER EXPRESSIONS

The following table lists examples of group filter expressions:

Expression

Explanation

include:SnapClientUsers

Includes only the group with the string “SnapClientUsers” somewhere in its name and excludes all other groups.

include:^\!

Includes all groups that begin with the character “!” and excludes all other groups.

exclude:^SG-:include:.*

Excludes all groups that begin with the string “SG-” and includes all other groups.

include:^DG::.*:

Includes all groups that begin with the string “DG:” and excludes all other groups. The presence of the double-colon ( :: ) is necessary to escape the colon character included within the regular expression.

include:.*

Includes all groups

exclude:.*

Excludes all groups

 

REGULAR EXPRESSION SYNTAX FOR GROUP FILTER EXPRESSIONS

This table lists the metacharacters understood by the regular expression grammar:
 

Metacharacter

Meaning

.

Matches any single character.

[ ]

Indicates a character class. Matches any character inside the brackets (for example, [abc] matches "a", "b", and "c").

^

If this metacharacter occurs at the start of a character class, it negates the character class. A negated character class matches any character except those inside the brackets (for example, [^abc] matches all characters except "a", "b", and "c").

If ^ is at the beginning of the regular expression, it matches the beginning of the input (for example, ^[abc] will only match input that begins with "a", "b", or "c").

-

In a character class, indicates a range of characters (for example, [0-9] matches any of the digits "0" through "9").

?

Indicates that the preceding expression is optional: it matches once or not at all (for example, [0-9][0-9]? matches "2" and "12").

+

Indicates that the preceding expression matches one or more times (for example, [0-9]+ matches "1", "13", "456", and so on).

*

Indicates that the preceding expression matches zero or more times.

??, +?, *?

Non-greedy versions of ?, +, and *. These match as little as possible, unlike the greedy versions that match as much as possible (for example, given the input "<abc><def>", <.*?> matches "<abc>" while <.*> matches "<abc><def>").

( )

Grouping operator. Example: (\d+,)*\d+ matches a list of numbers separated by commas (for example, "1" or "1,23,456").

{ }

Indicates a match group. The actual text in the input that matches the expression inside the braces has no significance when evaluating the filter expression.

\

Escape character: interpret the next character literally (for example, [0-9]+ matches one or more digits, but [0-9]\+ matches a digit followed by a plus character). Also used for abbreviations (such as \a for any alphanumeric character; see the following table).

If \ is followed by a number n, it matches the nth match group (starting from 0). Example: <{.*?}>.*?</\0> matches "<head>Contents</head>".

Note that, in C++ string literals, two backslashes must be used: "\\+", "\\a", "<{.*?}>.*?</\\0>".

$

At the end of a regular expression, this character matches the end of the input (for example, [0-9]$ matches a digit at the end of the input).

|

Alternation operator: separates two expressions, exactly one of which matches (for example, T|the matches "The" or "the").

!

Negation operator: the expression following ! does not match the input (for example, a!b matches "a" not followed by "b").

ABBREVIATIONS

The regular expression grammar can handle abbreviations, such as \d instead of [0-9]. The abbreviations are provided by the character traits class passed in the CharTraits parameter. The predefined character traits classes provide the following abbreviations:

Abbreviation

Matches

\a

Any alphanumeric character: ([a-zA-Z0-9])

\b

White space (blank): ([ \\t])

\c

Any alphabetic character: ([a-zA-Z])

\d

Any decimal digit: ([0-9])

\h

Any hexadecimal digit: ([0-9a-fA-F])

\n

Newline: (\r|(\r?\n))

\q

A quoted string: (\"[^\"]*\")|(\'[^\']*\')

\w

A simple word: ([a-zA-Z]+)

\z

An integer: ([0-9]+)

 

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.