LDAP Query for OU or group

2

I am trying to pick up some LDAP query skills for use in my SharePoint 2013 farm. I want to constrain my people picker using the peoplepicker-searchadcustomfilter command, which takes an LDAP query. For those not familiar with this, the command looks like this:

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -url https://<web app url> -pv "(|(objectClass=Group)(memberof=OU=WCH,OU=Employees,DE=Company,DC=Local))"

The '-pv' parameter takes the LDAP query and the rest is SharePoint specific.

My intention is to show only groups OR an entity, person/user or group that resides in the WCH Employees OU.

Since the picker setting will only work if the LDAP is syntactically correct, I am assuming that there is something wrong with my syntax to find a member of the OU I'm specifying.

When I use "(objectClass=Group)" as the value it works fine. I get back only groups from everywhere in AD. When I add the Or and the additional 'memberof' query it fails completely.

Any idea how to get any group and only users from a specific OU?

Thank you!

CodeCompassion

Posted 2015-06-29T16:07:24.070

Reputation: 23

Answers

0

OUs are scope objects - you would have to scope your query to the OU, which I don't think you can do with peoplepicker.

So to get around that you can add a group called, say, PeoplePickerGroup and make all your users in that OU a member of that group. Then use something like this:

(|(objectCategory=Group)(&(objectCategory=person)(memberOf=CN=PeoplePickerGroup,OU=WCH,OU=Employees,DC=Company,DC=Local)))

Jesus Shelby

Posted 2015-06-29T16:07:24.070

Reputation: 1 248
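
An added example, not part of the question or answer above and not SharePoint code: a minimal Python evaluator for a subset of LDAP filter syntax, run against a constructed directory, showing that a memberOf clause pointing at an OU matches no users while the group-based filter does. The entry names (alice, bob, Finance) and the short objectCategory values are assumptions made for the illustration.

```python
# Added example: evaluates a subset of LDAP filter syntax (RFC 4515: & | ! and
# equality) against constructed entries. Not SharePoint or Active Directory code.

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if f[i:i + 1] in ("&", "|", "!"):
        op, kids = f[i], []
        i += 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, kids)
    else:
        end = f.find(")", i)
        attr, sep, value = f[i:max(end, i)].partition("=")
        if not sep or not attr:
            raise ValueError(f"malformed comparison at position {i}")
        node = ("=", attr.lower(), value.lower())  # compared case-insensitively
        i = end
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at position {i}")
    return node, i + 1

def matches(node, entry):
    """True if entry (lowercase attribute name -> list of values) satisfies node."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]

def search(filter_text, entries):
    """Return the cn of every entry matching the filter; reject malformed filters."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return [e["cn"][0] for e in entries if matches(node, e)]

OU_DN = "OU=WCH,OU=Employees,DC=Company,DC=Local"
GROUP_DN = "CN=PeoplePickerGroup," + OU_DN
# Constructed directory. memberOf lists DNs of groups an entry belongs to; the OU
# an entry sits in is part of its own DN and never appears in memberOf.
ENTRIES = [
    {"cn": ["alice"], "objectclass": ["user"], "objectcategory": ["person"],
     "memberof": [GROUP_DN]},                      # user in the WCH OU, added to group
    {"cn": ["bob"], "objectclass": ["user"], "objectcategory": ["person"]},
    {"cn": ["PeoplePickerGroup"], "objectclass": ["group"], "objectcategory": ["group"]},
    {"cn": ["Finance"], "objectclass": ["group"], "objectcategory": ["group"]},
]
OU_FILTER = f"(|(objectClass=group)(memberOf={OU_DN}))"
GROUP_FILTER = f"(|(objectCategory=group)(&(objectCategory=person)(memberOf={GROUP_DN})))"
```

Calling search(OU_FILTER, ENTRIES) returns only the two groups, while search(GROUP_FILTER, ENTRIES) also returns alice; a filter with unbalanced parentheses raises ValueError instead of returning results.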