Investigating complex LDAP filters in Exchange

Customers migrating from Exchange 2003 to 2007 or 2010 often use my ConvertFrom-LdapFilter script to do very literal conversions from their old LDAP filters to the new OPATH filter syntax. In most cases, that works, but sometimes you’ll run across a filter like this: (&(&(&(|(&(objectCategory=person)(objectSid=*)(!samAccountType:1.2.840.113556.1.4.804:=3))(&(objectCategory=person)(!objectSid=*))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14))))(objectCategory=user)(memberOf=CN=SomeGroup,CN=Users,DC=contoso,DC=com))) My script will refuse to process this filter because of…