diff --git a/src/CommonLib/LDAPQueries/LDAPFilter.cs b/src/CommonLib/LDAPQueries/LDAPFilter.cs
index 5ca7bef0..990467bf 100644
--- a/src/CommonLib/LDAPQueries/LDAPFilter.cs
+++ b/src/CommonLib/LDAPQueries/LDAPFilter.cs
@@ -144,6 +144,8 @@ public LDAPFilter AddContainers(params string[] conditions)
///
/// Add a filter that will include Computer objects
+ ///
+ /// Note that gMSAs and sMSAs have this samaccounttype as well
///
///
///
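Review bot: The note added to the AddComputers summary tells the reader that gMSAs and sMSAs share this samaccounttype but not which method to call when they should be excluded, which is exactly the choice the next hunk makes available; the sentence should point there, e.g. `/// Note that gMSAs and sMSAs have this samaccounttype as well; use AddComputersWoutMSAs to exclude them`. The XML tags that normally surround these lines (summary/param/returns) do not appear in this rendering, so only the sentence text is addressed here. The AddComputers method itself lies outside the hunk.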
@@ -164,6 +166,17 @@ public LDAPFilter AddSchemaID(params string[] conditions)
return this;
}
+ ///
+ /// Add a filter that will include Computer objects but exclude gMSA and sMSA objects
+ ///
+ ///
+ ///
+ public LDAPFilter AddComputersWoutMSAs(params string[] conditions)
+ {
+ _filterParts.Add(BuildString("(&(samaccounttype=805306369)(!(objectclass=msDS-GroupManagedServiceAccount))(!(objectclass=msDS-ManagedServiceAccount)))", conditions));
+ return this;
+ }
+
///
/// Adds a generic user specified filter
///
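Review bot: The new AddComputersWoutMSAs method (L21–L25) gives no reason for excluding the two objectclass values, and the abbreviation "Wout" stands out next to the neighbouring AddContainers, AddSchemaID and AddComputers names; since the method is brand new and has a single caller in this commit, `AddComputersWithoutMSAs` (or `AddComputersExcludingMSAs`) costs nothing to adopt now and will be awkward to rename later once it is public API. The summary should also record the why, along the lines of `/// Add a filter that will include Computer objects but exclude gMSA and sMSA objects, which share samaccounttype 805306369 with computers (objectclass msDS-GroupManagedServiceAccount / msDS-ManagedServiceAccount) but are service accounts rather than hosts` — the "rather than hosts" rationale is inferred from the call site and should be confirmed by the author. The doc lines at L18–L20 appear to be empty param/returns entries in this rendering; if that is the real file and not a rendering artefact, `<param name="conditions">` and `<returns>` should describe the additional filter conditions and the fluent return of `this`, matching whatever the sibling methods say. Finally, the samaccounttype literal is now spelled twice in this class (here and presumably in AddComputers, judging by the old test expectation); a shared private const would keep the two from drifting.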
diff --git a/src/CommonLib/Processors/GPOLocalGroupProcessor.cs b/src/CommonLib/Processors/GPOLocalGroupProcessor.cs
index 12213899..6189c2cc 100644
--- a/src/CommonLib/Processors/GPOLocalGroupProcessor.cs
+++ b/src/CommonLib/Processors/GPOLocalGroupProcessor.cs
@@ -70,7 +70,7 @@ public async Task ReadGPOLocalGroups(string gpLink, string
// Its cheaper to fetch the affected computers from LDAP first and then process the GPLinks
var options = new LDAPQueryOptions
{
- Filter = new LDAPFilter().AddComputers().GetFilter(),
+ Filter = new LDAPFilter().AddComputersWoutMSAs().GetFilter(),
Scope = SearchScope.Subtree,
Properties = CommonProperties.ObjectSID,
AdsPath = distinguishedName
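Review bot: The swap to AddComputersWoutMSAs on L39 is a deliberate narrowing of which objects are processed, but the comment on L35 still only says "fetch the affected computers", so a later reader has no signal that the gMSA/sMSA exclusion is intentional rather than an oversight and may revert it to AddComputers. Suggest extending that comment, e.g. `// gMSA/sMSA objects share the computer samaccounttype and are deliberately excluded here; see LDAPFilter.AddComputersWoutMSAs`. If other processors also enumerate computers via AddComputers for host-level collection, it is worth checking whether they need the same exclusion for consistency; that cannot be judged from this hunk. The body of ReadGPOLocalGroups starts and ends outside the hunk.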
diff --git a/test/unit/GPOLocalGroupProcessorTest.cs b/test/unit/GPOLocalGroupProcessorTest.cs
index 63954e06..60536944 100644
--- a/test/unit/GPOLocalGroupProcessorTest.cs
+++ b/test/unit/GPOLocalGroupProcessorTest.cs
@@ -145,7 +145,7 @@ public async Task GPOLocalGroupProcessor_ReadGPOLocalGroups_Null_Gpcfilesyspath(
mockSearchResults.Add(mockSearchResultEntry.Object);
mockLDAPUtils.Setup(x => x.QueryLDAP(new LDAPQueryOptions
{
- Filter = "(samaccounttype=805306369)",
+ Filter = "(&(samaccounttype=805306369)(!(objectclass=msDS-GroupManagedServiceAccount))(!(objectclass=msDS-ManagedServiceAccount)))",
Scope = SearchScope.Subtree,
Properties = CommonProperties.ObjectSID,
AdsPath = null
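Review bot: Only this one QueryLDAP setup is updated to the new filter string; any other test in this file that still sets up QueryLDAP with `Filter = "(samaccounttype=805306369)"` would no longer match the options the processor now builds, and because this is a Moq Setup rather than an assertion, a non-matching call under the default loose behaviour returns the default value silently instead of failing, so the old literal is worth searching for across the test file. Pinning the exact LDAP string here is a reasonable way to catch accidental filter changes; the alternative of deriving it via `new LDAPFilter().AddComputersWoutMSAs().GetFilter()` would track the filter definition automatically at the cost of no longer checking the emitted query text. The enclosing test method continues outside the hunk.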