Danny Moran

LDAP Filter Cheat Sheet

Published by Danny Moran


Introduction

This is my collection of LDAP filters, gathered over the years to assist with searching Active Directory. I mostly use them in Active Directory Saved Queries. If you are unsure how to use Saved Queries, I have a step-by-step guide, How to use Active Directory Saved Queries, on searching Active Directory with them.

Please test these filters before applying them to your production environments.

Operator information

Logical operators

Operator   Description
|          Logical OR
&          Logical AND
!          Logical NOT

Attribute comparison operators

Operator   Description
=          Equals
~=         Approximately equals
<=         Less than or equal to
>=         Greater than or equal to

Special characters

If any of the following special characters must appear in the query filter as literals, they must be replaced by the listed escape sequence. This applies in particular to values taken from user input: an unescaped * turns an equality test into a wildcard match, and an unescaped ( or ) changes the structure of the filter, which is the basis of LDAP injection.

ASCII character   Escape sequence substitute
*                 \2a
(                 \28
)                 \29
\                 \5c
NUL               \00

Wildcards

The wildcard, *, can be used as the whole value of an attribute or as part of a value (at the start, the end or in the middle of a string). If only a wildcard is used, the comparison is a presence test: it passes if the attribute has any value on the object and fails if the attribute is not set.

Examples

The following query will list all user accounts

(&(objectCategory=Person)(objectClass=User))

The following example will list all user accounts where the name starts with Dan

(&(objectCategory=Person)(objectClass=User)(displayName=Dan*))

The following example will list all user accounts where the name starts with Dan or Alex. Each operator gets exactly one enclosing pair of parentheses and takes any number of filters, so the two objectCategory/objectClass tests sit directly inside the & without a second set of brackets.

(&(objectCategory=Person)(objectClass=User)(|(displayName=Dan*)(displayName=Alex*)))

The following example will list all user accounts that have the Job Title field filled in on their account

(&(objectCategory=Person)(objectClass=User)(title=*))
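To see how a domain controller interprets these filters, here is an added example (not part of the original page, and not Active Directory's own code): a small Python evaluator for the filter subset used on this page, run over constructed sample objects. It parses the & | ! operators, the = >= <= comparisons, the * wildcard and presence test, the escape sequences from the table above, and the bitwise matching rules 1.2.840.113556.1.4.803 (AND) and 1.2.840.113556.1.4.804 (OR) that the userAccountControl queries further down rely on; it does not implement the in-chain rule used in the group queries. The sample objects store objectCategory as the short class name (which AD also accepts in filters), and display_name_filter is a hypothetical application building a filter from a search box, which is where unescaped input turns into LDAP injection.

```python
import re

# Escape sequences from the special characters table above (RFC 4515 hex escapes).
_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}
BIT_AND = "1.2.840.113556.1.4.803"  # extensible match: every bit of the mask must be set
BIT_OR = "1.2.840.113556.1.4.804"   # extensible match: any bit of the mask may be set


def escape_filter_value(value):
    """Escape untrusted text before splicing it into a filter (blocks LDAP injection)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(text):
    """Turn \\xx hex escapes back into the literal characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def parse(text):
    """Parse a filter into ('&'|'|'|'!', [children]) and ('item', attr, rule, op, value) nodes."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("unexpected text after filter at offset %d" % end)
    return node


def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, children, i = s[i], [], i + 1
        while s[i:i + 1] == "(":  # every operand is itself a parenthesised filter
            child, i = _parse(s, i)
            children.append(child)
        if s[i:i + 1] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError("malformed %s expression at offset %d" % (op, i))
        return (op, children), i + 1
    end = s.find(")", i)  # a literal ')' inside a value must be escaped as \29
    m = end > 0 and re.fullmatch(r"([A-Za-z][\w.-]*)(?::([\d.]+):)?(>=|<=|~=|=)(.*)", s[i:end])
    if not m:
        raise ValueError("malformed comparison at offset %d" % i)
    attr, rule, op, value = m.groups()
    return ("item", attr.lower(), rule, op, value), end + 1


def _values(entry, attr):
    v = entry.get(attr)
    return [] if v is None else (list(v) if isinstance(v, (list, tuple)) else [v])


def _item_matches(node, entry):
    _, attr, rule, op, pattern = node
    values = _values(entry, attr)  # absent attribute: every test fails, so (!(attr=*)) passes
    if rule == BIT_AND:
        mask = int(pattern)
        return any((int(v) & mask) == mask for v in values)
    if rule == BIT_OR:
        mask = int(pattern)
        return any(int(v) & mask for v in values)
    if op in (">=", "<="):  # integer and Integer8 attributes compare numerically
        n = int(pattern)
        return any(int(v) >= n if op == ">=" else int(v) <= n for v in values)
    if pattern == "*":  # presence test
        return bool(values)
    if "*" in pattern:  # substring match; an escaped \2a stays a literal asterisk
        rx = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
        return any(re.fullmatch(rx, str(v), re.IGNORECASE) for v in values)
    literal = _unescape(pattern).lower()  # '=' and '~=' treated as case-insensitive equality
    return any(str(v).lower() == literal for v in values)


def _eval(node, entry):
    if node[0] == "&":
        return all(_eval(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_eval(c, entry) for c in node[1])
    if node[0] == "!":
        return not _eval(node[1][0], entry)
    return _item_matches(node, entry)


def search(filter_text, entries):
    """Return the cn of every entry the filter selects, in directory order."""
    tree = parse(filter_text)
    return [e["cn"] for e in entries if _eval(tree, {k.lower(): v for k, v in e.items()})]


def display_name_filter(user_input, escape=True):
    """Filter a (hypothetical) web app builds from a search box; escape=False reproduces the injection."""
    value = escape_filter_value(user_input) if escape else user_input
    return "(&(objectCategory=Person)(objectClass=User)(displayName=%s))" % value


# Constructed sample objects, not exported from a real domain. userAccountControl bits:
# 512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE, 65536 = DONT_EXPIRE_PASSWORD.
DIRECTORY = [
    {"cn": "Danny Moran", "objectCategory": "Person", "objectClass": ["top", "person", "user"],
     "displayName": "Danny Moran", "title": "Engineer", "userAccountControl": 512},
    {"cn": "Alex Smith", "objectCategory": "Person", "objectClass": ["top", "person", "user"],
     "displayName": "Alex Smith", "userAccountControl": 512 | 2},
    {"cn": "svc_backup", "objectCategory": "Person", "objectClass": ["top", "person", "user"],
     "displayName": "svc (backup)", "userAccountControl": 512 | 65536},
    {"cn": "Helpdesk", "objectCategory": "Group", "objectClass": ["top", "group"]},
]

if __name__ == "__main__":
    for f in ["(&(objectCategory=Person)(objectClass=User)(|(displayName=Dan*)(displayName=Alex*)))",
              "(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
              display_name_filter("*", escape=False), display_name_filter("*")]:
        print(f, "->", search(f, DIRECTORY))
```

The two display_name_filter calls show the point of the escaping table: an unescaped * turns the equality test into a presence test and returns every user, while the escaped \2a only matches a display name that literally is an asterisk; unescaped parentheses in a value do not match anything, they break the filter outright. The evaluator is a model, not an implementation: a real domain controller compares with attribute-specific syntaxes and uses indexes, but the truth table it produces for these filters is the same.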

All objects

All user accounts

(&(objectCategory=Person)(objectClass=User))

All user accounts (alternative using sAMAccountType, a single indexed attribute whose value 805306368 means a normal user account; this is usually the faster of the two)

(sAMAccountType=805306368)

All computer accounts

(&(objectCategory=Computer)(objectClass=Computer))

All contacts

(&(objectCategory=Person)(objectClass=Contact))

All groups (security and distribution)

(&(objectCategory=Group)(objectClass=Group))

Note: objectClass=Group does not distinguish security groups from distribution groups. Security groups have the 0x80000000 bit (2147483648) set in groupType, so restrict to them with a bitwise AND test (matching rule 1.2.840.113556.1.4.803) on groupType for that value, in the same way the userAccountControl queries below test individual bits.

All organisational units

(objectCategory=organizationalUnit)

All container objects

(objectCategory=container)

All builtin container objects

(objectCategory=builtinDomain)

All domain objects

(objectCategory=domain)

All Group Policy objects

(objectCategory=groupPolicyContainer)

All objects with attribute

All user accounts with attribute

(&(objectCategory=Person)(objectClass=User)(attributeName=value))

All computer accounts with attribute

(&(objectCategory=Computer)(objectClass=Computer)(attributeName=value))

All contacts with attribute

(&(objectCategory=Person)(objectClass=Contact)(attributeName=value))

User account queries

All locked out user accounts

(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))

Note: Active Directory does not clear lockoutTime when the lockout duration elapses; it is reset to 0 only by the next successful logon or an administrative unlock. This filter therefore also returns accounts whose lockout has already expired. To find accounts that are still locked, compare lockoutTime against the current time minus the domain lockout duration.

All enabled user accounts

(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

All disabled user accounts

(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))

All user accounts that expire

(&(objectCategory=Person)(objectClass=User)(accountExpires>=1)(accountExpires<=9223372036854775806))

All user accounts that do not expire

(&(objectCategory=Person)(objectClass=User)(|(accountExpires=0)(accountExpires=9223372036854775807)))

All user accounts that have expired

(&(objectCategory=Person)(objectClass=User)(accountExpires<=Integer8ValueOfExpDate)(!(accountExpires=0)))

Note: Replace Integer8ValueOfExpDate with the current time as an Integer8 (Windows FILETIME) value: the number of 100-nanosecond intervals since 1 January 1601 UTC, an 18-digit number like the pwdLastSet value used below. The "never expires" value 9223372036854775807 is larger than any real timestamp, so the <= comparison excludes it on its own; the explicit NOT excludes the other "never" value, 0. The NOT operator needs its own pair of parentheses around the filter it negates.

All user accounts with passwords that expire

(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))

All user accounts with passwords that do not expire

(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))

All user accounts with expired passwords (user must change password at next logon)

(&(objectCategory=Person)(objectClass=User)(pwdLastSet=0))

Note: pwdLastSet is 0 when "User must change password at next logon" is set, which includes accounts created with that option. It is not reset when a password simply ages past the domain maximum password age, so accounts whose password expired by age keep their old pwdLastSet value and are not returned by this filter; to find those, compare pwdLastSet with the current time minus maxPwdAge.

All user accounts with expired passwords (must change at next logon) that are not disabled

(&(objectCategory=Person)(objectClass=User)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

All user accounts that changed their password on or after 15 April 2011, midnight Central time (05:00 UTC)

(&(objectCategory=Person)(objectClass=User)(pwdLastSet>=129473172000000000))

Note: The value is the Integer8 (Windows FILETIME) timestamp for that instant. To check a value like this on a Windows machine, w32tm /ntte 129473172000000000 prints it as a readable date.
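Both of the date-based queries above (accounts that have expired, passwords changed since a date) compare an Integer8 attribute against a Windows FILETIME value, and the expired-accounts query leaves that number for you to fill in. The following Python helpers are an added example, not from the original page: they convert between timezone-aware datetimes and Integer8 values in both directions, fill in the placeholder, and reproduce the expired-accounts filter's decision for a single object. The sentinel values 0 and 9223372036854775807 are treated as "never", not as dates, which is the edge case that breaks naive converters.

```python
from datetime import datetime, timedelta, timezone

# AD Integer8 date attributes (accountExpires, pwdLastSet, lastLogonTimestamp, lockoutTime)
# hold a Windows FILETIME: 100-nanosecond intervals since 1 January 1601 00:00 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 9223372036854775807  # accountExpires sentinel for "never"; 0 means "never" as well
USER_PREFIX = "(&(objectCategory=Person)(objectClass=User)"


def to_filetime(when):
    """Convert a timezone-aware datetime to the Integer8 value a filter compares against."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; AD stores Integer8 times in UTC")
    delta = when.astimezone(timezone.utc) - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(value):
    """Inverse of to_filetime; the two 'never' sentinels carry no date and give None."""
    if value in (0, NEVER):
        return None
    return _EPOCH_1601 + timedelta(microseconds=value // 10)


def account_has_expired(account_expires, now):
    """Same decision the 'accounts that have expired' filter makes, for one object's value."""
    return account_expires not in (0, NEVER) and account_expires <= to_filetime(now)


def expired_accounts_filter(now):
    """The 'All user accounts that have expired' filter with the placeholder filled in."""
    return USER_PREFIX + "(accountExpires<=%d)(!(accountExpires=0)))" % to_filetime(now)


def password_changed_since_filter(since):
    """The 'changed their password since ...' filter for any instant, not just the page's date."""
    return USER_PREFIX + "(pwdLastSet>=%d))" % to_filetime(since)


if __name__ == "__main__":
    print(from_filetime(129473172000000000))  # the page's pwdLastSet value, as a UTC datetime
    print(expired_accounts_filter(datetime.now(timezone.utc)))
```

Pass the time you actually mean, in its own time zone, and let to_filetime do the UTC conversion; the page's 129473172000000000 round-trips to 05:00 UTC, which is why the query above reads as midnight Central time rather than midnight UTC.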

All user accounts that are not required to have a password

(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))

All user accounts that have never logged on

(&(objectCategory=Person)(objectClass=User)(|(lastLogonTimestamp=0)(!(lastLogonTimestamp=*))))

Note: lastLogonTimestamp is replicated between domain controllers but is only updated when the stored value is more than roughly 9 to 14 days old, so it is accurate to about two weeks. The exact lastLogon attribute is not replicated and would have to be read from every domain controller.

All user accounts protected by AdminSDHolder

(&(objectCategory=Person)(objectClass=User)(adminCount=1))

Note: adminCount is set to 1 by the SDProp process while an account is a member of a protected group, but it is not cleared when the account is removed, so this filter also returns formerly protected accounts. Those keep the restrictive AdminSDHolder ACL with inheritance disabled until adminCount is reset and inheritance re-enabled by hand, which makes this query useful for finding stale privileged accounts.

All users with “primary” group “Domain Users”

(&(objectCategory=Person)(objectClass=User)(primaryGroupID=513))

All users with “primary” group not “Domain Users”

(&(objectCategory=Person)(objectClass=User)(!(primaryGroupID=513)))

Computer account queries

All enabled computer accounts

(&(objectCategory=Computer)(objectClass=Computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

All disabled computer accounts

(&(objectCategory=Computer)(objectClass=Computer)(userAccountControl:1.2.840.113556.1.4.803:=2))

All computers with “primary” group “Domain Computers”

(&(objectCategory=Computer)(objectClass=Computer)(primaryGroupID=515))

All computers with “primary” group not “Domain Computers”

(&(objectCategory=Computer)(objectClass=Computer)(!(primaryGroupID=515)))

Security group queries

All objects that are direct members of the specified group

(memberOf=cn=Group,ou=Company,dc=ad,dc=dannymoran,dc=com)

All objects that are members of the specified group, including through nested groups (matching rule LDAP_MATCHING_RULE_IN_CHAIN)

(memberOf:1.2.840.113556.1.4.1941:=cn=Group,ou=Company,dc=ad,dc=dannymoran,dc=com)

Note: Both filters return any object type (users, computers and groups) and need the group's full distinguished name; combine them with the (objectCategory=Person)(objectClass=User) pair under an & operator, as in the next query, to limit the result to users. The in-chain rule walks the memberOf links on the domain controller and is expensive on large directories. Neither filter sees membership held through primaryGroupID (for example Domain Users), because that is not stored in member or memberOf.

All users that are not direct members of the specified group

(&(objectCategory=Person)(objectClass=User)(!(memberOf=cn=Group,ou=Company,dc=ad,dc=dannymoran,dc=com)))

All groups that the specified user is a direct member of

(member=cn=Danny Moran,ou=Company,dc=ad,dc=dannymoran,dc=com)

All groups that the specified user is a member of, including through nested groups

(member:1.2.840.113556.1.4.1941:=cn=Danny Moran,ou=Company,dc=ad,dc=dannymoran,dc=com)
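The difference between the plain and the :1.2.840.113556.1.4.1941: forms of these queries is the difference between direct and transitive group membership. The following Python is an added example, not part of the original page and not how the domain controller implements the matching rule: it holds a constructed, hypothetical nesting graph under the page's example domain (Helpdesk nested in Tier0-Ops, Tier0-Ops nested in Domain Admins) and computes the four result sets the four filters above would return, plus the members that a direct (memberOf=...) query silently misses.

```python
from collections import deque

# Constructed nesting data, not a real directory: each group DN maps to its 'member' values.
# Alex Smith is only a direct member of Helpdesk, but Helpdesk is nested in Tier0-Ops, which
# is nested in Domain Admins, so Alex is an effective Domain Admin.
BASE = "dc=ad,dc=dannymoran,dc=com"
DOMAIN_ADMINS = "cn=Domain Admins,cn=Users," + BASE
TIER0_OPS = "cn=Tier0-Ops,ou=Company," + BASE
HELPDESK = "cn=Helpdesk,ou=Company," + BASE
ADMINISTRATOR = "cn=Administrator,cn=Users," + BASE
DANNY = "cn=Danny Moran,ou=Company," + BASE
ALEX = "cn=Alex Smith,ou=Company," + BASE
MEMBER = {
    DOMAIN_ADMINS: [TIER0_OPS, ADMINISTRATOR],
    TIER0_OPS: [DANNY, HELPDESK],
    HELPDESK: [ALEX],
}


def _norm(dn):
    """Distinguished names compare case-insensitively."""
    return dn.lower()


def direct_members(group_dn):
    """Result of (memberOf=<group_dn>): objects whose memberOf back-link names the group."""
    for group, members in MEMBER.items():
        if _norm(group) == _norm(group_dn):
            return sorted(members)
    return []


def direct_groups(dn):
    """Result of (member=<dn>): groups that list dn directly in their member attribute."""
    return sorted(g for g, members in MEMBER.items() if _norm(dn) in {_norm(m) for m in members})


def _walk(start, step):
    """Breadth-first closure over step(); the seen set stops cycles, which AD nesting permits."""
    seen, queue, found = {_norm(start)}, deque([start]), []
    while queue:
        for nxt in step(queue.popleft()):
            if _norm(nxt) not in seen:
                seen.add(_norm(nxt))
                found.append(nxt)
                queue.append(nxt)
    return sorted(found)


def transitive_members(group_dn):
    """Result of (memberOf:1.2.840.113556.1.4.1941:=<group_dn>): members at any nesting depth."""
    return _walk(group_dn, direct_members)


def transitive_groups(dn):
    """Result of (member:1.2.840.113556.1.4.1941:=<dn>): every group dn belongs to, nested or not."""
    return _walk(dn, direct_groups)


def nested_only_members(group_dn):
    """Members that a direct (memberOf=...) query misses: reachable only through nesting."""
    return sorted(set(transitive_members(group_dn)) - set(direct_members(group_dn)))


if __name__ == "__main__":
    print("direct members of Domain Admins:", direct_members(DOMAIN_ADMINS))
    print("all members of Domain Admins:   ", transitive_members(DOMAIN_ADMINS))
    print("hidden by nesting:              ", nested_only_members(DOMAIN_ADMINS))
    print("groups Alex is in:              ", transitive_groups(ALEX))
```

Security review is usually after nested_only_members of the privileged groups: in the sample data Alex Smith never appears in a direct memberOf query against Domain Admins yet is an effective member. As with the real matching rule, none of these functions see primary group membership (primaryGroupID), and the seen set in _walk is what keeps a cyclic nesting from looping forever.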
