| title | author | date | source | notoc |
|---|---|---|---|---|
LDAP Search Filter Cheatsheet |
Jon LaBelle |
January 4, 2021 |
true |
- Filter operators
- Filter basics
- Sample filters
- Active Directory filters
- More Active Directory filters
- References
- Additional Resources
The following comparison operators can be used in a filter:
| Operator | Meaning |
|---|---|
= |
Equality |
>= |
Greater than or equal to |
<= |
Less than or equal to |
~= |
Approximately equal to |
For example, the following filter returns all objects with cn (common name) attribute value Jon:
(cn=Jon)
Filters can be combined using boolean operators when there are multiple search conditions
| Operator | Description |
|---|---|
& |
AND --- all conditions must be met |
| |
OR --- any number of conditions can be met |
! |
NOT --- the condition must not be met |
For example, to select objects with cn equal to Jon and sn (surname/last name) equal to Brian:
(&(cn=Jon)(sn=Brian))
The LDAP filter specification assigns special meaning to the following characters:
| Character | Hex Representation |
|---|---|
* |
\2A |
( |
\28 |
) |
\29 |
\ |
\5C |
Nul |
\00 |
For example, to find all objects where the common name is James Jim*) Smith, the LDAP filter would be:
(cn=James Jim\2A\29 Smith)
| objectCategory | objectClass | Result |
|---|---|---|
| person | user | user objects |
| person | n/a | user and contact objects |
| person | contact | contact objects |
| user | user and computer objects | n/a |
| computer | n/a | computer objects |
| user | n/a | user and contact objects |
| contact | contact objects | n/a |
| computer | computer objects | n/a |
| person | user, computer, and contact objects | n/a |
| contact | n/a | user and contact objects |
| group | n/a | group objects |
| n/a | group | n/a |
| person | organizationalPerson | user and contact objects |
| organizationalPerson | user, computer, and contact objects | n/a |
| organizationalPerson | n/a | user and contact objects |
Use the filter that makes your intent most clear. Also, if you have a choice between using objectCategory and objectClass, it is recommended that you use objectCategory. That is because objectCategory is both single valued and indexed, while objectClass is multi-valued and not indexed (except on Windows Server 2008 and above). A query using a filter with objectCategory will be more efficient than a similar filter with objectClass. Windows Server 2008 domain controllers (and above) have a special behavior that indexes the objectClass attribute. You can take advantage of this if all of your domain controllers are Windows Server 2008, or if you specify a Windows Server 2008 domain controller in your query. --- Source
(sAMAccountName=<SomeAccountName>)
(&(objectClass=<person>)(objectClass=<user>))
(|(objectClass=<person>)(objectClass=<user>))
(&(objectClass=<user>)(objectClass=<top>)(objectClass=<person>))
(!(objectClass=<user>)(objectClass=<top>)(objectClass=<person>))
(&(objectClass=<user>)(cn=<*Marketing*>))
To retrieve user account names (sAMAccountName) that are a member of a particular group (SomeGroupName):
(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=<SomeGroupName>,ou=<users>,dc=<company>,dc=<com>))
To retrieve user account names (sAMAccountName), and nested user account names that are a member of a particular group (SomeGroupName):
(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=<SomeGroupName>,ou=users,dc=company,dc=com))
To retrieve user account names (sAMAccountName) that are a member of any, or all the 4 groups (fire, wind, water, heart):
(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=<fire>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<wind>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<water>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<heart>,ou=<users>,dc=<company>,dc=<com>)))
To search Active Directory for users that must change their password at next logon:
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!userAccountControl:1.2.840.113556.1.4.803:=2)
To search user objects that start with Common Name Brian (cn=Brian*):
(&(objectClass=user)(cn=<Brian*>))
To find all users with a job title starting with Manager (Title=Manager*):
(&(objectCategory=person)(objectClass=user)(Title=<Manager*>))
Search filters supported only by Microsoft Active Directory.
To search for administrators in groups Domain Admins, Enterprise Admins:
(objectClass=user)(objectCategory=Person)(adminCount=1)
To search all users except for blocked ones:
(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)
To list only disabled user accounts:
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=16)
(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)
(objectCategory=person)(!mail=*)
To search users in a particular department:
(&(objectCategory=person)(objectClass=user)(department=<Sales>))
To find as user (sAMAccountName=<username>) that isn't disabled:
(&(objectCategory=person)
(objectClass=user)
(sAMAccountType=805306368)
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
(sAMAccountName=<username>))
- The filter
(sAMAccountType=805306368)on user objects is more efficient, but is harder to remember. (Source) - The filter
(!(UserAccountControl:1.2.840.113556.1.4.803:=2))excludes disabled user objects. (Source)
Kore Active Directory filter samples can be found here.
- Atlassian Support: How to write LDAP search filters
- TheITBros.com: Active Directory LDAP Query Examples
- Active Directory: LDAP Syntax Filters
- Active Directory Glossary - This is a glossary of terms and acronyms used in Active Directory and related technologies.
- Microsoft Docs: Active Directory Schema (AD Schema) Definitions - Formal definitions of every attribute that can exist in an Active Directory object.