LDAP Search Filter Examples

Quelle:

http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

The following table shows many example LDAP filters that can be useful when you query Active Directory:

Query LDAP Filter
All user objects (&(objectCategory=person)(objectClass=user))
All user objects (Note 1) (sAMAccountType=805306368)
All computer objects (objectCategory=computer)
All contact objects (objectClass=contact)
All group objects (objectCategory=group)
All organizational unit objects (objectCategory=organizationalUnit)
All container objects (objectCategory=container)
All builtin container objects (objectCategory=builtinDomain)
All domain objects (objectCategory=domain)
Computer objects with no description (&(objectCategory=computer)(!(description=*)))
Group objects with a description (&(objectCategory=group)(description=*))
Users with cn starting with „Joe“ (&(objectCategory=person)(objectClass=user)
(cn=Joe*))
Object with description „East\West Sales“
(Note 2)
(description=East\5CWest Sales)
Phone numbers in form (xxx) xxx-xxx (telephoneNumber=(*)*-*)
Groups with cn starting with
„Test“ or „Admin“
(&(objectCategory=group)
(|(cn=Test*)(cn=Admin*)))
All users with both a first and last name. (&(objectCategory=person)(objectClass=user)
(givenName=*)(sn=*))
All users with direct reports but no
manager
(&(objectCategory=person)(objectClass=user)
(directReports=*)(!(manager=*)))
All users with specified email address (&(objectCategory=person)(objectClass=user)
(|(proxyAddresses=*:jsmith@company.com)
(mail=jsmith@company.com)))
Object with Common Name „Jim * Smith“
(Notes 3, 19)
(cn=Jim \2A Smith)
Objects with sAMAccountName that begins
with „x“, „y“, or „z“
(sAMAccountName>=x)
Objects with sAMAccountName that begins
with „a“ or any number or symbol except „$“
(&(sAMAccountName<=a)(!(sAMAccountName=$*)))
All users with „Password Never Expires“ set
(Note 4)
(&(objectCategory=person)(objectClass=user)
(userAccountControl:1.2.840.113556.1.4.803:=65536))
All disabled user objects (Note 4) (&(objectCategory=person)(objectClass=user)
(userAccountControl:1.2.840.113556.1.4.803:=2))
All enabled user objects (Note 4) (&(objectCategory=person)(objectClass=user)
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
All users not required to have a password
(Note 4)
(&(objectCategory=person)(objectClass=user)
(userAccountControl:1.2.840.113556.1.4.803:=32))
All users with „Do not require kerberos
preauthentication“ enabled
(&(objectCategory=person)(objectClass=user)
(userAccountControl:1.2.840.113556.1.4.803:=4194304))
Users with accounts that do not expire
(Note 5)
(&(objectCategory=person)(objectClass=user)
(|(accountExpires=0)
(accountExpires=9223372036854775807)))
Users with accounts that do expire (Note 5) (&(objectCategory=person)(objectClass=user)
(accountExpires>=1)
(accountExpires<=9223372036854775806))
Accounts trusted for delegation
(unconstrained delegation)
(userAccountControl:1.2.840.113556.1.4.803:=524288)
Accounts that are sensitive and not trusted
for delegation
(userAccountControl:1.2.840.113556.1.4.803:=1048574)
All distribution groups (Notes 4, 15) (&(objectCategory=group)
(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
All security groups (Notes 4, 19) (groupType:1.2.840.113556.1.4.803:=2147483648)
All built-in groups (Notes 4, 16, 19) (groupType:1.2.840.113556.1.4.803:=1)
All global groups (Notes 4, 19) (groupType:1.2.840.113556.1.4.803:=2)
All domain local groups (Notes 4, 19) (groupType:1.2.840.113556.1.4.803:=4)
All universal groups (Notes 4, 19) (groupType:1.2.840.113556.1.4.803:=8)
All global security groups (Notes 17, 19) (groupType=-2147483646)
All universal security groups (Notes 17, 19) (groupType=-2147483640)
All domain local security groups
(Notes 17, 19)
(groupType=-2147483644)
All global distribution groups (Note 19) (groupType=2)
All objects with service principal name (servicePrincipalName=*)
Users with „Allow Access“ on „Dial-in“
tab of ADUC
(Note 6)
(&(objectCategory=person)(objectClass=user)
(msNPAllowDialin=TRUE))
Users with „Control access though
NPS Network Policy“ on „Dial-in“ tab of ADUC
(&(objectCategory=person)(objectClass=user)
(!(msNPAllowDialin=*)))
All groups created after March 1, 2011 (&(objectCategory=group)
(whenCreated>=20110301000000.0Z))
All users that must change their password
at next logon
(&(objectCategory=person)(objectClass=user)
(pwdLastSet=0))
All users that changed their password since
April 15, 2011 (CST) (Note 7)
(&(objectCategory=person)(objectClass=user)
(pwdLastSet>=129473172000000000))
All users with „primary“ group
other than „Domain Users“
(&(objectCategory=person)(objectClass=user)
(!(primaryGroupID=513)))
All computers with „primary“ group
„Domain Computers“
(&(objectCategory=computer)
(primaryGroupID=515))
Object with GUID
„90395F191AB51B4A9E9686C66CB18D11“
(Note 8)
(objectGUID=\90\39\5F\19\1A\B5\1B\4A\9E\96
\86\C6\6C\B1\8D\11)
Object beginning with GUID
„90395F191AB51B4A“
(Note 8)
(objectGUID=\90\39\5F\19\1A\B5\1B\4A*)
Object with SID „S-1-5-21-73586283
-152049171-839522115-1111“ (Note 9)
(objectSID=S-1-5-21-73586283-152049171
-839522115-1111)
Object with SID „010500000000000515000
0006BD662041316100943170A3257040000“
(Note 9)
(objectSID=\01\05\00\00\00\00\00\05\15
\00\00\00\6B\D6\62\04\13\16\10\09\43\17\0A\32
\57\04\00\00)
All computers that are not
Domain Controllers (Note 4)
(&(objectCategory=computer)
(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))
All Domain Controllers (Note 4) (&(objectCategory=computer)
(userAccountControl:1.2.840.113556.1.4.803:=8192))
All Domain Controllers (Notes 14, 19) (primaryGroupID=516)
All servers (&(objectCategory=computer)
(operatingSystem=*server*))
All member servers (not DC’s) (Note 4) (&(objectCategory=computer)
(operatingSystem=*server*)
(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))
All direct members of specified group (memberOf=cn=Test,ou=East,dc=Domain,dc=com)
All users not direct members of
a specified group
(&(objectCategory=person)(objectClass=user)
(!(memberOf=cn=Test,ou=East,dc=Domain,dc=com)))
All groups with specified direct member
(Note 19)
(member=cn=Jim Smith,ou=West,
dc=Domain,dc=com)
All members of specified group, including
due to group nesting (Note 10)
(memberOf:1.2.840.113556.1.4.1941:=
cn=Test,ou=East,dc=Domain,dc=com)
All groups specified user belongs to,
including due to group nesting (Notes 10, 19)
(member:1.2.840.113556.1.4.1941:=
cn=Jim Smith,ou=West,dc=Domain,dc=com)
Objects with givenName „Jim*“ and sn
„Smith*“, or with cn „Jim Smith*“ (Note 11)
(anr=Jim Smith)
All attributes in the Schema container
replicated to the GC (Notes 6, 12)
(&(objectCategory=attributeSchema)
(isMemberOfPartialAttributeSet=TRUE))
All operational (constructed) attributes in
the Schema container (Notes 4, 12)
(&(objectCategory=attributeSchema)
(systemFlags:1.2.840.113556.1.4.803:=4))
All attributes in the Schema container not
replicated to other Domain Controllers
(Notes 4, 12)
(&(objectCategory=attributeSchema)
(systemFlags:1.2.840.113556.1.4.803:=1))
All objects where deletion is not allowed
(Notes 4)
(systemFlags:1.2.840.113556.1.4.803:=2147483648)
Attributes whose values are copied when
the object is copied (Notes 4, 12)
(searchFlags:1.2.840.113556.1.4.803:=16)
Attributes preserved in tombstone object
when object deleted (Notes 4, 12)
(searchFlags:1.2.840.113556.1.4.803:=8)
Attributes in the Ambiguous Name
Resolution (ANR) set (Notes 4, 12)
(searchFlags:1.2.840.113556.1.4.803:=4)
Attributes in the Schema that are
indexed (Notes 4, 12)
(searchFlags:1.2.840.113556.1.4.803:=1)
Attributes marked confidential in
the schema (Notes 4, 12)
(searchFlags:1.2.840.113556.1.4.803:=128)
Attributes in the RODC filtered attribute
set, or FAC (Notes 4, 12)
(searchFlags:1.2.840.113556.1.4.803:=512)
All site links in the Configuration
container (Note 13)
(objectClass=siteLink)
The nTDSDSA objects associated with
all Global Catalogs. This will identify all DC’s
that are GC’s. (Note 4)
(&(objectCategory=nTDSDSA)
(options:1.2.840.113556.1.4.803:=1))
The nTDSDSA object associated with the
PDC Emulator. This will identify the DC
with the PDC Emulator FSMO role (Note 18).
(&(objectClass=domainDNS)(fSMORoleOwner=*))
The nTDSDSA object associated with the
RID Master. This will identify the DC
with the RID Master FSMO role (Note 18).
(&(objectClass=rIDManager)(fSMORoleOwner=*))
The nTDSDSA object associated with the
Infrastructure Master. This will identify the DC
with this FSMO role (Note 18).
(&(objectClass=infrastructureUpdate)
(fSMORoleOwner=*))
The nTDSDSA object associated with the
Schema Master. This will identify the DC with
the Schema Master FSMO role (Note 18).
(&(objectClass=dMD)(fSMORoleOwner=*))
The nTDSDSA object associated with the
Domain Naming Master. This will identify the
DC with this FSMO role (Note 18).
(&(objectClass=crossRefContainer)
(fSMORoleOwner=*))
All Exchange servers in the Configuration
container (Note 13)
(objectCategory=msExchExchangeServer)
All objects protected by AdminSDHolder (adminCount=1)
All trusts established with a domain (objectClass=trustedDomain)
All Group Policy objects (objectCategory=groupPolicyContainer)
All service connection point objects (objectClass=serviceConnectionPoint)
All Read-Only Domain Controllers
(Notes 4, 19)