• Filter operators
  • Comparison operators
  • Combination operators
• Filter basics
  • To match a single attribute
  • To match two attributes (and)
  • To match two attributes (or)
  • To match three attributes (and)
  • To match three attributes (or)
  • To perform a wildcard search
• Sample filters
  • Users in group
  • Users in group (include nested)
  • Users in multiple groups
  • Users that must change their password at next logon
  • Users starting with a particular name
  • Users by job title
• Active Directory related filters
  • Domain and Enterprise Admins
  • All users except blocked
  • Disabled user accounts
  • Users with password never expires enabled
  • Users with empty email
  • Users in department
• References

The following comparison operators can be used in a filter:

For example, the following filter returns all objects with cn (common name) attribute value Jon:

(cn=Jon)

Filters can be combined using boolean operators when there are multiple search conditions

For example, to select objects with cn equal to Jon and sn (surname/last name) equal to Brian:

(&(cn=Jon)(sn=Brian))

(sAMAccountName=<SomeAccountName>)

(&(objectClass=<person>)(objectClass=<user>))

(|(objectClass=<person>)(objectClass=<user>))

(&(objectClass=<user>)(objectClass=<top>)(objectClass=<person>))

(!(objectClass=<user>)(objectClass=<top>)(objectClass=<person>))

(&(objectClass=<user>)(cn=<*Marketing*>))

To retrieve user account names (sAMAccountName) that are a member of a particular group (SomeGroupName):

(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=<SomeGroupName>,ou=<users>,dc=<company>,dc=<com>))

To retrieve user account names (sAMAccountName), and nested user account names that are a member of a particular group (SomeGroupName):

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=<SomeGroupName>,ou=users,dc=company,dc=com))

To retrieve user account names (sAMAccountName) that are a member of any, or all the 4 groups (fire, wind, water, heart):

(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=<fire>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<wind>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<water>,ou=<users>,dc=<company>,dc=<com>)(memberOf=cn=<heart>,ou=<users>,dc=<company>,dc=<com>)))

To search Active Directory for users that must change their password at next logon:

(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!userAccountControl:1.2.840.113556.1.4.803:=2)

To search user objects that start with Common Name Brian (cn=Brian*):

(&(objectClass=user)(cn=<Brian*>))

To find all users with a job title starting with Manager (Title=Manager*):

(&(objectCategory=person)(objectClass=user)(Title=<Manager*>))

Search filters supported only by Microsoft Active Directory.

To search for administrators in groups Domain Admins, Enterprise Admins:

(objectClass=user)(objectCategory=Person)(adminCount=1)

To search all users except for blocked ones:

(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)

To list only disabled user accounts:

(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=16)

(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)

(objectCategory=person)(!mail=*)

To search users in a particular department:

(&(objectCategory=person)(objectClass=user)(department=<Sales>))

• Atlassian Support: How to write LDAP search filters
• TheITBros.com: Active Directory LDAP Query Examples