LDAP Query

Active Directory LDAP Query Examples

LDAP queries can be used to search for objects (computers, users, groups) in the Active Directory LDAP database according to certain criteria. To perform LDAP query against the AD LDAP catalog, you can use various utilities (for example ldapsearch), PowerShell or VBS scripts, Saved Queries feature in in the Active Directory Users and Computers snap-in, etc.

In this article, we will take a look at some useful examples of LDAP queries to AD and how to execute them.

How to Execute the LDAP Query?

First, let’s look at some examples of running LDAP queries. For example, you want to perform a simple LDAP query to search for users in AD who have the “User must change password at next logon” option enabled. The code for this LDAP query is as follows:


Let’s try to execute this query using the ADUC console.

  1. Open the ADUC console and go to the Saved Queries section;
  2. Create a new query: New > Query;
    ldap query
  3. Specify the name of the request and click the Define Query button;
    ldap query tool
  4. Select the Custom Search type, go to the Advanced tab and copy your LDAP query code into the Enter LDAP query field;
    ldap query examples
  5. Click OK twice, select your new query in the Saved Queries tree and press F5;
  6. A list of AD users that match this LDAP request should display on the right pane.
    ldap active directory

You can also execute this LDAP query using the PowerShell Get-ADUser cmdlet (to search for users):

Get-ADUser -LDAPFilter '(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)'

To search for computers, use the Get-ADComputer cmdlet:

Get-ADComputer –LDAPFilter ‘your ldap query’

LDAP Query Examples for Active Directory

Let’s consider some useful examples of LDAP queries that are often used by the AD admins.

Search for administrators in groups Domain Admins, Enterprise Admins:


List all AD users except blocked ones:


Display the list of disabled user accounts:


Select users with the “Password never expires option” enabled:


Users with empty email value:


List users with the Sales specified in the Department field:


List all disabled computer accounts in AD:


Display all Windows 10 computers:

(objectCategory=computer)(operatingSystem=Windows 10*)

All domain controllers:


All member domain servers (except DCs):


List of groups created for the specified period:


List all empty AD groups:


Print all groups with the *CIO* key in the group name:


Find all Exchange Servers in the domain:

(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*)

All color printers on a specific print server published in the AD:


You may also like:

AD Account Keeps Locking Out Sometimes there are situations when AD account keeps locking out, this happen when you try to log on to a domain computer and getting an error on the ...
Installing Active Directory Users and Computers MM... One of the main Active Directory domain management tools is the MMC snap-in Active Directory Users and Computers (ADUC). The ADUC snap-in is used to p...
Store BitLocker Recovery Keys using Active Directo... In a domain network, you can store the BitLocker recovery keys for encrypted drives in the Active Directory Domain Services (AD DS). This is one of th...
How to transfer FSMO Roles From a Failed Domain Co... In case domain controller, which owns FSMO (Flexible Single Master Operation) roles, is fail (virus attack, fatal software problems or catastrophic ha...
Change Default OU permissions in Active Directory By default, each newly created organizational unit (OU) in the access list includes read permission for the group Authenticated Users (built-in group)...

Add Your Comment