Active Directory LDAP Query Examples

LDAP queries can be used to search for different objects (computers, users, groups) in the Active Directory LDAP database according to certain criteria. To perform an LDAP query against the AD LDAP catalog, you can use various utilities (for example, ldapsearch), PowerShell or VBS scripts, the Saved Queries feature in the Active Directory Users and Computers MMC snap-in, and so on.

In this article, we’ll take a look at some useful examples of LDAP queries to AD and how to execute them.

How to Execute the LDAP Query?

First, let’s look at some examples of executing LDAP (Lightweight Directory Access Protocol) queries. For example, you want to perform a simple LDAP query to search for Active Directory users that have the “User must change password at next logon” option enabled. The code for this LDAP query is as follows:

(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

Let’s try to execute this LDAP query using the ADUC console.

  1. Open the ADUC console and go to the Saved Queries section;
  2. Create a new query: New > Query;
  3. Specify a name for the new saved query and click the Define Query button;
  4. Select the Custom Search type, go to the Advanced tab, and paste your LDAP query into the Enter LDAP query field;
  5. Click OK twice, select your new query in the ADUC Saved Queries tree, and press F5;
  6. The list of AD users that match this LDAP query is displayed in the right pane.

You can also use an LDAP filter in the following PowerShell cmdlets: Get-ADUser, Get-ADComputer, Get-ADGroup, and Get-ADObject (they are part of the Active Directory PowerShell module). Each of these cmdlets has an LDAPFilter parameter designed specifically for searching Active Directory objects with LDAP filters.


For example, to execute the above LDAP search query using Get-ADUser, open the powershell.exe console, and run the command:

Get-ADUser -LDAPFilter '(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)'

To search for computers, use the Get-ADComputer cmdlet:

Get-ADComputer -LDAPFilter '<your LDAP query>'

To search for Active Directory security and distribution groups in AD, use the Get-ADGroup cmdlet:

Get-ADGroup -LDAPFilter '<LDAP_query>'

If you don’t know the type of Active Directory object you are looking for, you can use the generic Get-ADObject cmdlet:

Get-ADObject -LdapFilter "(cn=*Brion*)"

In this example, we found that the given LDAP filter matches the user Jon Brion and the BrionTeam group.

If you need to find objects of a specific type, add a condition on the objectClass attribute. For example:

Get-ADObject -LdapFilter "(&(objectClass=user)(cn=*Brion*))"


Windows also has built-in command-line tools, such as dsget and dsquery, that let you run LDAP queries against Active Directory.

The dsquery utility returns the Distinguished Name of every object that matches the specified parameters; its -filter parameter accepts an LDAP filter. For example, to find all users whose job title starts with Manager, run the command:

dsquery * OU=Employees,DC=theitbros,DC=com -filter "(&(objectCategory=person)(objectClass=user)(Title=Manager*))"

LDAP Filter Syntax

The text form of LDAP search filters is defined in RFC 4515. The syntax for an LDAP filter is:

<Filter>=(<Attribute><comparison operator><value>)

The following comparison operators can be used in a filter:

 Operator   Meaning
 =          Equal
 >=         Greater than or equal
 <=         Less than or equal
 ~=         Approximately equal

For example, the following filter returns all objects with cn (common name) attribute value Jon:

(cn=Jon)

Filters can be combined using boolean operators when there are multiple search conditions.

 Operator   Meaning
 &          AND: all conditions must be met
 |          OR: at least one of the conditions must be met
 !          NOT: the condition must not be met

For example, let’s select AD objects with cn equal to Jon and sn (surname) equal to Brion:

(&(cn=Jon)(sn=Brion))

You can use several logical operators in one filter at once; the main thing is to keep the parentheses straight, because the nesting determines which conditions an operator applies to. Let’s compose a filter that returns objects with cn equal to Jon or sn equal to Brion, excluding those whose cn is Alex:

(&(|(cn=Jon)(sn=Brion))(!(cn=Alex)))

You can narrow the search to a particular object type using the objectCategory and objectClass attributes.

Common values: person, user, contact, computer, group.

Using the following filter, select all users named Jon:

(&(objectClass=user)(objectCategory=person)(cn=Jon))

LDAP Query Examples for Active Directory

Let’s consider some useful examples of LDAP queries that are often used by the AD admins.

Search for privileged accounts (members of Domain Admins, Enterprise Admins and the other AdminSDHolder-protected groups; note that adminCount stays set to 1 even after an account has been removed from such a group):

(objectClass=user)(objectCategory=Person)(adminCount=1)

List all AD users except disabled ones:

(objectCategory=person)(objectClass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

Display the list of disabled user accounts (bit 2 of userAccountControl is ACCOUNTDISABLE):

(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)

Select users with the “Password never expires” option enabled:

(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)

Users with an empty mail attribute:

(objectcategory=person)(!mail=*)

List users with Sales specified in the Department field:

(&(objectCategory=person)(objectClass=user)(department=Sales))

You can get a list of users with membership in a specific Active Directory group:

(&(objectClass=user)(sAMAccountName=*)(memberOf=CN=UKManagers,OU=Groups,OU=UK,DC=theitbros,DC=com))

You can list the groups the user is a member of:

(&(objectCategory=group)(member=CN=Jon Brion,OU=Employees,DC=theitbros,DC=com))

List all disabled computer accounts in AD:

(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))

Display all Windows 10 computers:

(objectCategory=computer)(operatingSystem=Windows 10*)

You can select only computers with a specific build of Windows 10:

(&(objectCategory=computer)(operatingSystem=Windows 10*)(operatingSystemVersion=*19041*))

Hint. You can map Windows 10 builds to versions using the following table:

 Windows 10 version   Build number
 20H2                 19042
 2004                 19041
 1909                 18363
 1903                 18362
 1809                 17763

All domain controllers:

(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

All member domain servers (except DCs):

(&(objectCategory=computer)(operatingSystem=*server*)(!userAccountControl:1.2.840.113556.1.4.803:=8192))

All MS SQL Server instances in AD:

(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))

List groups created within a given period (here, between January 1 and December 1, 2020, written in LDAP generalized time format):

(&(objectCategory=group)(whenCreated>=20200101000000.0Z)(whenCreated<=20201201000000.0Z))

List all empty AD groups:

(objectCategory=group)(!member=*)

List all distribution groups:

(&(objectCategory=group)(!groupType:1.2.840.113556.1.4.803:=2147483648))

List all groups whose name (sAMAccountName) contains CIO:

(objectCategory=group)(samaccountname=*CIO*)

Find all Exchange Servers in the domain:

(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*)

All color printers published in AD on a specific print server (the uncName attribute contains the server name):

(uncName=*lon-prnt*)(objectCategory=printQueue)(printColor=TRUE)
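As an added example (not code from the article or from any Microsoft tool), here is a small Python parser and evaluator for the filter syntax described in the LDAP Filter Syntax section: the comparison and boolean operators, the * wildcard, AD's (!attr=value) shorthand, and the 1.2.840.113556.1.4.803 bitwise-AND matching rule on which the userAccountControl examples above depend. The directory entries in SAMPLE and the function names are constructed for the demonstration, so the article's own filters can be checked offline, before they are run against a domain.

```python
import re
ITEM = re.compile(r"([A-Za-z][\w.-]*)(?::([\d.]+):)?(~=|>=|<=|=)(.*)", re.S)  # attr[:rule:]op value

def parse(text):
    """RFC 4515 filter -> tuple tree; items side by side with no operator are AND-ed, as AD does."""
    text, nodes, pos = text.strip(), [], 0
    try:
        while pos < len(text):
            node, pos = _parse_one(text, pos)
            nodes.append(node)
    except (IndexError, ValueError, AttributeError) as exc:  # unbalanced parentheses or a bad item
        raise ValueError(f"malformed filter {text!r}") from exc
    return nodes[0] if len(nodes) == 1 else ("&", nodes)

def _parse_one(text, pos):
    if text[pos] == "(" and text[pos + 1] in "&|!":  # (&...), (|...), (!...)
        op, kids, pos = text[pos + 1], [], pos + 2
        while text[pos] != ")":
            kid, pos = _parse_one(text, pos)
            kids.append(kid)
        return (op, kids), pos + 1
    bare = text[pos] != "("  # AD's (!attr=value) shorthand: a bare item directly after '!'
    end = text.index(")", pos)  # values here contain no ')' (RFC 4515 would escape it as \29)
    attr, rule, cmp, value = ITEM.fullmatch(text[pos + (not bare):end]).groups()
    return ("item", attr.lower(), rule, cmp, value), end + (not bare)  # a bare item leaves ')' to its '!'

def matches(node, entry):  # entry: {lowercase attribute name: [values]}
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, cmp, want = node
    values = [str(v) for v in entry.get(attr, [])]
    if rule == "1.2.840.113556.1.4.803":  # LDAP_MATCHING_RULE_BIT_AND: every bit of want must be set
        return any(int(v) & int(want) == int(want) for v in values)
    if cmp in ("=", "~="):  # AD treats ~= as equality; case-insensitive, '*' is the only wildcard
        pattern = ".*".join(re.escape(p) for p in want.split("*"))
        return any(re.fullmatch(pattern, v, re.I) for v in values)
    key = lambda s: int(s) if s.lstrip("-").isdigit() else s.lower()  # numeric order for integer attributes
    return any(key(v) >= key(want) if cmp == ">=" else key(v) <= key(want) for v in values)

def search(filter_text, entries):  # cn of every matching entry; attribute names are case-insensitive
    tree = parse(filter_text)
    return [e["cn"] for e in entries if matches(tree, {k.lower(): v if isinstance(v, list) else [v] for k, v in e.items()})]

# Constructed sample entries (not a real domain). UAC bits: 512 NORMAL_ACCOUNT, 2 ACCOUNTDISABLE, 65536 DONT_EXPIRE_PASSWD, 8192 SERVER_TRUST_ACCOUNT (DC), 524288 TRUSTED_FOR_DELEGATION
SAMPLE = [
    {"cn": "Jon Brion", "objectCategory": "person", "objectClass": ["person", "user"], "userAccountControl": 512 | 65536, "mail": "jon@example.com", "pwdLastSet": 0},
    {"cn": "Alex Old", "objectCategory": "person", "objectClass": ["person", "user"], "userAccountControl": 512 | 2, "pwdLastSet": 0},
    {"cn": "DC01", "objectCategory": "computer", "objectClass": ["computer"], "userAccountControl": 8192 | 524288, "operatingSystem": "Windows Server 2019"},
]
```

Running search() with the article's first filter returns only Jon Brion (pwdLastSet is 0 and the account is not disabled), and moving the (!...) sub-filter inside an (|...) instead of beside it changes the result set, which is the parenthesis mistake the syntax section warns about.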
Cyril Kardashevsky

3 comments

  1. Would love to see an example to list AD users with membership in a particular AD group.
    Trying to enter data into the “Member of” search field never seems to work.

    Many thanks!
    JimM

  2. Hi,
    Thanks for the info.
    Does anyone know how to filter users with “Network Access Permission”?
    (User properties, Dial-in, Network Access Permission)

    Thanks in advance,
    Hector
