Active Directory LDAP Query Examples

LDAP queries let you search the Active Directory database for objects (computers, users, groups) that match certain criteria. To run an LDAP query against the AD catalog you can use various tools: command-line utilities such as ldapsearch, PowerShell or VBS scripts, the Saved Queries feature in the Active Directory Users and Computers (ADUC) snap-in, and so on.

In this article, we will take a look at some useful examples of LDAP queries to AD and how to execute them.

How to Execute an LDAP Query

First, let’s look at how to run an LDAP query. Suppose you want to find all AD users who have the “User must change password at next logon” option enabled (stored as pwdLastSet=0) and are not disabled. The LDAP filter for this query is as follows:

(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Let’s try to execute this query using the ADUC console.

  1. Open the ADUC console and go to the Saved Queries section;
  2. Create a new query: New > Query;
  3. Specify a name for the query and click the Define Query button;
  4. Select the Custom Search type, go to the Advanced tab and paste your LDAP filter into the Enter LDAP query field;
  5. Click OK twice, select your new query in the Saved Queries tree and press F5;
  6. The list of AD users that match this LDAP filter is displayed in the right pane.

You can also run this LDAP query from PowerShell with the Get-ADUser cmdlet (to search for users). Note that the separate clauses must be joined with an outer & (AND) to form a single valid LDAP filter:

Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

To search for computers, use the Get-ADComputer cmdlet:

Get-ADComputer -LDAPFilter '<your ldap filter>'
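The following is an added example (not code from the original article) that runs the filter above in two ways: through the RSAT ActiveDirectory module, and through System.DirectoryServices, which is present on any domain-joined Windows host even without RSAT. The comments explain the bitwise matching rule OID used in the userAccountControl clause. Keep in mind that, by default, any authenticated domain user can run these queries, so the same filters are what an attacker uses to enumerate a domain; nothing in the result depends on admin rights. The OU path shown for -SearchBase is a placeholder.

```powershell
Import-Module ActiveDirectory   # RSAT; only needed for the Get-ADUser path

# The article's filter, joined with an outer "&". Without it the string is four
# separate filters, which is not a valid RFC 4515 filter.
$filter = '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the integer attribute must
# have every bit of the compared value set. 2 is ACCOUNTDISABLE, so the negated
# clause drops disabled accounts. (1.2.840.113556.1.4.804, BIT_OR, matches if any
# bit is set.) pwdLastSet=0 is how "User must change password at next logon" is stored.
$ACCOUNTDISABLE = 2

# Way 1: the ActiveDirectory module. Get-ADUser only returns user objects;
# Get-ADObject would run the same filter against any object class.
$viaModule = Get-ADUser -LDAPFilter $filter -Properties pwdLastSet, userAccountControl

# Way 2: System.DirectoryServices, available on every domain-joined Windows host.
function Invoke-LdapSearch {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('sAMAccountName', 'distinguishedName'),
        [string]$SearchBase     # placeholder, e.g. 'LDAP://OU=Staff,DC=contoso,DC=com'; default is the domain root
    )
    $root = if ($SearchBase) { [ADSI]$SearchBase } else { [ADSI]'' }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 1000      # enables paging past the server's MaxPageSize (1000 objects)
    $searcher.PropertiesToLoad.AddRange($Properties)
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($p in $Properties) {
            # ResultPropertyCollection keys are lower-cased; multi-valued attributes are joined
            $row[$p] = ($result.Properties[$p.ToLower()] -join ';')
        }
        [pscustomobject]$row
    }
}

$viaAdsi = Invoke-LdapSearch -Filter $filter -Properties sAMAccountName, pwdLastSet, userAccountControl

# Both paths return the same accounts; the bit test below repeats client-side what
# the :1.2.840.113556.1.4.803: clause did on the domain controller.
$viaAdsi | ForEach-Object {
    $uac = [int]$_.userAccountControl
    [pscustomobject]@{
        Account      = $_.sAMAccountName
        MustChangePw = ([long]$_.pwdLastSet -eq 0)
        Disabled     = (($uac -band $ACCOUNTDISABLE) -ne 0)   # always $false here because of the "!" clause
    }
} | Format-Table -AutoSize

"Module: $(@($viaModule).Count) accounts, ADSI: $(@($viaAdsi).Count) accounts"
```

Use the DirectorySearcher path when you need to run a filter from a workstation or a server without RSAT; it returns raw attribute values, so the account-control flags come back as integers rather than the Enabled/PasswordExpired booleans the module computes for you.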

LDAP Query Examples for Active Directory

Let’s look at some LDAP queries that AD administrators use frequently.

Search for members of the Domain Admins and Enterprise Admins groups:


List all AD users except disabled ones:


Display the list of disabled user accounts:


Select users with the “Password never expires” option enabled:


Users with empty email value:


List users with Sales in the Department field:


List all disabled computer accounts in AD:


Display all Windows 10 computers:

(&(objectCategory=computer)(operatingSystem=Windows 10*))

All domain controllers:


All member servers in the domain (excluding DCs):


List groups created within a specified period:


List all empty AD groups:


List all groups with CIO in the group name:


Find all Exchange Servers in the domain:

(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*))

All color printers published in AD on a specific print server:

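As an added example (not the article's own code), here is a catalog of standard LDAP filters for the queries listed above, written with AD's bitwise matching rule (1.2.840.113556.1.4.803) and transitive-membership matching rule (1.2.840.113556.1.4.1941, which also answers the common "users in a particular group" question including nested membership), plus a loop that runs each filter with Get-ADObject. It assumes the RSAT ActiveDirectory module on a domain-joined host; the print server name is an assumed placeholder, and the admin group DNs are resolved from their well-known RIDs rather than hard-coded. Two caveats are built in: a DC filter on bit 8192 alone misses read-only DCs, and (!(member=*)) misses groups whose only members are held through primaryGroupID.

```powershell
Import-Module ActiveDirectory

function Get-AdLdapFilterCatalog {
    param(
        [Parameter(Mandatory)][string]$DomainAdminsDn,
        [string]$EnterpriseAdminsDn,                        # exists only in the forest root domain
        [string]$PrintServer = 'printsrv01.contoso.com',    # assumed placeholder name
        [datetime]$GroupsCreatedSince = (Get-Date).AddDays(-30)
    )
    $uacAnd  = 'userAccountControl:1.2.840.113556.1.4.803:='   # BIT_AND: all listed bits set
    $inChain = 'memberOf:1.2.840.113556.1.4.1941:='            # IN_CHAIN: direct or nested membership
    $user    = '(objectCategory=person)(objectClass=user)'
    # whenCreated is generalized time in UTC: yyyyMMddHHmmss.0Z
    $since   = $GroupsCreatedSince.ToUniversalTime().ToString("yyyyMMddHHmmss.0'Z'")

    # Default group DNs contain no characters that need LDAP filter escaping ( * ( ) \ NUL )
    $admins = "($inChain$DomainAdminsDn)"
    if ($EnterpriseAdminsDn) { $admins = "(|$admins($inChain$EnterpriseAdminsDn))" }

    [ordered]@{
        'Domain/Enterprise Admins (incl. nested)' = "(&$user$admins)"
        'Users except disabled'                   = "(&$user(!(${uacAnd}2)))"           # 2 = ACCOUNTDISABLE
        'Disabled users'                          = "(&$user(${uacAnd}2))"
        'Password never expires'                  = "(&$user(${uacAnd}65536))"          # 0x10000 = DONT_EXPIRE_PASSWORD
        'Users with empty mail'                   = "(&$user(!(mail=*)))"
        'Department = Sales'                      = "(&$user(department=Sales))"
        'Disabled computers'                      = "(&(objectCategory=computer)(${uacAnd}2))"
        'Windows 10 computers'                    = '(&(objectCategory=computer)(operatingSystem=Windows 10*))'
        # 8192 = SERVER_TRUST_ACCOUNT (writable DC); 67108864 = PARTIAL_SECRETS_ACCOUNT (RODC)
        'Domain controllers'                      = "(&(objectCategory=computer)(|(${uacAnd}8192)(${uacAnd}67108864)))"
        'Member servers (not DCs)'                = "(&(objectCategory=computer)(operatingSystem=*Server*)(!(${uacAnd}8192))(!(${uacAnd}67108864)))"
        'Groups created recently'                 = "(&(objectCategory=group)(whenCreated>=$since))"
        # member=* misses members held only via primaryGroupID (e.g. Domain Users looks empty)
        'Empty groups'                            = '(&(objectCategory=group)(!(member=*)))'
        'Groups with CIO in the name'             = '(&(objectCategory=group)(name=*CIO*))'
        'Exchange servers'                        = '(&(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*))'
        # printColor is a Boolean attribute of printQueue; shortServerName holds the NetBIOS name
        'Color printers on one server'            = "(&(objectCategory=printQueue)(printColor=TRUE)(serverName=$PrintServer))"
    }
}

# Resolve the admin groups by well-known RID (512 = Domain Admins, 519 = Enterprise Admins)
$domain     = Get-ADDomain
$forest     = Get-ADForest
$rootDomain = Get-ADDomain -Identity $forest.RootDomain
$daDn = (Get-ADGroup -Identity "$($domain.DomainSID)-512").DistinguishedName
$eaDn = (Get-ADGroup -Identity "$($rootDomain.DomainSID)-519" -Server $forest.RootDomain).DistinguishedName

$catalog = Get-AdLdapFilterCatalog -DomainAdminsDn $daDn -EnterpriseAdminsDn $eaDn

foreach ($entry in $catalog.GetEnumerator()) {
    # Get-ADObject runs any filter regardless of object class
    $hits = @(Get-ADObject -LDAPFilter $entry.Value)
    '{0,-42} {1,5}  {2}' -f $entry.Key, $hits.Count, $entry.Value
}
```

Any of these filters can be pasted into the ADUC Custom Search field as well; only the interpolated DN and date values need to be filled in by hand there. Domain controllers do not log LDAP searches by default; if you want to see who runs queries like these, raise the "15 Field Engineering" diagnostic level (NTDS Diagnostics, level 5) and review the resulting event ID 1644 entries in the Directory Service log.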
Cyril Kardashevsky


  1. Would love to see an example to list AD users with membership in a particular AD group.
    Trying to enter data into the “Member of” search field never seems to work.

    Many thanks!

  2. Hi,
    Thanks for the info.
    Does anyone know how to filter users with “Network Access Permission”?
    (User properties, dial-in, network access permission)

    Thanks in advance,
