LDAP queries are used to search for objects (computers, users, groups) in the Active Directory database according to specific criteria. You can use several tools to run an LDAP query against the AD LDAP catalog: ldapsearch.exe, PowerShell or VBS scripts, the Saved Queries feature in the ADUC console, etc.
In this article, we’ll look at some useful examples of LDAP queries to AD and how to execute them.
How to Execute the LDAP Query
Let’s look at some examples of how to perform LDAP (Lightweight Directory Access Protocol) queries. The following simple LDAP query can be used to search for Active Directory user accounts that have the “User must change password at next logon” option enabled:
(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
This LDAP query contains several conditions, each of which is enclosed in parentheses.
Let’s try to run this LDAP query using the Active Directory Users and Computers MMC snap-in.
- Open the ADUC console and go to the Saved Queries;
- Create a new query;
- Specify a query name and click the Define Query button;
- Select the Custom Search type. Go to the Advanced tab, and paste your LDAP query code into the Enter LDAP query field;
- Save the query and press F5;
- A list of AD users matching this LDAP query should appear in the right pane.
You can also use LDAP filters when searching for objects in the ADSI Edit console.
- Right-click on the naming context and select New > Query;
- Specify the query name;
- Select the search area (Root of Search). Paste your LDAP query code into the Query String field.
Note. An LDAP query must be converted to the following format in order to be used in the ADSI Edit console: (&your_ldap_filter).
You can specify your LDAP query in the LdapFilter parameter of the PowerShell cmdlets from the PowerShell Active Directory module (Get-ADUser, Get-ADComputer, Get-ADGroup, Get-ADObject, etc.).
The Get-ADUser cmdlet is used to find the user objects that match the criteria:
Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))'
The Get-ADComputer cmdlet searches for computers:
Get-ADComputer -LDAPFilter 'your ldap query'
Below is an example of a complex LDAP filter with multiple OR conditions that searches for Windows 10 and Windows 8.1 computers whose hostnames contain neither WKS nor TEST:
$compLDAPFilter = "(&(|(operatingSystem=*Windows 10*)"
$compLDAPFilter += "(operatingSystem=*Windows 8.1*))"
$compLDAPFilter += "(!name=*WKS*)(!name=*TEST*))"
Get-ADComputer -LDAPFilter $compLDAPFilter -Properties OperatingSystem, LastLogonDate | Select-Object Name, OperatingSystem, LastLogonDate
To search for Active Directory groups in AD, use the Get-ADGroup cmdlet:
Get-ADGroup -LDAPFilter '{LDAP_query}'
If you don’t know the type of Active Directory object you are looking for, you can use the generic Get-ADObject cmdlet:
Get-ADObject -LdapFilter "(cn=*Brion*)"
You can use the objectClass parameter to specify the object type:
Get-ADObject -LdapFilter "(&(objectClass=user)(cn=*Brion*))"
List AD group members using the LDAP filter (Domain Admins group in this example):
Get-ADObject -LdapFilter "(&(objectClass=group)(CN=Domain Admins))" | ForEach-Object {
    $groupName = $_.Name
    Get-ADObject -LdapFilter "(&(objectClass=user)(memberOf=$($_.DistinguishedName)))" |
        Select-Object DistinguishedName, Name, @{l='GroupName'; e={$groupName}}
}
You can also run LDAP queries against Active Directory from the Windows command prompt using the built-in dsquery.exe and dsget.exe tools.
For example, to find all users whose job title starts with Manager, run the command:
dsquery * OU=Employees,DC=theitbros,DC=com -filter "(&(objectCategory=person)(objectClass=user)(Title=Manager*))"
You can use ANR (Ambiguous Name Resolution) to search for Active Directory objects. This feature lets a single filter match against multiple name-related attributes at once:
- displayName
- givenName (First Name)
- sn (Last Name)
- sAMAccountName
- legacyExchangeDN
- Relative Distinguished Name (RDN)
- proxyAddresses
- mailNickname
- msExchResourceSearchProperties
- msDS-AdditionalSamAccountName
- msDS-PhoneticCompanyName
- msDS-PhoneticDepartment
- msDS-PhoneticDisplayName
- msDS-PhoneticFirstName
- msDS-PhoneticLastName
For example, run this simple LDAP query to find users who have the keyword test in any of these attributes:
(anr=test)
LDAP Filter Syntax
The common LDAP filter syntax is:
<Filter>=(<Attribute><comparison operator><value>)
Hint. LDAP query attributes are not case sensitive.
The following comparison operators can be used in a filter:
Operator | Syntax | Description |
--- | --- | --- |
= | attribute=value | Equal |
>= | attribute>=value | Greater than or equal |
<= | attribute<=value | Less than or equal |
~= | attribute~=value | Approximately equal |
For example, the following filter returns all objects with cn (common name) attribute value Jon:
(cn=Jon)
Boolean operators allow you to specify multiple search conditions:
Operator | Syntax | Description |
--- | --- | --- |
& | (&(filter1)(filter2)) | AND — all conditions must be met |
\| | (\|(filter1)(filter2)) | OR — at least one condition must be met |
! | (!(filter1)) | NOT — the condition must not be met |
For example, let’s find AD objects with cn=Jon AND sn (surname)=Brion:
(&(cn=Jon)(sn=Brion))
You can nest several logical operators in one filter. The following LDAP query returns objects with cn = Jon OR sn = Brion, excluding those whose cn is Alex (the NOT condition sits outside the OR group):
(&(|(cn=Jon)(sn=Brion))(!(cn=Alex)))
The objectCategory and objectClass attributes allow you to restrict the search to a particular type of object.
Valid values include: person, user, contact, computer, group, organizationalPerson.
Find all user accounts with the name Jon:
(&(objectClass=user)(objectCategory=person)(cn=Jon))
You can use the * wildcard character in the LDAP filter if you don’t know the exact name of the object. For example, to find users whose name starts with Jo, change the previous query to:
(&(objectClass=user)(objectCategory=person)(cn=Jo*))
LDAP Query Examples for Active Directory
Let’s look at some useful examples of LDAP queries commonly used by AD admins.
LDAP Filters for Users
Search for users in privileged groups such as Domain Admins or Enterprise Admins (accounts protected by AdminSDHolder have adminCount=1; note that the attribute stays set to 1 after an account is removed from such a group, so confirm current group membership separately):
(objectClass=user)(objectCategory=Person)(adminCount=1)
List all AD users except disabled ones:
(objectCategory=person)(objectClass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)
Display the list of disabled user accounts (the ACCOUNTDISABLE bit, value 2, is set in userAccountControl):
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)
Find users with the “Password never expires” option enabled (the DONT_EXPIRE_PASSWORD bit, value 65536):
(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536)
List locked AD users (the LOCKOUT bit, value 16; note that this bit is not reliably maintained in the stored userAccountControl value, so filtering on (lockoutTime>=1) is the dependable check):
(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=16)
Users with an empty e-mail address attribute:
(objectcategory=person)(!mail=*)
List users with Sales in the Department field:
(&(objectCategory=person)(objectClass=user)(department=Sales))
Find the users that are direct members of a specific AD group:
(&(objectClass=user)(sAMAccountName=*)(memberOf=CN=UKManagers,OU=Groups,OU=UK,DC=theitbros,DC=com))
You can list the groups the user is a member of:
(&(objectCategory=group)(member=CN=Jon Brion,OU=Employees,DC=theitbros,DC=com))
List contact objects in AD:
(&(objectCategory=person)(objectClass=contact))
LDAP Filters for Computer Objects
List all disabled computer accounts in AD:
(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))
List all Windows 10 computers:
(objectCategory=computer)(operatingSystem=Windows 10*)
Find computers running a specific build of Windows 10:
(&(objectCategory=computer)(operatingSystem=Windows 10*)(operatingSystemVersion=*19045*))
All Active Directory domain controllers:
(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
All member domain servers (except DCs):
(&(objectCategory=computer)(operatingSystem=*server*)(!userAccountControl:1.2.840.113556.1.4.803:=8192))
All MS SQL Server instances in AD:
(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))
Find all Exchange Servers hosts in the domain:
(objectCategory=computer)(servicePrincipalName=exchangeMDB*)(operatingSystem=Windows Server*)
List color printers on a specific print server published in the AD:
(uncName=*lon-prnt*)(objectCategory=printQueue)(printColor=TRUE)
LDAP Filters for AD Groups
List groups created during a specified period (whenCreated uses the generalized time format YYYYMMDDHHMMSS.0Z):
(&(objectCategory=group)(whenCreated>=20200101000000.0Z)(whenCreated<=20201201000000.0Z))
List empty AD groups:
(objectCategory=group)(!member=*)
List the members of a group including those that belong through nested groups (the 1.2.840.113556.1.4.1941 matching rule, LDAP_MATCHING_RULE_IN_CHAIN, walks the membership chain recursively):
(memberOf:1.2.840.113556.1.4.1941:=CN=allowUSB,OU=Groups,OU=NewYork,OU=US,DC=theitbros,DC=loc)
List all distribution groups:
(&(objectCategory=group)(!groupType:1.2.840.113556.1.4.803:=2147483648))
Find groups with *CIO* in the group name:
(objectCategory=group)(samaccountname=*CIO*)
Find an AD object with a specific object SID:
(objectSID=S-1-5-21-506968642-4209078585-1781862235-1021)
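As an added example (not code from the article or its author), the Python script below implements a minimal parser and evaluator for the Active Directory filter dialect covered in the LDAP Filter Syntax section and runs several of the filters listed in this article against a constructed in-memory directory: the comparison and boolean operators with wildcards, the 1.2.840.113556.1.4.803 bitwise-AND rule used for userAccountControl checks, the 1.2.840.113556.1.4.1941 nested-membership rule, the anr pseudo-attribute, and a whenCreated date range. Like the ADUC saved-query dialog it accepts several top-level conditions without an enclosing (&...), and like AD it accepts the (!attr=value) shorthand; a filter with unbalanced parentheses is rejected. The DNs, names and attribute values are invented test data, and parse, search and is_valid are this example's own functions, not part of any Microsoft tool.

```python
# Added example (not part of the original article): a small evaluator for the AD LDAP
# filter dialect described above, run against constructed sample data (all names invented).
import fnmatch
import re

BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (nested membership)
ANR_ATTRS = ("displayName", "givenName", "sn", "sAMAccountName", "mailNickname")

DIRECTORY = {  # constructed sample directory: DN -> attributes (scalar or list)
    "CN=Jon Brion,OU=Employees,DC=example,DC=test": {
        "objectCategory": "person", "objectClass": ["top", "person", "user"], "cn": "Jon Brion",
        "givenName": "Jon", "sn": "Brion", "sAMAccountName": "jbrion", "pwdLastSet": 0,
        "userAccountControl": 512, "memberOf": ["CN=UK Staff,OU=Groups,DC=example,DC=test"]},
    "CN=Alex Test,OU=Employees,DC=example,DC=test": {
        "objectCategory": "person", "objectClass": ["top", "person", "user"], "cn": "Alex Test",
        "givenName": "Alex", "sn": "Test", "sAMAccountName": "atest", "pwdLastSet": 132000000000000000,
        "userAccountControl": 66050},  # 65536 (password never expires) + 512 + 2 (disabled)
    "CN=UK Staff,OU=Groups,DC=example,DC=test": {
        "objectCategory": "group", "objectClass": ["top", "group"], "cn": "UK Staff",
        "whenCreated": "20200315120000.0Z", "memberOf": ["CN=allowUSB,OU=Groups,DC=example,DC=test"]},
    "CN=allowUSB,OU=Groups,DC=example,DC=test": {
        "objectCategory": "group", "objectClass": ["top", "group"], "cn": "allowUSB",
        "whenCreated": "20210105090000.0Z"},
}

# attribute[:rule:]operator value; escaped parentheses inside values are not handled here
ITEM = re.compile(r"([A-Za-z0-9.-]+)(?::([\d.]+):)?(>=|<=|~=|=)([^()]*)")


def parse(text):
    """Filter string -> ('&'|'|'|'!', [children]) or ('item', attr, rule, op, value) tree."""
    stack, pos = [("&", [])], 0  # root is an implicit AND, as ADUC's saved queries allow
    while pos < len(text):
        if text[pos] == "(" and text[pos + 1:pos + 2] in ("&", "|", "!"):
            stack.append((text[pos + 1], []))  # open a compound node
            pos += 2
        elif text[pos] == ")":
            if len(stack) == 1:
                raise ValueError(f"unexpected ')' at offset {pos}")
            stack[-2][1].append(stack.pop())  # close the compound node
            pos += 1
        else:  # simple item; AD also accepts the shorthand (!attr=value) without inner parens
            skip = 1 if text[pos] == "(" else 0
            m = ITEM.match(text, pos + skip)
            if not m or (skip and text[m.end():m.end() + 1] != ")"):
                raise ValueError(f"bad filter item at offset {pos}")
            stack[-1][1].append(("item",) + m.groups())
            pos = m.end() + skip
    if len(stack) > 1:
        raise ValueError("unbalanced filter: missing ')'")
    kids = stack[0][1]
    return kids[0] if len(kids) == 1 else ("&", kids)


def values(attrs, name):  # case-insensitive lookup; LDAP attribute names are not case sensitive
    for key, val in attrs.items():
        if key.lower() == name.lower():
            return val if isinstance(val, list) else [val]
    return []


def transitive_groups(attrs):  # lower-cased DNs of all groups reachable through memberOf
    seen, todo = set(), list(values(attrs, "memberOf"))
    while todo:
        dn = todo.pop()
        if dn not in seen:
            seen.add(dn)
            todo.extend(values(DIRECTORY.get(dn, {}), "memberOf"))
    return {dn.lower() for dn in seen}


def evaluate(tree, attrs):
    """True when the entry `attrs` satisfies the parsed filter."""
    op = tree[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(evaluate(k, attrs) for k in tree[1])
    if op == "!":
        return not evaluate(tree[1][0], attrs)
    _, name, rule, oper, value = tree
    if name.lower() == "anr":  # ANR: prefix match across the name-related attributes
        return any(str(v).lower().startswith(value.lower()) for a in ANR_ATTRS for v in values(attrs, a))
    vals = values(attrs, name)
    if rule == BIT_AND:  # every bit of the mask must be set in the attribute
        return any(int(v) & int(value) == int(value) for v in vals)
    if rule == IN_CHAIN:  # membership through any depth of nesting
        return value.lower() in transitive_groups(attrs)
    if oper in ("=", "~="):  # '*' is a wildcard; AD's ~= is phonetic, approximated here as =
        return any(fnmatch.fnmatchcase(str(v).lower(), value.lower()) for v in vals)
    for v in vals:  # >= and <=: numeric when both sides are integers, otherwise string order
        a, b = (int(v), int(value)) if str(v).isdigit() and value.isdigit() else (str(v), value)
        if (a >= b) if oper == ">=" else (a <= b):
            return True
    return False


def search(filter_text):  # sorted DNs of the directory entries matching the filter
    tree = parse(filter_text)
    return sorted(dn for dn, attrs in DIRECTORY.items() if evaluate(tree, attrs))


def is_valid(filter_text):  # syntax check only
    try:
        return parse(filter_text) is not None
    except ValueError:
        return False
```

Running a filter through search() offline is a cheap way to confirm its structure and matching logic before pointing it at a domain controller. Two behaviours worth noticing: a negated presence test such as (!mail=*) also matches entries that simply lack the attribute (which is how AD treats it too), and the bitwise rule only reports a match when every bit of the mask is set, so 66050 matches a mask of 2 and of 65536 but a plain 512 matches neither.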
5 comments
Get-ADObject -LdapFilter "(&(objectclass=user)(MemberOf=$((Get-ADObject -LdapFilter "(CN=)").DistinguishedName)))"
(Get-ADObject -LdapFilter "(CN=Group CN)").DistinguishedName.ForEach({ $_; Get-ADObject -LdapFilter "(&(objectclass=user)(MemberOf=$_))"})
You can even use wildcards but the following can take a long time:
(Get-ADObject -LdapFilter "(CN=*)").DistinguishedName.ForEach({ $_; Get-ADObject -LdapFilter "(&(objectclass=user)(MemberOf=$_))"})
For better output (Group CN can even contain wildcard characters):
(Get-ADObject -LdapFilter "(&(objectclass=group)(CN=Group CN))") |
ForEach-Object {$a=$_.Name;
Get-ADObject -LdapFilter "(&(objectclass=user)(MemberOf=$($_.DistinguishedName)))" |
Select-Object DistinguishedName, Name, @{l='GroupName';e={$a}}}
How to get attribute values in AD through LDAP?
I want a list of members in an AD computer group. I’m not having any success in finding the right cmd or script to run an AD query to list members of a computer group. It seems to work only for user accounts. Any advice is greatly appreciated.