@jonlabelle
Last active August 9, 2025 12:18
---
title: LDAP Search Filter Cheatsheet
author: Jon LaBelle
date: January 4, 2021
source:
notoc: true
---

LDAP Search Filter Cheatsheet

A comprehensive reference for constructing LDAP search filters, with practical examples for common queries.

Filter operators

Comparison operators

The following comparison operators can be used in a filter (the grammar is defined in RFC 4515):

| Operator | Meaning |
|----------|---------|
| = | Equality |
| >= | Greater than or equal to |
| <= | Less than or equal to |
| ~= | Approximately equal to |

There is no <, > or != operator: write "not equal" as a negated equality, (!(cn=Jon)), and "greater than" as (&(attr>=value)(!(attr=value))). Active Directory has no approximate-match rule and evaluates ~= exactly like =. A value consisting only of * (for example (mail=*)) is a presence test: it matches every object that has the attribute at all, whatever its value.

For example, the following filter returns all objects with cn (common name) attribute value Jon:

(cn=Jon)

Combination operators

Filters can be combined using boolean operators when there are multiple search conditions. The operator comes first (prefix notation), followed by its operands, and the whole expression is wrapped in its own parentheses:

| Operator | Description |
|----------|-------------|
| & | AND: all conditions must be met (one or more operands) |
| \| | OR: at least one condition must be met (one or more operands) |
| ! | NOT: the condition must not be met (exactly one operand) |

For example, to select objects with cn equal to Jon and sn (surname/last name) equal to Brian:

(&(cn=Jon)(sn=Brian))

Because ! takes a single operand, "neither A nor B" is written (!(|(A)(B))) or (&(!(A))(!(B))); (!(A)(B)) is not valid RFC 4515 syntax.

Special Characters

The LDAP filter specification (RFC 4515) assigns special meaning to the following characters. To match one of them literally inside a value, replace it with a backslash followed by its two-digit hexadecimal code (upper or lower case hex digits are both accepted):

| Character | Hex representation |
|-----------|--------------------|
| * | \2A |
| ( | \28 |
| ) | \29 |
| \ | \5C |
| NUL | \00 |

For example, to find all objects where the common name is James Jim*) Smith, the LDAP filter would be:

(cn=James Jim\2A\29 Smith)

Apply this escaping to every value that comes from outside your own code (a login form, a username, a DN read from another entry) before placing it in a filter; an unescaped * or ) lets the caller change the structure of the query (LDAP injection), for example by turning an exact-match lookup into a wildcard or adding a condition of their own. Filter escaping is separate from DN escaping (RFC 4514): a DN such as CN=Smith\, John,OU=Staff,DC=company,DC=com already contains a backslash, and when that DN is used as a filter value the backslash must be escaped again, as CN=Smith\5C, John,OU=Staff,DC=company,DC=com.
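The escaping rule above is what stands between a user-supplied string and LDAP injection. The following Python is an added example, not code from the original cheatsheet: it implements RFC 4515 value escaping, builds one of this page's lookup filters with and without it, and recovers the filter structure the server would see. The attacker string and the lookup function are constructed for the demonstration; the attribute names (objectCategory, sAMAccountName, adminCount) are the ones used elsewhere on this page.

```python
"""RFC 4515 filter-value escaping and an LDAP injection demonstration.

Added example, not part of the original cheatsheet. The lookup filter and
the hostile input below are constructed for illustration.
"""

# The five characters RFC 4515 gives special meaning inside an assertion
# value, mapped to their backslash-hex escapes (the table above). Escaping
# is per character, so no ordering is needed to avoid double-escaping.
_ESCAPES = {
    "\\": r"\5C",
    "*": r"\2A",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is matched literally as a filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter_unsafe(account_name: str) -> str:
    """Vulnerable: the caller's text is spliced straight into the filter."""
    return f"(&(objectCategory=person)(sAMAccountName={account_name}))"


def user_lookup_filter(account_name: str) -> str:
    """Hardened: the same filter with the value escaped first."""
    return f"(&(objectCategory=person)(sAMAccountName={escape_filter_value(account_name)}))"


def components(filter_str: str) -> list[str]:
    """Return the immediate sub-filters of a filter such as (&(a=1)(b=2)).

    Escaped parentheses are written as \\28 and \\29, so a plain bracket
    scan over the text recovers exactly the structure the server parses.
    A simple filter with no &, | or ! is returned as a single component.
    """
    if not (filter_str.startswith("(") and filter_str.endswith(")")):
        raise ValueError("filter must be enclosed in parentheses")
    body = filter_str[1:-1]
    if not body or body[0] not in "&|!":
        return [filter_str]
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return parts


if __name__ == "__main__":
    # Constructed attacker input: closes the sAMAccountName term and appends
    # a condition, turning a single-user lookup into "every admin account".
    hostile = "*)(adminCount=1"
    print(user_lookup_filter_unsafe(hostile))
    # (&(objectCategory=person)(sAMAccountName=*)(adminCount=1))  -> 3 components
    print(components(user_lookup_filter_unsafe(hostile)))
    print(user_lookup_filter(hostile))
    # (&(objectCategory=person)(sAMAccountName=\2A\29\28adminCount=1))  -> 2 components
    print(components(user_lookup_filter(hostile)))
    print(escape_filter_value("James Jim*) Smith"))
```

The unsafe builder produces a syntactically valid filter with one more term than the programmer wrote, which is why the check in components counts structure rather than looking for "bad characters"; after escaping, the hostile text is just an unusual (and non-matching) account name.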

objectCategory and objectClass

| objectCategory | objectClass | Result |
|----------------|-------------|--------|
| person | user | user objects |
| person | n/a | user and contact objects |
| person | contact | contact objects |
| user | n/a | user and computer objects |
| computer | n/a | computer objects |
| contact | n/a | contact objects |
| group | n/a | group objects |
| n/a | group | group objects |
| person | organizationalPerson | user and contact objects |
| organizationalPerson | n/a | user and contact objects |

Use objectCategory rather than objectClass alone in your filters.

objectCategory is single-valued and indexed. objectClass is multi-valued (a user object carries top, person, organizationalPerson and user) and in older Active Directory versions was not indexed, so filtering on it alone was slow. Note also that (objectClass=user) matches computer objects as well, because the computer class derives from user; the pair (&(objectCategory=person)(objectClass=user)) used throughout this page is the idiom for "exactly user accounts".

Filter basics

To match a single attribute

(sAMAccountName=SomeAccountName)

To match two attributes (and)

(&(objectClass=person)(objectClass=user))

To match two attributes (or)

(|(objectClass=person)(objectClass=user))

To match three attributes (and)

(&(objectClass=user)(objectClass=top)(objectClass=person))

To match three attributes (or)

(|(objectClass=user)(objectClass=top)(objectClass=person))

Every object has objectClass top, so these two filters illustrate the syntax rather than a useful query: the AND form matches the same objects as (objectClass=user) alone, and the OR form matches everything.

To perform a wildcard search

(&(objectClass=user)(cn=*Marketing*))

The * matches any run of characters, including none, and may appear at the start, middle or end of the value. A value that starts with * cannot use the attribute's index and forces the server to examine every candidate object, so prefer a trailing wildcard such as (cn=Marketing*) where the data allows it.

Sample filters

Users in group

To retrieve user account names (sAMAccountName) that are direct members of a particular group (SomeGroupName):

(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=SomeGroupName,ou=users,dc=company,dc=com))

memberOf holds the group's full distinguished name, so the DN must match exactly, and any ( ) * or \ inside it must be filter-escaped as described under Special Characters.

Users in group (include nested)

To retrieve user account names (sAMAccountName) that are members of a particular group (SomeGroupName) either directly or through any depth of nested groups:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=SomeGroupName,ou=users,dc=company,dc=com))

1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, an Active Directory extension that makes the domain controller walk the group nesting server-side. It is expensive on large directories, so keep the search base as narrow as possible. Neither filter sees membership through a user's primary group: that relationship is stored in primaryGroupID (513 for Domain Users by default) and never appears in memberOf.

Users in multiple groups

To retrieve user account names (sAMAccountName) that are members of any of the four groups (fire, wind, water, heart):

(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=fire,ou=users,dc=company,dc=com)(memberOf=cn=wind,ou=users,dc=company,dc=com)(memberOf=cn=water,ou=users,dc=company,dc=com)(memberOf=cn=heart,ou=users,dc=company,dc=com)))
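To make the difference between the three group filters above concrete, here is an added example (not from the original cheatsheet) that builds each filter from a list of group DNs and then shows, on a constructed in-memory directory, what a plain memberOf match returns versus what the chain rule resolves, including a nesting loop. The DNs, the DIRECTORY dict and the primary-group helper are constructed for the example; the filter shapes are the ones on this page.

```python
"""Direct versus nested group membership, as an added example (not part of the
original cheatsheet). The group and user DNs are constructed sample data, and
DIRECTORY is an in-memory stand-in for the member attribute a DC would return.
"""
from collections import deque

# Active Directory's transitive matching rule (used on memberOf above).
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def member_of_filter(group_dns, nested=False):
    """Build the "users in group(s)" filter shown on this page.

    nested=True switches to the chain rule so the DC resolves nesting itself.
    Any DN containing ( ) * or \\ must be filter-escaped by the caller first.
    """
    attr = f"memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else "memberOf"
    terms = "".join(f"({attr}={dn})" for dn in group_dns)
    if len(group_dns) > 1:
        terms = f"(|{terms})"          # any of the groups
    return f"(&(objectCategory=Person)(sAMAccountName=*){terms})"


def primary_group_filter(rid=513):
    """Membership via primaryGroupID is invisible to memberOf; 513 is Domain Users."""
    return f"(&(objectCategory=person)(objectClass=user)(primaryGroupID={rid}))"


# Constructed sample directory: group DN -> values of its member attribute.
# A DN that is itself a key is a nested group; anything else is a user.
DIRECTORY = {
    "cn=fire,ou=users,dc=company,dc=com": [
        "cn=alice,ou=users,dc=company,dc=com",
        "cn=helpdesk,ou=users,dc=company,dc=com",
    ],
    "cn=helpdesk,ou=users,dc=company,dc=com": [
        "cn=bob,ou=users,dc=company,dc=com",
        "cn=fire,ou=users,dc=company,dc=com",   # nesting loop: fire <-> helpdesk
    ],
    "cn=wind,ou=users,dc=company,dc=com": [],
}


def direct_members(directory, group_dn):
    """Users that (memberOf=<group>) with objectCategory=Person returns."""
    return sorted(dn for dn in directory.get(group_dn, []) if dn not in directory)


def transitive_members(directory, group_dn):
    """Users the chain rule returns: reachable through any depth of nesting.

    The seen set guards against loops such as fire -> helpdesk -> fire, which
    AD permits and which would otherwise recurse forever.
    """
    seen, users, queue = {group_dn}, set(), deque([group_dn])
    while queue:
        for dn in directory.get(queue.popleft(), []):
            if dn in directory:              # nested group: walk into it once
                if dn not in seen:
                    seen.add(dn)
                    queue.append(dn)
            else:
                users.add(dn)
    return sorted(users)


if __name__ == "__main__":
    fire = "cn=fire,ou=users,dc=company,dc=com"
    print(member_of_filter([fire]))
    print(member_of_filter([fire], nested=True))
    print(direct_members(DIRECTORY, fire))        # alice only
    print(transitive_members(DIRECTORY, fire))    # alice and bob
```

Bob is reachable only through the helpdesk group, so the plain memberOf filter misses him while the chain-rule filter finds him; the loop between fire and helpdesk is exactly the case the seen set exists for.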

Users that must change their password at next logon

To search Active Directory for enabled users that must change their password at next logon:

(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

pwdLastSet is 0 when the "User must change password at next logon" option is set (and on new accounts that have never logged on). The last term excludes disabled accounts: the :1.2.840.113556.1.4.803: syntax is Active Directory's bitwise AND matching rule, which matches when every bit of the given mask (here 2, ACCOUNTDISABLE) is set in the attribute value.

Users starting with a particular name

To search user objects that start with Common Name Brian (cn=Brian*):

(&(objectClass=user)(cn=Brian*))

Users by job title

To find all users with a job title starting with Manager (Title=Manager*):

(&(objectCategory=person)(objectClass=user)(Title=Manager*))

Active Directory filters

Filters that rely on Active Directory attributes (userAccountControl, adminCount, sAMAccountType, groupType) or on the AD bitwise matching rule 1.2.840.113556.1.4.803, and so will not work against other directory servers.

Domain and Enterprise Admins

To search for accounts that are, or have been, members of protected groups such as Domain Admins and Enterprise Admins:

(&(objectClass=user)(objectCategory=Person)(adminCount=1))

adminCount is set to 1 by the SDProp process on members of all protected groups (Administrators, Account Operators, Backup Operators, Server Operators, Print Operators and others, not only the two admin groups), and it is not cleared when an account is removed from them, so this filter also returns former administrators. Confirm current membership with a memberOf filter on the specific groups before treating a hit as a live admin.

All enabled users

To search all user accounts except disabled ones (userAccountControl bit 2, ACCOUNTDISABLE):

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Disabled user accounts

To list only disabled user accounts:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Users with password never expires enabled

To find user accounts flagged DONT_EXPIRE_PASSWORD (0x10000 = 65536), which are exempt from the domain's maximum password age:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

Users with empty email

To find user accounts that have no mail attribute at all (the presence test (mail=*), negated):

(&(objectCategory=person)(objectClass=user)(!(mail=*)))

Without (objectClass=user) the filter also returns contact objects, which share objectCategory person.

Users in department

To search users in a particular department:

(&(objectCategory=person)(objectClass=user)(department=Sales))

Exclude disabled users

To find a user (sAMAccountName=username) that isn't disabled:

(&(objectCategory=person)(objectClass=user)(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=username))
  • (sAMAccountType=805306368) selects normal user accounts (SAM_NORMAL_USER_ACCOUNT, 0x30000000). sAMAccountType is single-valued and indexed, so this one term is more efficient than the objectCategory/objectClass pair, which it makes redundant here, but the number is harder to remember.
  • (!(userAccountControl:1.2.840.113556.1.4.803:=2)) excludes disabled user objects.

Additional useful filters

Computer accounts

To find all computer accounts in Active Directory:

(objectCategory=computer)

To find computer accounts that are not disabled:

(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Service accounts

To find user accounts with Service Principal Names (SPNs):

(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))

Any authenticated domain user can request a Kerberos service ticket for these accounts and attempt to crack it offline (Kerberoasting), so their passwords need to be long and unique. The built-in krbtgt account matches this filter too and is usually excluded with (!(sAMAccountName=krbtgt)).

To find user accounts that do not require Kerberos pre-authentication (DONT_REQ_PREAUTH, 0x400000 = 4194304):

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))

This filter does not check for an SPN, so it returns every such account, service account or not. Without pre-authentication anyone can obtain an AS-REP for the account and crack it offline (AS-REP roasting), so the flag should be set only where a legacy client genuinely needs it.

Groups with specific attributes

To find all security groups (groupType bit 0x80000000 = 2147483648, GROUP_TYPE_SECURITY_ENABLED):

(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))

To find all distribution groups (the same bit clear):

(&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

groupType is stored as a signed 32-bit integer, so security groups have negative values (a global security group is -2147483646, a domain local one -2147483644, a universal one -2147483640); the bitwise rule compares bit patterns, so the mask 2147483648 still matches them.

To find groups whose member attribute is empty:

(&(objectCategory=group)(!(member=*)))

This is not quite "groups with no members": users whose primaryGroupID points at a group (Domain Users, Domain Computers and Domain Controllers by default) are not listed in that group's member attribute, so those groups look empty to this filter.

Objects modified within timeframe

To find objects modified after a specific date (whenChanged and whenCreated use the generalized time syntax YYYYMMDDHHMMSS.0Z, in UTC):

(whenChanged>=20240101000000.0Z)

To find objects created within the last 30 days, substitute today's date minus 30 days; the value below is a fixed example (30 days before 14 August 2024):

(whenCreated>=20240715000000.0Z)

whenChanged is maintained independently on each domain controller and is not replicated, so the same query can return different results depending on which DC answers it. Attributes such as pwdLastSet, lastLogonTimestamp and accountExpires are not generalized time but 64-bit integers counting 100-nanosecond intervals since 1 January 1601 UTC, so a date cutoff for those must be converted to that integer before it is compared with >= or <=.
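Computing the cutoff is where these time-based filters usually go wrong, because two different encodings are in play. The following Python is an added example, not code from the original cheatsheet: it generates both the generalized-time cutoff used by whenCreated/whenChanged and the FILETIME integer used by pwdLastSet and lastLogonTimestamp, and builds the "recently created", "stale password" and "inactive account" filters from a reference time. The reference time and the day counts are constructed; the filter terms follow the patterns used elsewhere on this page.

```python
"""Time-bounded filters: generalized time versus FILETIME attributes.

Added example, not part of the original cheatsheet. The reference time is
fixed so the output is reproducible; in real use pass datetime.now(timezone.utc).
"""
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day):
    """Aware UTC datetime; a naive datetime would be read as local time."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def generalized_time(dt):
    """whenCreated / whenChanged syntax: YYYYMMDDHHMMSS.0Z, always UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def filetime(dt):
    """pwdLastSet, lastLogonTimestamp, accountExpires and badPasswordTime are
    64-bit integers: 100-nanosecond intervals since 1601-01-01 00:00 UTC."""
    delta = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def created_since_filter(now, days):
    """Objects created in the last `days` days: the query sketched above."""
    return f"(whenCreated>={generalized_time(now - timedelta(days=days))})"


def changed_since_filter(now, days):
    """Objects changed in the last `days` days (per-DC value, see above)."""
    return f"(whenChanged>={generalized_time(now - timedelta(days=days))})"


def stale_password_filter(now, days):
    """Enabled users whose password was last set more than `days` ago.

    pwdLastSet=0 means "must change at next logon", not "ancient", so it is
    excluded explicitly rather than swept up by the <= comparison.
    """
    cutoff = filetime(now - timedelta(days=days))
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            f"(pwdLastSet<={cutoff})(!(pwdLastSet=0)))")


def inactive_account_filter(now, days):
    """Enabled users whose lastLogonTimestamp is older than `days` days.

    lastLogonTimestamp is replicated but only refreshed when the stored value
    is more than about 14 days old, so treat the result as coarse. Accounts
    that have never logged on have no lastLogonTimestamp and do not match.
    """
    cutoff = filetime(now - timedelta(days=days))
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            f"(lastLogonTimestamp<={cutoff}))")


if __name__ == "__main__":
    now = utc(2024, 8, 14)                  # constructed reference time
    print(created_since_filter(now, 30))    # (whenCreated>=20240715000000.0Z)
    print(stale_password_filter(now, 365))
    print(inactive_account_filter(now, 90))
    print(filetime(utc(1970, 1, 1)))        # 116444736000000000
```

The Unix epoch converts to 116444736000000000, a value worth recognising when it turns up in pwdLastSet or accountExpires during an investigation; 0 and 9223372036854775807 in accountExpires both mean "never expires".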

Users by location

To find users in a specific city:

(&(objectCategory=person)(objectClass=user)(l=New York))

To find users in a specific state/province:

(&(objectCategory=person)(objectClass=user)(st=California))

To find users in a specific country by its display name (the two-letter ISO code is stored separately in c, as in (c=US)):

(&(objectCategory=person)(objectClass=user)(co=United States))

Empty organizational units

An LDAP filter cannot ask whether an object has children, and (!(ou=*)) never matches anything: ou is the mandatory naming attribute of every organizationalUnit, so it is always present. To find empty OUs, first enumerate them:

(objectCategory=organizationalUnit)

then run a one-level (single-level scope) search with a size limit of 1 under each OU's distinguished name; an OU whose one-level search returns no objects is empty.

@Juris-ru

Juris-ru commented Aug 7, 2025

Hi. Need to be corrected: https://gist.github.com/jonlabelle/0f8ec20c2474084325a89bc5362008a7#to-match-three-attributes-or
Perhaps you should write "|" instead of "!"

@jonlabelle

Hi. Need to be corrected: https://gist.github.com/jonlabelle/0f8ec20c2474084325a89bc5362008a7#to-match-three-attributes-or Perhaps you should write "|" instead of "!"

Good catch! Thanks @Juris-ru.
