Last Update: Sep 24, 2024 | Published: Jan 07, 2009
These LDAP search strings are good for Saved Queries in Windows Server 2003 AD Users and Computers, Query-based Distribution Groups and Exchange 2000/2003 Recipient Policies and Address Lists. To use the LDAP strings, please consult your product help.
Most regular LDAP searches can easily be done through the provided GUI (such as in a new Address List filter). However, there are instances where the GUI does not give us the needed flexibility. For example, you cannot use the GUI to create a search that uses the Boolean operator “OR”; you can only create searches that use “AND” as their filter. In those cases, if you want a filter that finds users who are in either the Sales department OR the Development department, you need to write the search string manually.
Hence the following examples. They are simple, common, day-to-day strings that you might find handy.
Most samples can be used as provided, but some need minor changes; use common sense where needed.
Finally, saved XML samples of the same queries can be downloaded and used directly from the Saved Queries folder in Windows Server 2003 AD Users and Computers.
(&(objectCategory=computer)(operatingSystemVersion=4*)(userAccountControl:1.2.840.113556.1.4.803:=8192))
Notice the “!” that means “NOT”.
(objectCategory=computer)(!description=*)
(objectCategory=group)(description=*)
Notice the “|” that means “OR”.
(objectCategory=group)(|(cn=QA*)(cn=HD*))
Notice the “|” that means “OR”.
(|(department=Sales)(company=Sales)(description=Sales))
(objectCategory=user)(whenCreated>=20040801000000.0Z)
Notice the “!” that means “NOT”.
(objectCategory=user)(!cn=sara*)
Notice the “>=” that means “Greater than or equal to”.
(objectCategory=user)(badPwdCount>=2)
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))
(objectCategory=user)(memberOf=CN=QA Users,OU=Help Desk,DC=dpetri,DC=net)
(objectClass=user)(mail=*)
(objectClass=user)(email=*)
Note: Download the script to help you generate this date format.
(&(objectCategory=person)(objectClass=user)(pwdLastSet
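As an added example (not part of the original article), these Python helpers assemble the kinds of filters listed above: an OR of literal values as in the Sales/Development case, the bitwise userAccountControl test, and the two date formats AD uses. The function names are hypothetical, the sample values are constructed, and datetimes are assumed to be timezone-aware.

```python
from datetime import datetime, timezone

# AD's bitwise-AND matching rule, as used in the userAccountControl filters above.
BIT_AND = "1.2.840.113556.1.4.803"
# RFC 4515 escapes: without them a literal value can change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def escape(value: str) -> str:
    """Escape a literal value; add any wildcard (*) after escaping, not before."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equals(attr: str, value: str) -> str:
    """Equality clause on a literal value: (attr=value)."""
    return f"({attr}={escape(value)})"


def any_of(*clauses: str) -> str:
    """OR the clauses together: (|(a)(b)...)."""
    return "(|" + "".join(clauses) + ")"


def all_of(*clauses: str) -> str:
    """AND the clauses together: (&(a)(b)...)."""
    return "(&" + "".join(clauses) + ")"


def has_flags(attr: str, mask: int) -> str:
    """Match when every bit of mask is set in the attribute (2 = disabled account)."""
    return f"({attr}:{BIT_AND}:={mask})"


def generalized_time(dt: datetime) -> str:
    """Format compared against whenCreated, e.g. 20040801000000.0Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def filetime(dt: datetime) -> int:
    """100-ns ticks since 1601-01-01 UTC, as stored in pwdLastSet and lockoutTime."""
    delta = dt.astimezone(timezone.utc) - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


if __name__ == "__main__":
    print(any_of(equals("department", "Sales"), equals("department", "Development")))
    print(equals("department", "R&D (EU)"))  # constructed value containing parentheses
```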