LDAP Search Samples for Windows Server 2003 and Exchange 2000/2003

These LDAP search strings are good for Saved Queries in Windows Server 2003 AD Users and Computers, Query-based Distribution Groups and Exchange 2000/2003 Recipient Policies and Address Lists. In order to use the LDAP strings please consult your product help.

Most regular LDAP searches can easily be done through the provided GUI (such as a new Address List filter), but there are cases where the GUI does not give you the needed flexibility. For example, the GUI cannot build a search that uses the Boolean “OR”; it only builds searches whose conditions are combined with “AND”. So if you want a filter that finds users who are either in the Sales department OR in the Development department, you need to write the search string by hand. In LDAP filter syntax several conditions are combined by wrapping them in (&...) for AND, (|...) for OR or (!...) for NOT; a bare sequence of conditions with no operator around them is not a valid filter.
Hence the following examples. They are simple, common, day-to-day strings that you might find handy.
Most samples can be used as provided; a few need minor changes (a different group DN, date or OU name), so use common sense where needed.
Finally, saved XML versions of the same queries can be downloaded and imported directly into the Saved Queries folder in Windows Server 2003 AD Users and Computers.
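The AND/OR/NOT composition described above, as an added Python example (it is not part of the original article or of the downloadable XML samples). The helper names are this example's own; the escaping table is the RFC 4515 rule for values inside a filter. Two points the example makes that the text does not: a value that comes from user input (a name typed into a search box of a provisioning tool) must be escaped, or characters such as “*” and “)” change the meaning of the filter; and two conditions written side by side with nothing around them are not one filter, which the small parser at the end rejects.

```python
"""Build and check LDAP search filters of the kind used on this page.

Added example (not from the original article): composition helpers for the
AND/OR/NOT operators the text describes, plus a parser that checks that a
hand-written string is exactly one well-formed RFC 4515 filter.
"""
import re

# RFC 4515: these characters must be hex-escaped inside an assertion value,
# otherwise a value taken from user input can change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_value(value: str) -> str:
    """Escape a literal value so it cannot inject operators or wildcards."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    return f"({attr}={escape_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    # The trailing '*' is appended after escaping, so it is the only wildcard.
    return f"({attr}={escape_value(prefix)}*)"


def present(attr: str) -> str:
    return f"({attr}=*)"


def ge(attr: str, value: str) -> str:
    return f"({attr}>={escape_value(value)})"


def bit_and(attr: str, mask: int) -> str:
    """AD's bitwise-AND matching rule, as used in the userAccountControl samples."""
    return f"({attr}:1.2.840.113556.1.4.803:={mask})"


def AND(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def OR(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def NOT(f: str) -> str:
    return f"(!{f})"


# item = attr [':' matching-rule ':'] ( '=' | '>=' | '<=' | '~=' ) value
_ITEM = re.compile(
    r"(?P<attr>[A-Za-z][A-Za-z0-9\-]*)"
    r"(?::(?P<rule>[0-9.]+):)?"
    r"(?P<op>>=|<=|~=|=)"
    r"(?P<value>[^()]*)"
)


def _parse(s: str, i: int):
    """Parse one '( ... )' filter starting at offset i; return (node, next offset)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    op = s[i]
    if op in "&|":
        i += 1
        parts = []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            parts.append(node)
        if not parts:
            raise ValueError(f"'{op}' with no operands at offset {i}")
        node = (op, parts)
    elif op == "!":
        inner, i = _parse(s, i + 1)  # RFC form: the negated filter has its own parentheses
        node = ("!", [inner])
    else:
        m = _ITEM.match(s, i)
        if not m:
            raise ValueError(f"bad attribute assertion at offset {i}")
        node = ("item", m["attr"], m["rule"], m["op"], m["value"])
        i = m.end()
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def parse_filter(s: str):
    """Return a parse tree, or raise ValueError if s is not exactly one filter."""
    node, end = _parse(s, 0)
    if end != len(s):
        raise ValueError(f"text after the first filter at offset {end}: {s[end:]!r}")
    return node


def is_well_formed(s: str) -> bool:
    try:
        parse_filter(s)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The Sales-or-Development case from the text.
    print(OR(eq("department", "Sales"), eq("department", "Development")))
    # Two conditions side by side are not one filter; they need an enclosing &.
    print(is_well_formed("(objectCategory=computer)(!(description=*))"))
    print(is_well_formed(AND(eq("objectCategory", "computer"), NOT(present("description")))))
```

The parser is deliberately strict: it accepts only the RFC form of NOT, (!(attr=value)), which every LDAP client understands, and it treats a raw parenthesis inside a value as an error, which is exactly what the escaping in eq() and starts_with() prevents.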

  • Find all Computers that are NT4.0 BDCs

Notice the “:1.2.840.113556.1.4.803:=” matching rule: it tests whether the given bit is set in userAccountControl. 8192 (0x2000) is SERVER_TRUST_ACCOUNT, the flag carried by domain controller accounts; the operatingSystemVersion prefix narrows the result to the NT 4.0 machines.

(&(objectCategory=computer)(operatingSystemVersion=4*)(userAccountControl:1.2.840.113556.1.4.803:=8192))
  • Find all Computers that do not have a Description

Notice the “!” that means “NOT”. The negated condition gets its own parentheses, and the two conditions are joined with “&”.

(&(objectCategory=computer)(!(description=*)))
  • Find all Groups that have a Description
(&(objectCategory=group)(description=*))
  • Find all Groups that start with QA or HD

Notice the “|” that means “OR”. The two cn conditions are grouped under “|”, and that group is joined to the objectCategory condition with “&”.

(&(objectCategory=group)(|(cn=QA*)(cn=HD*)))
  • Find all Objects where Department, Company or Description is Sales

Notice the “|” that means “OR”. This filter has no objectCategory condition, so it returns objects of any class (users, contacts, groups) whose attribute matches.

(|(department=Sales)(company=Sales)(description=Sales))
  • Find all Users created on or after 1 August 2004 (01.08.2004)

Notice the date format: whenCreated is a GeneralizedTime value, YYYYMMDDHHMMSS.0Z, given in UTC.

(&(objectCategory=user)(whenCreated>=20040801000000.0Z))
  • Find all Users except Sara

Notice the “!” that means “NOT”. Matching on cn is case-insensitive, so sara* also excludes Sara.

(&(objectCategory=user)(!(cn=sara*)))
  • Find all Users that are almost Locked-Out

Notice the “>=” that means “Greater than or equal to”. Note that badPwdCount is not replicated between domain controllers: each DC keeps its own count, and failed attempts are forwarded to the PDC emulator, so run this query against the PDC emulator (or against every DC) to get a complete picture.

(&(objectCategory=user)(badPwdCount>=2))
  • Find all Users that are Disabled

Notice the matching rule again: bit 2 (0x0002) of userAccountControl is ACCOUNTDISABLE.

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
  • Find all Users that are Locked Out

Note: this filter finds locked-out accounts, not disabled ones; the two states are independent. lockoutTime is not cleared when the lockout duration expires, only on the next successful logon, so the result also includes accounts whose lockout has already lapsed.

(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))
  • Find all Users that are direct members of the QA Users group in the Help Desk OU of the dpetri.net domain

memberOf lists direct membership only: users that belong through a nested group, or only through their primary group, are not returned.

(&(objectCategory=user)(memberOf=CN=QA Users,OU=Help Desk,DC=dpetri,DC=net))
  • Find all Users that have an E-Mail Address (not Exchange related)

objectClass=user on its own also matches computer accounts (computer is a subclass of user), so objectCategory=person is added to restrict the result to people.

(&(objectCategory=person)(objectClass=user)(mail=*))
  • Find all Users that are Mail Enabled (Exchange recipients)

There is no “email” attribute in Active Directory, and a filter on an undefined attribute returns nothing. Exchange sets mailNickname (the alias) on every mail-enabled or mailbox-enabled object, so that is the attribute to test.

(&(objectCategory=person)(objectClass=user)(mailNickname=*))
  • Find all Users that have not changed their password since 5 February 2004 (05.02.2004)

Note: pwdLastSet is stored as an Integer8 (FILETIME) value, the number of 100-nanosecond intervals since 1 January 1601 UTC, not as a GeneralizedTime string. Download the datetointeger8.zip script to help you generate this value.

(&(objectCategory=person)(objectClass=user)(pwdLastSet
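The two date encodings these filters use (GeneralizedTime for whenCreated, Integer8 for pwdLastSet) and the way the 1.2.840.113556.1.4.803 bit rule in the userAccountControl samples evaluates, as an added Python example. It is not the datetointeger8 script referred to above and not Microsoft code; the helper names and the sample objects with their userAccountControl and pwdLastSet values are constructed for this example, while the flag constants are the documented ADS_USER_FLAG bit values. It also shows one edge case the filter above does not handle on its own: pwdLastSet=0 means “must change password at next logon”, and a plain pwdLastSet<= comparison matches it too.

```python
"""Date and bit-mask values for AD search filters.

Added example (not from the original article): the two date encodings used
in the filters, the bitwise matching rules, and a stale-password check run
over a constructed set of sample objects.
"""
from datetime import datetime, timezone

# Integer8 / FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
# pwdLastSet, lastLogon, lockoutTime and accountExpires use this encoding.
_SECONDS_1601_TO_1970 = 11_644_473_600


def utc(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given date (AD compares timestamps in UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def to_integer8(dt: datetime) -> int:
    """Aware datetime -> Integer8 value, e.g. for a pwdLastSet<= comparison."""
    return (int(dt.timestamp()) + _SECONDS_1601_TO_1970) * 10_000_000


def from_integer8(value: int) -> datetime:
    return datetime.fromtimestamp(value // 10_000_000 - _SECONDS_1601_TO_1970, tz=timezone.utc)


def to_generalized_time(dt: datetime) -> str:
    """whenCreated / whenChanged use GeneralizedTime, e.g. 20040801000000.0Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


# userAccountControl bits used in the filters above (ADS_USER_FLAG values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # every bit in the mask must be set
BIT_OR_RULE = "1.2.840.113556.1.4.804"   # at least one bit in the mask is set


def bit_rule_matches(rule: str, attr_value: int, mask: int) -> bool:
    """Evaluate (attr:rule:=mask) the way the directory does."""
    if rule == BIT_AND_RULE:
        return attr_value & mask == mask
    if rule == BIT_OR_RULE:
        return attr_value & mask != 0
    raise ValueError(f"unknown matching rule {rule}")


# Constructed sample objects (not real directory data).
SAMPLE_OBJECTS = [
    {"cn": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": to_integer8(utc(2004, 3, 1))},
    {"cn": "bob", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "pwdLastSet": to_integer8(utc(2003, 12, 1))},
    {"cn": "carol", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": 0},  # 0 = must change password at next logon
    {"cn": "BDC1$", "userAccountControl": SERVER_TRUST_ACCOUNT,
     "pwdLastSet": to_integer8(utc(2004, 1, 15))},
]


def match_bits(objects, rule: str, mask: int):
    """Names of the objects a (userAccountControl:rule:=mask) filter would return."""
    return [o["cn"] for o in objects if bit_rule_matches(rule, o["userAccountControl"], mask)]


def password_not_changed_since(objects, cutoff: datetime):
    """Mirror of (&(pwdLastSet<=N)(!(pwdLastSet=0))): stale passwords only.

    A plain pwdLastSet<=N also matches pwdLastSet=0, which means "must change
    at next logon" rather than "very old", so that value is excluded.
    """
    n = to_integer8(cutoff)
    return [o["cn"] for o in objects if 0 < o["pwdLastSet"] <= n]


if __name__ == "__main__":
    cutoff = utc(2004, 2, 5)
    print("pwdLastSet<=", to_integer8(cutoff))
    print("whenCreated>=", to_generalized_time(utc(2004, 8, 1)))
    print("disabled:", match_bits(SAMPLE_OBJECTS, BIT_AND_RULE, ACCOUNTDISABLE))
    print("stale passwords:", password_not_changed_since(SAMPLE_OBJECTS, cutoff))
```

The difference between the two rules matters when a mask has more than one bit: with 1.2.840.113556.1.4.803 an object has to carry all of them, with 1.2.840.113556.1.4.804 any one is enough, which is the one to use for “disabled or a domain controller” style questions.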