Overview #

These LDAP SearchFilters are LDAP Query Examples for finding information specific to Active Directory Groups.

See also: more LDAP Query Examples and more AD Specific LDAP Query Examples.

All groups #

 
(objectClass=group) 

Security Groups #

Direct members of a Security Group #

 
(memberOf=CN=Admin,OU=Security,DC=DOM,DC=NT) 

Resolve all members (including nested) of a Security Group (requires at least Windows 2003 SP2) #

 
(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET) 
Or to retrieve only users:
 
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET)) 
For information on why this Extensible Match rule works see 1.2.840.113556.1.4.1941 or LDAP_MATCHING_RULE_IN_CHAIN

All Security Groups (local, global and universal) #

 
(groupType:1.2.840.113556.1.4.803:=2147483648) 
For information on why this works see How To use Filtering for Bit Fields and 1.2.840.113556.1.4.803 or LDAP_MATCHING_RULE_BIT_AND

All empty groups: #

 
(&(objectClass=group)(!(member=*))) 

All Security Groups with a groupType of Global #

(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650)) 

All Security Groups with groupType of Domain Local #

 
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483652)) 

All Security Groups with a groupType of Universal #

 
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656)) 

Distribution Groups #

All Distribution Groups #

 
(&(objectCategory=Group)(proxyAddresses=*)) 

All Distribution Groups with groupType of Global #

 
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2)(!(groupType:1.2.840.113556.1.4.803:=2147483648))) 

All Distribution Groups with type of Domain Local: #

 
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4)(!(groupType:1.2.840.113556.1.4.803:=2147483648))) 

All Distribution Groups with type of Universal #

 
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(!(groupType:1.2.840.113556.1.4.803:=2147483648))) 

All groups which were changed since Dec 31 2008: #

 
(&(objectClass=group)(whenChanged>=20081231000000.0Z)) 
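
The groupType numbers in the filters above are sums of bit flags: 2147483648 marks a security group, and 2, 4 and 8 are the Global, Domain Local and Universal scopes. The Python below is an added example, not part of the original page: it decodes groupType values (AD returns the attribute as a signed 32-bit integer, so a global security group reads back as -2147483646) and rebuilds the page's filters with the group DN escaped per RFC 4515. The function names and sample values are illustrative assumptions.

```python
# Added example: decode groupType and rebuild this page's group filters.
SECURITY_ENABLED = 0x80000000          # 2147483648
SCOPES = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}
BIT_AND = "1.2.840.113556.1.4.803"     # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN


def decode_group_type(value):
    """Return (kind, scope) for a groupType value, signed or unsigned."""
    bits = int(value) & 0xFFFFFFFF     # -2147483646 -> 0x80000002
    kind = "Security" if bits & SECURITY_ENABLED else "Distribution"
    scope = next((n for f, n in SCOPES.items() if bits & f), "Unknown")
    return kind, scope


def escape_filter_value(value):
    """Escape \\ * ( ) and NUL as \\XX so a DN cannot alter the filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_type_filter(scope, security):
    """Filter for groups of one scope, security or distribution."""
    flag = {name: f for f, name in SCOPES.items()}[scope]
    if security:
        return "(&(objectCategory=group)(groupType:%s:=%d))" % (
            BIT_AND, flag | SECURITY_ENABLED)
    return "(&(objectCategory=group)(groupType:%s:=%d)(!(groupType:%s:=%d)))" % (
        BIT_AND, flag, BIT_AND, SECURITY_ENABLED)


def nested_members_filter(group_dn, users_only=False):
    """Transitive members of group_dn via LDAP_MATCHING_RULE_IN_CHAIN."""
    clause = "(memberOf:%s:=%s)" % (IN_CHAIN, escape_filter_value(group_dn))
    return "(&(objectClass=user)%s)" % clause if users_only else clause


if __name__ == "__main__":
    # Constructed sample values, as a directory search would return them.
    for raw in ("-2147483646", "-2147483644", "-2147483640", "8"):
        print(raw, decode_group_type(raw))
    print(group_type_filter("Universal", security=False))
    print(nested_members_filter("CN=Ops (EU),OU=Security,DC=DOM,DC=NT", True))
```
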

More Information #

The handy search I found is:

(member:1.2.840.113556.1.4.1941:=CN=John Smith,DC=MyDomain,DC=NET)

Where CN=John Smith,DC=MyDomain,DC=NET is the user's FDN and 1.2.840.113556.1.4.1941 is the special OID Rule ID LDAP_MATCHING_RULE_IN_CHAIN as you used above (and is documented here).

--scott, 02-Apr-2012 21:48

This page (revision-23) was last changed on 10-Jun-2016 13:13 by jim