Overview #
These are example LDAP SearchFilters that can be used to find information specific to Active Directory Groups.
See also: More LDAP Query Examples and more AD Specific LDAP Query Examples
Table of Contents
- Overview
- All groups
- Security Groups
- Direct members of a Security Group
- Resolve all members (including nested) of a Security Group (requires at least Windows 2003 SP2)
- All Security Groups (local, global and universal)
- All empty groups:
- All Security Groups with a GroupType of Global Group
- All Security Groups with GroupType of Domain Local Group
- All Security Groups with a GroupType of Universal Group
- Distribution Groups
- All Distribution Groups
- All Distribution Groups with GroupType of Global Group
- All Distribution Groups with GroupType of Domain Local Group:
- All Distribution Groups with GroupType of Universal Group
- All groups which were changed since Dec 31 2008:
- More Information
All groups #
(objectClass=group)
Security Groups #
Direct members of a Security Group #
(memberOf=CN=Admin,OU=Security,DC=DOM,DC=NT)
Resolve all members (including nested) of a Security Group (requires at least Windows 2003 SP2) #
(memberOf:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET)
Or to retrieve only users that are members:
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=GroupOne,OU=Security Groups,OU=Groups,DC=YOURDOMAIN,DC=NET))
For information on why this Extensible Match rule works, see 1.2.840.113556.1.4.1941 or LDAP_MATCHING_RULE_IN_CHAIN
All Security Groups (local, global and universal) #
(groupType:1.2.840.113556.1.4.803:=2147483648)
For information on why this works, see How To use Filtering for Bit Fields and 1.2.840.113556.1.4.803 or LDAP_MATCHING_RULE_BIT_AND
All empty groups: #
(&(objectClass=group)(!(member=*)))
All Security Groups with a GroupType of Global Group #
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))
All Security Groups with GroupType of Domain Local Group #
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483652))
All Security Groups with a GroupType of Universal Group #
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))
Distribution Groups #
All Distribution Groups #
(&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
All Distribution Groups with GroupType of Global Group #
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
All Distribution Groups with GroupType of Domain Local Group: #
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=4)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
All Distribution Groups with GroupType of Universal Group #
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
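The groupType filters above combine the security-enabled bit (2147483648) with a scope bit (2, 4 or 8) under LDAP_MATCHING_RULE_BIT_AND. The following added example, which is not part of the original page, emulates that rule over constructed sample groups and rebuilds the page's filters. The group names and helper function names are assumptions, and the sample values are written as the signed 32-bit integers Active Directory returns for groupType.

```python
# Added example (not from the original page); group names below are constructed.
SECURITY_ENABLED = 0x80000000  # 2147483648
SCOPE_BITS = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def to_unsigned(group_type):
    """AD returns groupType as a signed 32-bit integer; map it to the filter's value."""
    return int(group_type) & 0xFFFFFFFF


def bit_and_match(group_type, mask):
    """Emulate (groupType:<BIT_AND>:=mask): true only if every bit of mask is set."""
    return (to_unsigned(group_type) & mask) == mask


def describe(group_type):
    """Decode scope and kind from a groupType value."""
    value = to_unsigned(group_type)
    kind = "Security" if value & SECURITY_ENABLED else "Distribution"
    scopes = [name for bit, name in SCOPE_BITS.items() if value & bit]
    return f"{scopes[0] if len(scopes) == 1 else 'Unknown'} {kind}"


def group_filter(scope_bit, security):
    """Build a filter in the page's style for a scope (0 = any scope) and group kind."""
    if security:
        terms = f"(groupType:{BIT_AND}:={SECURITY_ENABLED | scope_bit})"
    else:
        scope = f"(groupType:{BIT_AND}:={scope_bit})" if scope_bit else ""
        terms = f"{scope}(!(groupType:{BIT_AND}:={SECURITY_ENABLED}))"
    return f"(&(objectCategory=group){terms})"


# Constructed sample: name -> groupType as a directory client would read it.
SAMPLE_GROUPS = {
    "GroupOne": -2147483646,       # global security
    "Local-Admins": -2147483644,   # domain local security
    "Builtin-Style": -2147483643,  # domain local security + built-in flag 0x1
    "All-Staff-Mail": 8,           # universal distribution
    "Team-List": 2,                # global distribution
}


def matching(mask, exclude=0):
    """Names the bit-AND filter would select, optionally negating a second mask."""
    return sorted(n for n, gt in SAMPLE_GROUPS.items()
                  if bit_and_match(gt, mask) and not (exclude and bit_and_match(gt, exclude)))


if __name__ == "__main__":
    for name, gt in SAMPLE_GROUPS.items():
        print(f"{name:15} {gt:12} -> {to_unsigned(gt):10}  {describe(gt)}")
    print(group_filter(0x4, True), matching(SECURITY_ENABLED | 0x4))
```

Because the rule is a bit-AND rather than an equality test, the Domain Local security filter also selects the group carrying the extra 0x1 flag, which an exact comparison against 2147483652 would miss.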
All groups which were changed since Dec 31 2008: #
(&(objectClass=group)(whenChanged>=20081231000000.0Z))
More Information #
There might be more information for this subject on one of the following:
- Active Directory Groups
- LDAP Query Examples for AD
- LDAP_MATCHING_RULE_BIT_AND
- Microsoft Active Directory
The handy search I found is:
(member:1.2.840.113556.1.4.1941:=CN=John Smith,DC=MyDomain,DC=NET)
Where CN=John Smith,DC=MyDomain,DC=NET is the user's FDN and 1.2.840.113556.1.4.1941 is the special OID Rule ID LDAP_MATCHING_RULE_IN_CHAIN as you used above (and is documented here).
--scott, 02-Apr-2012 21:48