Active Directory User Related Searches

Overview#

These are Example user related LDAP SearchFilters which show LDAP Query Examples that can be used to find information specific to Users within the Active Directory Domain.

More LDAP Query Examples and more AD Specific LDAP Query Examples

Table of Contents

ObjectClass vs ObjectCategory#

All users#

    (&(objectCategory=person)(objectClass=user))
or
    (sAMAccountType=805306368)

All contacts#

    (objectClass=contact)

All users and contacts:#

    (objectClass=user)

All users with logon since Dec 31 2008#

    (&(&(objectCategory=person)(objectClass=user))(lastLogonTimestamp<=128752108510000000))

All users with the account configuration DONT_EXPIRE_PASSWORD#

    (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
For information on why this works see how to use Filtering for Bit Fields and the Extensible Match Rule 1.2.840.113556.1.4.803.

All Administratively Disabled users (ie ACCOUNTDISABLE (2))#

    (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
For information on why this works see how to use Filtering for Bit Fields and the Extensible Match Rule 1.2.840.113556.1.4.803.

All expired user accounts#

(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807))

All Users where PASSWD_NOTREQD (32)#

(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))
For information on why this works see how to use Filtering for Bit Fields and the Extensible Match Rule 1.2.840.113556.1.4.804.

All Groups a User is a member of including Nested Groups#

This Extensible Match Rule is often referred to as LDAP_MATCHING_RULE_IN_CHAIN

As an example, to find all the groups that "CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET" is a member of, set the base to the groups container DN; for example (OU=groupsOU,DC=MyDomain,DC=NET) and the scope to subtree, and use the following filter. 

(member:1.2.840.113556.1.4.1941:=(CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET))
Where CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET is the user's FDN and the Extensible Match Rule 1.2.840.113556.1.4.1941.

Anomaly: DirectReports but no Manager#

It is a little strange to have a entry which has DirectReports but lacks a manager. Could be this is the top person in the Organizational Entity or something is amiss. 
ldapsearch -H ldaps://serverdc.example.com:636 -x -D "adminguy@example.com" -W -b "DC=example,DC=com" -s sub -a always -z 1000 "(&(objectCategory=person)(objectClass=user)(directReports=*)(!(manager=*)))" "objectClass"

Exchange Specific Queries#

All hidden Exchange mail recipients:#

    (msExchHideFromAddressLists=TRUE)

All hidden Exchange mail recipients (without public folder objects):#

    
    (&(msExchHideFromAddressLists=TRUE)(!objectClass=publicFolder))

All mail recipients with fax address:#

    (proxyAddresses=FAX:*)

All users with mailboxes on Exchange server 'KUNGUR':#

    (msExchangeHomeserverName=/o=MAILOrg/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=KUNGUR)

Query All users that report to a department manager or their subordinates.#

(manager:1.2.840.113556.1.4.1941:=CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com)
Where CN=Jim,OU=Managed,OU=Accounts,DC=willeke,DC=com is the department manager And return the attribute "mail" as an Example, to send them an email.

For information on why this works see how to use Microsoft Active Directory Extensible Match Rules and the Extensible Match Rule 1.2.840.113556.1.4.1941.

More Information#

There might be more information for this subject on one of the following:
Please see our Copyright And Intellectual Property Page and Standard Disclaimer Pages!