Understand LDAP Filter and Syntax

LDAP Filter and Syntax

Use LDAP filtering to quickly get the information you need from Active Directory or Office 365.

You can use LDAP filtering from PowerShell or even directly in AD Users & Computers. LDAP filters are a super-powerful tool to build reports or do bulk editing.

LDAP filters are processed server-side on the domain controller. You should always filter objects server-side to improve performance.

Tip: If you have many applications doing frequent and complex queries on a huge AD, you should dedicate a domain controller to process these queries.

LDAP Filter Syntax

LDAP filters in their simplest form only match an AD attribute name with a value:

[attribute name]=[attribute value]

Attribute names are the “raw” names you find in the “Attribute Editor” tab in AD Users & Computers.

Attribute names and values are case-insensitive.

For more complex queries, the following four operators should cover most of your needs:

Operator   Meaning    Sample Expression
&          And        (&(department=sales)(c=us))
|          Or         (|(department=sales)(department=marketing))
!          Not        (!description=external)
*          Wildcard   (sAMAccountName=EXT*)

As seen in the examples above, & (and) and | (or) apply to all statements nested inside the parentheses that follow them.

For example, to find all objects where department equals ‘sales’ AND city (l) equals ‘Berlin’ AND country (c) equals ‘Germany’, you would use the following filter:

(&(department=sales)(l=berlin)(c=DE))

You can use AND or OR on any number of statements simply by adding more parentheses.

Combining multiple AND and OR operators quickly adds complexity. Consider the following sample LDAP filter, which identifies all users OR groups that have ‘temp’ OR ‘tmp’ in their description attribute:

(&(|(&(objectClass=user)(objectCategory=person))(objectClass=group))(|(description=*temp*)(description=*tmp*)))

To construct (or decode) a complex LDAP query, break it up across several lines like this:

(&
  (|
    (&
      (objectClass=user)
      (objectCategory=person)
    )
    (objectClass=group)
  )
  (|
    (description=*temp*)
    (description=*tmp*)
  )
)

Let’s have a look at the structure:

Line 3 – 6:

Since objectClass=user also returns computer objects, we need to AND with objectCategory=person to only retrieve user objects.

Line 2 – 8:

We limit our search to include only user OR group objects.

Line 9 – 12:

We limit our search to objects that have ‘temp’ OR ‘tmp’ in their description attribute.

Line 1 – 13:

We wrap up our query by AND’ing (users OR groups) with (‘temp’ OR ‘tmp’ in description).

It may take a few tries to get your head around it, but once you have created your first handful of LDAP queries you’ll soon become fluent 😉
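To build or decode such a filter programmatically, here is an added Python example (not code from the article) that parses the one-line filter into the indented layout shown above, serialises it back, and escapes caller-supplied search terms per RFC 4515 so that a term cannot alter the structure of the filter. The function names (escape_value, parse_filter, to_string, pretty, description_filter) are this example's own; the parser also accepts the (!attr=value) shorthand from the operator table and normalises it to the RFC form.

```python
# Escape a value for an LDAP filter (RFC 4515): without this, user input such as
# "*)(objectClass=*" would rewrite the filter's structure (LDAP injection).
def escape_value(value: str) -> str:
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def parse_filter(text: str):
    """Parse into nested tuples: (op, [children]) for & | !, ('item', 'attr=value') for leaves."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != '(': raise ValueError(f'expected "(" at offset {pos}')
        pos += 1
        if text[pos] not in '&|!':                    # leaf: attr=value up to ')'
            end = text.index(')', pos)
            leaf, pos = ('item', text[pos:end]), end + 1
            return leaf
        op, pos, children = text[pos], pos + 1, []
        while pos < len(text) and text[pos] == '(':
            children.append(node())
        if not children:   # AD accepts (!attr=value); RFC 4515 requires (!(attr=value))
            end = text.index(')', pos)
            children, pos = [('item', text[pos:end])], end
        if text[pos] != ')': raise ValueError(f'expected ")" at offset {pos}')
        pos += 1
        return (op, children)
    tree = node()
    if pos != len(text): raise ValueError('text after the closing parenthesis')
    return tree

def to_string(tree) -> str:
    """One line, always in strict RFC 4515 form."""
    op, body = tree
    return f'({body})' if op == 'item' else '(' + op + ''.join(map(to_string, body)) + ')'

def pretty(tree, depth=0) -> str:
    """Indent one level per nesting, like the broken-up filter in the article."""
    pad, (op, body) = '  ' * depth, tree
    if op == 'item':
        return f'{pad}({body})'
    return '\n'.join([f'{pad}({op}'] + [pretty(c, depth + 1) for c in body] + [f'{pad})'])

def description_filter(terms) -> str:
    """Build the article's users-or-groups filter for caller-supplied search terms."""
    users = ('&', [('item', 'objectClass=user'), ('item', 'objectCategory=person')])
    scope = ('|', [users, ('item', 'objectClass=group')])
    words = ('|', [('item', f'description=*{escape_value(t)}*') for t in terms])
    return to_string(('&', [scope, words]))

SAMPLE = ('(&(|(&(objectClass=user)(objectCategory=person))(objectClass=group))'
          '(|(description=*temp*)(description=*tmp*)))')
```

print(pretty(parse_filter(SAMPLE))) reproduces the 13-line layout above, and description_filter(['temp', 'tmp']) rebuilds the one-line sample filter.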

PowerShell and LDAP Filter

A lot of the PowerShell Get- cmdlets, like Get-ADUser, have an LDAPFilter parameter (to learn more about the Filter parameter, read this article).

The LDAPFilter parameter takes an LDAP filter string and lets you easily list the AD objects that match certain criteria.

The following example lists all AD users that are in the marketing department:

Get-ADUser -LDAPFilter '(department=marketing)'

The PowerShell command, Get-ADUser, automatically limits your LDAP search to user objects.

Get-ADGroup and Get-ADComputer have a similar limiting effect on your AD search.

To search for any kind of Active Directory object use Get-ADObject instead.

AD Users & Computers and LDAP Filter

You can use the AD Users & Computers tool to run LDAP queries. This allows you to test your LDAP queries easily.

To test an LDAP filter, start AD Users & Computers, right-click Saved Queries, and select New -> Query:

Create an LDAP Filter in AD Users & Computers

Give your query a name, change the search scope (query root) if you wish, and click Define Query:


Select Custom Search from the dropdown:


Click the Advanced tab and insert your LDAP filter:


Then click OK a couple of times to exit the query editor. To see the results of your query, select it and click the refresh icon:


Our sample LDAP filter works as intended: both users and groups with ‘temp’ or ‘tmp’ in the description were found.

Summary

Mastering the basics of LDAP filtering can save you a lot of time and allow you to retrieve information efficiently.

To work even more efficiently, have a look at Easy365Manager.

Easy365Manager is a snap-in to AD Users & Computers that allows you to manage Office 365 mailboxes and licenses as part of your standard AD management.

Easy365Manager extends user properties with two new tabs, so you no longer have to switch between multiple tools to perform daily management:

User properties, "Office 365" tab
User properties, "Mailbox" tab

Imagine that you no longer have to log in to the Microsoft 365 Admin Center, the Exchange Online Admin Center, or the Azure Portal for daily user management.

You can even synchronize Azure AD Connect directly from user properties.

And you can remove your on-premises Exchange server to avoid all future zero-day exploits.

Try the zero-risk 30-day trial now. It only takes a few minutes to install, and we guarantee you’ll be saving hours of work before the end of the week!