http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx?Sort=MostUseful

LDAP Clauses

A filter specifies the conditions that must be met for a record to be included in the recordset (or collection) that results from a query. An LDAP filter has one or more clauses, each enclosed in parentheses. Each clause evaluates to either True or False. An LDAP syntax filter clause is in the following form:

(<AD Attribute><comparison operator><value>)

The <AD Attribute> must the the LDAP Display name of an Active Directory attribute. The allowed comparison operators are as follows:

Operator Meaning
= Equality
>= Greater than or equal to (lexicographical)
<= Less than or equal to (lexicographical)

Note that the operators "<" and ">" are not supported. Another operator, ~= (which means approximately equal to) is supported, but no case has been found where this is useful in Active Directory. The <value> in a clause will be the actual value of the Active Directory attribute. The value is not case sensitive and should not be quoted. The wildcard character"*" is allowed, except when the <AD Attribute> is a DN attribute. Examples of DN attributes are distinguishedName, manager, directReports, member, and memberOf. If the attribute is DN, then only the equality operator is allowed and you must specify the full distinguished name for the value (or the "*" character for all objects with any value for the attribute). Do not enclose the DN value in parentheses (as is done erroneously in some documentation). If the attribute is multi-valued, then the condition is met if any of the values in the attribute match the filter. An example LDAP syntax filter clause is:

(cn=Jim Smith)

This filters on all objects where the value of the cn attribute (the common name of the object) is equal to the string "Jim Smith" (not case sensitive). Filter clauses can be combined using the following operators:

Operator Meaning
& AND, all conditions must be met
| OR, any of the conditions must be met
! NOT, the clause must evaluate to False

For example, the following specifies that either the cn attribute must be "Jim Smith", or the givenName attribute must be "Jim" and the sn attribute must be "Smith":

(|(cn=Jim Smith)(&(givenName=Jim)(sn=Smith)))

Conditions can be nested with parentheses, but make sure the parentheses match up.

↑ Return to Top

Special Characters

The LDAP filter specification assigns special meaning to the following characters:

* ( ) \ NUL

The NUL character is ASCII 00. In LDAP filters these 5 characters should be escaped with the backslash escape character, followed by the two character ASCII hexadecimal representation of the character. The following table documents this:

Character Hex Representation
* \2A
( \28
) \29
\ \5C
Nul \00

For example, to find all objects where the common name is "James Jim*) Smith", the LDAP filter would be:

(cn=James Jim\2A\29 Smith)

Actually, the parentheses only need to be escaped if they are unmatched, as above. If instead the common name were"James (Jim) Smith", nothing would need to be escaped. However, any characters, including non-display and foreign characters, can be escaped in a similar manner in an LDAP filter. For example, here are a few foreign characters:

Character Hex Representation
á \E1
é \E9
í \ED
ó \F3
ú \FA
ñ \F1

↑ Return to Top

Filter on objectCategory and objectClass

When your filter clause includes the objectCategory attribute, LDAP does some magic to convert the values for your convenience. The objectCategory attribute is a DN attribute. A typical value for an object in Active Directory might be"cn=person,cn=Schema,cn=Configuration,dc=MyDomain,dc=com". You can use a filter clause similar to the following:

(objectCategory=cn=person,cn=Schema,cn=Configuration,dc=MyDomain,dc=com)

However, Active Directory allows you to instead use the following shortcut:

(objectCategory=person)

The following table documents the result of various combinations of clauses specifying values for objectCategory and objectClass:

objectCategory objectClass Result
person user user objects
person   user and contact objects
person contact contact objects
  user user and computer objects
computer   computer objects
user   user and contact objects
  contact contact objects
  computer computer objects
  person user, computer, and contact objects
contact   user and contact objects
group   group objects
  group group objects
person organizationalPerson user and contact objects
  organizationalPerson user, computer, and contact objects
organizationalPerson   user and contact objects

Use the filter that makes your intent most clear. Also, if you have a choice between using objectCategory and objectClass, it is recommended that you use objectCategory. That is because objectCategory is both single valued and indexed, while objectClass is multi-valued and not indexed (except on Windows Server 2008 and above). A query using a filter with objectCategory will be more efficient than a similar filter with objectClass. Windows Server 2008 domain controllers (and above) have a special behavior that indexes the objectClass attribute. You can take advantage of this if all of your domain controllers are Windows Server 2008, or if you specify a Windows Server 2008 domain controller in your query.

↑ Return to Top

Examples

The following table shows many example LDAP filters that can be useful when you query Active Directory:

Query LDAP Filter
All user objects (&(objectCategory=person)(objectClass=user))
All user objects (Note 1) (sAMAccountType=805306368)
All computer objects (objectCategory=computer)
All contact objects (objectClass=contact)
All group objects (objectCategory=group)
All organizational unit objects (objectCategory=organizationalUnit)
All container objects (objectCategory=container)
All builtin container objects (objectCategory=builtinDomain)
All domain objects (objectCategory=domain)
Computer objects with no description (&(objectCategory=computer)(!(description=*)))
Group objects with a description (&(objectCategory=group)(description=*))
Users with cn starting with "Joe" (&(objectCategory=person)(objectClass=user) 
(cn=Joe*))
Object with description "East\West Sales" 
(Note 2)		 (description=East\5CWest Sales)
Phone numbers in form (xxx) xxx-xxx (telephoneNumber=(*)*-*)
Groups with cn starting with 
"Test" or "Admin"		 (&(objectCategory=group) 
(|(cn=Test*)(cn=Admin*)))
All users with both a first and last name. (&(objectCategory=person)(objectClass=user) 
(givenName=*)(sn=*))
All users with direct reports but no 
manager		 (&(objectCategory=person)(objectClass=user) 
(directReports=*)(!(manager=*)))
All users with specified email address (&(objectCategory=person)(objectClass=user) 
(|(proxyAddresses=*:jsmith@company.com) 
(mail=jsmith@company.com)))
 All users with Logon Script: field occupied  (&(objectCategory=person)(objectClass=user)(scriptPath=*))
Object with Common Name "Jim * Smith" 
(Notes 3, 19)		 (cn=Jim \2A Smith)
Objects with sAMAccountName that begins 
with "x", "y", or "z"		 (sAMAccountName>=x)
Objects with sAMAccountName that begins
with "a" or any number or symbol except "$"		 (&(sAMAccountName<=a)(!(sAMAccountName=$*)))
All users with "Password Never Expires" set 
(Note 4)		 (&(objectCategory=person)(objectClass=user) 
(userAccountControl:1.2.840.113556.1.4.803:=65536))
All disabled user objects (Note 4) (&(objectCategory=person)(objectClass=user) 
(userAccountControl:1.2.840.113556.1.4.803:=2))
All enabled user objects (Note 4) (&(objectCategory=person)(objectClass=user) 
(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
All users not required to have a password 
(Note 4)		 (&(objectCategory=person)(objectClass=user) 
(userAccountControl:1.2.840.113556.1.4.803:=32))
All users with "Do not require kerberos 
preauthentication" enabled		 (&(objectCategory=person)(objectClass=user) 
(userAccountControl:1.2.840.113556.1.4.803:=4194304))
Users with accounts that do not expire 
(Note 5)		 (&(objectCategory=person)(objectClass=user) 
(|(accountExpires=0) 
(accountExpires=9223372036854775807)))
Users with accounts that do expire (Note 5) (&(objectCategory=person)(objectClass=user) 
(accountExpires>=1) 
(accountExpires<=9223372036854775806))
Accounts trusted for delegation 
(unconstrained delegation)		 (userAccountControl:1.2.840.113556.1.4.803:=524288)
Accounts that are sensitive and not trusted 
for delegation		 (userAccountControl:1.2.840.113556.1.4.803:=1048576)
All distribution groups (Notes 4, 15) (&(objectCategory=group) 
(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
All security groups (Notes 4, 19) (groupType:1.2.840.113556.1.4.803:=2147483648)
All built-in groups (Notes 4, 16, 19) (groupType:1.2.840.113556.1.4.803:=1)
All global groups (Notes 4, 19) (groupType:1.2.840.113556.1.4.803:=2)
All domain local groups (Notes 4, 19) (groupType:1.2.840.113556.1.4.803:=4)
All universal groups (Notes 4, 19) (groupType:1.2.840.113556.1.4.803:=8)
All global security groups (Notes 17, 19) (groupType=-2147483646)
All universal security groups (Notes 17, 19) (groupType=-2147483640)
All domain local security groups 
(Notes 17, 19)		 (groupType=-2147483644)
All global distribution groups (Note 19) (groupType=2)
All objects with service principal name (servicePrincipalName=*)
Users with "Allow Access" on "Dial-in" 
tab of ADUC 
(Note 6)		 (&(objectCategory=person)(objectClass=user) 
(msNPAllowDialin=TRUE))
Users with "Control access though 
NPS Network Policy" on "Dial-in" tab of ADUC		 (&(objectCategory=person)(objectClass=user) 
(!(msNPAllowDialin=*)))
All groups created after March 1, 2011 (&(objectCategory=group) 
(whenCreated>=20110301000000.0Z))
All users that must change their password 
at next logon		 (&(objectCategory=person)(objectClass=user) 
(pwdLastSet=0))
All users that changed their password since 
April 15, 2011 (CST) (Note 7)		 (&(objectCategory=person)(objectClass=user) 
(pwdLastSet>=129473172000000000))
All users with "primary" group 
other than "Domain Users"		 (&(objectCategory=person)(objectClass=user) 
(!(primaryGroupID=513)))
All computers with "primary" group 
"Domain Computers"		 (&(objectCategory=computer) 
(primaryGroupID=515))
Object with GUID 
"90395F191AB51B4A9E9686C66CB18D11" 
(Note 8)		 (objectGUID=\90\39\5F\19\1A\B5\1B\4A\9E\96 
\86\C6\6C\B1\8D\11)
Object beginning with GUID 
"90395F191AB51B4A" 
(Note 8)		 (objectGUID=\90\39\5F\19\1A\B5\1B\4A*)
Object with SID "S-1-5-21-73586283 
-152049171-839522115-1111" (Note 9)		 (objectSID=S-1-5-21-73586283-152049171 
-839522115-1111)
Object with SID "010500000000000515000 
0006BD662041316100943170A3257040000" 
(Note 9)		 (objectSID=\01\05\00\00\00\00\00\05\15 
\00\00\00\6B\D6\62\04\13\16\10\09\43\17\0A\32 
\57\04\00\00)
All computers that are not 
Domain Controllers (Note 4)		 (&(objectCategory=computer) 
(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))
All Domain Controllers (Note 4) (&(objectCategory=computer) 
(userAccountControl:1.2.840.113556.1.4.803:=8192))
All Domain Controllers (Notes 14, 19) (primaryGroupID=516)
All servers (&(objectCategory=computer) 
(operatingSystem=*server*))
All member servers (not DC's) (Note 4) (&(objectCategory=computer) 
(operatingSystem=*server*) 
(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))
All direct members of specified group (memberOf=cn=Test,ou=East,dc=Domain,dc=com)
All users not direct members of 
a specified group		 (&(objectCategory=person)(objectClass=user) 
(!(memberOf=cn=Test,ou=East,dc=Domain,dc=com)))
All groups with specified direct member 
(Note 19)		 (member=cn=Jim Smith,ou=West, 
dc=Domain,dc=com)
All members of specified group, including 
due to group nesting (Note 10)		 (memberOf:1.2.840.113556.1.4.1941:= 
cn=Test,ou=East,dc=Domain,dc=com)
All groups specified user belongs to, 
including due to group nesting (Notes 10, 19)		 (member:1.2.840.113556.1.4.1941:= 
cn=Jim Smith,ou=West,dc=Domain,dc=com)
Objects with givenName "Jim*" and sn 
"Smith*", or with cn "Jim Smith*" (Note 11)		 (anr=Jim Smith)
All attributes in the Schema container 
replicated to the GC (Notes 6, 12)		 (&(objectCategory=attributeSchema) 
(isMemberOfPartialAttributeSet=TRUE))
All operational (constructed) attributes in 
the Schema container (Notes 4, 12)		 (&(objectCategory=attributeSchema) 
(systemFlags:1.2.840.113556.1.4.803:=4))
All attributes in the Schema container not 
replicated to other Domain Controllers 
(Notes 4, 12)		 (&(objectCategory=attributeSchema) 
(systemFlags:1.2.840.113556.1.4.803:=1))
All objects where deletion is not allowed 
(Notes 4)		 (systemFlags:1.2.840.113556.1.4.803:=2147483648)
Attributes whose values are copied when 
the object is copied (Notes 4, 12)		 (searchFlags:1.2.840.113556.1.4.803:=16)
Attributes preserved in tombstone object 
when object deleted (Notes 4, 12)		 (searchFlags:1.2.840.113556.1.4.803:=8)
Attributes in the Ambiguous Name 
Resolution (ANR) set (Notes 4, 12)		 (searchFlags:1.2.840.113556.1.4.803:=4)
Attributes in the Schema that are 
indexed (Notes 4, 12)		 (searchFlags:1.2.840.113556.1.4.803:=1)
Attributes marked confidential in 
the schema (Notes 4, 12)		 (searchFlags:1.2.840.113556.1.4.803:=128)
Attributes in the RODC filtered attribute 
set, or FAS (Notes 4, 12)		 (searchFlags:1.2.840.113556.1.4.803:=512)
All site links in the Configuration 
container (Note 13)		 (objectClass=siteLink)
The nTDSDSA objects associated with 
all Global Catalogs. This will identify all DC's 
that are GC's. (Note 4)		 (&(objectCategory=nTDSDSA) 
(options:1.2.840.113556.1.4.803:=1))
The nTDSDSA object associated with the 
PDC Emulator. This will identify the DC 
with the PDC Emulator FSMO role (Note 18).		 (&(objectClass=domainDNS)(fSMORoleOwner=*))
The nTDSDSA object associated with the 
RID Master. This will identify the DC 
with the RID Master FSMO role (Note 18).		 (&(objectClass=rIDManager)(fSMORoleOwner=*))
The nTDSDSA object associated with the 
Infrastructure Master. This will identify the DC 
with this FSMO role (Note 18).		 (&(objectClass=infrastructureUpdate) 
(fSMORoleOwner=*))
The nTDSDSA object associated with the 
Schema Master. This will identify the DC with 
the Schema Master FSMO role (Note 18).		 (&(objectClass=dMD)(fSMORoleOwner=*))
The nTDSDSA object associated with the 
Domain Naming Master. This will identify the 
DC with this FSMO role (Note 18).		 (&(objectClass=crossRefContainer) 
(fSMORoleOwner=*))
All Exchange servers in the Configuration 
container (Note 13)		 (objectCategory=msExchExchangeServer)
All objects protected by AdminSDHolder (adminCount=1)
All trusts established with a domain (objectClass=trustedDomain)
All Group Policy objects (objectCategory=groupPolicyContainer)
All service connection point objects (objectClass=serviceConnectionPoint)
All Read-Only Domain Controllers 
(Notes 4, 19)		 (userAccountControl:1.2.840.113556.1.4.803:=67108864)

LDAP查询过滤语法(MS)的更多相关文章

  1. MySQL之单表查询 一 单表查询的语法 二 关键字的执行优先级(重点) 三 简单查询 四 WHERE约束 五 分组查询:GROUP BY 六 HAVING过滤 七 查询排序:ORDER BY 八 限制查询的记录数:LIMIT 九 使用正则表达式查询

    MySQL之单表查询 阅读目录 一 单表查询的语法 二 关键字的执行优先级(重点) 三 简单查询 四 WHERE约束 五 分组查询:GROUP BY 六 HAVING过滤 七 查询排序:ORDER B ...

  2. node.js下LDAP查询实践

    目标: 从一个LDAP Server获取uid=kxh的用户数据 LDAP地址为:ldap://10.233.21.116:389 在工程根目录中,先npm一个LDAP的访问库ldpajs npm i ...

  3. Linq之查询表达式语法详解

    1.闲言碎语 由于项目的需要接触到Linq,刚开始有些不适应,好多概念都很模糊.不过经过一段时间的摸索,慢慢地对Linq有了一个更加深入的了解.在此记录一下备忘.      2.查询表达式语法 执行L ...

  4. 大数据学习----day27----hive02------1. 分桶表以及分桶抽样查询 2. 导出数据 3.Hive数据类型 4 逐行运算查询基本语法(group by用法,原理补充) 5.case when(练习题,多表关联)6 排序

    1. 分桶表以及分桶抽样查询 1.1 分桶表 对Hive(Inceptor)表分桶可以将表中记录按分桶键(某个字段对应的的值)的哈希值分散进多个文件中,这些小文件称为桶. 如要按照name属性分为3个 ...

  5. 自定义 Azure Table storage 查询过滤条件

    本文是在Azure Table storage 基本用法一文的基础上,介绍如何自定义 Azure Table storage 的查询过滤条件.如果您还不太清楚 Azure Table storage ...

  6. wireshark过滤语法总结

    抓包采用wireshark,提取特征时,要对session进行过滤,找到关键的stream,这里总结了wireshark过滤的基本语法,供自己以后参考.(脑子记不住东西) wireshark进行过滤时 ...

  7. wireshark过滤语法总结-重点偏移过滤

    http://chenjiji.com/post/3371.html 作者: CHAN | 发布: 2013 年 10 月 24 日 做应用识别这一块经常要对应用产生的数据流量进行分析. 抓包采用wi ...

  8. HBase Thrift过滤语法

    摘抄自hbase ref guide 0.94: 在写本文的时候,hbase ref guide已经更新到1.2及2.0了,但是个人感觉Thrift过滤语法部分写得都没有0.94的好,省掉了examp ...

  9. 转: wireshark过滤语法总结

    from: http://blog.csdn.net/cumirror/article/details/7054496 wireshark过滤语法总结 原创 2011年12月09日 22:38:50 ...

随机推荐

  1. 使用servers 启动项目时 ,一直处于启动中, 最后出现无法的问题。

    使用eclipse 中的servers 配置了一个server 来启动项目, 发现无法启动 排除法: 去掉项目配置,单独启动该server ,发现可以启动, 说明是项目出现问题 但是项目并没有报错, ...

  2. oracle学习

    在平时的工作学习中,经常需要使用到oracle数据库,将平时用到的一些技巧记录在这里,以便以后随时可以翻阅. 1.日期类型的比较 插入日期时,经常会使用sysdate来插入数据,但sysdate插入的 ...

  3. Java多线程死锁的产生实例

    死锁产生的四个必要条件: (1) 互斥条件:一个资源每次只能被一个进程使用.(2) 请求与保持条件:一个进程因请求资源而阻塞时,对已获得的资源保持不放.(3) 不剥夺条件:进程已获得的资源,在末使用完 ...

  4. Android性能优化方法(八)

    Android SDK tools目录下提供一个观察布局的工具,层级观察器(Hierarchy Viewer).Hierarchy Viewer工具是一个非常好的布局优化工具,同时,你也可以通过它学习 ...

  5. C# async await 学习笔记1

    由于我的开发工具为vs.net 2010(.net 4.0),需先做以下两步才能进行: 1.下载并安装Async CTP (http://www.microsoft.com/en-us/downloa ...

  6. ubuntu VNC server 黑屏 yum源更新(ubuntu16.04)

    更新yum源,备份/etc/apt/sources.list root@mgw-virtual-machine:~# nano /etc/apt/sources.list   #添加源 # deb c ...

  7. linux xwiki搭建过程

    安装mysql数据库,并创建xwiki数据库及用户 mysql> create database xwiki; Query OK, 1 row affected (0.00 sec) mysql ...

  8. Deis logo 开源PaaS系统 Deis

    Deis 是一个 Django/Celery API 服务器.Python CLI 和一组 Chef cookbooks 合并起来提供一个类似 Heroku 的应用平台,用于公有云和私有云.Deis ...

  9. WinDbg 命令三部曲:(二)WinDbg SOS 扩展命令手册

    本文为 Dennis Gao 原创技术文章,发表于博客园博客,未经作者本人允许禁止任何形式的转载. 系列博文 <WinDbg 命令三部曲:(一)WinDbg 命令手册> <WinDb ...

  10. [异常] openCV安装和配置

    http://blog.csdn.net/mygis2005/article/details/10472717 >_<" 这个链接亲测可行,我试了很多次,找了很多个都不行,最后怀 ...