Active Directory LDAP Query Examples - TheITBros

In this article, we’ll explain how to use LDAP queries to retrieve information about users, computers, and groups from the Active Directory domain using PowerShell, ADUC, and command prompt tools. It includes the syntax of LDAP search filters, operators, and practical LDAP query examples for AD.

Contents

  • What Is an LDAP Query in Active Directory
  • How to Run LDAP Queries Against Active Directory
    • Using Saved Queries in Active Directory Users and Computers (ADUC)
    • Running LDAP Filters in ADSI Edit Console
    • Executing LDAP Queries in PowerShell
    • Using DSQUERY and DSGET with LDAP Filters
  • LDAP Query Syntax and Operators
    • Comparison Operators (=, >=, <=, ~=)
    • Boolean Operators (AND, OR, NOT)
    • Using objectClass and objectCategory Attributes
    • Using Wildcards in LDAP Search Filters
    • Using Ambiguous Name Resolution (ANR) in LDAP Filters
  • LDAP Query Examples for Active Directory Users
    • Find Disabled or Locked AD Accounts
    • List Users with Password Never Expires
    • Search Users by Department or Group Membership
    • Search Users by Location
  • LDAP Query Examples for Computers in Active Directory
    • Find Disabled Computers
    • Search Computers by Operating System
    • List Domain Controllers and Servers
  • LDAP Query Examples for Active Directory Groups
    • Find Empty AD Groups
    • List Distribution Groups
    • What is an LDAP query in Active Directory?
    • What tools can I use to run LDAP queries in Active Directory?
    • What is the syntax of an LDAP query?
    • Which operators can be used in LDAP filters?
    • How do I use LDAP queries in PowerShell?
    • How can I list or filter Active Directory groups using LDAP queries?
    • How can I search for computers using LDAP filters?
    • What is Ambiguous Name Resolution (ANR) in LDAP?

What Is an LDAP Query in Active Directory

LDAP (Lightweight Directory Access Protocol) queries are used to retrieve information from various directory services. Microsoft’s Active Directory Domain Service (AD DS) is a directory service that also supports the LDAP protocol. Users can perform LDAP queries against Active Directory to search (filter) for computers, users, groups, and other objects based on specific criteria using various tools, like:

  • Saved Queries in the Active Directory Users and Computers MMC console GUI
  • PowerShell cmdlets
  • ldapsearch.exe, dsget.exe, and dsquery.exe commands

Here is an example of an LDAP query that can be used to find Active Directory users with the “User must change password at next logon” option enabled:

(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This LDAP query contains several conditions, each enclosed in parentheses and combined with the & (AND) operator: the object is a user, its pwdLastSet attribute is 0 (the password must be changed at next logon), and the account is not disabled (bit 2 of userAccountControl is not set).

How to Run LDAP Queries Against Active Directory

Now, let’s review the most popular methods for running an LDAP query against Active Directory.

Using Saved Queries in Active Directory Users and Computers (ADUC)

The Active Directory Users and Computers MMC snap-in offers a graphical interface for executing an LDAP filter to search for AD objects.

  1. Open the ADUC console (run dsa.msc) and go to the Saved Queries node;
  2. Create a new query;
  3. Specify a query name and click the Define Query button;
  4. Select the Custom Search type. Go to the Advanced tab, and paste your LDAP query into the Enter LDAP query field;
  5. Save the query and press F5;
  6. A list of AD users matching this LDAP query should appear in the right pane.

Running LDAP Filters in ADSI Edit Console

You can also use LDAP filters when searching for objects in the ADSI Edit console.

  1. Right-click on the naming context and select New > Query;
  2. Specify the query name;
  3. Select the search area (Root of Search). Paste your LDAP query code into the Query String field.

Note. ADSI Edit expects a single LDAP filter, so a list of conditions such as (condition1)(condition2) must be wrapped in the AND operator before it can be used in the ADSI Edit console: (&your_ldap_filter), i.e. (&(condition1)(condition2)).

Executing LDAP Queries in PowerShell

You can use PowerShell to run an LDAP query against Active Directory. Most cmdlets from the PowerShell Active Directory module (such as Get-ADUser, Get-ADComputer, Get-ADGroup, and Get-ADObject) include an -LDAPFilter parameter that accepts your LDAP query.

For example, use the Get-ADUser cmdlet with an LDAP filter to search for the user objects that match these criteria:

Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

The Get-ADComputer cmdlet is used to search for computer objects:

Get-ADComputer -LDAPFilter '<your LDAP filter>'

Below is an example of a more complex LDAP filter with multiple OR conditions that searches for Windows 10 and Windows 11 computers whose hostnames do not contain the keywords WS or TEST (the filter string is built up in several steps):

$compLDAPFilter  = "(&(|(operatingSystem=*Windows 10*)"
$compLDAPFilter += "(operatingSystem=*Windows 11*))"
$compLDAPFilter += "(!(name=*WS*))(!(name=*TEST*)))"
Get-ADComputer -LDAPFilter $compLDAPFilter -Properties OperatingSystem, LastLogonDate |
    Select-Object Name, OperatingSystem, LastLogonDate

To search for Active Directory groups in AD, use the Get-ADGroup cmdlet:

Get-ADGroup -LDAPFilter '<your LDAP filter>'

If you don’t know the type of Active Directory object you are looking for, you can use the generic Get-ADObject cmdlet:

Get-ADObject -LdapFilter "(cn=*Brion*)"

To restrict the search to a specific object type, add the objectClass attribute to the filter:

Get-ADObject -LdapFilter "(&(objectClass=user)(cn=*Brion*))"

List the direct members of an AD group using LDAP filters (the first query resolves the group’s distinguished name, the second finds users whose memberOf attribute contains it):

Get-ADObject -LdapFilter "(&(objectClass=group)(cn=Domain Admins))" | ForEach-Object {
    $groupName = $_.Name
    Get-ADObject -LdapFilter "(&(objectClass=user)(memberOf=$($_.DistinguishedName)))" |
        Select-Object DistinguishedName, Name, @{ l = 'GroupName'; e = { $groupName } }
}
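The cmdlets above accept any filter string, so it is worth building that string carefully. The following added example (not code from the original article) assembles the AND filter the AD cmdlets and ADSI Edit expect and escapes literal values per RFC 4515, so that a name containing parentheses or an asterisk does not break the filter; it assumes the RSAT Active Directory module is installed and a domain controller is reachable, and the surname prefix is a constructed sample value.

```powershell
# Added example (not from the original article): build a syntactically valid
# LDAP filter from individual clauses and run it with Get-ADUser.
# Assumes the RSAT Active Directory module is installed and the session can
# reach a domain controller.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that have special meaning inside a filter value
    # (RFC 4515 section 3) so that a literal name such as "Smith (Sales)"
    # does not break the filter. The wildcard is kept only on request.
    param(
        [Parameter(Mandatory)][string]$Value,
        [switch]$AllowWildcard
    )
    $escaped = $Value -replace '\\', '\5c'      # backslash first, then the rest
    $escaped = $escaped -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    if (-not $AllowWildcard) { $escaped = $escaped -replace '\*', '\2a' }
    return $escaped
}

function New-LdapAndFilter {
    # Join clauses with the & operator: ADUC tolerates "(a)(b)(c)", but
    # ADSI Edit and the AD cmdlets want one filter, i.e. "(&(a)(b)(c))".
    param([Parameter(Mandatory)][string[]]$Clause)
    if ($Clause.Count -eq 1) { return $Clause[0] }
    return '(&' + ($Clause -join '') + ')'
}

# Bit-mask matching rule used throughout the article for userAccountControl.
$LdapBitAnd     = '1.2.840.113556.1.4.803'
$AccountDisable = 2

# Enabled users whose surname starts with the supplied text (constructed sample input).
$surnamePrefix = ConvertTo-LdapFilterValue -Value 'Bri'
$filter = New-LdapAndFilter @(
    '(objectCategory=person)',
    '(objectClass=user)',
    "(sn=$surnamePrefix*)",
    "(!(userAccountControl:${LdapBitAnd}:=$AccountDisable))"
)
# $filter is now:
# (&(objectCategory=person)(objectClass=user)(sn=Bri*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Get-ADUser -LDAPFilter $filter -Properties sn, userAccountControl |
    Select-Object SamAccountName, sn, userAccountControl
```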

Using DSQUERY and DSGET with LDAP Filters

You can run LDAP queries against Active Directory using the built-in Windows command prompt tools such as dsget.exe and dsquery.exe.

For example, to find all users whose job title starts with Manager, run the command:

dsquery * OU=Employees,DC=theitbros,DC=com -filter "(&(objectCategory=person)(objectClass=user)(Title=Manager*))"

LDAP Query Syntax and Operators

The common LDAP filter syntax is:

<Filter>=(<Attribute><comparison operator><value>)

Hint. LDAP query attributes are not case sensitive.

Comparison Operators (=, >=, <=, ~=)

The following comparison operators can be used in a filter:

  Operator   Syntax              Description
  =          attribute=value     Equal
  >=         attribute>=value    Greater than or equal
  <=         attribute<=value    Less than or equal
  ~=         attribute~=value    Approximately equal

For example, the following filter returns all objects with cn (common name) attribute value Jon:

(cn=Jon)

Boolean Operators (AND, OR, NOT)

Boolean operators allow you to specify multiple search conditions:

  Operator   Syntax                   Description
  &          (&(filter1)(filter2))    AND: all conditions must be met
  |          (|(filter1)(filter2))    OR: at least one condition must be met
  !          (!(filter1))             NOT: the condition must not be met

For example, let’s find AD objects with cn=Jon AND sn (surname)=Brion:

(&(cn=Jon)(sn=Brion))

You can nest several logical operators in one filter. The following LDAP query returns objects with cn = Jon OR sn = Brion, excluding those whose cn is Alex (note that the NOT clause sits outside the OR group):

(&(|(cn=Jon)(sn=Brion))(!(cn=Alex)))

Using objectClass and objectCategory Attributes

The objectCategory and objectClass attributes allow you to narrow the search to a particular type of object.

Commonly used values: person, user, contact, computer, group, organizationalPerson.

Find all user accounts with the name Jon:

(&(objectClass=user)(objectCategory=person)(cn=Jon))

Using Wildcards in LDAP Search Filters

If you don’t know the exact name of the object, you can use the asterisk (*) wildcard character in the LDAP filter. For example, to find users whose names start with Jo, change the previous query to:

(&(objectClass=user)(objectCategory=person)(cn=Jo*))

A wildcard in LDAP query can be used to check if a particular attribute of an object has any value. For example, to find all users who have the mail attribute filled in, use this filter:

(&(objectClass=user)(objectCategory=person)(mail=*))

Sometimes it is useful to apply the comparison operators >= and <= instead of a wildcard. The comparison is made on the string value, so the following filter returns users whose names start with the letter X or later in the alphabet (i.e., X, Y, or Z):

(&(objectClass=user)(objectCategory=person)(cn>=X))

Using Ambiguous Name Resolution (ANR) in LDAP Filters

The Ambiguous Name Resolution (ANR) feature can be used in an LDAP filter to simplify searches for users or contacts in AD whose names are only partially known. For example, the LDAP filter (anr=*Denis*) matches objects containing Denis in any of the following attributes:

  • displayName
  • sAMAccountName
  • Relative Distinguished Name (RDN)
  • givenName
  • sn
  • legacyExchangeDN
  • msExchResourceSearchProperties
  • proxyAddresses
  • mailNickname
  • mail
  • physicalDeliveryOfficeName

This filter will return all users with at least one attribute from the list that matches your string.

LDAP Query Examples for Active Directory Users

Let’s look at some useful examples of LDAP queries commonly used by AD admins.

Find Disabled or Locked AD Accounts

Search for users that are (or were) members of protected groups such as Domain Admins and Enterprise Admins. The adminCount attribute is set to 1 for members of these groups and is not cleared automatically when an account is removed from them, so confirm current membership before treating a result as privileged:

(&(objectClass=user)(objectCategory=person)(adminCount=1))

List all AD users except disabled ones:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Display the list of disabled user accounts (the ACCOUNTDISABLE flag is bit 2 of userAccountControl):

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

List Users with Password Never Expires

Find users with the “Password never expires” option enabled:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

List locked AD users (the LOCKOUT flag is bit 16). Note that this bit is not reliably reflected in the stored userAccountControl value; filtering on (lockoutTime>=1) is the usual alternative, keeping in mind that lockoutTime is not reset when the lockout duration expires:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=16))

Users with an empty e-mail address attribute:

(&(objectCategory=person)(objectClass=user)(!(mail=*)))
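The bit-mask filters above (2, 16, 65536) all test individual flags of userAccountControl. As an added example that is not from the original article, the script below decodes that bit mask for the accounts a query returns and combines two of the article’s filters into one audit: privileged accounts (adminCount=1) whose password never expires. It assumes the RSAT Active Directory module and domain connectivity; the flag values are the documented UF_* constants.

```powershell
# Added example (not from the original article): decode the userAccountControl
# bit mask and use it to audit privileged accounts. The values are the documented
# UF_* flags; the article's filters use 2, 16, 65536 and 8192 from this set.
# Assumes the RSAT Active Directory module and domain connectivity.
Import-Module ActiveDirectory

[Flags()] enum UserAccountControl {
    ACCOUNTDISABLE       = 0x0002
    LOCKOUT              = 0x0010
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    SERVER_TRUST_ACCOUNT = 0x2000
    DONT_EXPIRE_PASSWD   = 0x10000
}

function ConvertFrom-UserAccountControl {
    # Turn the integer stored in AD into the names of the flags that are set,
    # which is what the 1.2.840.113556.1.4.803 rule tests server-side.
    param([Parameter(Mandatory)][int]$Value)
    return [UserAccountControl]$Value
}

# Privileged accounts (adminCount=1) whose password never expires: two of the
# article's filters combined with &. adminCount is not cleared when an account
# leaves a protected group, so treat hits as candidates and confirm membership.
$rule   = '1.2.840.113556.1.4.803'
$filter = "(&(objectCategory=person)(objectClass=user)(adminCount=1)" +
          "(userAccountControl:${rule}:=65536))"

Get-ADUser -LDAPFilter $filter -Properties userAccountControl, lockoutTime, adminCount |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            Flags          = (ConvertFrom-UserAccountControl $_.userAccountControl).ToString()
            # The LOCKOUT bit is not stored in userAccountControl; lockoutTime is the
            # attribute that reflects a lockout (it stays set after the lockout expires).
            LockedOut      = ($_.lockoutTime -gt 0)
        }
    }
```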

Search Users by Department or Group Membership

List users whose Department attribute is set to Sales:

(&(objectCategory=person)(objectClass=user)(department=Sales))

You can list the user accounts that are direct members of a specific AD group:

(&(objectClass=user)(sAMAccountName=*)(memberOf=CN=UKManagers,OU=Groups,OU=UK,DC=theitbros,DC=com))

You can list the groups the user is a member of:

(&(objectCategory=group)(member=CN=Jon Brion,OU=Employees,DC=theitbros,DC=com))

List contact objects in AD:

(&(objectCategory=person)(objectClass=contact))

Search Users by Location

Find users in a specific city:

(&(objectCategory=person)(objectClass=user)(l=Chicago))

In a specific state/province:

(&(objectCategory=person)(objectClass=user)(st=California))

In a specific country:

(&(objectCategory=person)(objectClass=user)(co=Canada))

LDAP Query Examples for Computers in Active Directory

Find Disabled Computers

List all disabled computer accounts in AD:

(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))

Search Computers by Operating System

List all Windows 10 computers in a domain:

(&(objectCategory=computer)(operatingSystem=Windows 10*))

List Domain Controllers and Servers

Get Active Directory domain controllers:

(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

List member domain servers (except DCs):

(&(objectCategory=computer)(operatingSystem=*server*)(!userAccountControl:1.2.840.113556.1.4.803:=8192))

All MS SQL Server instances in AD:

(&(objectCategory=computer)(servicePrincipalName=MSSQLSvc*))

List color printers on a specific print server published in the AD:

(&(uncName=*lon-prnt*)(objectCategory=printQueue)(printColor=TRUE))

LDAP Query Examples for Active Directory Groups

List groups created during a specified period (whenCreated is stored in generalized time format, YYYYMMDDHHMMSS.0Z, in UTC):

(&(objectCategory=group)(whenCreated>=20230101000000.0Z)(whenCreated<=20231201000000.0Z))

Find Empty AD Groups

List empty AD groups (have no members):

(&(objectCategory=group)(!(member=*)))

List all members of a group, including members inherited through nested groups, using the LDAP_MATCHING_RULE_IN_CHAIN rule (1.2.840.113556.1.4.1941); this rule walks the whole membership chain on the server and can be slow on large directories:

(memberOf:1.2.840.113556.1.4.1941:=CN=allowUSB,OU=Groups,OU=NewYork,OU=US,DC=theitbros,DC=loc)
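When reviewing who actually holds a permission, the interesting cases are the accounts that reach a group only through nesting. The following added example (not code from the original article) runs the direct memberOf filter and the chain-rule filter above for the same group and reports the difference; it assumes the RSAT Active Directory module, and the group DN is the sample value from the article.

```powershell
# Added example (not from the original article): compare a group's direct
# members with its transitive members (LDAP_MATCHING_RULE_IN_CHAIN) to spot
# access granted only through nested groups.
# Assumes the RSAT Active Directory module; the group DN is the article's sample.
Import-Module ActiveDirectory

function Get-LdapGroupMember {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [switch]$Transitive
    )
    # Escape the filter-significant characters in the DN before interpolating it
    # (RFC 4515); a CN such as "Sales (UK)" would otherwise break the filter.
    $dn = $GroupDN -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $attr = if ($Transitive) { 'memberOf:1.2.840.113556.1.4.1941:' } else { 'memberOf' }
    # objectClass=user also matches computer objects, which inherit from user,
    # so both kinds of member are returned.
    Get-ADObject -LDAPFilter "(&(objectClass=user)($attr=$dn))" -Properties memberOf
}

$group  = 'CN=allowUSB,OU=Groups,OU=NewYork,OU=US,DC=theitbros,DC=loc'
$direct = Get-LdapGroupMember -GroupDN $group
$all    = Get-LdapGroupMember -GroupDN $group -Transitive

# Objects present only in the transitive result got the group through nesting.
$all | Where-Object { $_.DistinguishedName -notin $direct.DistinguishedName } |
    Select-Object Name, ObjectClass, DistinguishedName
```

The chain rule is evaluated server-side for every candidate object, so on a large domain run it against a narrowed SearchBase rather than the whole forest.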

List Distribution Groups

List all distribution groups:

(&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

Find groups whose name contains CIO:

(&(objectCategory=group)(sAMAccountName=*CIO*))

Find an AD object with a specific object SID:

(objectSID=S-1-5-21-506968642-4209078585-1781862235-1021)

What is an LDAP query in Active Directory?

An LDAP (Lightweight Directory Access Protocol) query is used to search and retrieve objects from a directory service such as Active Directory. You can use it to find users, computers, groups, and other objects based on specific criteria.

What tools can I use to run LDAP queries in Active Directory?

LDAP queries can be executed using several tools, including:

  • Active Directory Users and Computers (ADUC) via Saved Queries
  • ADSI Edit console
  • PowerShell cmdlets like Get-ADUser, Get-ADComputer, Get-ADGroup, and Get-ADObject
  • Command-line tools such as dsquery.exe and dsget.exe

What is the syntax of an LDAP query?

The general syntax is:

<filter> = (<attribute><operator><value>)

Example: (cn=John)

Which operators can be used in LDAP filters?

  • = (equal)
  • >= (greater or equal)
  • <= (less or equal)
  • ~= (approximately equal)

You can also use Boolean operators: & (AND), | (OR), ! (NOT).

How do I use LDAP queries in PowerShell?

Use the -LDAPFilter parameter in AD module cmdlets.

Example to find users who must change their password at next logon:

Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))"

You can also run queries for computers, groups, or any AD object type.

How can I list or filter Active Directory groups using LDAP queries?

  • Empty groups: (&(objectCategory=group)(!(member=*)))
  • Distribution groups: (&(objectCategory=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))
  • Groups with “CIO” in the name: (&(objectCategory=group)(sAMAccountName=*CIO*))

How can I search for computers using LDAP filters?

  • Disabled computers: (&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))
  • Windows 10 devices: (&(objectCategory=computer)(operatingSystem=Windows 10*))
  • Domain Controllers: (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

What is Ambiguous Name Resolution (ANR) in LDAP?

ANR allows partial searches across multiple attributes (such as displayName, mail, or sAMAccountName). Example: find users containing “Denis” in any of those fields:

(anr=*Denis*)
