Understand LDAP Filter And Syntax - Easy365Manager
Use LDAP filtering to quickly get the information you need from Active Directory or Office 365.
You can use LDAP filtering from PowerShell or even directly in AD Users & Computers. LDAP filters are a super-powerful tool to build reports or do bulk editing.
LDAP filters are processed server-side on the domain controller. You should always filter objects server-side to improve performance.
Tip: If you have many applications doing frequent and complex queries on a huge AD, you should dedicate a domain controller to process these queries.
LDAP Filter Syntax
LDAP filters in their simplest form only match an AD attribute name with a value:
```
[attribute name]=[attribute value]
```
Attribute names are the “raw” names you find in the “Attribute Editor” tab in AD Users & Computers.
Attribute names and values are case-insensitive.
For more complex queries, the following four operators should cover most of your needs:
| Operator | Meaning | Sample Expression |
|---|---|---|
| `&` | And | `(&(department=sales)(c=us))` |
| `\|` | Or | `(\|(department=sales)(department=marketing))` |
| `!` | Not | `(!(description=external))` |
| `*` | Wildcard | `(sAMAccountName=EXT*)` |
As the examples show, `&` (and) and `|` (or) apply to all of the statements nested in the parentheses that follow them, while `!` (not) negates the single nested statement that follows it.

For example, to find all objects where department equals ‘sales’ AND city equals ‘Berlin’ AND country equals ‘Germany’, you would use the following filter:

```
(&(department=sales)(l=berlin)(c=DE))
```

You can AND or OR any number of statements simply by adding more parentheses.
When you start combining multiple AND and OR operators, complexity rises quickly. Consider the following sample LDAP filter, which identifies all users OR groups that have ‘temp’ OR ‘tmp’ in their description attribute:

```
(&(|(&(objectClass=user)(objectCategory=person))(objectClass=group))(|(description=*temp*)(description=*tmp*)))
```

To construct (or decode) a complex LDAP query, break it up over several lines like so:

```
(&
  (|
    (&
      (objectClass=user)
      (objectCategory=person)
    )
    (objectClass=group)
  )
  (|
    (description=*temp*)
    (description=*tmp*)
  )
)
```

Let’s have a look at the structure:

- Lines 3 – 6: Since `objectClass=user` also returns computer objects, we AND it with `objectCategory=person` to retrieve only user objects.
- Lines 2 – 8: We limit our search to include only user OR group objects.
- Lines 9 – 12: We limit our search to objects that have ‘temp’ OR ‘tmp’ in their description attribute.
- Lines 1 – 13: We wrap up our query by AND’ing (users OR groups) with (‘temp’ OR ‘tmp’ in description).
It may take a few tries to get your head around it, but once you have created your first handful of LDAP queries you’ll soon become fluent 😉
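To make the syntax above something you can try offline, here is an added example (my own code, not from the Easy365Manager article) that parses an RFC 4515 filter with the four operators covered here, prints it one statement per line exactly as the article breaks the sample filter down, and evaluates it against a small constructed directory. The sample objects, the `USER_CLASSES` list, `TEMP_FILTER` and the short `objectCategory` values are all assumptions made for the example (a real domain controller stores `objectCategory` as a DN and resolves the short class name itself). It also includes an `escape_filter_value` helper, because any filter built from user-supplied text (a search box, an API parameter) must escape `*`, `(`, `)`, `\` and NUL per RFC 4515 section 3, or the input can change the meaning of the query.

```python
import re

# Added example (not from the Easy365Manager article): a small RFC 4515 filter
# parser, pretty-printer and matcher so the article's filters can be tried
# offline. Attribute names and values are compared case-insensitively, as in AD.

_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")

# Constructed sample directory (assumption). Real AD stores objectCategory as a
# DN and resolves the short class name itself; the short name is used here.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
SAMPLE_OBJECTS = [
    {"name": "alice", "objectClass": USER_CLASSES, "objectCategory": "person",
     "department": "sales", "description": "Temp contractor"},
    {"name": "WS01", "objectClass": USER_CLASSES + ["computer"],
     "objectCategory": "computer", "description": "tmp lab box"},
    {"name": "Temp-Admins", "objectClass": ["top", "group"],
     "objectCategory": "group", "description": "temporary admins"},
    {"name": "bob", "objectClass": USER_CLASSES, "objectCategory": "person",
     "department": "marketing"},
]

# The article's users-or-groups-with-temp/tmp filter, on one line.
TEMP_FILTER = ("(&(|(&(objectClass=user)(objectCategory=person))(objectClass=group))"
               "(|(description=*temp*)(description=*tmp*)))")


def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('=', attr, value) tuples."""
    text = text.strip()
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":        # any number of nested statements
            i, child = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1, (op, children)
    if s[i] == "!":
        # NOT takes exactly one nested filter: (!(attr=value)), never (!attr=value)
        i, child = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return i + 1, ("!", [child])
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed item {s[i:end]!r}")
    return end + 1, ("=", attr, value)


def format_filter(text):
    """Render a filter one statement per line, as the article does for decoding."""
    def lines(node, depth):
        pad = "  " * depth
        if node[0] == "=":
            return [f"{pad}({node[1]}={node[2]})"]
        return ([pad + "(" + node[0]]
                + [ln for c in node[1] for ln in lines(c, depth + 1)]
                + [pad + ")"])
    return "\n".join(lines(parse_filter(text), 0))


def _value_matches(pattern, value):
    # '*' is a wildcard; everything else (after \XX unescaping) is literal text.
    parts = [re.escape(_HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), p))
             for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value, re.IGNORECASE) is not None


def matches(node, obj):
    """Evaluate a parsed filter against one object (dict of attribute -> value or list)."""
    if node[0] == "&":
        return all(matches(c, obj) for c in node[1])
    if node[0] == "|":
        return any(matches(c, obj) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], obj)
    attrs = {k.lower(): v if isinstance(v, list) else [v] for k, v in obj.items()}
    # Presence (attr=*) and equality both reduce to: some value matches the pattern.
    return any(_value_matches(node[2], str(v)) for v in attrs.get(node[1].lower(), []))


def search(filter_text, objects=None):
    """Return the names of the objects that match the filter."""
    tree = parse_filter(filter_text)
    pool = SAMPLE_OBJECTS if objects is None else objects
    return [o["name"] for o in pool if matches(tree, o)]


def escape_filter_value(value):
    """Escape untrusted text before embedding it in a filter (RFC 4515 section 3)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


if __name__ == "__main__":
    print(format_filter(TEMP_FILTER))
    print(search("(objectClass=user)"))   # WS01 is included: computers are users too
    print(search(TEMP_FILTER))            # alice and Temp-Admins, WS01 excluded
```

Running the module prints the 13-line layout from the article and shows why the `objectCategory=person` clause matters: `(objectClass=user)` alone returns the computer `WS01`. The parser also rejects `(!description=external)` with a `ValueError`, because NOT must wrap a parenthesised statement.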
PowerShell and LDAP Filter
Many of the PowerShell Get-* cmdlets, like Get-ADUser, have an LDAPFilter parameter (to learn more about the Filter parameter, read this article).
The LDAPFilter parameter takes an LDAP filter string and lets you easily list the AD objects that match certain criteria.
The following example lists all AD users that are in the marketing department:
```powershell
Get-ADUser -LDAPFilter '(department=marketing)'
```

The PowerShell cmdlet Get-ADUser automatically limits your LDAP search to user objects.
Get-ADGroup and Get-ADComputer have a similar limiting effect on your AD search.
To search for any kind of Active Directory object use Get-ADObject instead.
AD Users & Computers and LDAP Filter
You can use the AD Users & Computers tool to run LDAP queries. This allows you to test your LDAP queries easily.
To test an LDAP filter:

1. Start AD Users & Computers, right-click Saved Queries, and select New -> Query.
2. Give your query a name, change the search scope (query root) if you wish, and click Define Query.
3. Select Custom Search from the dropdown.
4. Click the Advanced tab and insert your LDAP filter.
5. Click OK a couple of times to exit the query editor. To see the results of your query, select it and click the refresh icon.
It seems our sample LDAP filter is a success since both users and groups with ‘temp’ or ‘tmp’ in the description were found.
Summary
Mastering the basics of LDAP filtering can save you a lot of time and allow you to retrieve information efficiently.
To work even more efficiently, have a look at Easy365Manager.
Easy365Manager is a snap-in to AD Users & Computers that allows you to manage Office 365 mailboxes and licenses as part of your standard AD management.
Easy365Manager extends user properties with two new tabs, so you no longer have to switch between multiple tools to perform daily management:
Imagine that you no longer have to log in to the Microsoft 365 Admin Center, the Exchange Online Admin Center, or the Azure Portal for daily user management.
You can even synchronize Azure AD Connect directly from user properties.
And you can remove your on-premises Exchange server to avoid all future zero-day exploits.
Try the zero-risk 30-day trial now. It only takes a few minutes to install, and we guarantee you’ll be saving hours of work before the end of the week!