Version: 7.0

DN filters. Features and examples

Users

  • Universal default filter: (|(objectclass=posixAccount)(uid=*)(sAMAccountType=805306368)(&(objectCategory=person)(objectClass=user)))
  • Only enabled users: (&(|(objectclass=posixAccount)(uid=*)(sAMAccountType=805306368))(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • All users whose sAMAccountName starts with my (any other string-valued attribute can be used the same way): (&(objectCategory=person)(objectClass=user)(samaccountname=my*))
  • All users who are members of a specified group: (&(objectCategory=person)(objectClass=user)(memberOf=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • All users who are members of a specified group, as well as all users who are members of nested groups: (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=MyOU,DC=domain,DC=my))

Groups

  • Default filter: (|(objectclass=group)(objectclass=organizationalRole)(objectclass=posixGroup))
  • Groups whose description contains the word security: (&(objectclass=group)(description=*security*))
  • Groups that are members of a specified group: (&(objectCategory=group)(objectClass=group)(memberOf=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • Groups that are members of a specified group, as well as all nested groups: (&(objectCategory=group)(objectClass=group)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • Only security groups: (&(objectCategory=group)(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))
  • Only distribution groups: (&(objectCategory=group)(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

Filter features

  • Using DN filters, you can load nested groups and the users who are members of nested groups (the memberOf:1.2.840.113556.1.4.1941:= examples above). Note, however, that group settings and login restrictions apply only to the parent group named in the filter; they are not inherited by nested groups or their members;
  • The operand of a logical operator (&, |, !) must itself be enclosed in parentheses.

Example:

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Some Microsoft products accept a logical operator applied directly to a filter item, without the inner parentheses. A filter copied from such a tool may therefore look like the following and must be rewritten in the form above:

Example:

(!userAccountControl:1.2.840.113556.1.4.803:=2)

Wildcards in group DNs are not supported. This is a limitation of LDAP servers in general, Active Directory included: memberOf has distinguished-name syntax, and no substring matching rule is defined for that syntax, so a filter such as (&(objectCategory=group)(objectClass=group)(memberOf=CN=My*,OU=MyOU,DC=domain,DC=my)) cannot be used. Specify the full DN of the group instead; if you only know part of its name, first look the group up with a wildcard on a string attribute, for example (&(objectClass=group)(cn=My*)), and then use the DN that is returned.
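The following is an added example, not code from the product or this page: a small parser and evaluator for the filter syntax used above. It enforces the two rules from this section (every operand of &, | and ! must be parenthesised; no wildcards inside DN-valued attributes such as memberOf), implements the two Microsoft matching rules the filters rely on (1.2.840.113556.1.4.803 bitwise AND, 1.2.840.113556.1.4.1941 transitive membership), and runs the page's filters against a constructed, in-memory set of entries so you can see which objects each one returns. The list of DN-syntax attributes, the sample entries and the simplifications noted in the comments (no RFC 4515 escapes, objectCategory stored as its short name) are assumptions of this example.

```python
import re

# DN-syntax attributes (illustrative assumption): equality and presence work, no substring rule.
DN_ATTRS = {"memberof", "member", "distinguishedname", "managedby"}
BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (transitive memberOf)
# attr, optional ":rule:", "=", value. RFC 4515 "\xx" escapes and ")" inside values are out of scope.
ITEM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(?::([0-9.]+):)?=(.*)$")

def parse(text):
    """Tree of ('&'|'|'|'!', [children]) and ('item', attr, rule, value) tuples."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node

def _parse(s, i):
    if s[i:i + 1] != "(":  # slicing yields "" past the end, so no IndexError can occur
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, i, kids = s[i], i + 1, []
        while s[i:i + 1] == "(":
            i, kid = _parse(s, i)
            kids.append(kid)
        # Page rule: every operand of &, | and ! must itself be parenthesised, so
        # (!userAccountControl:...:=2) arrives here with no operand and is rejected.
        if not kids or s[i:i + 1] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError(f"operands of '{op}' must each be enclosed in parentheses (offset {i})")
        return i + 1, (op, kids)
    end = s.find(")", i)
    m = ITEM_RE.match(s[i:end]) if end > 0 else None
    if not m:
        raise ValueError(f"malformed filter item at offset {i}")
    attr, rule, value = m.group(1).lower(), m.group(2), m.group(3)
    # Page rule: no wildcard inside a DN value such as memberOf=CN=My*,...; presence "*" is fine.
    if attr in DN_ATTRS and value != "*" and "*" in value:
        raise ValueError(f"substring match on DN-syntax attribute {attr!r} is not supported")
    return end + 1, ("item", attr, rule, value)

def is_valid(text):
    try:
        parse(text)
    except ValueError:
        return False
    return True

def _chain(entry, directory):
    """Every group reachable through memberOf, i.e. the set that rule 1941 walks."""
    by_dn = {dn.lower(): attrs for dn, attrs in directory.items()}
    seen, todo = set(), [v.lower() for v in entry.get("memberof", [])]
    while todo:
        dn = todo.pop()
        if dn not in seen:
            seen.add(dn)
            todo.extend(v.lower() for v in by_dn.get(dn, {}).get("memberof", []))
    return seen

def matches(node, entry, directory):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry, directory) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry, directory)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND:  # every bit of the filter value must be set in the attribute
        mask = int(value)  # Python's & also handles the negative groupType values AD stores
        return any(int(v) & mask == mask for v in values)
    if rule == IN_CHAIN:
        return value.lower() in _chain(entry, directory)
    if value == "*":  # presence
        return bool(values)
    if "*" in value:  # substring, case-insensitive as in AD
        pat = re.compile("^" + ".*".join(map(re.escape, value.split("*"))) + "$", re.I)
        return any(pat.match(v) for v in values)
    return any(v.lower() == value.lower() for v in values)

def search(filter_text, directory):
    node = parse(filter_text)
    return sorted(dn for dn, e in directory.items() if matches(node, e, directory))

def sample_directory():
    """Constructed sample entries, not real data. objectCategory holds the short name
    ('person', 'group') because AD resolves it to the schema DN for you."""
    my, nested = "CN=MyGroup,OU=MyOU,DC=domain,DC=my", "CN=Nested,OU=MyOU,DC=domain,DC=my"
    grp, usr = ["top", "group"], ["top", "person", "organizationalPerson", "user"]
    raw = {  # -2147483646 is 0x80000002: a global group with the security-enabled bit set
        my: {"objectClass": grp, "objectCategory": ["group"], "groupType": [-2147483646]},
        nested: {"objectClass": grp, "objectCategory": ["group"], "groupType": [-2147483646], "memberOf": [my]},
        "CN=Mailing,OU=MyOU,DC=domain,DC=my": {"objectClass": grp, "objectCategory": ["group"],
            "groupType": [2], "description": ["Security announcements list"]},
        "CN=alice,OU=Users,DC=domain,DC=my": {"objectClass": usr, "objectCategory": ["person"], "memberOf": [my],
            "sAMAccountName": ["alice"], "sAMAccountType": [805306368], "userAccountControl": [512]},
        "CN=bob,OU=Users,DC=domain,DC=my": {"objectClass": usr, "objectCategory": ["person"], "memberOf": [nested],
            "sAMAccountName": ["mybob"], "sAMAccountType": [805306368], "userAccountControl": [514]},
    }
    return {dn: {k.lower(): [str(v) for v in vs] for k, vs in a.items()} for dn, a in raw.items()}
```

Call search(filter_text, sample_directory()) with any filter from this page to get the matching DNs: the "only enabled users" filter returns alice but not the disabled bob, the in-chain user filter returns both because bob is only a member of the nested group, and the security/distribution group filters split MyGroup and Nested from Mailing on the 0x80000000 bit. is_valid() returns False for the two forms the text rules out, the unparenthesised (!userAccountControl:1.2.840.113556.1.4.803:=2) and a wildcard inside a memberOf DN.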