Skip to main content
Passwork LogoPasswork LogoTechnical guides
search
7.0arrow
search
Version: 7.0

DN filters. Features and examples

Users

  • Universal default filter: (|(objectclass=posixAccount)(uid=*)(sAMAccountType=805306368)(&(objectCategory=person)(objectClass=user)))
  • Only enabled users: (&(|(objectclass=posixAccount)(uid=*)(sAMAccountType=805306368))(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • All users with samaccountname starting with my (you can use another attribute containing a string) — (&(objectCategory=person)(objectClass=user)(samaccountname=my*))
  • All users who are members of a specified group: (&(objectCategory=person)(objectClass=user)(memberOf=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • All users who are members of a specified group, as well as all users who are members of nested groups: (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=MyOU,DC=domain,DC=my))

Groups

  • Default filter: (|(objectclass=group)(objectclass=organizationalRole)(objectclass=posixGroup))
  • Groups whose description contains the word security: (&(objectclass=group)(description=*security*))
  • Groups that are members of a specified group: (&(objectCategory=group)(objectClass=group)(memberOf=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • Groups that are members of a specified group, as well as all nested groups: (&(objectCategory=group)(objectClass=group)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • Only security groups: (&(objectCategory=group)(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))
  • Only distribution groups — (&(objectCategory=group)(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

Filter features

  • Using DN filters, you can load information about nested groups and users who are members of nested groups. At the same time, groups and login restrictions apply directly to the parent group, but not to nested objects;
  • The expression after a logical operator must be enclosed in parentheses.

Example:

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

In Microsoft products, some logical operators can often be specified directly.

Example:

(!userAccountControl:1.2.840.113556.1.4.803:=2)

Wildcard search for groups is not supported. This is a technical limitation of most LDAP servers, so a filter like (&(objectCategory=group)(objectClass=group)(memberOf=CN=My*,OU=MyOU,DC=domain,DC=my)) cannot be used.

© 2014–2025 «Passwork»
Company
Release notesRoadmapISO 27001 certificateBlog
Browser extension
Google ChromeMozilla FirefoxMicrosoft EdgeApple Safari
Mobile application
App StoreGoogle Play
For business
TeamsSmall businessBusiness and corporatesEnterpriseOn-premise solutionPassword sharing toolSecret management
Help
User manualTechnical documentationHelp centerPrivacy policy and GDPR