Release candidate
...
Administration
LDAP settings

DN filters

6min

User filters

  • Default universal filter: (|(objectclass=posixAccount)(uid=*)(sAMAccountType=805306368)(&(objectCategory=person)(objectClass=user)))
  • Only enabled users: (&(|(objectclass=posixAccount)(uid=*)(sAMAccountType=805306368))(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • All samaccountname users whose name starts with my (you can use another attribute containing a string) — (&(objectCategory=person)(objectClass=user)(samaccountname=my*))
  • All users who are members of a specified group: (&(objectCategory=person)(objectClass=user)(memberOf=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • All users who are members of a specified group, as well as all users who are members of nested groups: (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=MyOU,DC=domain,DC=my))


Group filters

  • Default filter: (|(objectclass=group)(objectclass=organizationalRole)(objectclass=posixGroup))
  • Groups that contain the word security in their description: (&(objectclass=group)(description=*security*))
  • Groups that are part of a specified group: (&(objectCategory=group)(objectClass=group)(memberOf=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • Groups that are part of a specified group, as well as all nested groups: (&(objectCategory=group)(objectClass=group)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=MyOU,DC=domain,DC=my))
  • Only security groups: (&(objectCategory=group)(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))
  • Only distribution groups — (&(objectCategory=group)(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))


Filter Behavior

  • Using DN filters, you can load information about nested groups and users who are members of those nested groups. However, group policies and login restrictions are applied only to the parent group, not to the nested objects;
  • Expressions following logical operators must be enclosed in parentheses.

Example:

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

In Microsoft products, it's often possible to directly specify certain logical operators.

Example:

(!userAccountControl:1.2.840.113556.1.4.803:=2)

Wildcard search for groups is not supported. This is a technical limitation of most LDAP servers, so filters like the following cannot be used:

(&(objectCategory=group)(objectClass=group)(memberOf=CN=My*,OU=MyOU,DC=domain,DC=my))




Updated 09 Apr 2025
Doc contributor
Doc contributor
Did this page help you?
PREVIOUS
LDAPS setup
NEXT
SSO settings
Docs powered by Archbee