DN filters

User filters

Default universal filter:
(|(objectclass=posixaccount)(uid=*)(samaccounttype=805306368)(&(objectcategory=person)(objectclass=user)))

Only enabled users:
(&(|(objectclass=posixaccount)(uid=*)(samaccounttype=805306368))(objectcategory=person)(objectclass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))

All users whose samaccountname starts with my (you can use another attribute containing a string):
(&(objectcategory=person)(objectclass=user)(samaccountname=my*))

All users who are members of a specified group:
(&(objectcategory=person)(objectclass=user)(memberof=cn=mygroup,ou=myou,dc=domain,dc=my))

All users who are members of a specified group, as well as all users who are members of nested groups:
(&(objectcategory=person)(objectclass=user)(memberof:1.2.840.113556.1.4.1941:=cn=mygroup,ou=myou,dc=domain,dc=my))

Group filters

Default filter:
(|(objectclass=group)(objectclass=organizationalrole)(objectclass=posixgroup))

Groups that contain the word security in their description:
(&(objectclass=group)(description=*security*))

Groups that are part of a specified group:
(&(objectcategory=group)(objectclass=group)(memberof=cn=mygroup,ou=myou,dc=domain,dc=my))

Groups that are part of a specified group, as well as all nested groups:
(&(objectcategory=group)(objectclass=group)(memberof:1.2.840.113556.1.4.1941:=cn=mygroup,ou=myou,dc=domain,dc=my))

Only security groups:
(&(objectcategory=group)(objectclass=group)(grouptype:1.2.840.113556.1.4.803:=2147483648))

Only distribution groups:
(&(objectcategory=group)(objectclass=group)(!(grouptype:1.2.840.113556.1.4.803:=2147483648)))

Filter behavior

Using DN filters, you can load information about nested groups and users who are members of those nested groups. However, group policies and login restrictions are applied only to the parent group, not to the nested objects.

Expressions following logical operators must be enclosed in parentheses. Example:
(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))

In Microsoft products, it's often possible to directly specify certain logical operators. Example:
(!useraccountcontrol:1.2.840.113556.1.4.803:=2)

Wildcard search for groups is not supported. This is a technical limitation of most LDAP servers, so filters like the following cannot be used:
(&(objectcategory=group)(objectclass=group)(memberof=cn=my*,ou=myou,dc=domain,dc=my))
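
A small linter for the two rules in the filter behavior notes, as an added example that is not part of the original documentation: it rejects a logical operator that is not followed by a parenthesized expression and flags a wildcard inside a DN-valued attribute such as memberof. The function names and the DN_ATTRS list are assumptions made for this example.

```python
# DN-valued attributes, where a wildcard cannot match (list assumed for this example).
DN_ATTRS = {"memberof", "member", "manager", "distinguishedname"}

class FilterError(ValueError):
    pass

def _parse(f, pos, notes):
    """Parse one parenthesized filter starting at pos; return the offset after it."""
    if pos >= len(f) or f[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos < len(f) and f[pos] in "&|!":
        op, op_pos, count = f[pos], pos, 0
        pos += 1
        while pos < len(f) and f[pos] == "(":   # each operand must be "(...)"
            pos = _parse(f, pos, notes)
            count += 1
        if count == 0 or (op == "!" and count != 1):
            raise FilterError(f"'{op}' at offset {op_pos} needs parenthesized operand(s)")
    else:
        end = f.find(")", pos)
        if end == -1:
            raise FilterError(f"missing ')' for item at offset {pos}")
        attr, eq, value = f[pos:end].partition("=")
        if not attr or not eq:
            raise FilterError(f"no attribute=value at offset {pos}")
        # Drop a matching-rule suffix (":1.2.840...:") and the >, <, ~ of >=, <=, ~=.
        base = attr.split(":")[0].rstrip("<>~").lower()
        if base in DN_ATTRS and "*" in value and value != "*":
            notes.append(f"wildcard in DN-valued attribute '{base}'")
        pos = end
    if pos >= len(f) or f[pos] != ")":
        raise FilterError(f"expected ')' at offset {pos}")
    return pos + 1

def lint_filter(f):
    """Return a list of problems; an empty list means the filter passed both checks."""
    notes = []
    try:
        if _parse(f, 0, notes) != len(f):
            notes.append("trailing characters after filter")
    except FilterError as e:
        notes.append(str(e))
    return notes

if __name__ == "__main__":
    # Filters from this page: strict form, Microsoft shorthand, wildcard in a DN.
    for flt in ("(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))",
                "(!useraccountcontrol:1.2.840.113556.1.4.803:=2)",
                "(&(objectcategory=group)(objectclass=group)(memberof=cn=my*,ou=myou,dc=domain,dc=my))"):
        print(flt, "->", lint_filter(flt) or "ok")
```

Running a filter through the check before saving it catches a truncated paste (an unbalanced parenthesis) as well as the two cases above.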