DN filters

you can use dn filters to load information about nested groups and users who are members of those groups at the same time, roles and login restrictions apply directly to the parent group, and not to nested objects syntax the expression after the logical operator must be in parentheses, for example (!(useraccountcontrol 1 2 840 113556 1 4 803 =2)) in microsoft products, you can often directly specify some of the logical operators for example (!useraccountcontrol 1 2 840 113556 1 4 803 =2) a group search doesn't support wildcards this is a technical limitation of most ldap servers, so it is not possible to use a filter like (&(objectcategory=group)(objectclass=group)(memberof=cn=my ,ou=myou,dc=domain,dc=my)) user filters default universal filter (|(objectclass=posixaccount)(uid= )(samaccounttype=805306368)(&(objectcategory=person)(objectclass=user))) only enabled users (&(|(objectclass=posixaccount)(uid= )(samaccounttype=805306368))(objectcategory=person)(objectclass=user)(!(useraccountcontrol 1 2 840 113556 1 4 803 =2))) all samaccountname users whose name starts with my (you can use another attribute containing a string) — (&(objectcategory=person)(objectclass=user)(samaccountname=my )) all users who are members of a specified group (&(objectcategory=person)(objectclass=user)(memberof=cn=mygroup,ou=myou,dc=domain,dc=my)) all users who are members of a specified group, as well as all users who are members of nested groups (&(objectcategory=person)(objectclass=user)(memberof 1 2 840 113556 1 4 1941 =cn=mygroup,ou=myou,dc=domain,dc=my)) group filters default filter (|(objectclass=group)(objectclass=organizationalrole)(objectclass=posixgroup)) groups that contain the word security in their description (&(objectclass=group)(description= security )) groups that are part of a specified group (&(objectcategory=group)(objectclass=group)(memberof=cn=mygroup,ou=myou,dc=domain,dc=my)) groups that are part of a specified group, as well as all nested groups (&(objectcategory=group)(objectclass=group)(memberof 1 2 840 113556 1 4 1941 =cn=mygroup,ou=myou,dc=domain,dc=my)) only security groups (&(objectcategory=group)(objectclass=group)(grouptype 1 2 840 113556 1 4 803 =2147483648)) only distribution groups — (&(objectcategory=group)(objectclass=group)(!(grouptype 1 2 840 113556 1 4 803 =2147483648)))