Code:
Search filter examples:
To return all user objects with cn (Common Name) beginning with the string "Joe":
"(&(objectCategory=person)(objectClass=user)(cn=Joe*))"
To return all user objects. This filter is more efficient than the one using both objectCategory and objectClass, but is harder to remember:
"(sAMAccountType=805306368)"
To return all computer objects with no entry for description:
"(&(objectCategory=computer)(!(description=*)))"
To return all user and contact objects:
"(objectCategory=person)"
To return all group objects with any entry for description:
"(&(objectCategory=group)(description=*))"
To return all groups with cn starting with either "Test" or "Admin":
"(&(objectCategory=group)(|(cn=Test*)(cn=Admin*)))"
To return all objects with Common Name "Jim * Smith":
"(cn=Jim \2A Smith)"
To retrieve the object with GUID = "90395FB99AB51B4A9E9686C66CB18D99":
"(objectGUID=\90\39\5F\B9\9A\B5\1B\4A\9E\96\86\C6\6C\B1\8D\99)"
To return all users with "Password Never Expires" set:
"(&(objectCategory=person)(objectClass=user)" _
& "(userAccountControl:1.2.840.113556.1.4.803:=65536))"
To return all users with disabled accounts:
"(&(objectCategory=person)(objectClass=user)" _
& "(userAccountControl:1.2.840.113556.1.4.803:=2))"
To return all distribution groups:
"(&(objectCategory=group)" _
& "(!(groupType:1.2.840.113556.1.4.803:=2147483648)))"
To return all users with "Allow access" checked on the "Dial-in" tab of the user properties dialog of Active Directory Users & Computers. This is all users allowed to dial-in. Note that "TRUE" is case sensitive:
"(&(objectCategory=person)(objectClass=user)" _
& "(msNPAllowDialin=TRUE))"
To return all user objects created after a specified date (09/01/2002):
"(&(objectCategory=person)(objectClass=user)" _
& "(whenCreated>=20020901000000.0Z))"
To return all users that must change their password the next time they log on:
"(&(objectCategory=person)(objectClass=user)" _
& "(pwdLastSet=0))"
To return all users that changed their password since 2/5/2004. See the link below for a function to convert a date value to an Integer8 (64-bit) value. The date 2/5/2004 converts to the number 127,204,308,000,000,000:
"(&(objectCategory=person)(objectClass=user)" _
& "(pwdLastSet>=127204308000000000))"
To return all users with the group "Domain Users" designated as their "primary" group:
"(&(objectCategory=person)(objectClass=user)" _
& "(primaryGroupID=513))"
To return all users with any group other than "Domain Users" designated as their "primary" group:
"(&(objectCategory=person)(objectClass=user)" _
& "(!(primaryGroupID=513)))"
To return all users not required to have a password:
"(&(objectCategory=person)(objectClass=user)" _
& "(userAccountControl:1.2.840.113556.1.4.803:=32))"
To return all users that are direct members of a specified group. You must specify the Distinguished Name of the group. Wildcards are not allowed:
"(&(objectCategory=person)(objectClass=user)" _
& "(memberOf=cn=TestGroup,ou=Sales,dc=MyDomain,dc=com))"
To return all computers that are not Domain Controllers:
"(&(objectCategory=Computer)" _
& "(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))"
To return all user accounts that do not expire. The value of the accountExpires attribute can be either 0 or 2^63-1:
"(&(objectCategory=person)(objectClass=user)" _
& "(|(accountExpires=9223372036854775807)(accountExpires=0)))"
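The escaping and date conversions these filters depend on, as an added Python example (not part of the original list; all helper names are hypothetical). It builds the "Jim * Smith", objectGUID, whenCreated and pwdLastSet filters from raw input, and assumes the date 2/5/2004 means local midnight at UTC-5, which is the offset that reproduces the Integer8 number quoted above.

```python
from datetime import datetime, timezone, timedelta

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Integer8 dates count from here
BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND matching rule OID used on this page

def escape_value(text):
    """Escape RFC 4515 special characters so untrusted input is matched literally."""
    return "".join("\\%02X" % ord(c) if c in "\\*()\x00" else c for c in text)

def guid_value(hex_guid):
    """Turn a 32-digit hex GUID string into the \\XX-per-byte form."""
    raw = bytes.fromhex(hex_guid)
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return "".join("\\%02X" % b for b in raw)

def to_integer8(when):
    """100-nanosecond intervals since 1601-01-01 UTC (pwdLastSet, accountExpires)."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    d = when - AD_EPOCH  # integer arithmetic only, so no float rounding
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10

def to_generalized_time(when):
    """UTC GeneralizedTime string (whenCreated, whenChanged)."""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")

def user_filter(*clauses):
    """AND the given clauses with the page's standard user-object test."""
    return "(&(objectCategory=person)(objectClass=user)" + "".join(clauses) + ")"

def demo():
    utc_minus_5 = timezone(timedelta(hours=-5))  # assumed local zone, see lead-in
    return [
        "(cn=%s)" % escape_value("Jim * Smith"),
        "(objectGUID=%s)" % guid_value("90395FB99AB51B4A9E9686C66CB18D99"),
        user_filter("(whenCreated>=%s)"
                    % to_generalized_time(datetime(2002, 9, 1, tzinfo=timezone.utc))),
        user_filter("(pwdLastSet>=%d)"
                    % to_integer8(datetime(2004, 2, 5, tzinfo=utc_minus_5))),
        user_filter("(userAccountControl:%s:=%d)" % (BIT_AND, 65536)),
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

Passing every user-supplied value through `escape_value` before it reaches a filter keeps characters such as `*`, `(` and `)` from changing the filter's structure.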