Active Directory Security dot com

Complete Coverage of Delegation, Security Audit & Compliance Reporting in Active Directory

Brought to you by former Microsoft Program Manager for Active Directory Security
Active Directory LDAP Filters

Active Directory is primarily a standards-compliant directory service, and the standard access protocol used to query it is LDAP (Lightweight Directory Access Protocol).

Active Directory is also the primary enterprise store for vital IT resources (user accounts, security groups, computer accounts and group policies) that play a central role in enterprise-wide security, IT management, and security audit and compliance reporting.

IT personnel thus often need to generate Active Directory based security reports that document the state of these IT resources. To do so, they can either use a set of tools that automate the generation of these reports, or a variety of LDAP clients, such as dsquery (provided by Microsoft), to generate these reports.

Most organizations choose automated tools because they are almost always more reliable and efficient: they automate report generation and eliminate the possibility of human error.

Active Directory LDAP Filters

For organizations and IT personnel who wish to write their own scripts to generate custom reports, this section provides some common LDAP filters that can be used to generate common security reports:


  1. Find all user accounts

      (&(objectCategory=person)(objectClass=user))

     

  2. Find all disabled user accounts

      (&(&(objectCategory=person)(objectClass=user))
      (UserAccountControl:1.2.840.113556.1.4.803:=2))

     

  3. Find all user accounts for whom a password is not required

      (&(&(objectCategory=person)(objectClass=user))
      (UserAccountControl:1.2.840.113556.1.4.803:=32))

     

  4. Find all user accounts that do not require a SmartCard for logon

      (&(&(objectCategory=person)(objectClass=user))
      (!(UserAccountControl:1.2.840.113556.1.4.803:=262144)))

     

  5. Find all user accounts that must change their password at next logon

      (&(&(objectCategory=person)(objectClass=user))(pwdLastSet=0))

     



Do you need to generate security reports? Why bother scripting when you can generate automated AD security reports?
You can, with Gold Finger from Paramount Defenses !
 

  1. Find all security groups

      (&(objectCategory=group)
      (groupType:1.2.840.113556.1.4.804:=2147483648))

     

  2. Find all builtin security groups

      (&(objectCategory=group)
      (groupType:1.2.840.113556.1.4.803:=2147483649))

     

  3. Find all global security groups

      (&(objectCategory=group)
      (groupType:1.2.840.113556.1.4.803:=2147483650))

     

  4. Find all universal security groups

      (&(objectCategory=group)
      (groupType:1.2.840.113556.1.4.803:=2147483656))

     

  5. Find all security groups with members

      (&(objectCategory=group)
      (groupType:1.2.840.113556.1.4.804:=2147483648)(member=*))

     




  1. Find all computer accounts

      (&(objectCategory=computer)(objectClass=computer))

     

  2. Find all domain controllers

      (&(&(objectCategory=computer)(objectClass=computer))
      (UserAccountControl:1.2.840.113556.1.4.803:=8192))

     

  3. Find all computer accounts for which a manager is specified

      (&(&(objectCategory=computer)(objectClass=computer))
      (managedBy=*))

     

  4. Find all computer accounts for which a location is specified

      (&(&(objectCategory=computer)(objectClass=computer))
      (location=*))

     

  5. Find all computer accounts for which a description is specified

      (&(&(objectCategory=computer)(objectClass=computer))
      (description=*))

     




  1. Find all mailbox-enabled accounts

      (&(&(objectCategory=person)(objectClass=user))
      (&(mailNickname=*)(|(msExchHomeServerName=*)(homeMDB=*))))

     

  2. Find all mail-enabled contacts

      (&(&(objectCategory=person)(objectClass=contact))
      (&(mailNickname=*)(targetAddress=*)))

     

  3. Find all mail-enabled security groups

      (&(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648))
      (mailnickname=*))

     

  4. Find all mail-enabled groups hidden from the Global Address List (GAL)

      (&(&(objectCategory=group)(objectClass=group))
      (&(mailnickname=*)(msExchHideFromAddressLists=TRUE)))

     

  5. Find all mailbox-enabled accounts with Outlook Web Access (OWA) disabled

      (&(&(objectCategory=person)(objectClass=user))
      (&(mailNickname=*)(|(msExchHomeServerName=*)(homeMDB=*))
      (|(protocolSettings=*HTTP§0*)(protocolSettings=*OWA§0*))))

     




  1. Find all service connection points

      (objectCategory=serviceConnectionPoint)

     

  2. Find all service connection points that do not have service bindings specified

      (&(objectCategory=serviceConnectionPoint)(!(serviceBindingInformation=*)))

     

  3. Find all service connection points that do not have a service DNS name specified

      (&(objectCategory=serviceConnectionPoint)(!(serviceDNSName=*)))
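
Several of the filters above rely on the two bitwise matching rules: OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND (every bit of the asserted value must be set) and 1.2.840.113556.1.4.804 is LDAP_MATCHING_RULE_BIT_OR (at least one bit must be set). The following Python is an added, offline example (not code from the original page) that evaluates those clauses against constructed sample objects; it also shows the caveat that groupType is a signed 32-bit integer, so a global security group reads back as -2147483646 while the filter uses the unsigned 2147483650.

```python
import re
# Matching-rule OIDs used in the filters above
BIT_AND = "1.2.840.113556.1.4.803"  # every bit of the assertion value is set
BIT_OR = "1.2.840.113556.1.4.804"   # at least one bit of the value is set

def bitwise_match(attr_value, rule_oid, mask):
    # groupType is a signed int32 in AD, so compare the raw 32-bit pattern
    v = attr_value & 0xFFFFFFFF
    if rule_oid == BIT_AND:
        return v & mask == mask
    if rule_oid == BIT_OR:
        return v & mask != 0
    raise ValueError("unsupported matching rule " + rule_oid)

CLAUSE = re.compile(r"\((\w+):([\d.]+):=(\d+)\)")

def eval_clause(clause, entry):
    """Evaluate one '(attr:oid:=n)' clause, optionally wrapped in '(!...)'."""
    negate = clause.startswith("(!(")
    m = CLAUSE.fullmatch(clause[2:-1] if negate else clause)
    if not m:
        raise ValueError("not a bitwise clause: " + clause)
    attr, oid, mask = m.group(1), m.group(2), int(m.group(3))
    values = {k.lower(): v for k, v in entry.items()}  # names are case-insensitive
    hit = bitwise_match(values[attr.lower()], oid, mask)
    return not hit if negate else hit

# Constructed sample objects, shaped like the attributes a client reads back
disabled_user = {"userAccountControl": 0x200 | 0x2}          # NORMAL_ACCOUNT + ACCOUNTDISABLE
smartcard_user = {"userAccountControl": 0x200 | 0x40000}     # + SMARTCARD_REQUIRED
domain_controller = {"userAccountControl": 0x2000 | 0x80000}  # SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION
global_sec_group = {"groupType": -2147483646}   # 0x80000002 read as signed
global_dist_group = {"groupType": 2}            # distribution group, not security-enabled

def run_report():
    """Apply the page's bitwise clauses to the samples; returns {case: matched}."""
    disabled = "(UserAccountControl:1.2.840.113556.1.4.803:=2)"
    no_smartcard = "(!(UserAccountControl:1.2.840.113556.1.4.803:=262144))"
    is_dc = "(UserAccountControl:1.2.840.113556.1.4.803:=8192)"
    security = "(groupType:1.2.840.113556.1.4.804:=2147483648)"
    global_security = "(groupType:1.2.840.113556.1.4.803:=2147483650)"
    return {
        "disabled_user": eval_clause(disabled, disabled_user),
        "smartcard_user_no_smartcard": eval_clause(no_smartcard, smartcard_user),
        "dc_no_smartcard": eval_clause(no_smartcard, domain_controller),
        "dc_is_dc": eval_clause(is_dc, domain_controller),
        "sec_group_is_security": eval_clause(security, global_sec_group),
        "sec_group_is_global_security": eval_clause(global_security, global_sec_group),
        "dist_group_is_security": eval_clause(security, global_dist_group),
    }
```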

     


Copyright ActiveDirSec.Com 2008 – 2011. All Rights Reserved.