Click OK twice, select your new query in the ADUC Saved Queries tree, and press F5. A list of AD users that match this LDAP query should be displayed in the right pane.

You can also use LDAP query filters in the following PowerShell cmdlets: Get-ADUser, Get-ADComputer, Get-ADGroup, and Get-ADObject (these cmdlets are part of the Active Directory PowerShell module). Each of these cmdlets has an LdapFilter parameter that is specifically designed to use LDAP filters when searching for objects in Active Directory.

For example, to execute the above LDAP search query using Get-ADUser, open the powershell.exe console, and run the command:

Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))'

To search for computers, use the Get-ADComputer cmdlet:

Get-ADComputer -LDAPFilter 'your ldap query'

To search for Active Directory security and distribution groups in AD, use the Get-ADGroup cmdlet.

If you don't know the type of Active Directory object you are looking for, you can use the generic Get-ADObject cmdlet:

Get-ADObject -LdapFilter "(cn=*Brion*)"

In this example, we found that the given LDAP filter matches the user Jon Brion and the BrionTeam group.

If you need to find objects of a specific type, you can specify the object type using the objectClass parameter. For example:

Get-ADObject -LdapFilter "(&(objectClass=user)(cn=*Brion*))"

Windows has several built-in tools, such as dsget and dsquery, that allow you to run LDAP queries against Active Directory. The dsquery utility returns the Distinguished Name of an object that matches the specified parameters, and for LDAP filters it has a filter parameter.
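The Get-ADUser filter on this page combines plain attribute tests with a bitwise test on userAccountControl (matching rule 1.2.840.113556.1.4.803, value 2 for a disabled account). The following added example, which is not code from the original page, generalizes that one filter into a small builder for account-audit queries and escapes any name fragment so it is matched literally. The function names, parameter names and the sample name are hypothetical; the flag values are the ones Microsoft documents for userAccountControl.

```powershell
# Added example. ConvertTo-LdapFilterValue and New-AdUserAuditFilter are hypothetical helpers.
$UacFlag = @{ ACCOUNTDISABLE = 0x2; PASSWD_NOTREQD = 0x20; DONT_EXPIRE_PASSWORD = 0x10000 }
# Bitwise-AND matching rule: true when every bit of the value is set in the attribute.
$BitAnd = '1.2.840.113556.1.4.803'

function ConvertTo-LdapFilterValue {
    # Escape the RFC 4515 special characters so the text is matched literally
    # and cannot add clauses or wildcards to the filter. Backslash must go first.
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28')
    $v.Replace(')', '\29').Replace([string][char]0, '\00')
}

function New-AdUserAuditFilter {
    param(
        [ValidateSet('ACCOUNTDISABLE', 'PASSWD_NOTREQD', 'DONT_EXPIRE_PASSWORD')]
        [string[]]$MustHave = @(),       # flags that must be set
        [ValidateSet('ACCOUNTDISABLE', 'PASSWD_NOTREQD', 'DONT_EXPIRE_PASSWORD')]
        [string[]]$MustNotHave = @(),    # flags that must be clear
        [string]$NameContains,           # literal substring of cn
        [switch]$PwdLastSetZero          # adds (pwdLastSet=0), as in the page's query
    )
    $clauses = @('(objectCategory=person)', '(objectClass=user)')
    if ($PwdLastSetZero) { $clauses += '(pwdLastSet=0)' }
    foreach ($f in $MustHave) {
        $clauses += "(userAccountControl:${BitAnd}:=$($UacFlag[$f]))"
    }
    foreach ($f in $MustNotHave) {
        # A negated clause needs its own parentheses: (!(filter))
        $clauses += "(!(userAccountControl:${BitAnd}:=$($UacFlag[$f])))"
    }
    if ($NameContains) {
        $clauses += "(cn=*$(ConvertTo-LdapFilterValue $NameContains)*)"
    }
    # Every clause must match, so wrap the whole list in a single (& ... )
    '(&' + ($clauses -join '') + ')'
}

# Rebuilds the page's Get-ADUser query: enabled users with pwdLastSet=0.
$filter = New-AdUserAuditFilter -MustNotHave ACCOUNTDISABLE -PwdLastSetZero
$filter
# Enabled accounts whose password never expires; the name is a constructed sample
# containing characters that would otherwise change the filter's structure.
New-AdUserAuditFilter -MustHave DONT_EXPIRE_PASSWORD -MustNotHave ACCOUNTDISABLE -NameContains 'Brion (test)*'
# With the Active Directory module loaded on a domain-joined host:
# Get-ADUser -LDAPFilter $filter -Properties pwdLastSet
```

The two filter-building calls run without a domain and only print filter strings; the commented Get-ADUser line is where a generated filter would be used.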