Version: 7.0

DN filters. Features and examples

Users

Universal default filter:

(|(objectclass=posixAccount)(uid=*)(sAMAccountType=805306368)(&(objectCategory=person)(objectClass=user)))

Only enabled users:

(&(|(objectclass=posixAccount)(uid=*)(sAMAccountType=805306368))(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

All users with samaccountname starting with my:

(&(objectCategory=person)(objectClass=user)(samaccountname=my*))

All users who are members of a specified group:

(&(objectCategory=person)(objectClass=user)(memberOf=CN=MyGroup,OU=MyOU,DC=domain,DC=my))

All users who are members of a specified group, including nested groups:

(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=MyOU,DC=domain,DC=my))

Groups

Default filter:

(|(objectclass=group)(objectclass=organizationalRole)(objectclass=posixGroup))

Groups whose description contains the word security:

(&(objectclass=group)(description=*security*))

Groups that are members of a specified group:

(&(objectCategory=group)(objectClass=group)(memberOf=CN=MyGroup,OU=MyOU,DC=domain,DC=my))

Groups that are members of a specified group, including nested groups:

(&(objectCategory=group)(objectClass=group)(memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,OU=MyOU,DC=domain,DC=my))

Only security groups:

(&(objectCategory=group)(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))

Only distribution groups:

(&(objectCategory=group)(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=2147483648)))

Filter features

  • Using DN filters, you can load nested groups and the users who are members of nested groups. Note that group-based and login restrictions apply directly to the parent group only, not to the nested objects;
  • Each operand of a logical operator (&, |, !) must be enclosed in its own parentheses.

Example:

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

In Microsoft products, a logical operator can often be followed directly by its operand, without the extra parentheses. Such a filter must be rewritten in the parenthesised form shown above.

Example:

(!userAccountControl:1.2.840.113556.1.4.803:=2)

Wildcard search on DN-valued attributes such as memberOf is not supported for groups. This is a technical limitation of most LDAP servers (DN syntax has no substring matching rule), so a filter like the following cannot be used:

(&(objectCategory=group)(objectClass=group)(memberOf=CN=My*,OU=MyOU,DC=domain,DC=my))
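Added example, not part of this page or of the product it documents: a small Python evaluator for the filter idioms listed above (the bitwise-AND rule 1.2.840.113556.1.4.803, the in-chain rule 1.2.840.113556.1.4.1941 for nested membership, and the two restrictions under "Filter features"), run against a constructed in-memory directory. The entry layout, the DN_SYNTAX set and the search function are assumptions of this example, not an API of the product.

```python
import re
BASE = "OU=MyOU,DC=domain,DC=my"  # constructed sample data below, not a real directory
G, S = f"CN=MyGroup,{BASE}", f"CN=Sub,{BASE}"  # Sub is a member of MyGroup (nesting)
GROUP = {"objectcategory": ["group"], "objectclass": ["group"], "grouptype": ["-2147483646"]}
USER = {"objectcategory": ["person"], "objectclass": ["user"], "samaccounttype": ["805306368"]}
DIRECTORY = {G: GROUP, S: {**GROUP, "memberof": [G]},  # DN -> {attribute (lower-case): [values]}
    f"CN=alice,{BASE}": {**USER, "samaccountname": ["myalice"], "useraccountcontrol": ["512"], "memberof": [S]},
    f"CN=bob,{BASE}": {**USER, "samaccountname": ["bob"], "useraccountcontrol": ["514"], "memberof": [G]}}
BIT_AND, IN_CHAIN = "1.2.840.113556.1.4.803", "1.2.840.113556.1.4.1941"  # AD extensible-match rule OIDs
DN_SYNTAX = {"memberof", "member"}  # DN-syntax attributes: AD has no substring (wildcard) rule for them

def parse(s, i=0):  # one parenthesised filter element at s[i] -> (node, index just after it)
    if s[i] != "(":  # (!userAccountControl...) fails here: the operand of ! needs its own parentheses
        raise ValueError(f"expected '(' at offset {i}")
    if s[i + 1] in "&|!":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] != ")":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i + 1:end].partition("=")  # split at the first '=': DN values contain '=' too
    name, _, rule = attr.lower().partition(":")   # "memberof:1.2.840.113556.1.4.1941:" -> name, OID
    return ("=", name, rule.rstrip(":"), value), end + 1

def matches(node, entry):
    if node[0] in "&|!":
        return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]]([matches(k, entry) for k in node[1]])
    _, name, rule, value = node
    values = entry.get(name, [])
    if rule == BIT_AND:   # true when every bit of the filter value is set (AD stores 32-bit values)
        return any((int(v) & 0xFFFFFFFF) & int(value) == int(value) for v in values)
    if rule == IN_CHAIN:  # nested membership: walk the memberOf chain transitively through DIRECTORY
        seen, todo = set(), list(values)
        while todo:
            dn = todo.pop()
            if dn.lower() not in seen:
                seen.add(dn.lower())
                todo.extend(DIRECTORY.get(dn, {}).get(name, []))
        return value.lower() in seen
    if "*" in value:      # presence (*) or substring (my*), case-insensitive as in AD
        if name in DN_SYNTAX:  # (memberOf=CN=My*,...) fails here, as the page says it must
            raise ValueError(f"{name} has DN syntax: wildcard matching is not supported")
        return any(re.fullmatch(re.escape(value).replace(r"\*", ".*"), v, re.I) for v in values)
    return any(v.lower() == value.lower() for v in values)

def search(filter_text):  # sorted DNs of the DIRECTORY entries that match an LDAP filter string
    return sorted(dn for dn, e in DIRECTORY.items() if matches(parse(filter_text)[0], e))
```

Running the page's "only enabled users" filter returns alice only (bob has the ACCOUNTDISABLE bit set), and the 1941 variant of the membership filter returns alice through the nested group Sub while the plain memberOf form returns only bob.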