1. On the AD domain controller, open "Active Directory Users and Computers".
2. Right-click the domain object and select Find.
3. Click the drop-down list next to Find, then select Custom Search.
4. On the next screen, select the Advanced tab.
5. Under Enter LDAP query, enter the corresponding LDAP statement.

ObjectCategory vs. ObjectClass in a Search Filter

Because of the existence of the class inheritance hierarchy in the schema, every object in Active Directory is in fact a member of many classes — four or five on the average. For this reason, the objectClass index is prohibitively large (for example, 4n, where n is the number of objects in the system). In addition, objectClass has poor selectivity for many possible class values. For example, a search filter of (objectClass=securityPrincipal) returns every user and group object in the system.

On the other hand, objectCategory usually refers to the most specific class in the object's class hierarchy. Although objectClass can have multiple values, the attribute objectCategory has only one. Every Active Directory object has an objectCategory attribute whose value is a classSchema object.

Every classSchema object has an attribute called defaultObjectCategory, which is the object category of an instance of the class if none is specified by the user. For most classes, the defaultObjectCategory value is the class itself. In the search filter, you can specify objectCategory=X, where X is the ldapDisplayName of a class, and LDAP automatically expands the filter to objectCategory=<defaultObjectCategory of class X>. The objectCategory attribute has a syntax of distinguished name, and LDAP automatically converts the value for objectCategory to the distinguished name format. For example, if you use objectCategory=contact in the filter, the filter changes to objectCategory=cn=person,cn=schema,cn=configuration,dc=<ForestRootDomain> ("person" is the defaultObjectCategory for the class contact).

For more information about class inheritance, see "Active Directory Schema" in this book.

  • Find all Computers that do not have a Description

Notice the "!" that means "NOT".

(&(objectCategory=computer)(!(description=*)))

  • Find all Groups that have a Description

(&(objectCategory=group)(description=*))

  • Find all Groups that start with QA or HD

Notice the "|" that means "OR".

(&(objectCategory=group)(|(cn=QA*)(cn=HD*)))

  • Find all Objects where Department, Company or Description is Sales

Notice the "|" that means "OR".

(|(department=Sales)(company=Sales)(description=Sales))

  • Find all Users created after 01.08.2004

(&(objectCategory=user)(whenCreated>=20040801000000.0Z))

  • Find all Users except Sara

Notice the "!" that means "NOT".

(&(objectCategory=user)(!(cn=sara*)))

  • Find all Users that are almost Locked-Out

Notice the ">=" that means "Greater than or equal to".

(&(objectCategory=user)(badPwdCount>=2))

  • Find all Users that are Disabled

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

  • Find all Users that are Disabled (another option)

(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))

  • Find all Users that are members of QA Users Group in the Help Desk OU in the dpetri.net domain

(&(objectCategory=user)(memberOf=CN=QA Users,OU=Help Desk,DC=dpetri,DC=net))

  • Find all Users that have an E-Mail Address (not Exchange related)

(&(objectClass=user)(mail=*))

  • Find all Users that have an E-Mail attribute (Mail Enabled)

(&(objectClass=user)(email=*))

  • Find all Users that have not changed password since 05.02.2004

Note: Download the datetointeger8.zip script to help you generate this date format.

(&(objectCategory=person)(objectClass=user)(pwdLastSet<=127204308000000000))
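The pwdLastSet value above is a Windows FILETIME ("Integer8"): 100-nanosecond ticks since 1 January 1601 UTC. As an added example (this is not the article's datetointeger8.zip script, whose code is not shown on the page), the Python below converts dates to and from that form and builds the filter for any cutoff. The article's value 127204308000000000 decodes to 2004-02-05 05:00 UTC, which is midnight on 5 February 2004 in a UTC-5 zone; the utc_offset_hours parameter and all function names are mine. One caveat the builder handles: pwdLastSet=0 (password must change at next logon) is numerically below any cutoff, so a bare <= comparison also returns those accounts.

```python
"""Convert between calendar dates and the Windows FILETIME ("Integer8") form that
pwdLastSet, lastLogon, lockoutTime and similar attributes store: the number of
100-nanosecond intervals since 1601-01-01 00:00:00 UTC. Added illustration; it stands
in for the datetointeger8.zip script the article mentions, whose code is not shown."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one tick is 100 ns

def to_integer8(when):
    """Aware datetime (any zone) -> Integer8; a naive datetime is taken as UTC."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10

def from_integer8(value):
    """Integer8 -> aware UTC datetime. 0 means 'never set' (or 'must change at next logon')."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def date_to_integer8(text, utc_offset_hours=0):
    """'DD.MM.YYYY' (the date style used in the article) at local midnight -> Integer8.
    utc_offset_hours is an assumed helper parameter, not anything from the article."""
    day, month, year = (int(part) for part in text.split("."))
    zone = timezone(timedelta(hours=utc_offset_hours))
    return to_integer8(datetime(year, month, day, tzinfo=zone))

def stale_password_filter(cutoff_integer8, include_never_set=False):
    """Build the article's filter for passwords last set on or before the cutoff.
    pwdLastSet=0 (must change at next logon) is numerically below any cutoff, so it is
    excluded unless the caller asks for those accounts as well."""
    body = (f"(objectCategory=person)(objectClass=user)"
            f"(pwdLastSet<={cutoff_integer8})")
    if not include_never_set:
        body += "(!(pwdLastSet=0))"
    return f"(&{body})"
```

Calling date_to_integer8("05.02.2004", -5) reproduces the article's 127204308000000000 exactly, and stale_password_filter of that value yields the filter above with (!(pwdLastSet=0)) appended.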

  • Find all Users that have never logged in at all

Notice the "|" that means "OR" and the "!" that means "NOT".

(&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))

  • Find all Users that must change password at next logon

(&(objectCategory=user)(pwdLastSet=0))

  • Find all Users with Dial-In permissions

(&(objectCategory=user)(msNPAllowDialin=TRUE))

  • Find all Users with First Name of David

(&(objectCategory=user)(cn=David*))

  • Find all Users with First Name of David or Dana

Notice the "|" that means "OR".

(&(objectCategory=user)(|(cn=David*)(cn=Dana*)))

  • Find all Users with Mobile numbers 050 or 051

Notice the "|" that means "OR".

(&(objectCategory=user)(|(mobile=050*)(mobile=051*)))

  • Find all Users with Password Never Expires set

(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

  • Find all Users, Groups or Contacts where Company or Description is North

Notice the "|" that means "OR".

(&(|(objectCategory=user)(objectCategory=group)(objectCategory=contact))(|(description=North*)(company=North*)))
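To make the two earlier points concrete in runnable form (the ObjectCategory vs. ObjectClass discussion, and the filter list with its "!", "|" and userAccountControl bitwise examples), here is an added Python example, not code from the article or from Microsoft: a small evaluator for the subset of RFC 4515 filter syntax the list uses, run over a constructed in-memory directory. It models objectClass as the multi-valued inheritance chain and objectCategory as a single value, applies the server's objectCategory=X rewrite from a small defaultObjectCategory table (so (objectCategory=user) also selects contacts, which is why the "Disabled" filters pair objectCategory=person with objectClass=user), implements the 1.2.840.113556.1.4.803 bitwise-AND rule, and rejects filters that are not well-formed, such as two top-level components with no enclosing (&...) or a NOT written as (!attr=*). The entries, names and the ldapDisplayName stand-in for the objectCategory DN are my simplifications.

```python
"""Evaluator for a subset of RFC 4515 LDAP search filters, run over constructed
AD-shaped entries. Supported: (&...), (|...), (!...), equality, presence (attr=*),
prefix match (attr=abc*), integer >= / <=, and the AD bitwise-AND matching rule."""
import re

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: all given bits set
ACCOUNTDISABLE, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD = 0x2, 0x200, 0x10000

# Simplification: a real objectCategory holds the DN of a classSchema object; here it
# holds the class's ldapDisplayName. The table mirrors the defaultObjectCategory values
# the server substitutes when it rewrites objectCategory=X in a filter.
DEFAULT_OBJECT_CATEGORY = {"user": "person", "contact": "person",
                           "group": "group", "computer": "computer"}
USER_CHAIN = ["top", "person", "organizationalPerson", "user"]

# Constructed sample directory (not real accounts). objectClass is multi-valued
# (the whole inheritance chain); objectCategory carries exactly one value.
DIRECTORY = [
    {"cn": "David Cohen", "objectClass": USER_CHAIN, "objectCategory": "person",
     "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": 0},
    {"cn": "Sara Levi", "objectClass": USER_CHAIN, "objectCategory": "person",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,
     "badPwdCount": 3},
    {"cn": "Dana Contact", "objectClass": USER_CHAIN[:3] + ["contact"], "objectCategory": "person"},
    {"cn": "QA Users", "objectClass": ["top", "group"], "objectCategory": "group",
     "description": "QA team"},
    {"cn": "WS01", "objectClass": USER_CHAIN + ["computer"], "objectCategory": "computer",
     "userAccountControl": 0x1000},  # WORKSTATION_TRUST_ACCOUNT
]

def parse(text):
    """Parse a filter into nested tuples. Raises ValueError on bad syntax, e.g. two
    top-level components with no enclosing (&...) or a NOT written as (!attr=*)."""
    try:
        node, pos = _parse_at(text, 0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}: {text[pos:]!r}")
    return node

def _parse_at(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            kid, i = _parse_at(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = _parse_at(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", [kid]), i + 1
    end = s.index(")", i)  # values containing ')' are not supported here
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?(>=|<=|=)(.*)", s[i:end])
    if not m:
        raise ValueError(f"bad simple filter: {s[i:end]!r}")
    return ("item",) + m.groups(), end + 1

def _values(entry, attr):
    """Attribute names are case-insensitive; always return a list of values."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, op, value = node
    vals = _values(entry, attr)
    if attr.lower() == "objectcategory":  # the server-side rewrite described above
        value = DEFAULT_OBJECT_CATEGORY.get(value.lower(), value)
    if rule == BIT_AND:
        return any(int(v) & int(value) == int(value) for v in vals)
    if rule:
        raise ValueError(f"unsupported matching rule {rule}")
    if op == ">=":  # integer ordering only; generalized-time strings are not handled
        return any(int(v) >= int(value) for v in vals)
    if op == "<=":
        return any(int(v) <= int(value) for v in vals)
    if value == "*":
        return bool(vals)
    if value.endswith("*"):
        return any(str(v).lower().startswith(value[:-1].lower()) for v in vals)
    return any(str(v).lower() == value.lower() for v in vals)

def search(filter_text, directory=DIRECTORY):
    """Return the cn of every entry that the filter selects, in directory order."""
    node = parse(filter_text)
    return [e["cn"] for e in directory if matches(node, e)]
```

With this sample directory, search("(objectCategory=user)") returns David, Sara and the contact Dana, because the category rewrites to person; search("(objectClass=user)") returns David, Sara and the computer WS01, because computer inherits from user; and the "Disabled" filter from the list returns only Sara, whose userAccountControl has bit 2 set. Passing the unwrapped form "(objectCategory=computer)(!description=*)" to parse raises ValueError, which is the reason the list's filters need an enclosing (&...) and a parenthesised operand after "!".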