LDAP Query Basics

Page 1 of 8

LDAP Query Basics

Topic Last Modified: 2011-01-13
By William Taylor
This article discusses Lightweight Directory Access Protocol (LDAP) queries, which can be useful, but confusing, when
troubleshooting Microsoft Exchange Server and its relationship to its directory. This article provides basic information
about LDAP queries.
Basic LDAP Syntax
Where Can You Use LDAP Queries?
Doing a Search Using Active Directory Users and Computers
Doing a Search Using LDP
Doing a Search Using LDIFDE
Using LDAP Queries in ADModify
For More Information

Basic LDAP Syntax

= (EQUAL TO)
This LDAP argument means a certain attribute must be equal to a certain value to be true. For example, if you
want to find all objects that have the first name of John, you would use:
(givenName=John)
This would return all objects that have the first name of John. Parentheses are included to emphasize the
beginning and end of the LDAP statement.
& (logical AND)
You use this syntax when you have more than one condition, and you want all conditions in the series to be
true. For example, if you want to find all of the people that have the first name of John and live in Dallas, you
would use:
(&(givenName=John)(l=Dallas))
Notice that each argument is in its own set of parentheses. The entire LDAP statement must be encompassed
in a main set of parentheses. The & operator means that each argument must be true for this filter to apply to
your object in question.
! (logical NOT)
This operator is used to exclude objects that have a certain attribute. Suppose you need to find all objects
except those that have the first name of John. You would use the following statement:
(!givenName=John)
This statement would find all objects that do not have the first name of John. Notice that the ! operator goes
directly in front of the argument and inside the argument's set of parentheses. Because there is only one
argument in this statement, it is surrounded with parentheses for illustration.
* (wildcard)
You use the wildcard operator to represent a value that could be equal to anything. One such situation might
be if you wanted to find all objects that have a value for title. You would then use:
(title=*)
This would return all objects that have the title attribute populated with a value. Another example might be if
you know an object's first name starts with Jo. Then, you could use the following to find those:
(givenName=Jo*)
This would apply to all objects whose first name starts with Jo.
The following are more advanced examples of LDAP syntax:

http://technet.microsoft.com/en-us/library/aa996205(d=printer,v=exchg.65).aspx

5/14/2012

LDAP Query Basics

Page 2 of 8

You need a filter to find all objects that are in Dallas or Austin, and that have the first name of John. This
would be:
(&(givenName=John)(|(l=Dallas)(l=Austin)))
You have received 9,548 events in the Application log, and you need to find all of the objects that are
causing this logging event. In this case, you need to find all of the disabled users
(msExchUserAccountControl=2) that do not have a value for msExchMasterAccountSID. This
would be:
(&(msExchUserAccountControl=2)(!msExchMasterAccountSID=*))

Note:
The ! operator in conjunction with the wildcard operator will look for objects where that attribute is not set
to anything.

Where Can You Use LDAP Queries?

While working with Exchange Server, you encounter situations that use LDAP strings. For example, whenever you
set up a recipient or mailbox manager policy or an address list filter, or when you search the Active Directory
directory service, Exchange Server utilizes LDAP. In the next sections, some of the ways in which you can use LDAP
statements are discussed.

Doing a Search Using Active Directory Users and Computers

The following example illustrates how to search using Active Directory Users and Computers:
1. Open Active Directory Users and Computers.
2. Right-click the domain object and select Find.

3. Click the drop-down list next to Find, and then select Custom Search.
4. From the next screen, select the Advanced tab.
5. Type the appropriate LDAP statement under Enter LDAP query.

http://technet.microsoft.com/en-us/library/aa996205(d=printer,v=exchg.65).aspx

5/14/2012

LDAP Query Basics

Page 3 of 8

This example attempts to find all objects that either have prez for their title or test for the start of their name. If
you click Find Now, you should see the appropriate output, as shown in the following screenshot.

Doing a Search Using LDP

You can also search using LDP, which is included in Microsoft Windows Server 2003 and Windows 2000 Server
support tools. This tool gives you the ability to not only search the domain container, but also the Configuration
container. You first would open LDP and connect to a valid domain controller. Then you need to bind using
appropriate credentials. Select View, and then select Tree. Leave the Base DN field blank, and click OK.
Navigate to the container that you want to search, right-click the container, and select Search.

http://technet.microsoft.com/en-us/library/aa996205(d=printer,v=exchg.65).aspx

5/14/2012

LDAP Query Basics

Page 4 of 8

A dialog box appears that should have the correct value in the Base DN field. Type the LDAP statement that you
want to filter by, and something similar to the following should appear.

If you want to search all of the containers below the level you are currently at, make sure to select the option
button for Subtree. Click Run, and it should find all of the matches.

http://technet.microsoft.com/en-us/library/aa996205(d=printer,v=exchg.65).aspx

5/14/2012

LDAP Query Basics

Page 5 of 8

Doing a Search Using LDIFDE

There may be times when you need to do a search for a set of objects that meet a certain criteria, and you want
to build a list of those users. LDIFDE is a command-line tool that you can use to build this list. Suppose you want
to find and save a list of all the users whose mailNickName starts with Jeff. You could then run the following
command.

C:\>ldifded"DC=witaylorroot,DC=com"fc:\output.txtr"(&(objectClass=user)(mailNickName=jeff*))
In this example, you would find three objects and export all of their attributes into the output .txt file that you
specified. If you are exporting the results for thousands of users, however, the export file will be too large. There
is a different option. You can use the -l (lowercase L) switch to specify which attributes to export. The
distinguished name will always export, but if you want nothing else, you can add -l nothing to the string, and
that would streamline the output. An example of this is the following command.

C:\>ldifded"DC=witaylorroot,DC=com"fc:\output.txtlnothingr"(&(objectClass=user)(mailNickName
=jeff*))
Consider that in this case, you want to use the LDIFDE export referenced earlier, but only want to include the
homeMDB attribute in the output. You must use the following command.

C:\>ldifded"DC=witaylorroot,DC=com"fc:\output.txtl"homeMDB"r"(&(objectClass=user)(mailNickNa
me=jeff*))
dn:CN=jeff,OU=55Users,DC=witaylorroot,DC=com
changetype:add
homeMDB:
CN=PrivateInformationStore(WITAYLORNT4EX55),CN=FirstStorageGroup,CN=InformationStore,CN=WITAYLORNT4

http://technet.microsoft.com/en-us/library/aa996205(d=printer,v=exchg.65).aspx

5/14/2012

LDAP Query Basics

Page 6 of 8

EX55,CN=Servers,CN=WITAYLORMIXEDSITE,CN=Administrative Groups,CN=WITAYLORORG,CN=Microsoft Exchange,CN=Se

rvices,CN=Configuration,DC=witaylorroot,DC=com
dn: CN=jeff2,CN=Users,DC=witaylorroot,DC=com
changetype: add
homeMDB:
CN=Private Information Store (WITAYLORNT4EX55),CN=First Storage Group,CN=InformationStore,CN=WITAYLORNT4
EX55,CN=Servers,CN=WITAYLORMIXEDSITE,CN=Administrative Groups,CN=WITAYLORORG,CN=Microsoft Exchange,CN=Se
rvices,CN=Configuration,DC=witaylorroot,DC=com
dn: CN=jeff3,CN=Users,DC=witaylorroot,DC=com
changetype: add
homeMDB:
CN=Private Information Store (WITAYLORNT4EX55),CN=First Storage Group,CN=InformationStore,CN=WITAYLORNT4
EX55,CN=Servers,CN=WITAYLORMIXEDSITE,CN=Administrative Groups,CN=WITAYLORORG,CN=Microsoft Exchange,CN=Se
rvices,CN=Configuration,DC=witaylorroot,DC=com
If you are doing an export without restricting what attributes are exported, you might want to use the -n switch to
suppress any values that would normally be included. This will help prevent the export file size from getting too
large.

Using LDAP Queries in ADModify

To obtain the ADModify tool, contact Microsoft Product Support Services. For more information about how to contact
Microsoft Product Support Services, see the Microsoft Help and Support Web site1.
To obtain the ADModify tool from a third-party Web site, see the following GotDotNet Web site: ADModify.NET:
Workspace Home2.
ADModify is a tool that Microsoft Product Support Services uses on a daily basis. With large Active Directory
environments, it is not always easy to add an entire organizational unit (OU) that could have thousands of users in it
to the list on the right side, and then parse through all of them to find the users you need to change. There is an
alternative. On the first screen, choose Modify Existing User Attributes and click Next. On the Modify Active
Directory Users screen, there is an Advanced button.

http://technet.microsoft.com/en-us/library/aa996205(d=printer,v=exchg.65).aspx

5/14/2012

LDAP Query Basics

Page 7 of 8

If you click the Advanced button, the Custom LDAP Filter dialog box appears. In this dialog box, you type the
LDAP filter that you want to use. In this example, you only want to list the groups that are mail-enabled. It would
look like the following.

Next, click OK. Select the OU or the domain where you want ADModify to search. If you want it to look in lower-level
containers within the one you selected, make sure to select Traverse Subcontainers when Enumerating Users.
Click Add to List, and then click Yes when warned about how long it could take. The objects that meet the criteria
you specified should now appear in the right pane.

From here, highlight the objects that you want to modify, and continue with the wizard.

For More Information

For more information, see the following Microsoft Knowledge Base articles:
255602, "XADM: Browsing and Querying Using the LDP Utility3"
296112, "XADM: Cannot use an organizational unit or the location of an account for recipient policy4"

Links Table

http://technet.microsoft.com/en-us/library/aa996205(d=printer,v=exchg.65).aspx

5/14/2012

LDAP Query Basics

http://go.microsoft.com/fwlink/?LinkId=41364

http://workspaces.gotdotnet.com/ADModify

http://go.microsoft.com/fwlink/?linkid=3052&kbid=255602

http://go.microsoft.com/fwlink/?linkid=3052&kbid=296112

Page 8 of 8

Community Content
Logical OR
the logical OR opperator is "|" as shown in this example:
(&(givenName=John)(|(l=Dallas)(l=Austin)))

12/3/2010
fran_bsas

2012 Microsoft. All rights reserved.

http://technet.microsoft.com/en-us/library/aa996205(d=printer,v=exchg.65).aspx

5/14/2012