JSI Tip 9818. What operators can I use when filtering an Active Directory query?

NOTE: See How can I filter an Active Directory query using a bitwise flag?

NOTE: See How can I filter an Active Directory query by testing an attribute to be NOT EQUAL?

NOTE: See How can I filter an Active Directory query by testing an attribute to be this OR that?

When you compose an LDAP (Lightweight Directory Access Protocol) query, or a DSQUERY query, or an Adfind.exe query, the following table lists the operators that you can use:

Operator    Description
= Equal to
~= Approximately equal to
<= Lexicographically less than or equal to
>= Lexicographically greater than or equal to
& AND
| OR
! NOT

Approximately equal to

The (sn~=Schulman) filter should find objects whose surname attribute has a value that sounds like Schulman, but I haven't been able to make it work. (It isn't finding Shulman).

Lexicographically less than or equal to AND Lexicographically greater than or equal to

Attributes that have some inherent ordering can be filtered. (snsn attribute uses the case-ignore syntax. An attribute that has an integer syntax would be ordered numerically. If an attribute has no inherent ordering, these operators cannot be used.

To search for greater than or less than, use the compliment. To find users that have logged on more that 1000 times, use (!logonCount=10).

When searching for any of the following characters, use the escape sequence:

Character    Escape sequence
* \2a
( \28
) \29
\ \5c
NUL \00
/ \2f

NOTE: If you wish to search binary data, encode each byte of binary data with the backslash (\) followed by two hexadecimal digits, like 0x00000004 is encoded as \00\00\00\04.



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish