LDAP Filter Builder

Compose escaped LDAP search filters: disabled accounts, lockouts, stale machines, group members.

Why this exists

LDAP filter syntax is fiddly: special characters must be escaped, or the query silently returns nothing. Common queries (disabled accounts, never-expiring passwords, recursive group membership) need bitwise and matching-rule OIDs nobody memorises.

How to use
  1. Pick a preset, or build conditions: attribute, operator, value.
  2. Combine with AND / OR; values are escaped per RFC 4515 automatically.
  3. Copy the filter into PowerShell (Get-ADUser -LDAPFilter) or your LDAP tool.

Conditions

Values are escaped per RFC 4515 (* ( ) \ NUL). The "in chain" operator (recursive membership) takes a DN, which is left unescaped. A preset overrides the builder until you edit a condition.

Use it in PowerShell

Get-ADUser -LDAPFilter '<filter>'

Wrap the filter in single quotes so PowerShell doesn’t mangle the parentheses. The same string works in ldapsearch -b and most LDAP tools.

Common attributes

  • Identity
  • Contact & org
  • Membership
  • Account state
  • Timestamps (FILETIME)
  • Computers & services
  • Exchange / extension

AD gotchas

  • LDAP has no strict < / >, only <= / >=.
  • Bitwise matches need a decimal value (not hex / a constant) and no spaces in the assertion.
  • memberOf excludes the primary group; use primaryGroupID for Domain Users (513).
  • accountExpires=0 and accountExpires=9223372036854775807 both mean “never”.
  • lastLogonTimestamp lags by up to ~14 days; use lastLogon (per-DC, non-replicated) for precision.
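The escaping rule from the Conditions note and the bitwise, operator and FILETIME gotchas above, worked through in code. This is an added example, not the builder's own code: the function names and sample values are constructed, the matching-rule OIDs are the documented Active Directory ones (bit-AND 1.2.840.113556.1.4.803, in-chain 1.2.840.113556.1.4.1941), and the two userAccountControl flags are the standard ACCOUNTDISABLE (0x2) and DONT_EXPIRE_PASSWD (0x10000) bits.

```python
"""Compose RFC 4515-escaped LDAP filters for Active Directory (added example)."""
from __future__ import annotations

from datetime import datetime, timezone

# Documented AD matching-rule OIDs.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Standard userAccountControl bits (hex constants; converted to decimal below).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000

# LDAP has no strict < or >, so the builder refuses them outright.
ALLOWED_OPERATORS = {"=", ">=", "<=", "~="}

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch.
_FILETIME_EPOCH_OFFSET = 11644473600


def escape_value(value: str) -> str:
    """Escape an assertion value per RFC 4515: * ( ) \\ and NUL become \\XX."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def condition(attribute: str, operator: str, value: str) -> str:
    """One (attribute OP value) term; the value is always escaped."""
    if operator not in ALLOWED_OPERATORS:
        raise ValueError(f"operator {operator!r} not supported by LDAP filters")
    return f"({attribute}{operator}{escape_value(value)})"


def bitwise_and(attribute: str, flag: int) -> str:
    """Bitwise match: decimal value, no spaces anywhere in the assertion."""
    return f"({attribute}:{LDAP_MATCHING_RULE_BIT_AND}:={flag:d})"


def in_chain(attribute: str, dn: str) -> str:
    """Recursive membership: the DN is passed through unescaped."""
    return f"({attribute}:{LDAP_MATCHING_RULE_IN_CHAIN}:={dn})"


def all_of(*terms: str) -> str:
    return "(&" + "".join(terms) + ")"


def any_of(*terms: str) -> str:
    return "(|" + "".join(terms) + ")"


def negate(term: str) -> str:
    return f"(!{term})"


def to_filetime(when: datetime) -> int:
    """Convert an aware datetime to a Windows FILETIME (100ns ticks since 1601)."""
    return int((when.timestamp() + _FILETIME_EPOCH_OFFSET) * 10_000_000)


def disabled_users() -> str:
    return all_of(
        condition("objectCategory", "=", "person"),
        condition("objectClass", "=", "user"),
        bitwise_and("userAccountControl", UF_ACCOUNTDISABLE),
    )


def never_expiring_accounts() -> str:
    # Both sentinel values mean "never" (see the AD gotchas above).
    return any_of(
        condition("accountExpires", "=", "0"),
        condition("accountExpires", "=", "9223372036854775807"),
    )


def stale_computers(cutoff: datetime) -> str:
    # No strict '<' exists, so '<=' on the FILETIME cutoff is the only option.
    return all_of(
        condition("objectCategory", "=", "computer"),
        condition("lastLogonTimestamp", "<=", str(to_filetime(cutoff))),
    )


def recursive_members(group_dn: str) -> str:
    return all_of(condition("objectClass", "=", "user"), in_chain("memberOf", group_dn))


def to_powershell(ldap_filter: str) -> str:
    """Single-quote for PowerShell; a literal ' inside the filter is doubled."""
    return "Get-ADUser -LDAPFilter '" + ldap_filter.replace("'", "''") + "'"


if __name__ == "__main__":
    # Constructed sample inputs, including the characters that need escaping.
    print(to_powershell(condition("cn", "=", "Smith (Admin)*")))
    print(to_powershell(disabled_users()))
    print(stale_computers(datetime(2024, 1, 1, tzinfo=timezone.utc)))
```

Note that `in_chain` is the one place a value bypasses `escape_value`, matching the builder's behaviour for DNs; every other term goes through it, so a user-supplied `cn` containing parentheses becomes `\28` and `\29` instead of silently closing the filter.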