Use LDAP Query Builder

Finding a User by Username

The most basic LDAP query — find a specific user by their sAMAccountName (login name) in Active Directory:

Visual builder settings:
Attribute: sAMAccountName
Operator: equals (=)
Value: jsmith

Generated LDAP filter:
(sAMAccountName=jsmith)

Use this filter with an LDAP search base of DC=company,DC=com to find the user object for the login name "jsmith".

Finding All Users in an Organizational Unit

Find all user accounts in a specific OU. The OU is selected by the search base; the filter restricts the results to user objects by objectClass and objectCategory:

Visual builder settings:
AND condition:
  - objectClass = user
  - objectCategory = person

Generated LDAP filter:
(&(objectClass=user)(objectCategory=person))

Search base: OU=Employees,DC=company,DC=com

This returns all user objects (not computers or groups) within the Employees OU.

Finding All Members of a Security Group

Find all objects that are direct members of a specific group:

Visual builder settings:
Attribute: memberOf
Operator: equals (=)
Value: CN=IT-Admins,OU=Groups,DC=company,DC=com

Generated LDAP filter:
(memberOf=CN=IT-Admins,OU=Groups,DC=company,DC=com)

This returns all objects (users, computers, other groups) that are direct members of the IT-Admins group.

Finding Disabled User Accounts

In Active Directory, the userAccountControl attribute uses bit flags. The ACCOUNTDISABLE flag has value 2:

Visual builder settings:
AND condition:
  - objectClass = user
  - userAccountControl (bitwise AND) = 2

Generated LDAP filter:
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

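The OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND operator. This query finds all user accounts where the disabled bit is set. Computer objects also carry objectClass=user, so add (objectCategory=person) to the AND condition if disabled computer accounts should be excluded.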

Finding Users with Expiring Passwords

Find users whose passwords were last set more than 90 days ago (using Active Directory's 100-nanosecond intervals since January 1, 1601):

Visual builder settings:
AND condition:
  - objectClass = user
  - pwdLastSet <= [timestamp for 90 days ago]
  - pwdLastSet != 0 (0 means the password must be changed at next logon)

Generated LDAP filter:
(&(objectClass=user)(pwdLastSet<=132800000000000000)(!(pwdLastSet=0)))

The timestamp value is calculated from the current date minus 90 days, converted to Windows FILETIME format (100-nanosecond intervals since 1601-01-01).

Wildcard Search — Finding Users by Name

Use substring filters with wildcards to search for users whose display name contains a string:

Visual builder settings:
Attribute: displayName
Operator: contains (substring)
Value: *Smith*

Generated LDAP filter:
(displayName=*Smith*)

Other wildcard patterns:

Starts with "John":
(displayName=John*)

Ends with "son":
(displayName=*son)

Contains "admin" in description:
(description=*admin*)

Finding Computers by Operating System

Find all Windows Server 2022 machines in the domain:

Visual builder settings:
AND condition:
  - objectClass = computer
  - operatingSystem = Windows Server 2022*

Generated LDAP filter:
(&(objectClass=computer)(operatingSystem=Windows Server 2022*))

Find all workstations running Windows 10 or 11:

AND condition:
  - objectClass = computer
  - OR:
    - operatingSystem = Windows 10*
    - operatingSystem = Windows 11*

Generated LDAP filter:
(&(objectClass=computer)(|(operatingSystem=Windows 10*)(operatingSystem=Windows 11*)))

Nested Group Membership Query

Find all users who are members of a group, including through nested group membership (transitive membership):

Visual builder settings:
Attribute: memberOf (recursive)
Operator: LDAP_MATCHING_RULE_IN_CHAIN
Value: CN=VPN-Users,OU=Groups,DC=company,DC=com

Generated LDAP filter:
(memberOf:1.2.840.113556.1.4.1941:=CN=VPN-Users,OU=Groups,DC=company,DC=com)

The OID 1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN operator, which traverses the entire group membership chain recursively. This is an Active Directory-specific extension.

Finding Recently Created Accounts

Find user accounts created in the last 30 days using the whenCreated attribute:

Visual builder settings:
AND condition:
  - objectClass = user
  - whenCreated >= 20240101000000.0Z

Generated LDAP filter:
(&(objectClass=user)(whenCreated>=20240101000000.0Z))

The whenCreated attribute uses Generalized Time format: YYYYMMDDHHMMSS.0Z. Adjust the date value to 30 days before today.
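The two time-based cutoffs used on this page (the FILETIME value for pwdLastSet and the Generalized Time value for whenCreated) can be computed rather than typed by hand. The following is an added example, not part of the original page or the tool's own code; the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def _utc(dt):
    # Naive datetimes are rejected: a local-time cutoff would be off by the UTC offset.
    if dt.tzinfo is None:
        raise ValueError("timezone-aware datetime required")
    return dt.astimezone(timezone.utc)

def to_filetime(dt):
    """Datetime -> 100-nanosecond intervals since 1601-01-01 (integer math only)."""
    delta = _utc(dt) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10

def from_filetime(ft):
    """FILETIME integer -> UTC datetime, for checking a cutoff before it is used."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def generalized_time(dt):
    """Datetime -> YYYYMMDDHHMMSS.0Z as used by whenCreated."""
    return _utc(dt).strftime("%Y%m%d%H%M%S.0Z")

def stale_password_filter(now, days=90):
    # pwdLastSet at or before the cutoff, excluding the special value 0.
    cutoff = to_filetime(now - timedelta(days=days))
    return f"(&(objectClass=user)(pwdLastSet<={cutoff})(!(pwdLastSet=0)))"

def recent_accounts_filter(now, days=30):
    cutoff = generalized_time(now - timedelta(days=days))
    return f"(&(objectClass=user)(whenCreated>={cutoff}))"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(stale_password_filter(now))
    print(recent_accounts_filter(now))
    # Decode the sample pwdLastSet cutoff shown on this page.
    print(from_filetime(132800000000000000).isoformat())
```

Decoding a cutoff with from_filetime before running the search is a quick check that the value is the date you intended.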

Complex Multi-Condition Query

Find all active users in the Sales department who have email addresses and are members of the CRM-Users group:

Visual builder settings:
AND conditions:
  - objectClass = user
  - objectCategory = person
  - NOT: userAccountControl (bitwise AND) = 2  [not disabled]
  - department = Sales
  - mail = *  [has any email address]
  - memberOf = CN=CRM-Users,OU=Groups,DC=company,DC=com

Generated LDAP filter:
(&
  (objectClass=user)
  (objectCategory=person)
  (!(userAccountControl:1.2.840.113556.1.4.803:=2))
  (department=Sales)
  (mail=*)
  (memberOf=CN=CRM-Users,OU=Groups,DC=company,DC=com)
)

Formatted as a single line for use in LDAP tools:

(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(department=Sales)(mail=*)(memberOf=CN=CRM-Users,OU=Groups,DC=company,DC=com))
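When filters like the ones on this page are assembled in code, any value that comes from user input should be escaped per RFC 4515 so that it is matched literally and cannot change the filter's structure. The following is an added example, not the tool's own code; the helper names are hypothetical, and it rebuilds the multi-condition filter above from parts.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"    # LDAP_MATCHING_RULE_BIT_AND
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN
# RFC 4515: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(value):
    """Escape a literal so it cannot close the filter or add a wildcard."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _attr(name):
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", name):
        raise ValueError(f"bad attribute name: {name!r}")
    return name

def eq(attr, value):
    return f"({_attr(attr)}={escape_value(value)})"

def present(attr):
    return f"({_attr(attr)}=*)"

def contains(attr, text):
    return f"({_attr(attr)}=*{escape_value(text)}*)"

def bit_and(attr, mask):
    return f"({_attr(attr)}:{BIT_AND}:={int(mask)})"

def in_chain(attr, dn):
    return f"({_attr(attr)}:{IN_CHAIN}:={escape_value(dn)})"

def and_(*parts):
    return "(&" + "".join(parts) + ")"

def or_(*parts):
    return "(|" + "".join(parts) + ")"

def not_(part):
    return f"(!{part})"

def active_sales_crm_users():
    return and_(eq("objectClass", "user"), eq("objectCategory", "person"),
                not_(bit_and("userAccountControl", 2)), eq("department", "Sales"),
                present("mail"), eq("memberOf", "CN=CRM-Users,OU=Groups,DC=company,DC=com"))

if __name__ == "__main__":
    print(active_sales_crm_users())
    # Constructed input with filter metacharacters: stays one substring match.
    print(contains("displayName", "Smith)(mail=*"))
```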

Frequently Asked Questions

Simply enter your data, click the process button, and get instant results. All processing happens in your browser for maximum privacy and security.

Yes! LDAP Query Builder is completely free to use with no registration required. All processing is done client-side in your browser.

Absolutely! All processing happens locally in your browser. Your data never leaves your device, ensuring complete privacy and security.