# LDAP Query Reference

Below is a list of LDAP search filters that can be used for reconnaissance of an Active Directory domain. Filters written as `attribute:1.2.840.113556.1.4.803:=mask` use the LDAP_MATCHING_RULE_BIT_AND extensible rule, which matches when every bit of the mask is set in the attribute's integer value. Where a row gives two filters separated by "or", either one targets the listed objects. Note that `memberOf` compares against a group's full distinguished name, so the `CN=...` values in the group table need the rest of the group DN appended.
## Domain Enumeration

| Filter | Description |
|---|---|
| `(objectCategory=domain)` | All domain objects |
| `(primaryGroupID=516)` or `(userAccountControl:1.2.840.113556.1.4.803:=8192)` | All domain controller objects |
| `(primaryGroupID=521)` or `(userAccountControl:1.2.840.113556.1.4.803:=67108864)` | All read-only domain controller objects |
| `(objectClass=trustedDomain)` | All trusted domains |
| `(objectCategory=groupPolicyContainer)` | All group policy objects |
| `(\|(description=*pass*)(comment=*pass*))` | Objects with "pass" (typically a password) in the description or comment |
| `(objectCategory=nTDSDSA)` | Global Catalog servers |
## Account Enumeration

| Filter | Description |
|---|---|
| `(&(objectCategory=person)(objectClass=user))` or `(sAMAccountType=805306368)` | All users |
| `(userAccountControl:1.2.840.113556.1.4.803:=544)` | Objects with the "Password Not Required" flag set |
| `(userAccountControl:1.2.840.113556.1.4.803:=65536)` | Objects with the "Password Never Expires" flag set |
| `(!(UserAccountControl:1.2.840.113556.1.4.803:=2))` | Enabled objects (the disabled flag is not set) |
| `(adminCount=1)` | Members of a protected group (AdminSDHolder) |
| `(\|(accountExpires=0)(accountExpires=9223372036854775807))` | Accounts that never expire |
| `(samAccountName=*)` | Objects with a login account name |
| `(\|(homedirectory=*)(scriptpath=*)(profilepath=*))` | Objects with a home directory, logon script, or profile path |
## Computer Enumeration

| Filter | Description |
|---|---|
| `(objectCategory=Computer)` or `(objectClass=computer)` or `(sAMAccountType=805306369)` | All computers |
| `(primaryGroupID=515)` or `(samAccountName=Domain Computers)` | All domain computers |
| `(objectCategory=server)` or `(objectClass=server)` | All domain servers |
| `(ms-MCS-AdmPwd=*)` | Objects with a LAPS password attribute |
## Group Enumeration

| Filter | Description |
|---|---|
| `(objectCategory=group)` or `(objectClass=group)` | All groups |
| `(sAMAccountType=268435456)` or `(groupType:1.2.840.113556.1.4.803:=2147483648)` | All security groups |
| `(groupType:1.2.840.113556.1.4.803:=2147483656)` | All universal security groups |
| `(groupType:1.2.840.113556.1.4.803:=2147483652)` | All domain local security groups |
| `(groupType:1.2.840.113556.1.4.803:=2147483650)` | All global security groups |
| `(sAMAccountType=268435457)` | All non-security groups |
| `(sAMAccountType=536870912)` | All alias objects |
| `(sAMAccountType=536870913)` | All non-security alias objects |
| `(primaryGroupID=512)` or `(samAccountName=Domain Admins)` | All domain admins |
| `(samAccountName=Backup Operators)` or `(memberOf=CN=Backup Operators)` | All backup operators |
| `(samAccountName=Account Operators)` or `(memberOf=CN=Account Operators)` | All account operators |
| `(samAccountName=Enterprise Admins)` or `(memberOf=CN=Enterprise Admins)` | All enterprise admins |
| `(samAccountName=Group Policy Creator Owners)` or `(memberOf=CN=Group Policy Creator Owners)` | All group policy creator owners |
| `(samAccountName=Server Operators)` or `(memberOf=CN=Server Operators)` | All server operators |
| `(samAccountName=Remote Desktop Users)` or `(memberOf=CN=Remote Desktop Users)` | All remote desktop users |
| `(samAccountName=Distributed COM Users)` or `(memberOf=CN=Distributed COM Users)` | All distributed COM users |
| `(objectcategory=organizationalUnit)` | All OUs |
| `(primarygroupid=*)` | Objects with a primary group ID |
## Kerberos Enumeration

| Filter | Description |
|---|---|
| `(servicePrincipalName=*)` | All objects with an SPN |
| `(userAccountControl:1.2.840.113556.1.4.803:=4194304)` | Objects with Kerberos pre-authentication disabled |
| `(userAccountControl:1.2.840.113556.1.4.803:=2097152)` | Objects with Kerberos DES enabled |
| `(!(userAccountControl:1.2.840.113556.1.4.803:=1048576))` | Objects not marked as "sensitive and cannot be delegated" |
| `(userAccountControl:1.2.840.113556.1.4.803:=524288)` | Objects with unconstrained delegation |
| `(msDS-AllowedToDelegateTo=*)` | Objects with constrained delegation |
| `(msDS-AllowedToActOnBehalfOfOtherIdentity=*)` | Objects with resource-based constrained delegation |
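The account, group and Kerberos tables above all rely on the same filter syntax, and in particular on the bitwise-AND matching rule applied to `userAccountControl` and `groupType`. The following is an added example, not code from the original page: a small RFC 4515 filter parser and evaluator that a defender can run over an offline directory export to audit the same weak settings (password-not-required, pre-authentication disabled, delegation flags) without querying a live domain controller. The directory entries are constructed sample data, the flag names in `UAC_FLAGS` are the documented `userAccountControl` bit names, and `search`/`decode_uac`/`parse_filter` are this example's own helpers.

```python
"""Evaluate LDAP search filters locally against a directory export.

Added example, not part of the reference page. The parser understands the
operators the page's filters use (&, |, !, equality, presence, substring and
the Microsoft bitwise-AND / bitwise-OR extensible matching rules), so the
same filters can be run over an offline export (constructed entries here).
"""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# userAccountControl bits referenced on the page (documented flag names).
UAC_FLAGS = {
    2: "ACCOUNTDISABLE", 32: "PASSWD_NOTREQD", 512: "NORMAL_ACCOUNT",
    8192: "SERVER_TRUST_ACCOUNT", 65536: "DONT_EXPIRE_PASSWORD",
    524288: "TRUSTED_FOR_DELEGATION", 1048576: "NOT_DELEGATED",
    2097152: "USE_DES_KEY_ONLY", 4194304: "DONT_REQ_PREAUTH",
    67108864: "PARTIAL_SECRETS_ACCOUNT",
}

# Constructed sample directory (not real accounts); values mirror AD's types.
SAMPLE_DIRECTORY = [
    {"objectCategory": "person", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "alice", "sAMAccountType": 805306368,
     "userAccountControl": 512, "servicePrincipalName": ["HTTP/app01.corp.example"]},
    {"objectCategory": "person", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "svc_backup", "sAMAccountType": 805306368,
     "userAccountControl": 512 + 32 + 65536 + 4194304,   # weak: no pwd, no preauth
     "description": "Legacy backup job; password kept in runbook"},
    {"objectCategory": "person", "objectClass": ["top", "person", "user"],
     "sAMAccountName": "bob", "sAMAccountType": 805306368,
     "userAccountControl": 512 + 2},                     # disabled account
    {"objectCategory": "computer", "objectClass": ["top", "computer"],
     "sAMAccountName": "DC01$", "sAMAccountType": 805306369,
     "userAccountControl": 8192 + 524288, "primaryGroupID": 516},
]


def decode_uac(value):
    """Return the set of known flag names set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def _parse(s, i):
    """Recursive-descent parse starting at s[i] == '('; returns (node, next index).
    Values containing ')' are not supported, which suffices for the page's filters."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op = s[i + 1]
    if op in ("&", "|"):
        i += 2
        children = []
        while s[i] != ")":
            node, i = _parse(s, i)
            children.append(node)
        return (op, children), i + 1
    if op == "!":
        node, i = _parse(s, i + 2)
        if s[i] != ")":
            raise ValueError("unbalanced NOT filter")
        return ("!", node), i + 1
    j = s.index(")", i)
    attr, _, value = s[i + 1:j].partition("=")
    if attr.endswith(":"):                 # attr:rule:=value (extensible match)
        attr, rule = attr[:-1].split(":", 1)
        return ("ext", attr.lower(), rule, value), j + 1
    if value == "*":
        return ("present", attr.lower()), j + 1
    if "*" in value:
        return ("substr", attr.lower(), value), j + 1
    return ("eq", attr.lower(), value), j + 1


def parse_filter(text):
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _matches(node, entry):
    """entry: dict with lower-cased attribute names and list values."""
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1], entry)
    values = entry.get(node[1])
    if not values:                          # absent attribute never matches
        return False
    if kind == "present":
        return True
    if kind == "eq":
        return any(str(v).lower() == node[2].lower() for v in values)
    if kind == "substr":
        pattern = ".*".join(re.escape(part) for part in node[2].split("*"))
        return any(re.fullmatch(pattern, str(v), re.IGNORECASE) for v in values)
    rule, mask = node[2], int(node[3])
    for v in values:                        # bitwise rules compare integer values
        if rule == LDAP_MATCHING_RULE_BIT_AND and (int(v) & mask) == mask:
            return True
        if rule == LDAP_MATCHING_RULE_BIT_OR and (int(v) & mask) != 0:
            return True
    return False


def search(filter_text, directory=SAMPLE_DIRECTORY):
    """Return the sorted sAMAccountNames of entries matching the filter."""
    node = parse_filter(filter_text)
    hits = []
    for raw in directory:
        entry = {k.lower(): (v if isinstance(v, list) else [v]) for k, v in raw.items()}
        if _matches(node, entry):
            hits.append(raw["sAMAccountName"])
    return sorted(hits)


if __name__ == "__main__":
    for f in ("(userAccountControl:1.2.840.113556.1.4.803:=544)",
              "(userAccountControl:1.2.840.113556.1.4.803:=4194304)",
              "(|(primaryGroupID=516)(userAccountControl:1.2.840.113556.1.4.803:=8192))"):
        print(f, "->", search(f))
```

Running the script shows why the mask `544` (512 + 32) only returns `svc_backup`: the bitwise-AND rule requires every bit of the mask, so an enabled normal account without `PASSWD_NOTREQD` is excluded even though it shares the `512` bit. Pointing `search` at an export of a real domain gives a quick audit list for each weak-setting row in the tables.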