Validating a filter
When specifying an LDAP search filter, you cannot use object properties of the ADSI objects that aren't LDAP database attributes but interface properties of the regarding object.
A list of the affected properties can be viewed in the Self ADSI Scripting Tutorial under the topic 'Object Properties of ADSI Objects'.
An example: If you look for local security groups in the ADS following two flags will have to be set for the group Type attribute: ADS_GROUP_TYPE_LOCAL_GROUP (0x00000004) ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000) The addition of these values is the hex value 0x80000004, calculated in the decimal number 2147483652 - this has to be used in the LDAP filter: (group Type=2147483652) It's a completely different thing if you want to compose filters for attributes whose data types appear as binary hex values (the according data type is often referred to as 'Octet String').
Which attributes are integrated exactly in the ANR search is specified by the attribute search flags in the directory schema.
By doing so, a so-called ANR set of attributes is declared.
Following attributes are part of the ANR set by default: The syntax of ANR filters is as follows: (anr=Philipp) or (anr=p f) or (anr=Foeck) All these filters would find the user 'Foeckeler, Philipp'.
The second one is able to find 'Philipp Foeckeler' as well as 'Fritz Paul'.