3.1.1.3.1.3.1 Search Filters


Active Directory does not support the extensible match rules defined in [RFC2252] section 8, [RFC2256] section 8, and [RFC2798] section 9. Instead, Active Directory exposes the extensible match rules that are defined in section 3.1.1.3.4.4. Other than these rules, the rules that Active Directory uses for comparing values (for example, comparing two String(Unicode) attributes for equality or ordering) are not exposed as extensible match rules. These comparison rules are documented for each syntax type in section 3.1.1.2.2.4. When performing an extensible match search against Active Directory, if the type field of the MatchingRuleAssertion is not specified ([RFC2251] section 4.5.1), the extensible match filter clause is evaluated to "Undefined". The dnAttributes field of the MatchingRuleAssertion is ignored and always treated as if set to FALSE.

Active Directory supports the approxMatch filter clause of [RFC2251] section 4.5.1. However, it is implemented identically to equalityMatch: the filter is TRUE if the values are equal, and no approximation is performed. Filter clauses of the form "(X=Y)" and "(X~=Y)" can be freely substituted for each other.

Active Directory in the Windows 2000 operating system does not implement three-value logic for search filter evaluation as defined in [RFC2251] section 4.5.1. In Windows 2000, filters evaluate to either "TRUE" or "FALSE". Filters that would evaluate to "Undefined", as per the RFC, are instead evaluated to "FALSE". Active Directory in the Windows Server 2003 operating system and later uses three-value logic for evaluating search filters, in conformance with the RFC.

Active Directory does not support constructed attributes (defined in section 3.1.1.4.5) in search filters. When a search operation is performed with such a search filter, Active Directory fails with inappropriateMatching ([RFC2251] section 4.1.10).

Filter clauses of the form (objectClass=*), (distinguishedName=*), (name=*), and (objectGUID=*) always evaluate to TRUE for all objects.

A filter can be constructed recursively such that the filter clause takes the form of another filter. The maximum recursion depth supported by Active Directory is hardcoded to 512.
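
The following Python model is an added example, not code from this specification or from Microsoft. It evaluates a filter tree under the rules above (approxMatch as equalityMatch, the always-TRUE presence clauses, the depth limit of 512) and shows why a negated Undefined clause selects different objects under two-value and three-value logic. The tuple representation, the function names, counting the outermost filter as depth 1, and collapsing Undefined to FALSE at the clause itself in two-value mode are all assumptions of this sketch.

```python
# Added illustration, not Microsoft's code. Filters are hypothetical tuple trees;
# values are compared as exact strings, not by AD's per-syntax comparison rules.
TRUE, FALSE, UNDEF = "TRUE", "FALSE", "Undefined"
ALWAYS_PRESENT = {"objectclass", "distinguishedname", "name", "objectguid"}
MAX_DEPTH = 512  # maximum filter recursion depth stated on the page


def evaluate(flt, entry, three_valued=True, depth=1):
    """Return TRUE/FALSE/Undefined for a filter tree against entry (attr -> values)."""
    if depth > MAX_DEPTH:
        raise ValueError("filter nested deeper than 512")
    op, args = flt[0], flt[1:]
    if op in ("and", "or"):
        results = [evaluate(f, entry, three_valued, depth + 1) for f in args]
        decisive = FALSE if op == "and" else TRUE  # one such child decides the set
        if decisive in results:
            return decisive
        if UNDEF in results:
            return UNDEF
        return TRUE if op == "and" else FALSE
    if op == "not":
        inner = evaluate(args[0], entry, three_valued, depth + 1)
        return UNDEF if inner == UNDEF else (TRUE if inner == FALSE else FALSE)
    if op in ("eq", "approx"):  # approxMatch is implemented as equalityMatch
        attr, value = args
        return TRUE if value in entry.get(attr.lower(), []) else FALSE
    if op == "present":
        attr = args[0].lower()
        return TRUE if attr in ALWAYS_PRESENT or attr in entry else FALSE
    if op == "ext":  # args: (type or None, matching rule, value)
        if args[0] is None:  # no type field: the clause is Undefined
            return UNDEF if three_valued else FALSE  # assumed per-clause collapse
        raise ValueError("typed extensible match is not modelled in this sketch")
    raise ValueError("unknown filter operator: %r" % (op,))


def matches(flt, entry, three_valued=True):
    """An entry is returned only when the whole filter evaluates to TRUE."""
    return evaluate(flt, entry, three_valued) == TRUE


if __name__ == "__main__":
    # Constructed sample: a negated extensible match clause with no type field.
    entry = {"samaccountname": ["alice"]}
    flt = ("not", ("ext", None, "<matching-rule-oid>", "2"))
    print("three-value:", matches(flt, entry, True))   # NOT Undefined stays Undefined
    print("two-value:  ", matches(flt, entry, False))  # NOT FALSE becomes TRUE
```

Code that relies on a negated filter to exclude objects should therefore be checked against the evaluation mode of the server it runs against.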