Here is some more information about specifying a filter:

The search filter specifies all conditions that must be met for a record to be included in the RecordSet. Each condition is in the form of a conditional statement, such as "(cn=TestUser)", which has a boolean result. Each such condition is enclosed in parenthesis. The general form of a condition is an attribute and a value separated by an operator, which is usually the equals sign "=". Other operators that can separate attributes and values are ">=", and "<=" (the operators "<" and ">" are not supported). Conditions can be combined using the following operators.

& - The "And" operator (the ampersand). All conditions operated by "&" must be met in order for a record to be included.

| - The "Or" operator (the pipe symbol). Any condition operated by "|" must be met for the record to be included.

! - The "Not" operator (the exclamation point). The condition must return False to be included.

Conditions can be nested using parenthesis. In addition, you can use the "*" wildcard character in the search filter.

Search filter examples:

To return all user objects with cn (Common Name) beginning with the string "Joe":
"(&(objectCategory=person)(objectClass=user)(cn=Joe*))"

To return all computer objects with no entry for description:
"(&(objectCategory=computer)(!description=*))"

To return all user and contact objects:
"(objectCategory=person)"

To return all group objects with any entry for description:
"(&(objCategory=group)(description=*))"

To return all groups with cn starting with "Test" or "Admin":
"(&(objectCategory=group)(|(cn=Test*)(cn=Admin*)))"

To retrieve the object with GUID = "90395FB99AB51B4A9E9686C66CB18D99":
"(objectGUID=\90\39\5F\B9\9A\B5\1B\4A\9E\96\86\C6\6C\B1\8D\99)"

To return all users with "Password Never Expires" set:
"(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

To return all users with disabled accounts:
"(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

To return all distribution groups:
"(&(objectCategory=group)(!groupType:1.2.840.113556.1.4.803:2147483648))"

To return all users with "Allow access" checked on the "Dial-in" tab of the user properties dialog of Active Directory Users & Computers. This is all users allowed to dial-in. Note that "TRUE" is case sensitive:
"(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))"

To return all user objects created after a specified date (09/01/2002):
"(&(objectCategory=person)(objectClass=user)(whenCreated>=20020901000000.0Z))"

To return all users that must change their password the next time they logon:
"(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))"