diff --git a/modules/post/windows/gather/enum_ad_groups.rb b/modules/post/windows/gather/enum_ad_groups.rb
index ade732c27a..f39cdca71b 100644
--- a/modules/post/windows/gather/enum_ad_groups.rb
+++ b/modules/post/windows/gather/enum_ad_groups.rb
@@ -32,6 +32,7 @@ class Metasploit3 < Msf::Post
 
     register_options([
       OptString.new('ADDITIONAL_FIELDS', [false, 'Additional fields to retrieve, comma separated', nil]),
+      OptString.new('FILTER', [false, 'Customised LDAP filter', nil]),
     ], self.class)
   end
 
@@ -46,7 +47,9 @@ class Metasploit3 < Msf::Post
     max_search = datastore['MAX_SEARCH']
 
     begin
-      q = query('(objectClass=group)', max_search, @user_fields)
+      f = ""
+      f = "(#{datastore['FILTER']})" if datastore['FILTER']
+      q = query("(&(objectClass=group)#{f})", max_search, @user_fields)
     rescue ::RuntimeError, ::Rex::Post::Meterpreter::RequestError => e
       # Can't bind or in a network w/ limited accounts
       print_error(e.message)
diff --git a/modules/post/windows/gather/enum_ad_users.rb b/modules/post/windows/gather/enum_ad_users.rb
index 2fc5ed7779..48b8e86e62 100644
--- a/modules/post/windows/gather/enum_ad_users.rb
+++ b/modules/post/windows/gather/enum_ad_users.rb
@@ -47,6 +47,7 @@ class Metasploit3 < Msf::Post
       OptBool.new('EXCLUDE_LOCKED', [true, 'Exclude in search locked accounts..', false]),
       OptBool.new('EXCLUDE_DISABLED', [true, 'Exclude from search disabled accounts.', false]),
       OptString.new('ADDITIONAL_FIELDS', [false, 'Additional fields to retrieve, comma separated', nil]),
+      OptString.new('FILTER', [false, 'Customised LDAP filter', nil]),
       OptString.new('GROUP_MEMBER', [false, 'Recursively list users that are effectve members of the group DN specified.', nil]),
       OptEnum.new('UAC', [true, 'Filter on User Account Control Setting.', 'ANY',
                           [
@@ -146,6 +147,7 @@ class Metasploit3 < Msf::Post
     inner_filter << '(!(lockoutTime>=1))' if datastore['EXCLUDE_LOCKED']
     inner_filter << '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' if datastore['EXCLUDE_DISABLED']
     inner_filter << "(memberof:1.2.840.113556.1.4.1941:=#{datastore['GROUP_MEMBER']})" if datastore['GROUP_MEMBER']
+    inner_filter << "(#{datastore['FILTER']})" if datastore['FILTER']
     case datastore['UAC']
       when 'ANY'
       when 'NO_PASSWORD'