diff --git a/.env.example b/.env.example index 9581358e1d..7e3fd239df 100644 --- a/.env.example +++ b/.env.example @@ -185,6 +185,16 @@ LDAP_PASSWORD=super_secret LDAP_AUTH_FIELD=uid +# +# If you wish to only authenticate users from a specific group, use the +# group filter. Leave empty or remove if not in use. +# +# Example: cn=Administrators,dc=local,dc=com +# +# The group filter will only be applied after the user is authenticated. +# +LDAP_GROUP_FILTER= + # # Remote user guard settings # diff --git a/app/Ldap/Rules/UserDefinedRule.php b/app/Ldap/Rules/UserDefinedRule.php new file mode 100644 index 0000000000..70c2c1c817 --- /dev/null +++ b/app/Ldap/Rules/UserDefinedRule.php @@ -0,0 +1,30 @@ +user->groups()->recursive()->exists($administrators); + } + + return true; + } +} diff --git a/config/auth.php b/config/auth.php index e9fa206dd4..f042c7fb1f 100644 --- a/config/auth.php +++ b/config/auth.php @@ -22,6 +22,7 @@ declare(strict_types=1); use FireflyIII\Ldap\AttributeHandler; +use FireflyIII\Ldap\Rules\UserDefinedRule; return [ /* @@ -109,7 +110,9 @@ return [ 'driver' => 'ldap', //'model' => LdapRecord\Models\ActiveDirectory\User::class, 'model' => LdapRecord\Models\OpenLDAP\User::class, - 'rules' => [], + 'rules' => [ + UserDefinedRule::class + ], 'database' => [ 'model' => FireflyIII\User::class, 'sync_passwords' => false, diff --git a/config/ldap.php b/config/ldap.php index ace62f4df5..4a0ab707fd 100644 --- a/config/ldap.php +++ b/config/ldap.php @@ -37,6 +37,8 @@ return [ 'default' => env('LDAP_CONNECTION', 'default'), + 'group_filter' => env('LDAP_GROUP_FILTER'), + /* |-------------------------------------------------------------------------- | LDAP Connections
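Review bot: The setting is called a "filter" but the documented value `cn=Administrators,dc=local,dc=com` is a group distinguished name, not an LDAP search filter such as `(memberOf=...)`, and an operator who pastes a filter expression here gets a lookup that silently never matches. I would say so in the comment: `# Value is the full DN of the group to require (not an LDAP search filter expression).` The sentence "applied after the user is authenticated" is worth spelling out too: the LDAP bind with the user's credentials succeeds and only then is the login rejected by the group check, so non-members are still credential-verified against the directory. Finally the comment should state the fail-open default explicitly, i.e. that with the value empty or absent every user the directory authenticates is accepted.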
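Review bot: The group check should fail closed when the configured group cannot be resolved; in this rendering the file is truncated from the `<?php` header up to `user->groups()->recursive()->exists($administrators);`, so how `$administrators` is obtained is not visible, but if it is looked up from `config('ldap.group_filter')` and that lookup returns null on a mistyped DN, LdapRecord's relation `exists()` with no model argument only tests whether the user has any group at all, which would admit every authenticated user. Before the `exists()` call I would add `if (null === $administrators) { return false; }` with a comment that a group DN which does not resolve denies login rather than disabling the filter. The trailing `return true;` is the intended no-filter case and matches the .env documentation, but the condition guarding it is not visible here, so confirm it treats both an unset variable (null) and an empty string as "not in use". `$administrators` is also a misleading local name for an operator-chosen group; `$requiredGroup` would read better.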
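Review bot: `env('LDAP_GROUP_FILTER')` yields null when the variable is removed and `''` when it is left empty, yet .env.example tells operators both mean "not in use"; unless the consuming rule normalises both, one of the two spellings ends up compared against a group that does not exist. Giving the key a default, `'group_filter' => env('LDAP_GROUP_FILTER', ''),`, makes the two cases identical at the config layer, and a short comment above it, `// DN of the LDAP group a user must belong to; empty disables the check`, documents the contract where the other settings in this file are documented. The rule that reads this key is not in this hunk, so how it is consumed is inferred.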