diff --git a/src/routes/users.js b/src/routes/users.js
index 83acf455b..d00256fcd 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -91,7 +91,9 @@ function list(req, res, next) {
 var perPage = typeof req.query.per_page !== 'undefined'? parseInt(req.query.per_page) : 25;
 if (!perPage || perPage < 0) return next(new HttpError(400, 'per_page query param has to be a postive number'));
- users.getAllPaged(page, perPage, function (error, results) {
+ if (req.query.search && typeof req.query.search !== 'string') return next(new HttpError(400, 'search must be a string'));
+
+ users.getAllPaged(req.query.search || null, page, perPage, function (error, results) {
 if (error) return next(new HttpError(500, error));
 results = results.map(users.removeRestrictedFields);
diff --git a/src/test/database-test.js b/src/test/database-test.js
index 9aec6ffdc..f0d728194 100644
--- a/src/test/database-test.js
+++ b/src/test/database-test.js
@@ -523,7 +523,7 @@ describe('database', function () {
 });
 it('can get all with group ids paged', function (done) {
- userdb.getAllWithGroupIdsPaged(1, 2, function (error, all) {
+ userdb.getAllWithGroupIdsPaged(null, 1, 2, function (error, all) {
 expect(error).to.not.be.ok();
 expect(all.length).to.equal(2);
@@ -537,7 +537,7 @@ describe('database', function () {
 userCopy.groupIds = [];
 expect(all[1]).to.eql(userCopy);
- userdb.getAllWithGroupIdsPaged(2, 2, function (error, all) {
+ userdb.getAllWithGroupIdsPaged(null, 2, 2, function (error, all) {
 expect(error).to.not.be.ok();
 expect(all.length).to.equal(1);
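Review bot: The new `search` guard in `list` checks only the type, so a term of any length the HTTP layer accepts is forwarded to `users.getAllPaged`. Per the userdb.js hunk of this commit it ends up inside a leading-wildcard `LIKE`, which presumably cannot use an index on `users.username`. Consider bounding it next to the type check, for example `if (req.query.search && req.query.search.length > 256) return next(new HttpError(400, 'search is too long'));` (256 is an illustrative limit, not a project value). The body of `list` starts and ends outside the hunk, so any earlier validation is not visible here.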
@@ -552,6 +552,21 @@ describe('database', function () {
 });
 });
+ it('can get all with group ids paged and search', function (done) {
+ userdb.getAllWithGroupIdsPaged('id1', 1, 2, function (error, all) {
+ expect(error).to.not.be.ok();
+ expect(all.length).to.equal(1);
+
+ var userCopy;
+
+ userCopy = _.extend({}, USER_1);
+ userCopy.groupIds = [];
+ expect(all[0]).to.eql(userCopy);
+
+ done();
+ });
+ });
+
 it('can get all admins', function (done) {
 userdb.getAllAdmins(function (error, all) {
 expect(error).to.not.be.ok();
diff --git a/src/userdb.js b/src/userdb.js
index 0516d99ae..670686982 100644
--- a/src/userdb.js
+++ b/src/userdb.js
@@ -21,7 +21,8 @@ exports = module.exports = {
 var assert = require('assert'),
 database = require('./database.js'),
 debug = require('debug')('box:userdb'),
- DatabaseError = require('./databaseerror');
+ DatabaseError = require('./databaseerror'),
+ mysql = require('mysql');
 var USERS_FIELDS = [ 'id', 'username', 'email', 'fallbackEmail', 'password', 'salt', 'createdAt', 'modifiedAt', 'resetToken', 'displayName', 'twoFactorAuthenticationEnabled', 'twoFactorAuthenticationSecret', 'admin' ].join(',');
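Review bot: The added test 'can get all with group ids paged and search' covers only a plain alphanumeric term (`'id1'`) that matches one user. Nothing pins the result for a term with no match, or for a term containing a quote or a LIKE wildcard, which is where the string-built WHERE clause in userdb.js is most likely to regress. Add a second case such as `userdb.getAllWithGroupIdsPaged("o'%_", 1, 2, function (error, all) { ... })` expecting no error and `all.length` equal to 0. The sample term is constructed and assumes no fixture username contains that literal text; the zero count also requires `%` and `_` to be escaped in userdb.js, since with the pattern built as in this commit the term still matches usernames that merely contain `o'`.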
@@ -116,16 +117,17 @@ function getAllWithGroupIds(callback) {
 });
 }
-function getAllWithGroupIdsPaged(page, perPage, callback) {
+function getAllWithGroupIdsPaged(search, page, perPage, callback) {
+ assert(typeof search === 'string' || search === null);
 assert.strictEqual(typeof page, 'number');
 assert.strictEqual(typeof perPage, 'number');
 assert.strictEqual(typeof callback, 'function');
- var query = `SELECT ${USERS_FIELDS},GROUP_CONCAT(groupMembers.groupId) AS groupIds
- FROM users LEFT OUTER JOIN groupMembers ON users.id = groupMembers.userId
- GROUP BY users.id
- ORDER BY users.username
- ASC LIMIT ${(page-1)*perPage},${perPage}`;
+ var query = `SELECT ${USERS_FIELDS},GROUP_CONCAT(groupMembers.groupId) AS groupIds FROM users LEFT OUTER JOIN groupMembers ON users.id = groupMembers.userId `;
+
+ if (search) query += ' WHERE (users.username LIKE ' + mysql.escape(`%${search}%`) + ') ';
+
+ query += ` GROUP BY users.id ORDER BY users.username ASC LIMIT ${(page-1)*perPage},${perPage} `;
 database.query(query, function (error, results) {
 if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
diff --git a/src/users.js b/src/users.js
index cbdadd29e..3167a8c35 100644
--- a/src/users.js
+++ b/src/users.js
@@ -315,12 +315,13 @@ function getAll(callback) {
 });
 }
-function getAllPaged(page, perPage, callback) {
+function getAllPaged(search, page, perPage, callback) {
+ assert(typeof search === 'string' || search === null);
 assert.strictEqual(typeof page, 'number');
 assert.strictEqual(typeof perPage, 'number');
 assert.strictEqual(typeof callback, 'function');
- userdb.getAllWithGroupIdsPaged(page, perPage, function (error, results) {
+ userdb.getAllWithGroupIdsPaged(search, page, perPage, function (error, results) {
 if (error) return callback(new UsersError(UsersError.INTERNAL_ERROR, error));
 return callback(null, results);
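Review bot: In the added `if (search)` line of `getAllWithGroupIdsPaged`, `mysql.escape` quotes the value as a string literal but leaves the LIKE metacharacters `%` and `_` active. A search for `_` or `%` therefore matches every username rather than the literal character, and callers can supply their own wildcard patterns. Neutralise them before building the pattern, e.g. `var pattern = '%' + search.replace(/[\\%_]/g, '\\$&') + '%';` and then `query += ' WHERE (users.username LIKE ' + mysql.escape(pattern) + ') ';`. The `LIMIT` values are still interpolated directly and rely on the `typeof ... 'number'` asserts alone, so a short comment saying that those asserts are the only guard on that interpolation would help the next editor. The function body continues past the end of the hunk.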