Active Directory Powershell – Advanced Filter


Here is the list of supported operators in Active Directory Powershell Advanced Filter:

Logical operator   Description                                                              Equivalent LDAP operator/expression
-eq                Equal to. Does not support wildcard search.                              =
-ne                Not equal to. Does not support wildcard search.                          !(x=y)
-like              Like -eq, but supports wildcard comparison; the only wildcard is *.      =
-notlike           Not like. Supports wildcard comparison.                                  !(x=y)
-approx            Approximately equal to                                                   ~=
-le                Lexicographically less than or equal to                                  <=
-lt                Lexicographically less than                                              !(x>=y)
-ge                Lexicographically greater than or equal to                               >=
-gt                Lexicographically greater than                                           !(x<=y)
-and               AND                                                                      &
-or                OR                                                                       |
-not               NOT                                                                      !
-bor               Bitwise OR                                                               :1.2.840.113556.1.4.804:=
-band              Bitwise AND                                                              :1.2.840.113556.1.4.803:=
-recursivematch    Uses LDAP_MATCHING_RULE_IN_CHAIN (Windows Server 2003 SP2 and above)     :1.2.840.113556.1.4.1941:=

Example 1: Get all entries

        Get-ADObject -Filter { ObjectClass -like "*" }

        LDAP Filter Equivalent: (objectClass=*)

Example 2: Get entries containing "bob" somewhere in the common name

        Get-ADObject -Filter { CN -like "*bob*" }

        LDAP Filter Equivalent: (cn=*bob*)

Example 3: Get entries with a bad password count of five or more

        Get-ADUser -Filter { badpwdcount -ge 5 }

        LDAP Filter Equivalent: (badpwdcount>=5)

Example 4: Get all users with an e-mail attribute

        Get-ADUser -Filter { email -like "*" }

        -or-

        Get-ADObject -Filter { email -like "*" -and ObjectClass -eq "user" }

        LDAP Filter Equivalent: (&(objectClass=user)(email=*))

Example 5: Get all user entries with an e-mail attribute and a surname equal to "smith"

        Get-ADUser -Filter { Email -like "*" -and Surname -eq "smith" }

        -or-

        Get-ADUser -Filter { Email -like "*" -and sn -eq "smith" }

        LDAP Filter Equivalent: (&(sn=smith)(objectClass=user)(email=*))

Example 6: Get all user entries with a common name that starts with "andy", plus users with a common name of "steve" or "margaret"

        Get-ADUser -Filter { CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret" }

        -or-

        Get-ADObject -Filter { objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret") }

        LDAP Filter Equivalent: (&(objectClass=user)(|(cn=andy*)(cn=steve)(cn=margaret)))

Example 7: Get all entries without an e-mail attribute

        Get-ADUser -Filter { -not Email -like "*" }

        -or-

        Get-ADUser -Filter { Email -notlike "*" }

        LDAP Filter Equivalent: (!(email=*))

Example 8: Get all users who have not logged on since January 1, 2007

        $date = New-Object System.DateTime -ArgumentList @(2007,1,1,0,0,0)
        Get-ADUser -Filter { LastLogon -le $date }

        ## NOTE: A user who has never logged on has no lastLogon value at all, so this comparison does not return that user; combine it with the "attribute absent" test from Example 7 if those accounts matter.

        LDAP Filter Equivalent: (&(lastlogon<=X)(objectClass=user))   ## where X is the number of 100-nanosecond intervals since January 1, 1601 (the FILETIME value of $date)

Example 9: Get all users who have logged on in the last 5 days

        $date = (Get-Date) - (New-TimeSpan -Days 5)
        Get-ADUser -Filter { lastLogon -gt $date }

        LDAP Filter Equivalent: (&(lastLogon>=128812906535515110)(objectClass=user)(!(objectClass=computer)))

Example 10: Get all security groups

The following example query string searches for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag (0x80000000 = 2147483648) set.

        Get-ADGroup -Filter { groupType -band 0x80000000 }

        -or-

        Get-ADGroup -Filter { GroupCategory -eq "Security" }

        LDAP Filter Equivalent: (&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))

Example 11: Check if a user is a member of a group (recursively)

The following example query string uses LDAP_MATCHING_RULE_IN_CHAIN, a matching rule OID designed to provide a method to look up the ancestry of an object.

        Get-ADUser -Filter { memberOf -RecursiveMatch "CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com" } -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" -SearchScope Base

        ## NOTE: The above command returns the user object (Administrator in this case) only if the group is found, directly or through nested groups, in the user's memberOf chain; with -SearchScope Base on the user's own DN it is effectively a yes/no membership test.

        -or-

        $userObj = Get-ADUser Administrator
        $groupObj = Get-ADGroup Administrators
        Get-ADUser -Filter { memberOf -RecursiveMatch $groupObj.DistinguishedName } -SearchBase $userObj.DistinguishedName -SearchScope Base

        LDAP Filter Equivalent: (memberOf:1.2.840.113556.1.4.1941:=CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com)
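As an added example that is not part of the original post, the following script combines the date comparison of Examples 8 and 9, the -band flag test of Example 10 and the -RecursiveMatch lookup of Example 11 into one audit query: enabled accounts in a privileged group that are stale or have never logged on. The group DN, search base and 90-day threshold are assumed values.

```powershell
# Added example, not part of the original post. Assumed values: the group DN,
# the search base and the 90-day threshold; adjust them for your own forest.
Import-Module ActiveDirectory

$privGroupDn = 'CN=Domain Admins,CN=Users,DC=Fabrikam,DC=com'   # assumed
$searchBase  = 'DC=Fabrikam,DC=com'                             # assumed
$staleBefore = (Get-Date).AddDays(-90)

# Date comparison as in Examples 8 and 9, but on lastLogonTimestamp: unlike
# lastLogon it is replicated (updated at most every ~14 days), so one DC can
# answer for the whole domain. The DateTime is converted to a FILETIME value.
# userAccountControl bit 0x2 is ACCOUNTDISABLE; -band tests that single flag
# (LDAP matching rule 1.2.840.113556.1.4.803, as in Example 10).
$stale = @(Get-ADUser -SearchBase $searchBase -Properties lastLogonTimestamp -Filter {
    (lastLogonTimestamp -le $staleBefore) -and -not (userAccountControl -band 2)
})

# Accounts that never logged on carry no lastLogonTimestamp, so the comparison
# above cannot match them; the "attribute absent" test of Example 7 catches them.
$never = @(Get-ADUser -SearchBase $searchBase -Filter {
    (lastLogonTimestamp -notlike "*") -and -not (userAccountControl -band 2)
})

# -RecursiveMatch (Example 11) makes the DC walk nested groups server-side, so
# members reached only through a nested group are still returned.
$privDns = @(Get-ADUser -Filter { memberOf -RecursiveMatch $privGroupDn }).DistinguishedName

# Intersect the sets: enabled, privileged accounts that are stale or never used.
$stale + $never |
    Where-Object { $privDns -contains $_.DistinguishedName } |
    Select-Object SamAccountName, Enabled, @{
        n = 'LastLogonTimestamp'
        e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } }
    }
```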
