How can I use complex filter expressions for Get-ChildItem in the ActiveDirectory AD: drive?

  • Question

  • I'd like to use a complex LDAP filter query, like "|(cn=*name*)(samaccountname=*xxx*)".

    PS AD:\DC=global,DC=loc> Get-ChildItem -Recurse -Filter "|(cn=*name*)(samaccountname=*xxx*)"

    throws an error "search filter not recognized".

    How can I provide a complex LDAP filter query to Get-ChildItem and other cmdlets?

    Thursday, June 20, 2019 3:01 PM


All replies

  • 1. The error message tells you the problem. The search filter is not valid. The LDAP syntax you are using is not correct. You need to enclose the expression within ( ).

    2. You don't need to use the AD drive to search Active Directory.

    3. You might be interested in ANR (ambiguous name resolution). Example:

    Get-ADObject -LDAPFilter "(anr=partialnamestring)"

    See for more information about ANR.

    -- Bill Stewart [Bill_Stewart]

    Thursday, June 20, 2019 3:29 PM
  • Alternatively, you can use the activedirectory module and do the following:

    Get-ADObject -LDAPFilter "Filter" -SearchBase "Searchbase"

    Please remember to mark the post(s), which answered your question.

    Thursday, June 20, 2019 3:34 PM
  • From any prompt location.

     Get-ChildItem 'AD:\DC=global,DC=loc'  -Filter '(|(name=*aaaa*)(samaccountname=*xxxx*))' -Recurse

    This is the same as Bill's Get-AdObject but returns a different object and format. It does not return a user object.


    • Edited by jrv Thursday, June 20, 2019 4:03 PM
    Thursday, June 20, 2019 3:53 PM
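
The corrected filter in the replies above wraps the whole OR expression in parentheses. As an added example (not code from any poster in this thread), the following PowerShell builds such a filter from attribute/substring pairs and escapes the RFC 4515 special characters in each value, so a search term containing parentheses or an asterisk cannot change the filter's structure. The function names ConvertTo-LdapFilterValue and New-LdapOrSubstringFilter are hypothetical.

```powershell
# Added example; not code from the thread. Function names are hypothetical.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # RFC 4515: \ * ( ) and NUL inside a value must be written as \XX (hex),
    # otherwise they are parsed as filter syntax instead of literal text.
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function New-LdapOrSubstringFilter {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Terms)
    $clauses = foreach ($attr in ($Terms.Keys | Sort-Object)) {
        # Attribute names cannot be escaped, so allow only a plain descriptor.
        if ($attr -notmatch '^[A-Za-z][A-Za-z0-9-]*$') {
            throw "Invalid attribute name: $attr"
        }
        '({0}=*{1}*)' -f $attr, (ConvertTo-LdapFilterValue $Terms[$attr])
    }
    # Prefix notation: the operator comes first and the whole expression,
    # like every clause inside it, sits in its own pair of parentheses.
    '(|{0})' -f (-join $clauses)
}

# Values from the question.
$filter = New-LdapOrSubstringFilter @{ cn = 'name'; samaccountname = 'xxx' }

# Constructed input containing the filter metacharacters ( ) and *.
$escaped = New-LdapOrSubstringFilter @{ cn = 'Smith (Ops)*' }

$filter
$escaped

# Run the query only where the ActiveDirectory module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADObject -LDAPFilter $filter -SearchBase 'DC=global,DC=loc'
    Get-ChildItem 'AD:\DC=global,DC=loc' -Filter $filter -Recurse
}
```
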
  • That's pretty cool.  But you don't want to use get-aduser?
    Thursday, June 20, 2019 8:30 PM
  • Thanks so much for all your valuable and informative answers!

    I was used to utilizing Get-AdObject, but I'm keen to see how this different syntax approach might perhaps yield some benefits.

    Friday, June 21, 2019 1:58 AM