get-aduser -filter { DistinguishedName -notlike .... does not work!

  • Question

  • Hello

    Does anyone have an explanation of why this command does not work?

    I want to make it work without using LDAPFilter.

    get-aduser -filter { DistinguishedName -notlike "*OU=Cloud,DC=cloud,DC=local" } 

    I get no results.

    If I run with -filter * I get:

    DistinguishedName : CN=svcsc2012,OU=Cloud,DC=cloud,DC=local
    Enabled           : True
    GivenName         : svcsc2012
    Name              : svcsc2012
    ObjectClass       : user
    ObjectGUID        : 8fa5a111-243e-42f3-9570-b11b9fbcb6ef
    SamAccountName    : svcsc2012
    SID               : S-1-5-21-3106746516-1520913103-3519165319-1108
    Surname           : 
    UserPrincipalName : svcsc2012@cloud.local

    DistinguishedName : CN=User1,CN=Users,DC=cloud,DC=local
    Enabled           : True
    GivenName         : User1
    Name              : User1
    ObjectClass       : user
    ObjectGUID        : 0eadc81c-de9b-4f49-b2c5-9289280b21e7
    SamAccountName    : User1
    SID               : S-1-5-21-3106746516-1520913103-3519165319-2103
    Surname           : 
    UserPrincipalName : User1@cloud.local

    So how come the -notlike does not work?

    I tried with -like also, same result.

    Thank you :)



    Best Regards
    Jakob Gottlieb Svendsen
    Trainer/Consultant - Coretech A/S - Blog
    MCT - MCTS - VB.NET - C#.NET - Powershell - VBScript Mastering System Center Orchestrator 2012 - 3 day workshop - worldwide training click here


    Wednesday, December 11, 2013 6:02 PM
    Moderator

Answers

  • Well, you could call Get-ADOrganizationalUnit, then make a separate call to Get-ADUser (with a SearchScope of OneLevel) for each one that isn't on your blacklist.  Depending on how many users and OUs you're talking about, though, that might run even slower than using Where-Object, because of all the extra round-trip queries involved.

    It looks like I may not be remembering correctly about DN being a constructed attribute.  I did find this old TechNet wiki article from Richard Mueller, though: http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

    He says: "The wildcard character "*" is allowed, except when the <AD Attribute> is a DN attribute. Examples of DN attributes are distinguishedName, manager, directReports, member, and memberOf. If the attribute is DN, then only the equality operator is allowed and you must specify the full distinguished name for the value (or the "*" character for all objects with any value for the attribute). Do not enclose the DN value in parentheses (as is done erroneously in some documentation)."

    I don't know the reasoning behind this, but there you go. 


    Wednesday, December 11, 2013 6:24 PM
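The two approaches weighed in the answer above, written out as an added example (this is not code from the thread or from Microsoft). It assumes the RSAT ActiveDirectory module and the domain from the question (DC=cloud,DC=local, with OU=Cloud as the subtree to leave out); the function names, the recursion and the timing code are mine. One caveat worth stating plainly: the rule quoted from Richard Mueller applies to -LDAPFilter just as much as to -Filter, because distinguishedName has DN syntax and AD does not evaluate substring filters on DN-syntax attributes, so `(!(distinguishedName=*,OU=Cloud,DC=cloud,DC=local))` returns no objects either. Neither parameter can express "everything except this subtree" in a single query; you either walk the tree server-side or filter client-side.

```powershell
# Added example, not code from the thread.
# Assumes the RSAT ActiveDirectory module and the domain used in the question.
Import-Module ActiveDirectory

$ExcludedOu = 'OU=Cloud,DC=cloud,DC=local'   # subtree to leave out (from the question)
$DomainDn   = (Get-ADDomain).DistinguishedName

# Server-side variant: never query the excluded subtree at all.
# If the excluded OU is NOT under $SearchBase, one Subtree query covers it.
# If it IS, take the users sitting directly in $SearchBase (OneLevel) and
# recurse into every child OU or container except the excluded one.
# Get-ADObject is used instead of Get-ADOrganizationalUnit because default
# containers such as CN=Users (where User1 lives in the question) are not OUs
# and would otherwise be skipped.
function Get-ADUserExcludingSubtree {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $ExcludedDn
    )

    $insideBase = $ExcludedDn.EndsWith(",$SearchBase", [System.StringComparison]::OrdinalIgnoreCase)
    if (-not $insideBase) {
        Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree
        return
    }

    Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope OneLevel

    Get-ADObject -Filter 'ObjectClass -eq "organizationalUnit" -or ObjectClass -eq "container"' `
                 -SearchBase $SearchBase -SearchScope OneLevel |
        Where-Object { $_.DistinguishedName -ne $ExcludedDn } |   # -ne is case-insensitive
        ForEach-Object {
            Get-ADUserExcludingSubtree -SearchBase $_.DistinguishedName -ExcludedDn $ExcludedDn
        }
}

# Client-side variant: one paged query; the DC returns every user and the
# exclusion happens in the pipeline. -notlike works here because it is the
# PowerShell string operator, not an LDAP substring filter on a DN attribute.
function Get-ADUserExcludingSubtreeClientSide {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $ExcludedDn
    )
    Get-ADUser -Filter * -SearchBase $SearchBase -ResultPageSize 500 |
        Where-Object { $_.DistinguishedName -notlike "*,$ExcludedDn" }
}

# Time both; the thread's concern is which one costs the DC more.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$serverSide = @(Get-ADUserExcludingSubtree -SearchBase $DomainDn -ExcludedDn $ExcludedOu)
$serverMs   = $sw.ElapsedMilliseconds
$sw.Restart()
$clientSide = @(Get-ADUserExcludingSubtreeClientSide -SearchBase $DomainDn -ExcludedDn $ExcludedOu)
$clientMs   = $sw.ElapsedMilliseconds

"Server-side walk : {0} users in {1} ms" -f $serverSide.Count, $serverMs
"Client-side pipe : {0} users in {1} ms" -f $clientSide.Count, $clientMs

# Both must agree; anything listed here is a user the walk failed to reach.
$clientSide.DistinguishedName | Where-Object { $_ -notin $serverSide.DistinguishedName }
```

The walk only recurses along the path that contains the excluded OU; every sibling gets a single Subtree query, so the number of round trips is roughly the depth of the excluded OU times the number of siblings at each level, not the number of OUs in the forest. The final comparison is there because the server-side variant is the one that can silently miss objects (for example if users live in a container class the filter does not list), and a script that hands out "all users except X" to other admins should prove it agrees with the brute-force answer before it replaces it.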

All replies

  • As I recall, you can't use DistinguishedName in a filter or LDAP filter, because it's a constructed attribute (or something along those lines).  To filter on distinguishedName, you have to use Where-Object.

    Wednesday, December 11, 2013 6:08 PM
  • Thanks for the reply!

    Ha ha! I have to laugh, not at your reply but at the design of this!

    I have heard about the constructed attributes (or whatever they are called) that cannot be used in the filter, but I did not in my wildest fantasy think that DistinguishedName would be one of them!

    No other property from the default output has the DN in it.

    Where-Object is not an acceptable solution imho since we will put too much load on the server.

    But OK, if it is only one OU that does not have a lot of users in it, then it might be OK.

    How would you, without using LDAPFilter or Where-Object, get all users except the ones in a specific OU?

    (Not using LDAPFilter because it is hard to learn for the users that need to use this script, and I am trying to teach them best practices, which Where-Object is not, especially in Active Directory ;) )


    Best Regards
    Jakob Gottlieb Svendsen

    Wednesday, December 11, 2013 6:14 PM
    Moderator
  • Oh, you found something... I tried too, with no success!

    You win the Google (Bing) war! ;-)

    Thank you so much.

    I don't understand it either, though, and why does the help say nothing about this?

    Oh well, life goes on. I will recommend doing it with LDAPFilter then. :)

    (Edit: I like your suggestion of using Get-ADOrganizationalUnit, but I think you are right about the performance.) ;)


    Best Regards
    Jakob Gottlieb Svendsen


    Wednesday, December 11, 2013 6:33 PM
    Moderator
  • All DN attributes, like distinguishedName, member, memberOf, manager, directReports, etc., can be used in filters but you must specify the full DN value. Wildcards (or the -Like or -NotLike operator) are not allowed.


    Richard Mueller - MVP Directory Services

    Wednesday, December 11, 2013 8:27 PM
    Moderator
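An added example (not code from the thread) of what "full DN value, no wildcards" means in practice for the DN-syntax attribute that matters most in a security review, memberOf. It assumes the ActiveDirectory module and the domain from the question; the group (Domain Admins) is chosen by me as the illustration. The same equality-only rule holds for the LDAP form, which is why the nested-membership query uses the matching-rule-in-chain OID with the full DN rather than any pattern.

```powershell
# Added example, not code from the thread.
# Assumes the ActiveDirectory module; Domain Admins is used as the sample group.
Import-Module ActiveDirectory

$group   = Get-ADGroup -Identity 'Domain Admins' -Properties objectSid
$groupDn = $group.DistinguishedName
# Primary group membership is stored as the group's RID, not in memberOf (see step 5).
$groupRid = [int]($group.objectSid.Value -split '-')[-1]

# 1. Wildcard on a DN-syntax attribute: no error, just no results.
$viaWildcard = @(Get-ADUser -Filter { memberOf -like '*Domain Admins*' })

# 2. Equality against the full DN: direct members only.
$direct = @(Get-ADUser -Filter { memberOf -eq $groupDn })

# 3. Same equality rule, but -RecursiveMatch follows nested groups server-side.
$nested = @(Get-ADUser -Filter { memberOf -RecursiveMatch $groupDn })

# 4. The LDAP spelling of step 3: LDAP_MATCHING_RULE_IN_CHAIN. Still the full DN,
#    still equality. If the DN contained ( ) * or \ it would need LDAP escaping.
$nestedLdap = @(Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)")

# 5. What memberOf never shows: accounts whose primary group IS this group.
#    An account moved into Domain Admins via primaryGroupID has no memberOf entry
#    for it, so an audit based only on memberOf misses it.
$viaPrimaryGroup = @(Get-ADUser -Filter { primaryGroupID -eq $groupRid })

"wildcard (-like)        : $($viaWildcard.Count)"
"direct (-eq full DN)    : $($direct.Count)"
"nested (-RecursiveMatch): $($nested.Count)"
"nested (LDAP in-chain)  : $($nestedLdap.Count)"
"primary group only      : $($viaPrimaryGroup.Count)"

# Effective membership for a privilege review = nested + primary-group accounts.
($nested + $viaPrimaryGroup) | Sort-Object DistinguishedName -Unique |
    Select-Object SamAccountName, Enabled, DistinguishedName | Format-Table -AutoSize
```

Steps 3 and 4 should return the same set; steps 1 and 2 exist to show the failure mode the thread is about (a wildcard on a DN attribute returns nothing rather than an error, which is easy to mistake for "no such members"). Step 5 is the piece people forget when they move from "who is in the group" to "who holds the privilege".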
  • Try this. Look up the full OU DN using Get-ADOrganizationalUnit, then pipe it to SearchBase.

    $OUName = "MY_OU"
    # Resolve the OU's distinguished name from its name
    $DN = (Get-ADOrganizationalUnit -Filter { Name -eq $OUName }).DistinguishedName
    # Search that OU (Subtree is the default scope) and fetch the extra attributes to display
    $users = Get-ADUser -Filter * -SearchBase $DN -Properties Name,LastLogonDate,Enabled,Description
    $users | Select-Object Name,LastLogonDate,Enabled,Description | Format-Table


    Thursday, March 16, 2017 7:18 PM
  • Mike Plichta wrote:

    $OUName = "MY_OU"
    $DN = (Get-ADOrganizationalUnit -filter {Name -eq $OUName}).DistinguishedName
    $users = Get-ADUser -filter * -SearchBase $DN -Properties Name,LastLogonDate,Enabled,Description
    $users | select Name,LastLogonDate,Enabled,Description | ft

    The question was how to exclude objects that sit in a specific DN. This code definitely does not do that.

    -- Bill Stewart [Bill_Stewart]

    Thursday, March 16, 2017 7:52 PM
    Moderator
  • Also, Name does not necessarily uniquely identify the OU. You can have several OUs with the same Relative Distinguished Name. Really, you must specify the full distinguished name of the OU. That is why the -Identity parameter of Get-ADOrganizationalUnit only accepts the GUID or the distinguishedName.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, March 16, 2017 9:36 PM
    Moderator
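An added example (not code from the thread) of the guard Richard Mueller's point calls for: resolve an OU by name only as a convenience, and refuse to continue when the name is missing or matches more than one OU, since `(Get-ADOrganizationalUnit -Filter { Name -eq $OUName }).DistinguishedName` silently becomes an array in that case and -SearchBase then binds the wrong thing or fails. It assumes the ActiveDirectory module; the function name and the OU name MY_OU (taken from the earlier reply) are illustrative.

```powershell
# Added example, not code from the thread.
# Assumes the ActiveDirectory module; 'MY_OU' is the sample name from the reply above.
Import-Module ActiveDirectory

function Resolve-OuDn {
    param([Parameter(Mandatory)] [string] $Name)

    # Name is only the RDN; the same name can exist under several parents,
    # so ask for CanonicalName to show the caller which ones collide.
    $found = @(Get-ADOrganizationalUnit -Filter { Name -eq $Name } -Properties CanonicalName)

    switch ($found.Count) {
        0 { throw "No OU named '$Name' found." }
        1 { return $found[0].DistinguishedName }
        default {
            $candidates = ($found.CanonicalName | Sort-Object) -join "`n  "
            throw "OU name '$Name' is ambiguous; pass the full distinguished name. Candidates:`n  $candidates"
        }
    }
}

# With a unique DN in hand, -Identity (which accepts only GUID or DN) is the
# unambiguous way to bind to the OU; it fails loudly instead of returning nothing.
$ouDn = Resolve-OuDn -Name 'MY_OU'
$ou   = Get-ADOrganizationalUnit -Identity $ouDn

Get-ADUser -Filter * -SearchBase $ou.DistinguishedName -Properties LastLogonDate, Description |
    Select-Object Name, Enabled, LastLogonDate, Description |
    Format-Table -AutoSize
```

The throw on the ambiguous case is deliberate: for a script that other admins will run, picking the first match is how a report ends up covering the wrong OU without anyone noticing.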