Get-QADUser -Filter Conditions

  • Question

  • Hello,

    I am running a script which relies on specific parameters over accounts set in AD, and I'm struggling to add an AND condition on the end of a multiple OR condition.

    Get-QADUser -LdapFilter "(|(Name=Peter) (Department=Sales) (Building=None) (AccountIsDisabled=false) )"

    It works; however, they are all ORs. I need the final "AccountIsDisabled" to be in addition to one of the 3 beforehand, so they either need to have a name Peter, Department Sales or Building None, but in any event they should not be Disabled.

    Any ideas?

    Thanks

    Friday, October 2, 2015 12:16 PM

Answers

  • First, you need to remove the extra spaces. Next, you need to use the correct attributes:

    (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(name=Peter)(department=Sales)(building=None)))

    Translation of the above (all one line):

    (objectCategory=person)(objectClass=user) - find user objects (not contacts)

    (!userAccountControl:1.2.840.113556.1.4.803:=2)  - finds accounts that are not disabled (i.e., enabled)

    The rest of the query string means: "Name is 'Peter', or department is 'Sales', or Building is 'None' ".


    -- Bill Stewart [Bill_Stewart]


    Friday, October 2, 2015 1:21 PM
    Moderator

All replies

  • Hi Tarrley,

    try this:

    "(&(|(Name=Peter) (Department=Sales) (Building=None)) (AccountIsDisabled=false) )"

    Cheers,
    Fred


    There's no place like 127.0.0.1

    • Proposed as answer by Mike Laughlin Friday, October 2, 2015 12:23 PM
    • Unproposed as answer by Mike Laughlin Friday, October 2, 2015 2:27 PM
    Friday, October 2, 2015 12:19 PM
  • I'm afraid that returns no results...

    I also changed the & in case it was interpreting the value wrong:

    "(&(|(Name=Peter) (Department=Sales) (Building=None)) (Type=user) )"

    However this still has no results.

    • Edited by Tarrley Friday, October 2, 2015 12:33 PM Adding Info
    Friday, October 2, 2015 12:26 PM
  • Hi Tarrley,

    argh, I should have checked out the properties you asked for. For your last query, try this instead:

    "(&(|(Name=Peter) (Department=Sales) (Building=None)) (ObjectClass=user) )"

    This should get you the user in question. (Please note that there is probably not a Building property either, unless you extended your AD schema.)

    For a full list of properties open an AD console, enable advanced view and check a user object's properties. It now has a tab "Attribute-Editor", which contains the full list.

    Cheers,
    Fred


    There's no place like 127.0.0.1


    • Edited by FWN Friday, October 2, 2015 1:26 PM
    • Proposed as answer by Mike Laughlin Friday, October 2, 2015 2:28 PM
    Friday, October 2, 2015 1:22 PM
  • Another addition:

    AccountEnabled or something similar isn't actually in the LDAP schema. If you want to know whether it's enabled, you need to query the UserAccountControl property like this:

    "(&(|(Name=Peter) (Department=Sales) (Building=None)) (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) )"

    Cheers,
    Fred


    There's no place like 127.0.0.1

    • Proposed as answer by Mike Laughlin Friday, October 2, 2015 2:28 PM
    Friday, October 2, 2015 1:28 PM
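
The filter shape the answers above arrive at (an AND over "is an enabled user" plus an OR group), as an added example that is not code from any poster in this thread. The function names `ConvertTo-LdapFilterValue` and `New-EnabledUserFilter` are hypothetical helpers, and the account names, `userAccountControl` values and the `Sales (EMEA)` department are constructed sample data. It also escapes the values per RFC 4515, so a value containing `(`, `)`, `*` or `\` cannot alter the filter's structure.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value.
    # The backslash must be handled first, or later escapes would be re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').
           Replace(')', '\29').Replace([string][char]0, '\00')
}

function New-EnabledUserFilter {
    # Builds (&(user object)(not disabled)(|(attr1=v1)(attr2=v2)...)) with no stray spaces.
    param([Parameter(Mandatory)][System.Collections.IDictionary]$AnyOf)
    $orTerms = foreach ($attr in $AnyOf.Keys) {
        # Attribute names are not escaped, so only plain LDAP display names are accepted.
        if ($attr -notmatch '^[A-Za-z][A-Za-z0-9-]*$') {
            throw "Not a valid attribute name: $attr"
        }
        '({0}={1})' -f $attr, (ConvertTo-LdapFilterValue -Value ($AnyOf[$attr]))
    }
    '(&(objectCategory=person)(objectClass=user)' +
        '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
        '(|' + (-join $orTerms) + '))'
}

# What the 1.2.840.113556.1.4.803 (bitwise AND) rule tests: bit 0x2 of
# userAccountControl is ACCOUNTDISABLE. Constructed sample accounts:
$samples = [ordered]@{
    'peter'      = 512      # normal account
    'sales-temp' = 514      # normal account + disabled
    'svc-sales'  = 66048    # normal account + password never expires
    'old-admin'  = 66050    # same as above + disabled
}
foreach ($name in $samples.Keys) {
    $enabled = ($samples[$name] -band 2) -eq 0
    '{0,-11} uac={1,-6} enabled={2}' -f $name, $samples[$name], $enabled
}

# Build the filter from constructed criteria; the parentheses in the
# department value are emitted as \28 and \29.
$filter = New-EnabledUserFilter -AnyOf ([ordered]@{
    name       = 'Peter'
    department = 'Sales (EMEA)'
})
$filter

# With the Quest ActiveRoles cmdlets loaded and a domain available:
# Get-QADUser -LdapFilter $filter
```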