Advanced filter for get aduser

  • Question

  • I am trying to get only users that start with name E or 9 and are not in the PersonalDevices OU.

    I know I can do it with a pipe, but adding a pipe adds tons of time, whereas the filter is much faster.

    All of these give me only users that start with 9 or E but they also give me users in the PersonalDevices OU.

    Thanks for any help

    Get-ADUser -Filter {(   (name  -like "9*") -and (distinguishedname -notlike "PersonalDevices")   ) -or (  (name  -like "e*") -and (distinguishedname -notlike "PersonalDevices") )   }  -ResultSetSize 10
    Get-ADUser -Filter {(   (name  -like "9*" -and distinguishedname -notlike "PersonalDevices")   ) -or (  (name  -like "e*" -and distinguishedname -notlike "PersonalDevices") )   }  -ResultSetSize 10
    Get-ADUser -Filter {(   name  -like "9*" -and distinguishedname -notlike "PersonalDevices"   ) -or (  name  -like "e*" -and distinguishedname -notlike "PersonalDevices" )   }  -ResultSetSize 10
    Get-ADUser -Filter {(   name  -like "9*" -and distinguishedname -notlike "PersonalDevices"   -or   name  -like "e*" -and distinguishedname -notlike "PersonalDevices" )   }  -ResultSetSize 10
    Get-ADUser -Filter {   name  -like "9*" -and distinguishedname -notlike "PersonalDevices"   -or   name  -like "e*" -and distinguishedname -notlike "PersonalDevices"    }  -ResultSetSize 10
    
    Get-ADUser -Filter {(   (name  -like "9*") -and (distinguishedname -notlike "*PersonalDevices*")   ) -or (  (name  -like "e*") -and (distinguishedname -notlike "*PersonalDevices*") )   }  -ResultSetSize 10
    Get-ADUser -Filter {(   (name  -like "9*" -and distinguishedname -notlike "*PersonalDevices*")   ) -or (  (name  -like "e*" -and distinguishedname -notlike "*PersonalDevices*") )   }  -ResultSetSize 10
    Get-ADUser -Filter {(   name  -like "9*" -and distinguishedname -notlike "*PersonalDevices*"   ) -or (  name  -like "e*" -and distinguishedname -notlike "*PersonalDevices*" )   }  -ResultSetSize 10
    Get-ADUser -Filter {(   name  -like "9*" -and distinguishedname -notlike "*PersonalDevices*"   -or   name  -like "e*" -and distinguishedname -notlike "*PersonalDevices*" )   }  -ResultSetSize 10
    Get-ADUser -Filter {   name  -like "9*" -and distinguishedname -notlike "*PersonalDevices*"   -or   name  -like "e*" -and distinguishedname -notlike "*PersonalDevices*"    }  -ResultSetSize 10
    
    Get-ADUser -Filter {   name  -like "9*"  -or   name  -like "e*" -and distinguishedname -notlike "*PersonalDevices*"    }  -ResultSetSize 10
    


    Lishron

    Friday, July 10, 2015 1:03 PM

Answers

  • The simple approach is usually the most likely correct.

    Get-ADUser -Filter "name  -like '9*' -or name  -like 'e*' -and distinguishedname -notlike '*PersonalDevices*'"


    \_(ツ)_/


    • Edited by jrv Friday, July 10, 2015 1:24 PM
    • Marked as answer by Lishron Friday, July 10, 2015 4:26 PM
    Friday, July 10, 2015 1:24 PM

All replies

  • You can't use wildcard with distinguishedName in -Filter or -LDAPFilter.
    Friday, July 10, 2015 1:24 PM
  • You can't use wildcard with distinguishedName in -Filter or -LDAPFilter.

    Yes you can.  I use it all of the time.  It works as expected.

    You cannot use a wildcard in an LDAPFilter.

    Here is proof:

    If we use this filter:

    get-aduser -Filter "Name -like 'j*' -or Name -like 'k*'"

    We will get this record with others:

    DistinguishedName : CN=krbtgt,CN=Users,DC=KAHLNET,DC=local
    Enabled           : False
    GivenName         :
    Name              : krbtgt
    ObjectClass       : user
    ObjectGUID        : c59cf349-daf8-4696-9c7c-9bd194dbe2be
    SamAccountName    : krbtgt
    SID               : S-1-5-21-1997746983-321388823-153608166-502
    Surname           :
    UserPrincipalName :

    Adding the DN filter, we no longer get the krbtgt record:

    get-aduser -Filter "Name -like 'j*' -or Name -like 'k*' -and distinguishedname -notlike '*krbtgt*'"

    Works every time.


    \_(ツ)_/

    Friday, July 10, 2015 1:43 PM
  • so get-aduser -Filter "Name -like 'j*' -or Name -like 'k*' -and distinguishedname -like '*krbtgt*'" should get the user, right?

    florian

    Friday, July 10, 2015 1:58 PM
  • OK. Unable to test at the moment so I based my answer on this: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/1af6a749-2628-494c-afde-b67a5b9b77f2/getaduser-filter-distinguishedname-notlike-does-not-work?forum=ITCG
    Friday, July 10, 2015 1:59 PM
  • You need to pipe ...

    Get-ADUser -Filter "name  -like '9*' -or name  -like 'e*'" | % {If (-not($_.distinguishedname -match '.*PersonalDevices.*')) {$_}}


    Friday, July 10, 2015 2:06 PM
  • The simple approach is usually the most likely correct.

    Get-ADUser -Filter "name  -like '9*' -or name  -like 'e*' -and distinguishedname -notlike '*PersonalDevices*'"


    \_(ツ)_/


    WOW   thanks.

    I did not know I could use the ' (apostrophe) when using wildcards.

    That did the trick


    Lishron

    Friday, July 10, 2015 4:28 PM
  • Yes you can.

    No you can't. Here is proof:

    get-aduser -Filter "Name -like 'j*' -or Name -like 'k*' -and distinguishedname -notlike '*krbtgt*'"

    Returns all users starting with j and not a single user starting with k.

    get-aduser -Filter "Name -like 'k*' -or Name -like 'j*' -and distinguishedname -notlike '*krbtgt*'"

    Returns all users starting with k and not a single user starting with j.

    get-aduser -Filter "distinguishedname -like '*krbtgt*'"

    Returns nothing.

    Friday, July 10, 2015 5:42 PM
  • We have never been able to use wildcards with DN attributes, like distinguishedName or memberOf. This:

    Get-ADUser -Filter "Name -Like 'j*' -Or Name -Like 'k*' -And distinguishedName -NotLike '*krbtgt*'"

    returns only users where Name starts with "j". This returns nothing:

    Get-ADUser -Filter "(Name -Like 'j*' -Or Name -Like 'k*') -And distinguishedName -NotLike '*krbtgt*'"

    So the first must be equivalent to:

    Get-ADUser -Filter "Name -Like 'j*' -Or (Name -Like 'k*' -And distinguishedName -NotLike '*krbtgt*')"


    Richard Mueller - MVP Directory Services


    Saturday, July 11, 2015 11:32 AM
    Moderator
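
Added example, not code from any poster in this thread: Active Directory does not do substring matching on DN-syntax attributes such as distinguishedName, so this sketch keeps only the name prefixes in the server-side filter (grouped with explicit parentheses) and excludes the OU client-side by comparing whole DN components. Test-InOU is a hypothetical helper and the sample accounts are constructed; only the OU name PersonalDevices and the name prefixes come from the question.

```powershell
# Added example: Test-InOU is a hypothetical helper, sample accounts are constructed.
function Test-InOU {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [Parameter(Mandatory)] [string] $OUName
    )
    # Split the DN into RDNs on commas that are not backslash-escaped.
    $rdns = $DistinguishedName -split '(?<!\\),'
    # Skip the object's own RDN, then require an exact OU=<name> component,
    # so OU=PersonalDevices2 or CN=ePersonalDevicesAdmin do not count as a match.
    $hit = $rdns | Select-Object -Skip 1 |
        Where-Object { $_.Trim() -ieq "OU=$OUName" }
    return [bool]$hit
}

# Parentheses make the grouping of the two name clauses explicit.
$nameFilter = "(Name -like '9*' -or Name -like 'e*')"

if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
    # Server side: name prefixes only, so few objects cross the wire.
    $users = Get-ADUser -Filter $nameFilter
} else {
    # No ActiveDirectory module here: constructed objects with the same two
    # properties (all names already start with 9 or e).
    $users = @(
        [pscustomobject]@{ Name = 'e.smith'
            DistinguishedName = 'CN=e.smith,OU=Staff,DC=example,DC=test' }
        [pscustomobject]@{ Name = '9001'
            DistinguishedName = 'CN=9001,OU=PersonalDevices,DC=example,DC=test' }
        [pscustomobject]@{ Name = '9100'
            DistinguishedName = 'CN=9100,OU=Phones,OU=PersonalDevices,DC=example,DC=test' }
        # A substring test on "PersonalDevices" would also drop this account.
        [pscustomobject]@{ Name = 'ePersonalDevicesAdmin'
            DistinguishedName = 'CN=ePersonalDevicesAdmin,OU=Staff,DC=example,DC=test' }
    )
}

# Client side: drop anything whose DN has PersonalDevices as a parent OU.
$users |
    Where-Object { -not (Test-InOU -DistinguishedName $_.DistinguishedName -OUName 'PersonalDevices') } |
    Select-Object Name, DistinguishedName
```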