locked
How to exclude Organizational Units in Get-ADComputer cmd-let? RRS feed

  • Question

  • Hi! 

    I'm doing an Active Directory Computer query like the following:

    Get-ADComputer -SearchBase "DC=mydomain,DC=com" -Filter {OperatingSystem -NotLike "*Windows Server*"}

    But I try to exclude some Organizational Units in the result query. What would be the best way to do it?

    Thanks in advance!

    Friday, August 3, 2018 6:48 PM

Answers

  • Pipe over to Where object cmdlet and filter out the OU's you do not want, as you cannot filter on DistinguishedName using the Filter parameter. No reason to have SearchBase since you are setting it to the root of the domain.

    Get-ADComputer -Filter "OperatingSystem -notlike '*Windows Server*'" | 
    Where {$_.DistinguishedName -notlike "*OU=SomOU*"}


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful. (99,108,97,121,109,97,110,50,64,110,121,99,97,112,46,114,114,46,99,111,109|%{[char]$_})-join''




    • Edited by clayman2 Friday, August 3, 2018 7:08 PM typo
    • Proposed as answer by Richard MuellerMVP Friday, August 3, 2018 8:08 PM
    • Marked as answer by unorojo Friday, August 3, 2018 8:26 PM
    Friday, August 3, 2018 6:58 PM

All replies

  • Pipe over to Where object cmdlet and filter out the OU's you do not want, as you cannot filter on DistinguishedName using the Filter parameter. No reason to have SearchBase since you are setting it to the root of the domain.

    Get-ADComputer -Filter "OperatingSystem -notlike '*Windows Server*'" | 
    Where {$_.DistinguishedName -notlike "*OU=SomOU*"}


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in anyway, please click vote as helpful. (99,108,97,121,109,97,110,50,64,110,121,99,97,112,46,114,114,46,99,111,109|%{[char]$_})-join''




    • Edited by clayman2 Friday, August 3, 2018 7:08 PM typo
    • Proposed as answer by Richard MuellerMVP Friday, August 3, 2018 8:08 PM
    • Marked as answer by unorojo Friday, August 3, 2018 8:26 PM
    Friday, August 3, 2018 6:58 PM
  • Thanks Clayman

    This is my attemp:

    Get-ADComputer -SearchBase "DC=mydomain,DC=com" -Filter {OperatingSystem -NotLike "*Windows Server*" -and DistinguishedName -notlike "*OU=TR,dc=mydomain,dc=com"}

    Just a question, I've tried with "Filter" (DistinguishedName -notlike "*OU=MAG,dc=magglab,dc=com") before Pipeline, but apparently it doesn't work, only with Where after Pipeline, as shown in your example, is it correct?

    Friday, August 3, 2018 7:54 PM
  • Yes, that is correct. You can only use -eq and -ne operators in a filter with DN syntax attributes, like distinguishedName.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Friday, August 3, 2018 8:04 PM
  • Yes, that is correct. You can only use -eq and -ne operators in a filter with DN syntax attributes, like distinguishedName.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Why is that?
    Saturday, August 4, 2018 10:01 PM
  • Per this reference on the syntax:

    https://docs.microsoft.com/en-us/windows/desktop/ADSchema/s-object-ds-dn

    === quote ===

    For queries that include attributes of DN syntax in a filter, specify full distinguished names. Wildcards (for example, cn=John*) are not supported.

    === end quote ===

    It is a limitation of Active Directory. The same limitation holds even if you use the -LDAPFilter parameter, or a command line utility like dsquery * -Filter. Active Directory maintains these attributes as references to the location of the object in the hierarchy of AD. The value is automatically updated if the object is moved.

    After a pipe the DN attribute value can be treated as a string, so the other operators can be used.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Sunday, August 5, 2018 12:30 AM