

Powershell: Get-AdUser - connect multiple parameters in -filter property

Question

Thursday, November 19, 2015 9:57 AM

Hello,

I have a small problem in powershell and I don't know how to solve it.

I want to write a script that gets all User Objects from active directory and exports them to a csv file.

I want to get all objects in AD that have the objectclass "User" and do not have "not-delete" in the notes-field.

So while this works perfectly fine and gives me all user objects:

$ADUsers = get-aduser -filter 'ObjectClass -eq "user"' -properties *

this does not work:

$ADUsers = get-aduser -filter 'ObjectClass -eq "user" -and info -ne "not-delete"'  -properties *

Does anybody know how to connect statements in the -filter property?

Thanks for reading and regards

Martin

All replies (12)

Thursday, November 19, 2015 10:30 AM

Do not use "objectclass -eq user".  It is not needed.

Get-AdUser -Filter '-not (info -like "*not-deleted*")'

\(ツ)_/


Thursday, November 19, 2015 10:32 AM

Get-aduser will only return user objects so the ObjectClass clause is a bit redundant. This should do what you want - 

Get-Aduser -ldapfilter "(!info=*not-delete*)" -properties *  

 

[string](0..21 | % {([char][int](22+
("5275778524449275827587
42505554247789249585").Substring(($_*2),2)))})`
-replace " "

LinkedIn:   

Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
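
The script the question actually asks for, written both ways the replies above suggest, as an added example (not code from any poster in this thread). It assumes the ActiveDirectory RSAT module and uses a placeholder output path; the objectCategory condition is included only to show how a second clause is joined with -and in the string form:

```powershell
# Added example (not from this thread): export user accounts whose "info"
# (Notes) attribute does not contain "not-delete" to a CSV file.
# Assumes the ActiveDirectory module; the output path is a placeholder.
Import-Module ActiveDirectory

$OutFile = 'C:\Temp\ADUsers.csv'   # placeholder path, adjust as needed

# Variant 1: PowerShell filter syntax. -and joins the two clauses, and
# -like "*not-delete*" also matches longer notes such as "not-deleted".
# Objects with an empty "info" attribute are kept, because the -not clause
# is true for them. objectCategory -eq "person" excludes computer objects,
# which also carry objectClass=user (see the later replies in this thread).
$ViaFilter = Get-ADUser -Filter 'objectCategory -eq "person" -and -not (info -like "*not-delete*")' `
                        -Properties info, whenCreated

# Variant 2: the same query as a raw LDAP filter, which is what -Filter is
# translated into on the way to the domain controller.
$ViaLdap = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(!(info=*not-delete*)))' `
                      -Properties info, whenCreated

# Both forms must describe the same set; a mismatch means one of the
# filters was not translated the way you expected.
if (@($ViaFilter).Count -ne @($ViaLdap).Count) {
    Write-Warning ("Filter forms disagree: {0} vs {1} objects" -f @($ViaFilter).Count, @($ViaLdap).Count)
}

# Export only the attributes the report needs instead of -Properties *:
# a full attribute dump of every user is slow and leaves more data on disk
# than the task requires.
$ViaLdap |
    Select-Object SamAccountName, Name, Enabled, info, whenCreated |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Both variants run server-side, so the domain controller returns only matching objects; the comparison of the two counts is just a cheap check that the string filter was parsed the way the author intended.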


Thursday, November 19, 2015 10:44 AM

Get-aduser will only return user objects so the ObjectClass clause is a bit redundant. This should do what you want - 

Get-Aduser -ldapfilter "(!info=*not-delete*)" -properties *  

 


.. only user objects..  OK

get-aduser -Filter {name -like "*p0*"} |select distinguishedname,objectclass |select -first 1

distinguishedname: CN=P00125,OU=Out of Band Management Controller,OU=SCCM,DC=contoso,dc=com
objectclass: computer

Thursday, November 19, 2015 11:00 AM

Get-aduser will only return user objects so the ObjectClass clause is a bit redundant. This should do what you want - 

Get-Aduser -ldapfilter "(!info=*not-delete*)" -properties *  

I suggest that there is an issue with your system.  I cannot get the same results.

\(ツ)_/


Thursday, November 19, 2015 11:04 AM

I am also pretty sure that Get-AdUser uses objectCategory to select user accounts.

objectcategory

CN=Person,CN=Schema,CN=Configuration,DC=TESTNET,DC=local

\(ツ)_/


Thursday, November 19, 2015 11:09 AM

Get-aduser will only return user objects so the ObjectClass clause is a bit redundant. This should do what you want - 

Get-Aduser -ldapfilter "(!info=*not-delete*)" -properties *  

I suggest that there is an issue with your system.  I cannot get the same results.

\(ツ)_/

With my system? In what way? Surely Get-Aduser should only return users and not computers, it's in the name. From the help description:

DESCRIPTION

    The Get-ADUser cmdlet gets a user object or performs a search to retrieve multiple user objects.



Thursday, November 19, 2015 2:37 PM

Get-ADUser should only retrieve objects where both objectClass=user and objectCategory=person. This should eliminate all computer objects. If the object retrieved has objectClass=computer, what is the value of sAMAccountType. It should be 805306369 for computers, 805306368 for users.

Richard Mueller - MVP Directory Services

DistinguishedName : CN=Pxxx,OU=Out of Band Management Controller,OU=SCCM,DC=contoso,DC=com
Enabled           : True
GivenName         :
Name              : Pxxx
ObjectClass       : computer
ObjectGUID        : 405a3700-b8f0-4970-9eb1-abcdefgh
SamAccountName    : Pxxx$iME
samaccounttype    : 805306368
SID               : S-1-5-21-1993962763-000000000-111111111-230059
Surname           :
UserPrincipalName : [email protected]
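
A post-query sanity check built on the attributes Richard Mueller names above, as an added example (not code from any poster in this thread). It assumes the ActiveDirectory module; the sAMAccountType values are the ones quoted in the reply, and the OU path used in the commented-out exclusion is the one from the output above:

```powershell
# Added example (not from this thread): confirm that what Get-ADUser
# returned really consists of user accounts, and flag anything else.
Import-Module ActiveDirectory

$SamNormalUserAccount = 805306368   # sAMAccountType for user accounts (from the thread)
$SamMachineAccount    = 805306369   # sAMAccountType for computer accounts (from the thread)

$Users = Get-ADUser -Filter '-not (info -like "*not-delete*")' `
                    -Properties info, objectClass, objectCategory, sAMAccountType

# Anything that fails one of these looks like the SCCM/AMT objects discussed
# above rather than an ordinary user: wrong most-specific objectClass, an
# objectCategory other than Person, an unexpected sAMAccountType, or a
# machine-style "$" in the logon name. This runs client-side, so it only
# inspects objects the server already returned.
$Suspect = $Users | Where-Object {
    $_.ObjectClass -ne 'user' -or
    $_.objectCategory -notlike 'CN=Person,*' -or
    $_.sAMAccountType -ne $SamNormalUserAccount -or
    $_.SamAccountName -like '*$*'
}

if ($Suspect) {
    Write-Warning ("{0} object(s) returned by Get-ADUser are not ordinary user accounts:" -f @($Suspect).Count)
    $Suspect |
        Select-Object SamAccountName, ObjectClass, objectCategory, sAMAccountType, DistinguishedName |
        Format-Table -AutoSize
}

# Keep only confirmed user accounts for any export. If the anomaly is
# confined to one OU, excluding it by DistinguishedName (as the poster above
# does) is an alternative:
#   $_.DistinguishedName -notlike '*,OU=Out of Band Management Controller,*'
$Clean = $Users | Where-Object {
    $_.ObjectClass -eq 'user' -and $_.sAMAccountType -eq $SamNormalUserAccount
}
"{0} of {1} returned objects passed the user-account checks" -f @($Clean).Count, @($Users).Count
```

The point of checking more than one attribute is visible in the output above: that object reports objectClass=computer but sAMAccountType=805306368, so a script that trusted either attribute alone would classify it differently.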


Thursday, November 19, 2015 3:23 PM

OK, that clearly makes no sense. I assume objectCategory is "Person". The fact that sAMAccountName contains the "$" character should make no difference. I have test computer accounts with no "$" character and user accounts with the character, and this does not fool Get-ADUser or Get-ADComputer. I have no explanation for what you experience. The sAMAccountType and objectClass attributes are updated by the system, and I don't believe even admins can alter the values.

The objectClass attribute is multivalued. The PowerShell ObjectClass property retrieves the most specific value in the array. Users have objectClass "user,person,organizationalPerson,top". Computers have "computer,user,person,organizationalPerson,top".

Richard Mueller - MVP Directory Services

I'll post the rest of the properties retrieved by the get-aduser cmdlet for these OoB SCCM objects tomorrow.

It was kinda confusing for me as well; I usually have to exclude this particular OU from my scripts to retrieve just user accounts. These objects (I'm no SCCM admin) are somehow required for WOL functionality .. (SCCM provisioning, https://technet.microsoft.com/en-us/library/gg712319.aspx)


Wednesday, December 16, 2015 11:35 PM

Few links that might be helpful for understanding..

https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2012/11/29/amt-device-active-directory-objects-and-the-intel-scs

https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2012/12/13/hiding-amt-device-active-directory-objects


Friday, December 18, 2015 2:56 PM

My personal preference to evaluate more than one condition is to format it like this:

-filter {(conditionone) -and (conditiontwo)}

Dan


Friday, December 18, 2015 3:04 PM

Since we're throwing our preferences around, I generally avoid using scriptblocks in the filter unless absolutely necessary.

PS C:\> Get-ADUser -Filter 'SamAccountName -like "tester*" -and Enabled -eq $false' |
    Select SamAccountName,Enabled | 
        Format-Table -AutoSize

SamAccountName Enabled
 
tester5          False
tester7          False

EDIT: Additionally:

PS C:\> Get-ADUser -Filter '(SamAccountName -like "tester*" -or SamAccountName -like "testac*") -and Enabled -eq $false' |
    Select SamAccountName,Enabled | 
        Format-Table -AutoSize

SamAccountName Enabled
 
tester5          False
tester7          False
testac1          False


Friday, December 18, 2015 3:36 PM

Since we're throwing our preferences around, I generally avoid using scriptblocks in the filter unless absolutely necessary.

PS C:\> Get-ADUser -Filter 'SamAccountName -like "tester*" -and Enabled -eq $false' |
    Select SamAccountName,Enabled | 
        Format-Table -AutoSize

SamAccountName Enabled
 
tester5          False
tester7          False

EDIT: Additionally:

PS C:\> Get-ADUser -Filter '(SamAccountName -like "tester*" -or SamAccountName -like "testac*") -and Enabled -eq $false' |
    Select SamAccountName,Enabled | 
        Format-Table -AutoSize

SamAccountName Enabled
 
tester5          False
tester7          False
testac1          False

That is .4 totalmilliseconds faster, relax your schedule a bit:-)

Dan