Get-aduser -filter -memberof group name issues

I want to use powershell to return all users who are domain admins into a CSV
Are these commands close to what I should be doing?
get-aduser -filter -memberof "domain admin" 
get-adgroupmember -filter "-eq 'Domain Admin'"
Then I will be exporting to CSV with this working part of the script.
-Properties * | Select-Object -Property Name,DisplayName,Title,EmailAddress,GivenName,sn,StreetAddress,Office,City,State,PostalCode,Country,OfficePhone,Company,HomePhone,mobile,Department | Sort-Object -Property Name | export-csv c:\UserPropertiesCSV.csv

If you want more information than is being returned by Get-ADGroupMember, you can pipe the results into Get-ADUser.
Get-ADGroupMember "Domain Admins" |
Get-ADUser -properties Displayname, Title, EmailAddress, GivenName, sn, StreetAddress, Office, City, State, PostalCode, Country, OfficePhone, Company, HomePhone, Mobile, Department |
Select-Object Name, DisplayName, Title, EmailAddress, GivenName, sn, StreetAddress, Office, City, State, PostalCode, Country, OfficePhone, Company, HomePhone, Mobile, Department |
Export-CSV ".\results.csv"

Similar Messages

  • Get-ADUser Excluding Specific Groups

    I'm using Get-ADUser to retrieve all of the users in the DC except those in three specific groups previously defined using their distinguished name. The below returns 14 users when it should return 5.
    $users = Get-ADUser -Filter { ((memberof -notlike $grp1) -and (memberof -notlike $grp2) -and
    (memberof -notlike $grp3))} | MyFunction | Where-Object {$_.Enabled -ne $false}
    Any thoughts? Thanks in advance.

    Enabled is a default property for Get-ADUser so you should include this in the filter (server side) rather than filtering client side.
    What is 'MyFunction'?
    I tend to validate the groups using Get-ADObject first.
    For example...
    $group = (Get-ADObject -Filter {cn -like "group"}).DistinguishedName
    $users = Get-ADObject -Filter {memberof -like $group}
    I've tried filtering the memberof without having the distinguishedname, and using wildcards but it fails (which might be where you are having an issue).  The wildcards work fine against CN.
    These all work...
    {cn -like "group"}
    {cn -like "group*"}
    {cn -like "*group*"}
    It might be something to do with the fact that the memberof property is a multi-attribute field and each group is listed against the user with its distinguished name.
    Hopefully, someone will be able to explain why wildcards don't seem to work.

  • Get-ADUser -Filter {extensionAttribute1 -ne "aaa"} to get the users

    I need to get the users whose extensionAttribute1 is null or blank.
    I can run this command well:
    Get-ADUser -Filter {extensionAttribute1 -eq "aaa"} -SearchBase "OU=Sales,OU=aaa,DC=ccc,DC=ddd,DC=org"
    but when I change the "-eq" to "-ne", this command returns nothing.
    Get-ADUser -Filter {extensionAttribute1 -ne "aaa"} -SearchBase "OU=Sales,OU=aaa,DC=ccc,DC=ddd,DC=org"
    Can anyone please help me check the problem?
    thanks and regards,
    adsnow

    Hi,
    You can use the PowerShell command given below, to get the names of AD Users whose extensionAttribute1 is null or blank,
    Get-ADUser -Filter {extensionAttribute1 -notlike "*"} -SearchBase "OU=Sales,OU=aaa,DC=ccc,DC=ddd,DC=org" | select name
    FYI:
    To get the names of AD Users with any value set for extensionAttribute1 as,
    Get-ADUser -Filter {extensionAttribute1 -like "*"} -SearchBase "OU=Sales,OU=aaa,DC=ccc,DC=ddd,DC=org" | select name
    Regards,
    Gopi
    JiJi
    Technologies

  • Help with get-aduser -filter command

    Hi! I'm having problems with getting user info from displayname
    function searchuzv {
    $uzvinfo=$InputBoxuzv.text;
    $uzvcheck = Get-ADUser -filter "DisplayName -like '*$uzvinfo*'"
    }
    If I run the Get-ADUser -filter "DisplayName -like '*$uzvinfo*'" line separately, everything is OK and working, but when I run the function, I'm getting the error "Get-ADUser : The search filter cannot be recognized"
    My objective is get user info when only part of displayname is provided.
    I suppose there is problem with syntax, but I can't find anything about this.
    Any suggestions?
    Best regards,
    Ronald

    Hi Ronald,
    Try this.
    function searchuzv {
        $uzvinfo = $InputBoxuzv.text
        # Build the wildcard pattern first, then quote it inside the filter string
        $uzvDisp = "*" + $uzvinfo + "*"
        $uzvcheck = Get-ADUser -filter "DisplayName -like '$uzvDisp'"
    }
    Regards,
    Satyajit

  • Using get-aduser -filter to find blank spaces only

    Hello all,
    What I'm trying to do is pretty simple. I want to use the -filter parameter of the get-aduser cmdlet to find a defined attribute that only contains a space. For example, I want to find any users that have extensionattribute1 equal to " ". I've tried the following code but I get the error "the search filter cannot be recognized":
    get-aduser -filter {extensionattribute1 -eq " "}
    What I don't want to use is -like "* *", as that will give me values that contain a space anywhere. I only want to return users that have extensionattribute1 equal to one space.
    Any ideas?

    Yes, in LDAP syntax you can escape any character with the backslash escape character followed by the two character hex ASCII representation of what you want. You can get foreign characters this way. More on escaping characters here:
    http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
    Richard Mueller - MVP Directory Services

  • Get-aduser -Filter email address

    Hi, I have a csv file with an email address and the employee ID. I wish to update the employee ID according to the email address
    csv:
    Email;employerID;FirstName;LastName;
    [email protected];123456789;a;a;
    [email protected];789456123;b;b;
    I tried querying the user according to email but the user is not found:
    $test = Import-csv -Path \\tsclient\c\temp\test.csv -delimiter ";"
    Foreach ($u in $test) {Get-aduser -Filter { emailaddress -Like $u.email} -Properties emailaddress}
    Which i find strange, because when i run following commandlet the correct address are displayed.
    $test = Import-csv -Path \\tsclient\c\temp\test.csv -delimiter ";"
    Foreach ($u in $test) {write-host $u.email}
    I even tried, but same result:
    $test = Import-csv -Path \\tsclient\c\temp\test.csv -delimiter ";"
    Foreach ($u in $test) {Get-aduser -Filter { emailaddress -Like $($u.email)} -Properties emailaddress}
    What am i doing wrong?
    Answers provided are coming from personal experience, and come with no warranty of success. I as everybody else do make mistakes.

    Get-aduser : Property: 'email' not found in object of type: 'System.Management.Automation.PSCustomObject'.
    This implies that the object $u does not have a property named email.
    $test = Import-csv -Path \\tsclient\c\temp\test.csv -delimiter ";"
    Foreach ($u in $test) {$u.email}

  • Get-AdUser -Filter for homeDirectory

    I guess there's something I don't know about -filter syntax for this command...
    get-aduser -filter {homeDirectory -like "*\faculty\homes\*"} -property homeDirectory
    returns results, but...
    get-aduser -filter {homeDirectory -like "\\faculty\homes\*"} -property homeDirectory
    ...will not. All results returned by the first have homes starting with \\faculty\homes\...
    What gives?

    Hi,
    you need to use the LDAP escape character for \, which is \5c
    So, you could write it like this:
    $DirectoryInfo = Get-Item \\server\share\User1HomeDirectory
    $strFilter = $DirectoryInfo.FullName.Replace("\","\5c")
    $AdUser = Get-AdUser -Filter {homeDirectory -like $strFilter}
    If ($AdUser.HomeDirectory -like $DirectoryInfo.FullName) {
        # not an abandoned home directory
    }
    /Fridden
    Just a simple hacker
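
The escaping rule from the two replies above (a backslash followed by the character's two-digit hex code, such as \5c for a backslash), as an added example that is not code from any poster in these threads. ConvertTo-LdapFilterValue is a hypothetical helper name and the sample values are constructed from the questions above.

```powershell
function ConvertTo-LdapFilterValue {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)][AllowEmptyString()][string]$Value,
        [switch]$EscapeAll   # hex-escape every byte, e.g. to match one literal space
    )
    $sb = New-Object System.Text.StringBuilder
    foreach ($b in [System.Text.Encoding]::UTF8.GetBytes($Value)) {
        # NUL ( ) * \ have meaning inside an LDAP filter and must be escaped.
        $special = $b -in 0x00, 0x28, 0x29, 0x2A, 0x5C
        if ($EscapeAll -or $special -or $b -ge 0x80) {
            [void]$sb.AppendFormat('\{0:x2}', $b)
        } else {
            [void]$sb.Append([char]$b)
        }
    }
    $sb.ToString()
}

# Constructed sample inputs taken from the questions in these threads.
$oneSpace  = ConvertTo-LdapFilterValue ' ' -EscapeAll          # a value that is exactly one space
$uncPrefix = ConvertTo-LdapFilterValue '\\faculty\homes\'      # UNC prefix of a home directory
$typedName = ConvertTo-LdapFilterValue 'Smith (Contractor)*'   # text typed into a search box

# Wildcards are added outside the escaped value, so only the script author's
# asterisks act as wildcards; typed characters are matched literally.
$filters = @(
    "(extensionAttribute1=$oneSpace)"
    "(homeDirectory=$uncPrefix*)"
    "(displayName=*$typedName*)"
)
$filters

# With the ActiveDirectory module loaded, each string can be passed as-is:
#   $filters | ForEach-Object { Get-ADUser -LDAPFilter $_ -Properties homeDirectory }
```

The same escaping applies whenever a value read from a form, CSV file or file system path is placed inside an LDAP filter string.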

  • Powershell script: to get the AD Security Group Name

    I need PowerShell script that takes input: AD Security Group Name and loop
    through all web applications and their content in the farm to know where this particular group is used.

    hi
    AD groups are represented in Sharepoint as SPUser object with
    SPUser.IsDomainGroup set to true. I.e. you may use the same script which is used for users:
    Powershell script to find permissions for a specific user.
    Blog - http://sadomovalex.blogspot.com
    Dynamic CAML queries via C# - http://camlex.codeplex.com

  • Powershell get-aduser filter problem

    'Filter' = {(Enabled -eq $True) -and ((Office -ne "EXCLUDE") -or (Office -notlike '*'))}
    The filter parameter isn't very user friendly.  Try this and see if it is what you want.

    Hello all, I am trying to filter a script I found here from Martin9700 to get users from an AD OU. The original line: 'Filter' = {Enabled -eq $True} works and I am trying to add a filter to exclude users that have Office value of EXCLUDE. If I use: 'Filter' = {(Enabled -eq $True) -and (office -eq "EXCLUDE")} then it will get the user that has EXCLUDE but I can't get any negative to work. I have tried -ne, -notlike and several combos of syntax but I really don't understand much of it. Any help would be greatly appreciated! The complete script is below. Thanks!

  • Get-aduser help

    I am trying to get a set of specific users in an OU that are tied to a certain security group. I am wanting the name and the last password set date to try and keep up with password information. I have read-only rights to this domain so special tools don't work. Here is my query so far
    get-aduser -filter {Memberof -like "SNbio*"} -Searchbase 'OU=Users,OU=US,OU=Site,OU=Managed Objects,dc=company,dc=net' -properties Name,pwdLastSet
    Without the filter this works to show me all objects in the OU, but again I only want the ones that are members of a certain group to show. If anyone could help I would much appreciate it. 
    Christopher

    The disadvantage of that approach is that you are retrieving all users in the OU, not just the ones that are members of the group, and then filtering them out afterwards. It is more efficient to specify group membership as part of the search filter.
    Bill
    I didn't bother considering the efficiency, but I likely should have, as your suggestion is ultimately better, to include the calculated property. I tested both in my environment and I lost 19 milliseconds. I really could have used that extra time! I fully understand the impact this could have in an OU that was populated more so than my environment, and therefore, thank you for pointing this out.
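
One way to put group membership into the search itself, as the replies about memberOf in these threads suggest. This is an added example, not code from any poster; Get-GroupUserMember is a hypothetical name, and it assumes the RSAT ActiveDirectory module and a reachable domain controller. It goes beyond the threads by also matching nested membership and primary-group members, which a plain memberOf test misses.

```powershell
Import-Module ActiveDirectory

function Get-GroupUserMember {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupName,  # e.g. 'Domain Admins'
        [string]$SearchBase                        # optional OU to limit the search
    )

    # Resolve the group first: memberOf holds distinguished names, so it can
    # only be matched against a full DN, never a wildcard such as "SNbio*".
    $group = Get-ADGroup -Identity $GroupName

    # Escape filter metacharacters in the DN (backslash + two hex digits).
    $dn = [regex]::Replace($group.DistinguishedName, '[\\*()]',
        { param($m) '\{0:x2}' -f [int][char]$m.Value })

    # memberOf never lists a user's primary group, so match that by RID.
    $rid = ($group.SID.Value -split '-')[-1]

    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (nested membership).
    $ldap = "(&(objectCategory=person)(objectClass=user)" +
            "(|(memberOf:1.2.840.113556.1.4.1941:=$dn)(primaryGroupID=$rid)))"

    $query = @{ LDAPFilter = $ldap; Properties = 'PasswordLastSet', 'Title', 'Department' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADUser @query
}

# Server-side filtered list of every user in the group, exported for review.
Get-GroupUserMember -GroupName 'Domain Admins' |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet, Title, Department |
    Sort-Object Name |
    Export-Csv -Path .\domain-admins.csv -NoTypeInformation
```

Because the filter runs on the domain controller, only matching accounts are returned, and the Enabled and PasswordLastSet columns make stale or disabled privileged accounts easy to spot in the export.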

  • Error troubleshooting in AD Module - Get-Aduser w/created filter

    Hi All,
    I'm working as an intern with my university, and I've been tasked with clearing out old student accounts in AD. There are currently over 4000 users in our system, and it's estimated that there are over 3500 old accounts that need to be deleted.
    We are at the 2008 R2 Domain Functional Level.
    I am going to script this through Powershell, but I'm having a terrible time getting a certain query to run properly.
    I am using the following:
    get-aduser -filter {created -lt '1/1/2010' -and lastlogontimestamp -notlike '*'} -properties created
    I will sometimes narrow my query by adding another filter for created -gt '1/1/2008', for instance.
    When I run the command as written, however, it will return several hundred users, but then it spits out the following error after the last displayed result:
    Get-ADUser : The specified method is not supported
    At C:\Users\Administrator.CSC\Desktop\test1.ps1:4 char:15
    + get-aduser <<<< -filter {created -lt '1/1/2010'} -properties created | ft name,samaccountname,created
    + CategoryInfo : NotSpecified: (:) [Get-ADUser], ADException
    + FullyQualifiedErrorId : The specified method is not supported,Microsoft.ActiveDirectory.Management.Commands.GetADUser
    If I narrow my search scope by created date, I can sometimes get the error to not appear. My guess is that there are several accounts in the database that trigger the error (or at least, that's how it appears).
    I have tried running this on both a DC and a non-dc server with server management tools installed. It doesn't matter what other filters are used, so omitting the lastlogontimestamp filter doesn't prevent the error.
    My supervisor seems to think there may be errors in the AD database, but I've done every AD health check I can think of.
    Does anyone have any suggestions?
    Thanks,
    Brandon

    If you have access to Microsoft Connect (I believe you must be an MVP), it would help to vote on this report, as that should help prioritize it.
    You don't need to be a MVP for access to Connect, here's a direct link to the bug report Richard opened:
    https://connect.microsoft.com/PowerShell/feedbackdetail/view/963333/ad-module-cmdlets-raise-error-if-there-are-more-than-256-results
    The command from the report does appear to work for me in v4 (Win7):
    PS C:\> Get-ADUser -Properties Created -Filter "Created -gt '9/1/2014'" | measure
    Count : 260
    I also tested the command that failed in the post above and v3 appears to be working for me as well (WS2012):
    PS C:\> $start = (Get-Date).AddDays(-1)
    PS C:\> get-aduser -filter {modified -gt $start} | measure
    Count : 263
    Perhaps the count needs to be higher to replicate this.
    EDIT: I just created a bunch of new user accounts and I still can't replicate this (v3 on WS2012 again):
    PS C:\> $start = (Get-Date).AddDays(-1)
    PS C:\> get-aduser -filter {modified -gt $start} | measure
    Count : 1803
    EDIT2: DC is WS2008SP2.
    Don't retire TechNet! -
    (Don't give up yet - 13,085+ strong and growing)

  • Get-Aduser Filtering Issue

    Hey Guys,
    I'm trying to do a get-aduser filter based on two criteria 
    1. the account is enabled
    2. the samaccountname does not contain the word health
    I'm stumped on this one. Here's what i have thus far. I have to be close
    Get-ADuser -Filter 'enabled -eq $true' -and 'SamAccountName -ne "Health*"'
    Thoughts ? This is driving me crazy.
    Rich
    Rich Thompson

    Hi,
    afaik the -Filter-parameter only applies to AD-properties. enabled is a powershell-AD-object property. It is represented by the UserAccountControl flag in the ActiveDirectory (see description here) and you'll combine it with the SAMAccountName, similar to something like this:
    Get-ADUser -filter {((userAccountControl -like "512") -and (samaccountname -notlike "Health*"))}
    Regards
    Sebastian
    You can filter on the Enabled property with no issues. Also, just FYI, -Filter wants a string, not a scriptblock. Scriptblocks will generally work, but not always.

  • Get-aduser compare attributes inside the -filter parameter

    Hello all,
    What I would like to do is use the -filter parameter of get-aduser to compare 2 attributes within the search itself, instead of having to process the differences afterwards.
    So here is how I normally use -filter:
    get-aduser -filter {(name -like "*") -and (displayname -like "*")} -Properties displayname | `
    Foreach-object{
    If($_.name -eq $_.displayname){
    "Match!"
    }
    }
    As you can see, I have to get all the users and their properties first, and then subsequently I have to use a ForEach-Object loop to determine if there are any matches.
    What I would like to do is do the comparison in the -filter parameter. Something like this:
    get-aduser -filter {name -eq displayname}
    However, I'm not aware of any way to compare attributes within -filter, and I wonder if anyone knows of a way? Or is a subsequent loop the only way to compare?

    Hi,
    You can use -and in the filter:
    Get-ADUser -Filter "SamAccountName -eq 'smithr' -and GivenName -eq 'Robert'"
    I'm not exactly sure if this is what you're asking about though.
    EDIT: I think I know what you're asking now. AFAIK, there is no way to use -Filter to return users who have the same DisplayName attribute as their Name attribute. You need to have something concrete to test against inside of the filter.

  • Get-ADUser Script Runs but issues error command before returning all results

    Greetings;
    I am running Windows Server 2008-R2 and try to execute a PowerShell command as follows:
    I am trying to locate user objects that have been inactive since September 1 and do not have any Exchange mailboxes. The query does run and I do get a number of records, however, the error is issued, as shown above.
    can you please shed some light as to why I am getting this error message? I do appreciate your time.
    Behrooz

    I see this thread isn't answered yet, so I'm taking another shot at it.  I am positive my script is going to give you the results you are looking for. I have reproduced this in my lab.
    What I did:
    - I created a set of users in an OU in my domain.
    - I populated the 'employeeType' property on a handful of them
    - I created mailboxes for a subset of those users on my Exchange server
    - I did NOT log in with any of these accounts, but that is the easy part.
    Run this query and you will get a returned set of accounts that:
    - Have not logged on since 9/1/2013
    - Do NOT have a mailbox (this is query-able through Get-ADUser because the HomeMDB property is only populated when you have a mailbox.  Using the Exchange tools is not necessary)
    - Accounts that do NOT have anything in their 'employeeType' property.
    Get-AdUser -filter * -properties * |
    Where-Object {$_.HomeMDB -eq $NULL -AND
    $_.employeeType -eq $NULL -AND
    # -lt keeps accounts whose last logon is before 9/1/2013 (or that never logged on)
    $_.lastlogondate -lt "9/01/2013"} |
    Select displayname,distinguishedname,samaccountname,employeetype |
    Export-Csv "employeetype.csv" -notypeinformation
    ** This result is going to find people with NO employeeType.  If that is the opposite of what you're looking for, change that line from -eq (equal) to -ne (not equal) or you can use -like and -notlike.  Both give the same results.
    Your results will export to a CSV and will not print to the screen.  Again, with the way this is written, the employeetype column will be empty.
    If you want to copy and paste this script, please paste it into the ISE and push play.  If you save it as a .ps1, you'll have to ensure you have the appropriate executionpolicy set (Open PS as an admin, run 'set-executionpolicy unrestricted')
    If you chose to run it in a PS window as is, please ensure this whole syntax is all on one line.
    Okay! Come back and tell me you were successful and mark me as the answer!! :)
    Chris Ream

  • Microsoft.ActiveDirectory.Management.ADPropertyValueCollection issue on get-aduser

    I am running the command
    get-aduser username -Properties * | select name, publicDelegates, publicDelegatesBL
    But the output only returns Microsoft.ActiveDirectory.Management.ADPropertyValueCollection,
    despite knowing there are delegates setup for the user queried.
    Is there any way round this? I don't understand why it doesn't return the correct information. I did wonder if it's perhaps because there are a number of entries in both fields?

    get-aduser username -Properties * | select -Expand publicDelegatesBL
    get-aduser username -Properties * | select name, @{N='publicDelegates';E={$_.publicDelegates -join '|'}}
    \_(ツ)_/
