Get-Aduser Filtering Issue

Similar Messages

• Get-aduser filters

  My organization has a lot of users, including limited-use accounts and service accounts. Sometimes I just want to perform a query on "real" users which have a specific format:
  1) all "real" users start with the letter "s"
  2) they all have a 5 digit number after the "s"
  3) they all end with an "n" or a "d"
  How would I do a get-aduser to return just the "real" users in my organization? Do I need some sort of regex, or can I use get-aduser -filter 'samaccountname -like xxxxx' ?
  Thank you
  [email protected]

  I don't think you'd need a loop, at the worst, a where-object piped after:
  $users = get-aduser -filter * | Where-Object {$_.samaccountname -match "[Ss]{1}[0-9]{5}[NnDd]{1}"}
  [email protected]
  Don't discount the provider filter just because it won't filter exactly what you want:
  Get-ADUser -Filter {SamAccountName -like 's*'} |
  where { ($_.SamAccountName -match "[Ss]{1}[0-9]{5}[NnDd]{1}") }
  will eliminate all the accounts that don't start with "s" up front, cutting down on what's left to filter in Where-Object.
  [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

• Get-ADUser Script Runs but issues error command before returning all results

  Greetings;
  I am running Windows Server 2008-R2 and try to execute a PowerShell command as follows:
  I am trying to locate user objects that have been inactive since September 1 and do not have any Exchange mailboxes. The query does run and I do get a number of records, however, the error is issued, as shown above.
  can you please shed some light as to why I am getting this error message? I do appreciate your time.
  Behrooz

  I see this thread isn't answered yet, so I'm taking another shot at it.  I am positive my script is going to give you the results you are looking for. I have reproduced this in my lab.
  What I did:
  - I created a set of users in an OU in my domain.
  - I populated the 'employeeType' property on a handful of them
  - I created mailboxes fora subset of those users on my Exchange server
  - I did NOT log in with any of these accounts, but that is the easy part.
  Run this query and you will get a returned set of accounts that:
  - Have not logged on since 9/1/2013
  - Do NOT have a mailbox (this is query-able through Get-ADUser because the HomeMDB property is only populated when you have a mailbox.  Using the Exchange tools is not necessary)
  - Accounts that do NOT have any anything in their 'employeeType' property.
  Get-AdUser -filter * -properties * |
  Where-Object {$_.HomeMDB -eq $NULL -AND
  $_.employeeType -eq $NULL -AND
  $_.lastlogondate -ge "9/01/2013"} |
  Select displayname,distinguishedname,samaccountname,employeetype |
  Export-Csv "employeetype.csv" -notypeinformation
  ** This result is going to find people with NO employeeType.  If that is the opposite of what you're looking for, change that like from -eq (equal) to -ne (not equal) or you can use -like and -notlike.  Both give the same results.
  Your results will export to a CSV and will not print to the screen.  Again, with the way this is written, the employeetype column will be empty.
  If you want to copy and paste this script, please paste it into the ISE and push play.  If you save it as a .ps1, you'll have to ensure you have the appropriate executionpolicy set (Open PS as an admin, run 'set-executionpolicy unrestricted')
  If you chose to run it in a PS window as is, please ensure this whole syntax is all on one line.
  Okay! Come back and tell me you were successful and mark me as the answer!! :)
  Chris Ream

• Get-aduser -filter -memberof group name issues

  I want to use powershell to return all users who are domain admins into a CSV
  Are these commands close to what I should be doing?
  get-aduser -filter -memberof "domain admin" 
  get-adgroupmember -filter "-eq 'Domain Admin'"
  Then I will exporting to CSV with this working part of the script.
  -Properties * | Select-Object -Property Name,DisplayName,Title,EmailAddress,GivenName,sn,StreetAddress,Office,City,State,PostalCode,Country,OfficePhone,Company,HomePhone,mobile,Department | Sort-Object -Property Name | export-csv c:\UserPropertiesCSV.csv

  If you want more information than is being returned by Get-ADGroupMember, you can pipe the results into Get-ADUser.
  Get-ADGroupMember "Domain Admins" |
  Get-ADUser -properties Displayname, Title, EmailAddress, GivenName, sn, StreetAddress, Office, City, State, PostalCode, Country, OfficePhone, Company, HomePhone, Mobile, Department |
  Select-Object Name, DisplayName, Title, EmailAddress, GivenName, sn, StreetAddress, Office, City, State, PostalCode, Country, OfficePhone, Company, HomePhone, Mobile, Department |
  Export-CSV ".\results.csv"

• Microsoft.ActiveDirectory.Management.ADPropertyValueCollection issue on get-aduser

  I am running the command
  get-aduser username -Properties * | select name, publicDelegates, publicDelegatesBL
  But the output only returns Microsoft.ActiveDirectory.Management.ADPropertyValueCollection,
  despite knowing there are delegates setup for the user queried.
  Is there anyway round this? I dont understand why it doesnt return the correct information. I did wonder if its perhaps because there are a number of entries
  in both fields?

  get-aduser username -Properties * | select -Expand publicDelegatesBL
  get-aduser username -Properties * | select name, @{N='publicDelegates';E={$_.publicDelegates -join '|'}}
  \_(ツ)_/

• Get-ADUser Excluding Specific Groups

  I'm using Get-ADUser to retrieve all of the users in the DC except those in three specific groups previously defined using their distinguished name. The below returns 14 users when it should return 5.
  $users = Get-ADUser -Filter { ((memberof -notlike $grp1) -and (memberof -notlike $grp2) -and
  (memberof -notlike $grp3))} | MyFunction | Where-Object {$_.Enabled -ne $false}
  Any thoughts? Thanks in advance.

  Enabled is a default property for Get-ADUser so you should include this in the filter (server side) rather than filtering client side.
  What is 'MyFunction'?
  I tend to validate the groups using Get-ADObject first.
  For example...
  $group = (Get-ADObject -Filter {cn -like "group"}).DistinguishedName
  $users = Get-ADObject -Filter {memberof -like $group}
  I've tried filtering the memberof without having the distinguishedname, and using wildcards but it fails (which might be where you are having an issue).  The wildcards work fine against CN.
  These all work...
  {cn -like "group"}
  {cn -like "group*"}
  {cn -like "*group*"}
  It might be something to do with the fact that the memberof property is a multi-attribute field and each group is listed against the user with its distinguished name.
  Hopefully, someone will be able to explain why wildcards don't seem to work.

• Get-ADuser and formatting results

  What Im looking to do is to output all of my AD Users, including all of their properties, and then output that to a tabular format. The issue I am having is that some of the fields, like MemberOf, dont come through. My script looks like the following:
  Get-ADuser -Filter * -Properties * | Export-CSV C:\Temp\MyFile.csv
  This is almost what I want, but I just need for all of the properties to be expanded. Some end in "..." meaning there is more to be shown, and others such as "MemberOf" show "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection" instead of showing
  the actual groups.
  Thanks in advance for any help!
  Jarrod Sturdivant [email protected]

  I had the same question and the "Exchange Proxy Address (alias) Report" Blog entry helped me a lot in this case.
  Here is my adaption
  $multipcgroups = @()
   $Pclist = import-csv mypclist.csv | foreach {get-adcomputer -identity $_.name -Properties * | select name, memberof}
   foreach ($pc in $pclist) {
   [array]$pcgroups = $pc.memberof
  $ErrorActionPreference = 'SilentlyContinue'
   $pcadgroup = New-Object PSObject -Property @{
  Name = $pc.name
   pcadgroup0 = $pcgroups[0] -replace "OU=SW,OU=Groupx,OU=foo,DC=company,DC=de" -replace "OU=Filter,OU=Technical Roles,DC=company,DC=de"
  pcadgroup1 = $pcgroups[1] -replace "OU=SW,OU=Groupx,OU=foo,DC=company,DC=de" -replace "OU=Filter,OU=Technical Roles,DC=company,DC=de"
  pcadgroup2 = $pcgroups[2] -replace "OU=SW,OU=Groupx,OU=foo,DC=company,DC=de" -replace "OU=Filter,OU=Technical Roles,DC=company,DC=de"
  $ErrorActionPreference = 'Continue'
   $pcadgroupCount = ($pcgroups).count
   if ($pcadgroupCount -gt 0) {
  $multipcgroups += $pcadgroup
   $multipcgroups | select name, pcadgroup0,pcadgroup1,pcadgroup2 | Export-CSV pcadgroups.csv -notype
  regards
  Andreas

• Error troubleshooting in AD Module - Get-Aduser w/created filter

  Hi All,
  I'm working as an intern with my university, and I've been tasked with clearing out old student accounts in AD. There are currently over 4000 users in our system, and it's estimated that there are over 3500 old accounts that need to be deleted.
  We are at the 2008 R2 Domain Functional Level.
  I am going to script this through Powershell, but I'm having a terrible time getting a certain query to run properly.
  I am using the following:
  get-aduser -filter {created -lt '1/1/2010' -and lastlogontimestamp -notlike '*'} -properties created
  I will sometimes narrow my query by adding another filter for created -gt '1/1/2008', for instance.
  When I run the command as written, however, it will return several hundred users, but then it spits out the following error after the last displayed result:
  Get-ADUser : The specified method is not supported
  At C:\Users\Administrator.CSC\Desktop\test1.ps1:4 char:15
  + get-aduser <<<< -filter {created -lt '1/1/2010'} -properties created | ft name,samaccountname,created
  + CategoryInfo : NotSpecified: (:) [Get-ADUser], ADException
  + FullyQualifiedErrorId : The specified method is not supported,Microsoft.ActiveDirectory.Management.Commands.GetADUser
  If I narrow my search scope by created date, I can sometimes get the error to not appear. My guess is that there are several accounts in the database that trigger the error (or at least, that's how it appears).
  I have tried running this on both a DC and a non-dc server with server management tools installed. It doesn't matter what other filters are used, so omitting the lastlogontimestamp filter doesn't prevent the error.
  My supervisor seems to think there may be errors in the AD database, but I've done every AD health check I can think of.
  Does anyone have any suggestions?
  Thanks,
  Brandon

  If you have access to Microsoft Connect (I believe you must be an MVP), it would help to vote on this report, as that should help prioritize it.
  You don't need to be a MVP for access to Connect, here's a direct link to the bug report Richard opened:
  https://connect.microsoft.com/PowerShell/feedbackdetail/view/963333/ad-module-cmdlets-raise-error-if-there-are-more-than-256-results
  The command from the report does appear to work for me in v4 (Win7):
  PS C:\> Get-ADUser -Properties Created -Filter "Created -gt '9/1/2014'" | measure
  Count : 260
  I also tested the command that failed in the post above and v3 appears to be working for me as well (WS2012):
  PS C:\> $start = (Get-Date).AddDays(-1)
  PS C:\> get-aduser -filter {modified -gt $start} | measure
  Count : 263
  Perhaps the count needs to be higher to replicate this.
  EDIT: I just created a bunch of new user accounts and I still can't replicate this (v3 on WS2012 again):
  PS C:\> $start = (Get-Date).AddDays(-1)
  PS C:\> get-aduser -filter {modified -gt $start} | measure
  Count : 1803
  EDIT2: DC is WS2008SP2.
  Don't retire TechNet! -
  (Don't give up yet - 13,085+ strong and growing)

• Filtering Issues

  Hello Aperture Users,
  I am having filtering problems that do not make sense. When I filter a folder with in the library for "Calliope Hummingbirds" only I get 508 images but when I apply an additonal keyword of "Male" I get 1094 images that are the original Calliope and any other one that is "Male". This is not what I expect, I expect a smaller number of images that are both Calliope and Male.
  My filter is (the little dark box with a magnifing glass icon on the upper right of the browser window. It is set to find images "include if ALL of the following MATCH".
  Also not that the filtering take a long time 20 or more seconds. My entire library is some 13,000 images not huge, I think. Any ideas how to speed it up. I have a a dual processor G5 Power PC with 4.5 Gigs of Ram.
  Thanks for your help in advance.
  Dick

  Believe you want to filter the NULL values in the grid.if so, refer to the following post, hope it helps
  http://social.technet.microsoft.com/Forums/sharepoint/en-US/23f6367e-17f1-4128-a2cd-bf946dc31414/spgridview-filtering-issues?forum=sharepointdevelopmentprevious
  --Cheers

• Get-ADUser -server

  Hi all
  I am at the beginning of my powershell skills so excuse my silly question.
  I am writing a script where I want to use a specific AD controller. And want to define the server as a variable.
  $dc=srv01.contoso.com
  Get-ADUser -Identity "test" -server $dc -Properties name,enabled
  However I always get the error:
  + Get-ADUser -Identity "test" -server <<<<  $dc -Properties name,enabled
      + CategoryInfo          : InvalidData: (:) [Get-ADUser], ParameterBindingValidationException
      + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.ActiveDirectory.Management.Commands.GetADUser
  If I run:
  Get-ADUser -Identity "test" -server srv01.contoso.com -Properties name,enabled
  It runs with no issues.
  Thanks for your help.

  Hi Grimbi,
  try this:
  $dc = "srv01.contoso.com"
  Get-ADUser -Identity "test" -server $dc -Properties name,enabled
  Why does this happen?
  As a parameter of a command, powershell assumes the input is a string (since the parameter demands a string). However when you Store something in a variable it has to guess about the input type. By wrapping it in double-quote, you tell PowerShell "This
  is a string". Otherwise it can't tell whether it's supposed to be a command, an Alias, etc. .
  Cheers,
  Fred
  There's no place like 127.0.0.1

• Get-ADUser with the -LDAPfilter using a regex

  I'm by no means a novice to PowerShell, but for my first year and 1/2 using it the organization I worked for only had 2003 AD functional level, so to do AD stuff I needed to use the Quest Active Directory tools (get-qaduser). Now that I'm working for a place
  that is a bit more modern on their infrastructure, I just can't seem to wrap my head around get-aduser stuff when dealing with filters and LDAPfilters - AKA, "I'm used to QAD being easy, please help!"
  Could someone give me an overview with lots of examples?
  Thank you.
  [email protected]

  There's definitely examples in both of the links Boe posted. LDAP filtering is certainly different from OPath and takes some getting used to if you haven't seen it before. Here's another set of examples:
  http://clintboessen.blogspot.com/2009/10/ldap-queries-for-group-scope.html
  Is there anything specific you're trying to do with it?
  Don't retire TechNet! -
  (Don't give up yet - 12,700+ strong and growing)
  Ahhh, I see my mistake ... I was asking for just plain old syntax/examples, and what I really wanted was a few examples of the
  entire command.
  I.E.
  get-aduser -LDAPFilter "(badpwdcount>=5)"
  I just never seem to remember what needs quotes, what needs single quotes, what needs parens, what needs brackets ... etc.
  [email protected]

• Get-ADUser : The server has returned the following error: invalid enumeration context.

  I'm running a powershell command to add the email (AD mail) attribute to users in a specific OU.  It seems to work then will bomb out with the error in the title.
  I'm using a "scripting guy" command that I've altered with my specfic OU/domain information however, I'm pasting in the more "generic" version :: Get-ADUser -LDAPFilter "(!(mail=\.name*))" -resultSetSize $null -searchbase "ou=test,dc=nwtraders,dc=com"|
  % {set-aduser -identity $_.distinguishedname -email ($_.samaccountname + "@nwtraders.com")}
  I work for a school district and this command is being used to add the mail attribute to the student's accounts.  I think about 2/3 of the students are completed but the script/command bombs and I'm not sure where or why.  I've resubmitted the
  command several times but I'm not sure whether it's starting from where it bombed or if it's starting again at the beginning and essentially re-doing the ones already completed.
  Can someone point me in the direction of a work around or a resolution to the Get-ADUser error?
  Thanks!!

  I don't know the error, so I can only guess there. But the LDAP syntax filter cannot be correct. Can you provide a link to the reference where "Scripting Guy" suggested this?
  As written, you are retrieving all users where the mail attribute does not begin with the string ".name" (case insensitve), where "name" is not a property or attribute, but a string value. LDAP syntax clauses are in the format:
  (<attributeName><operator><value>)
  In your case, <operator> is "=", <attributeName> is "mail", and <value> is ".name". The "\" character is the escape character, which means to interpret the following character (the period in
  this case) literally. You cannot use an attribute name on the right side of the operator (the "="), unless PowerShell has introduced some functionality I am not familiar with to expand the LDAP syntax. For example, the following does not filter
  on users where the first name is the same as the last name:
  (givenName=\.sn)
  Instead, it filters on users where the first name is the string ".sn". Even if "\.name" was interpreted by the Get-ADUser cmdlet to be the "Name" attribute of the user, this would cause problems. "Name" is the
  Relative Distinguished Name of the user (the value of the cn attribute) and it could include commas or spaces. I would expect "\.sAMAccountName" to make more sense.
  Richard Mueller - MVP Directory Services

• Get-aduser help

  I am trying to get a set of specific users in an OU that are tied to a certain security group. I am wanting the name and the last password set date to try and keep up with password information. I have read-only rights to this domain so special tools don't
  work. Here is my query so far
  get-aduser -filter {Memberof -like "SNbio*"} -Searchbase 'OU=Users,OU=US,OU=Site,OU=Managed Objects,dc=company,dc=net' -properties Name,pwdLastSet
  Without the filter this works to show me all objects in the OU, but again I only want the ones that are members of a certain group to show. If anyone could help I would much appreciate it. 
  Christopher

  The disadvantage of that approach is that you are retrieving all users in the OU, not just the ones that are members of the group, and then filtering them out afterwards. It is more efficient to specify group membership as part of the search filter.
  Bill
  I didn't bother considering the efficiency, but I likely should have, as your suggestion is ultimately better, to include the calculated property. I tested both in my environment and I lost 19 milliseconds. I really could have used that extra time! I fully
  understand the impact this could have in an OU that was populated more so than my environment, and therefore, thank you for pointing this out.

• How do I use Get-ADUser to get just the Managers attribute? And then get rid of duplicates in my array/hash table?

  Hello,
        I am trying to just get the Managers of my users in Active Directory. I have gotten it down to the user and their manager, but I don't need the user. Here is my code so far:
  Get-ADUser-filter*-searchbase"OU=REDACTED,
  OU=Enterprise Users, DC=REDACTED, DC=REDACTED"-PropertiesManager|SelectName,@{N='Manager';E={(Get-ADUser$_.Manager).Name}}
  |export-csvc:\managers.csv-append 
  Also, I need to get rid of the duplicate values in my hash table. I tried playing around with -sort unique, but couldn't find a place it would work. Any help would be awesome.
  Thanks,
  Matt

  I would caution that, although it is not likely, managers can also be contact, group, or computer objects. If this is possible in your situation, use Get-ADObject in place of Get-ADUser inside the curly braces.
  Also, if you only want users that have a manager assigned, you can use -LDAPFilter "(manager=*)" in the first Get-ADUser.
  Finally, if you want all users that have been assigned the manager for at least one user, you can use:
  Get-ADUser
  -LDAPFilter "(directReports=*)" |
  Select @{N='Manager';E={ (Get-ADUser
  $_.sAMAccountName).Name }}
  -Unique | Sort Manager |
  Export-Csv .\managerList.csv -NoTypeInformation
  This works because when you assign the manager attribute of a user, this assigns the user to the directReports attribute of the manager. The directReports atttribute is multi-valued (an array in essence).
  Again, if managers can be groups or some other class of object (not likely), then use Get-ADObect throughout and identify by distinguishedName instead of sAMAccountName (since contacts don't have sAMAccountName).
  Richard Mueller - MVP Directory Services

• How can I get back old issues from my TIME app?

  Hi, I hope someone can help me.  I've been trying to get help for a month now.  I had purchased several issues from TIME app but when I just got my ipad 2, I couldn't get the issues back.  I used the same ID and password.  I decided to try buying a new issue and when I did, I had an email from itunes warning me that it was not my usual ID.  I am very confused.  I wrote to TIME and they say I should contact itunes.  I have spent hours trying to contact itunes for help.  They seem uncontactable.  Can someone please tell me if I can somehow get my old issues back?
  Karen

  If they were not backed up or part of photostream, then no, you cannot.