Get-ADObject Filter vs LDAP Filter

Get-ADObject Filter Definition:

<filter> ::= "{" <FilterComponentList> "}"
<FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent>
<FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")"
<FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike"
<JoinOperator> ::= "-and" | "-or"
<NotOperator> ::= "-not"
<attr> ::= <PropertyName> | <LDAPDisplayName of the attribute>
<value> ::= <compare this value with an <attr> by using the specified <FilterOperator>>

LDAP Filter Definition:

<filter> ::= '(' <filtercomp> ')'
<filtercomp> ::= <and> | <or> | <not> | <item>
<and> ::= '&' <filterlist>
<or> ::= '|' <filterlist>
<not> ::= '!' <filter>
<filterlist> ::= <filter> | <filter> <filterlist>
<item> ::= <simple> | <present> | <substring>
<simple> ::= <attr> <filtertype> <value>
<filtertype> ::= <equal> | <approx> | <ge> | <le>
<equal> ::= '='
<approx> ::= '~='
<ge> ::= '>='
<le> ::= '<='
<present> ::= <attr> '=*'
<substring> ::= <attr> '=' <initial> <any> <final>
<initial> ::= NULL | <value>
<any> ::= '*' <starval>
<starval> ::= NULL | <value> '*' <starval>
<final> ::= NULL | <value>

Examples:

Find all users that are members of "Group1", including through nested groups:

(memberof:1.2.840.113556.1.4.1941:=CN=Group1,OU=groupsOU,DC=domain,DC=com)
{memberof -recursivematch 'CN=Group1,OU=groupsOU,DC=domain,DC=com'}

Find all groups that 'user1' is a member of, including through nested groups:

(member:1.2.840.113556.1.4.1941:=CN=user1,CN=users,DC=domain,DC=com)
{member -recursivematch 'CN=user1,CN=users,DC=domain,DC=com'}

Find all enabled accounts (bit 2 of userAccountControl, the "account disabled" flag, is not set):

(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
{objectCategory -eq 'Person' -and -not userAccountControl -band 2}
{objectCategory -eq 'Person' -and Enabled -eq $true}

Get all users with an email address:

(&(objectClass=user)(mail=*))
{objectClass -eq 'user' -and EmailAddress -like '*'}

Get all user entries with a common name that starts with "andy", "steve", or "margaret":

(&(objectClass=user)(|(cn=andy*)(cn=steve*)(cn=margaret*)))
{objectClass -eq 'user' -and (Name -like 'andy*' -or Name -like 'steve*' -or Name -like 'margaret*')}
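
The operator correspondence used in the examples above, written out as an added PowerShell sketch (not code from the original post or from the ActiveDirectory module). ConvertTo-LdapFilterItem is a hypothetical helper name. It goes beyond the examples by covering every operator in the grammar and by escaping filter metacharacters in the value, and it assumes the attribute is given by its LDAP display name.

```powershell
# Added example: ConvertTo-LdapFilterItem is a hypothetical helper, not an ActiveDirectory cmdlet.
function ConvertTo-LdapFilterItem {
    [CmdletBinding()]
    param(
        # LDAP display name (e.g. mail); property names such as EmailAddress are not mapped.
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)]
        [ValidateSet('eq','ne','ge','le','gt','lt','approx','band','bor',
                     'recursivematch','like','notlike')]
        [string]$Operator,
        [Parameter(Mandatory)][string]$Value
    )

    # The LDAP grammar has only =, ~=, >= and <=, so -ne, -gt, -lt and -notlike
    # become negated items; the bitwise and recursive operators become matching rules.
    $template = @{
        eq             = '({0}={1})'
        ne             = '(!({0}={1}))'
        ge             = '({0}>={1})'
        le             = '({0}<={1})'
        gt             = '(!({0}<={1}))'
        lt             = '(!({0}>={1}))'
        approx         = '({0}~={1})'
        band           = '({0}:1.2.840.113556.1.4.803:={1})'
        bor            = '({0}:1.2.840.113556.1.4.804:={1})'
        recursivematch = '({0}:1.2.840.113556.1.4.1941:={1})'
        like           = '({0}={1})'
        notlike        = '(!({0}={1}))'
    }

    # RFC 4515 escaping: \ ( ) and NUL always; * as well unless the operator takes wildcards.
    $special = if ($Operator -in 'like','notlike') { '[\\()\x00]' } else { '[\\*()\x00]' }
    $toHex   = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) '\{0:x2}' -f [int][char]$m.Value
    }
    $escaped = [regex]::Replace($Value, $special, $toHex)

    $template[$Operator] -f $Attribute, $escaped
}

# Constructed sample inputs; the last value contains filter metacharacters.
ConvertTo-LdapFilterItem -Attribute memberOf -Operator recursivematch -Value 'CN=Group1,OU=groupsOU,DC=domain,DC=com'
ConvertTo-LdapFilterItem -Attribute userAccountControl -Operator band -Value 2
ConvertTo-LdapFilterItem -Attribute cn -Operator like -Value 'andy*'
ConvertTo-LdapFilterItem -Attribute cn -Operator eq -Value 'andy*)(objectClass=*'
```

The returned string can be passed to Get-ADObject -LDAPFilter. In the last call the parentheses and asterisks come back hex-escaped, so the value stays a single literal comparison instead of changing the shape of the filter.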

 

 
