Summary<\/b>: Learn how to use the Filter<\/b> parameter and the Windows PowerShell Expression Language on the Active Directory module cmdlets.<\/p>\n
![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\")
Hey, Scripting Guy! I do not know why you like ADSI so much. The syntax is obscure, and it makes things hard to read. Yesterday’s blog that used Get-ADComputer<\/b> could have been so much better if you had left out that stupid ADSI filter. What gives, Scripting Guy? You’re not turning developer on me are you?<\/p>\n
—JJ<\/p>\n
![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\")
Hello JJ,<\/p>\n
Microsoft Scripting Guy, Ed Wilson, is here. No JJ, I am not turning developer on you, but Windows PowerShell is a great way to allow one to get in touch with their “inner developer.” I have been writing code for a very long time. Back when I bought my first computer (an Osborne<\/a>), if I wanted a program to do something like balance a check book, I had to write it myself. It was a great way to learn programming (if somewhat error prone and slow). Since then, I have written everything from assembly (at the University) through C++. Truly and honestly though, Windows PowerShell is the most fun. Even though I can write code, I do not consider myself a developer. In my heart-of-hearts, I am an IT Pro and a hardware geek<\/a>.<\/p>\n So what is the deal with using ADSI and LDAP? For one thing, it is standard. My early experience with messaging systems was all X.500<\/a> based, and from there, it is a short hop to LDAP. Familiarity with LDAP dialect permits one to easily use some of the many examples of LDAP dialect and ADO to query Active Directory on the Scripting Guys Script Repository. It is trivial to “steal” the LDAP query and plug it in to Get-ADComputer<\/b> or Get-ADObject<\/b>, regardless of the native language of the original script. As an example of this, consider the VBScript, Search for User Phone Numbers Beginning with 425<\/a>, <\/i>on the Scripting Guys Script repository. The essence of this 20 line script is shown here.<\/p>\n objCommand.CommandText = _<\/p>\n “<LDAP:\/\/dc=fabrikam,dc=com>;(&(objectCategory=User)” & _<\/p>\n “(telephoneNumber=425*));Name;Subtree” <\/p>\n I take the filter portion of the script and I end up with the following LDAP filter.<\/p>\n “(&(objectCategory=User)(telephonenumber=425*))”<\/p>\n This filter is exactly what I need when I plug it in to the LDAPFilter<\/b> parameter of the Get-ADUser<\/b> cmdlet. In fact, the hard part was already done when I found the LDAP dialect ADO query in the previous VBScript—not to mention the cool factor of taking a 20-line VBScript and shrinking it to a single Windows PowerShell line as shown here.<\/p>\n Get-ADUser -LDAPFilter “(&(objectCategory=User)(telephonenumber=425*))”<\/p>\n One problem with using the filter<\/b> <\/i>parameter instead of an LDAP filter is having to learn a new filter syntax. (Of course, all the examples in Backus-Naur Form<\/a> do not really help the average IT Pro much with this learning task). Another problem with using the filter<\/b> <\/i>parameter is that generally the syntax is more work than the corresponding LDAP filter. For example, the query to find users with phone numbers that begin with 425 is shown here.<\/p>\n Get-ADUser -Filter {(objectCategory -eq “User”) -and (TelephoneNumber-like “425*”)}<\/p>\n You can see that the syntax is similar to the LDAP filter, but it uses the Windows PowerShell operators instead of the LDAP operators. In addition, the quotation marks are required.<\/p>\n To rewrite the LDAP query that returns only servers, I would use the command shown here.<\/p>\n Get-ADComputer -Filter {(objectcategory -eq “computer”) -AND (OperatingSystem -like ‘*server*’)}<\/p>\n One thing to keep in mind is that the filter<\/b> <\/i>parameter does not support Regular Expressions in the filter. Therefore, I cannot use the following command because it generates an error.<\/p>\n Get-ADComputer -Filter {(objectcategory -eq “computer”) -AND (OperatingSystem -match ‘server’)} -Properties operatingsystem<\/p>\n The command and the error message are shown here.<\/p>\n The following table lists the supported filter operators.<\/p>\nReuse LDAP queries from other scripting languages<\/h2>\n
Query Active Directory without LDAP<\/h2>\n
![\"Image](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/1803.HSG-8-16-12-01.png\" "\\"Image")
<\/a><\/p>\n