Basic LDAP filters

I recently showed how to create an LDAP filter for an attribute that wasn’t set.  I thought it would be useful to show some other LDAP filters.

The examples are from a testing OU in my AD.

£> Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -Properties * -Filter * | select Name

Name
----
Dave Green
Dave Brown
Dave White
Jo Daven
Fred Green
Dale Greensmith
Dave Greenly

Finding objects where an attribute matches a given value is probably the easiest:

£> Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -Properties * -LDAPFilter '(sn=Green)' | select Name

Name
----
Dave Green
Fred Green

£> Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -Properties * -LDAPFilter '(givenName=Dave)' | select Name

Name
----
Dave Green
Dave Brown
Dave White

You can also match on substrings:

£> Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -Properties * -LDAPFilter '(sn=Gre*)' | select Name

Name
----
Dave Green
Fred Green
Dave Greenly
Dale Greensmith

£> Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -Properties * -LDAPFilter '(name=D*G*)' | select Name

Name
----
Dave Green
Dale Greensmith
Dave Greenly
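
When the value in an equality or substring filter comes from a variable rather than being typed by hand, characters such as * and ( change what the filter matches. The following is an added example, not code from the original post: it escapes the value as RFC 4515 requires before building the filter. The function names ConvertTo-LdapFilterValue and New-LdapMatchFilter are hypothetical, and the sample values are constructed.

```powershell
# Added example: build (attribute=value) filters so the value is matched literally.
# Both function names are hypothetical helpers, not part of the ActiveDirectory module.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515: \ * ( ) and NUL must be written as a backslash plus two hex digits.
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\{0:x2}' -f [int][char]$m.Value
    })
}

function New-LdapMatchFilter {
    param(
        # Attribute names are restricted to letters, digits and hyphens.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')]
        [string]$Attribute,

        [Parameter(Mandatory)]
        [string]$Value,

        # Append a trailing wildcard for a "starts with" match, as in (sn=Gre*).
        [switch]$Prefix
    )
    $escaped = ConvertTo-LdapFilterValue -Value $Value
    if ($Prefix) { $escaped += '*' }   # the only unescaped * is the one added here
    '({0}={1})' -f $Attribute, $escaped
}

# Constructed sample values
$filters = @(
    New-LdapMatchFilter -Attribute sn -Value 'Green'                # plain equality
    New-LdapMatchFilter -Attribute sn -Value 'Gre' -Prefix          # prefix match
    New-LdapMatchFilter -Attribute sn -Value '*'                    # literal asterisk, not "any value"
    New-LdapMatchFilter -Attribute name -Value 'Green (Contractor)' # parentheses inside the value
)
$filters

# Each string can be passed to the cmdlet used throughout this post, for example:
# Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -LDAPFilter $filters[1] | select Name
```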

You can also use an Ambiguous Name Resolution (ANR) filter which expands the filter to check a number of properties including:

displayname

givenname

proxyaddress

name

samaccountname

sn (surname)

£> Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -Properties * -LDAPFilter '(anr=Green)' | select Name

Name
----
Dave Green
Fred Green
Dale Greensmith
Dave Greenly

ANR is useful if you’re not sure which attributes to use, but it is a more expensive search option because a number of attributes have to be scanned per object. Indexed attributes help speed the process, but it’s still quicker to hit a single attribute.

Next time we’ll look at combining
