Home / server / Questions / 132100
Accepted
dboftlp
Asked: 2010-04-14 12:11:39 +0800 CST

Get-QADComputer -LdapFilter & NOT operator

  • 772

I'm having issues excluding an OU from my LDAP filter

$DaysAgo = (Get-Date).AddDays(-31)
$ft = $DaysAgo.ToFileTime()

Get-QADComputer -SizeLimit 0 -IncludeAllProperties
-SearchRoot 'DC=My,DC=Domain,DC=Local'
-LdapFilter "(&(objectcategory=computer)(lastLogonTimeStamp<=$ft)
(!(ou:dn:=DisabledPCs))(|(operatingsystem=Windows 2000 Professional)
(operatingSystem=Windows XP*)(operatingSystem=Windows 7*)
(operatingSystem=Windows Vista*)(operatingsystem=Windows 2000 Server)
(operatingsystem=Windows Server*)))"

I'm looking to query for all Windows OS systems that haven't logged in to AD for more than 31 days & that are not already in the OU "DisabledPCs", which is where I'll be moving them to.

When I run it now, I'm getting all the systems I'm looking for, including those in the "DisabledPCs" OU... I've tried several variations including:

(&(!(ou:dn:=DisabledPCs)))

As well as putting it in different locations in the filter (not that I thought it would make a difference, but I obviously don't know that...)

Thanks in advance for any help,

-dboftlp

powershell active-directory ldap

2 Answers

  1. What I find easiest with LDAP filters is to break them up in the format below: (Apache DS seems to do this automatically, which is really helpful).

    (&
  (objectcategory=computer)
  (lastLogonTimeStamp<=$ft)
  (!
    (ou:dn:=DisabledPCs)
  )
  (|
   (operatingsystem=Windows 2000 Professional)
   (operatingSystem=Windows XP*)(operatingSystem=Windows 7*)
   (operatingSystem=Windows Vista*)
   (operatingsystem=Windows 2000 Server)
   (operatingsystem=Windows Server*)
  )
)

    So I think maybe, if you reordered the filter more as:

    (&
  (!
    (ou:dn:=DisabledPCs)
  )
  (
    (objectcategory=computer)
    (lastLogonTimeStamp<=$ft)
    (|
     (operatingsystem=Windows 2000 Professional)
     (operatingSystem=Windows XP*)(operatingSystem=Windows 7*)
     (operatingSystem=Windows Vista*)
     (operatingsystem=Windows 2000 Server)
     (operatingsystem=Windows Server*)
    )
  )
)

    I did not test that, but I think making the & two part, the NOT, and then everything else by bracketing it off, ought to do it.

    Let me know if that is any closer.

    • 1
  2. Best Answer

    Just as an FYI from a similar question over on stackoverflow

    "AD doesn't support these kind of extensible match"
    Source

    What I've basically done is totally simplified the script with some help from powershellcommunity.org poster cameronove to come up with the following:

    $DaysAgo = (Get-Date).AddDays(-31)
$ft = $DaysAgo.ToFileTime()
$StComps = Get-QADComputer -SizeLimit 0 -IncludeAllProperties `
-SearchRoot 'DC=MY,DC=DOMAIN,DC=LOCAL' `
-LdapFilter "(&(&(lastLogonTimeStamp<=$ft)(operatingsystem=*Windows*)))" `
| Where { $_.dn -notmatch "DisabledPCs"}

    I simplified the OS filter that helps me avoid other non Win OS's and piped the OU exclusion to not include the OU I want to move systems to later in my script. I'm not including that part here, because I log it to an Excel workbook with a foreach loop and it's much more involved than my original Q?...

    If you are interested in seeing the whole script, feel free to hit me up
    @dboftlp on twitter
    or via dboftlp at gmail dot com

    • 1