September 8, 2016 at 4:51 pm

Hi everybody

Hope someone can help me with this problem

I am pulling users from AD using get-aduser. In this case I need to filter by "Description".
I have tried filtering using the filter parameter and also tried piping it into "Where".... same result.

Here is my -filter
{description -notlike "Description1*" -or description -notlike "Description2*"}
and here is my "where" filter
{$_.description -notlike "Description1*" -or $_.description -notlike "Description2*"}

Btw,
{$_.description -like "Description1*" -or $_.description -like "Description2*"} works as expected 🙂

Am I attempting something illogical?

September 8, 2016 at 5:00 pm

Yes, something illogical. Need to use -and instead of -or.

Say you want to find every description that doesn't contain bob or john

let description equal "bob" therefore we want it to evaluate to false

description is not like "*john*" or description is not like "*bob*", evaluates to:
True (because "*john*" isn't like "bob") -or False, which evaluates to:
True

However

description is not like "*john*" and description is not like "*bob*", evaluates to:
True -and False, which evaluates to:
False

  • This reply was modified 1 year, 11 months ago by  Craig Duff.

September 8, 2016 at 5:26 pm

Hi Craig

false or false = false
true or true = true
true or false = true
false and false = false
true and true = true
true and false = false

Makes perfect sense as logic tends to do.
Thank you.

September 8, 2016 at 5:42 pm

I'm not sure the cmdlets support -notlike in the -filter parameter; keep in mind all that has to translate to LDAP query syntax under the hood. You might consider using -LdapFilter instead, so you can be more precise. The LDAP syntax is different, but it's what AD uses natively, so you'll be skipping a translation "layer."

As for Where-Object, make sure that you're specifying the Description field to be included in the query results. I'd also use parentheses around the subexpressions, personally:

{ ($_.description -notlike "User*") -or ($_.description -notlike "Admin*") }

But I guess I question the logic a bit. If the Description is "User," that filter will allow it through, because it is not like "Admin*." Conversely, if it is "Admin," the filter will pass it because it is not like "User*." Essentially, any description should make it through that filter.
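An added example, not part of any post in this thread: the -or and -and forms of the filter discussed above, run side by side through Where-Object. The objects are constructed stand-ins for Get-ADUser output (the account names are made up), so it runs without a domain.

```powershell
# Constructed sample objects standing in for Get-ADUser output (not real accounts).
$users = @(
    [pscustomobject]@{ SamAccountName = 'u1'; Description = 'Description1 - finance' }
    [pscustomobject]@{ SamAccountName = 'u2'; Description = 'Description2 - helpdesk' }
    [pscustomobject]@{ SamAccountName = 'u3'; Description = 'Contractor' }
    [pscustomobject]@{ SamAccountName = 'u4'; Description = $null }   # attribute not set
)

# Original filter: a value cannot start with both prefixes, so at least one
# -notlike is always true and -or lets every object through.
$withOr = $users | Where-Object {
    ($_.Description -notlike 'Description1*') -or ($_.Description -notlike 'Description2*')
}

# Corrected filter: both conditions must hold.
$withAnd = $users | Where-Object {
    ($_.Description -notlike 'Description1*') -and ($_.Description -notlike 'Description2*')
}

# De Morgan equivalent: negate the -like/-or form that already worked.
$negated = $users | Where-Object {
    -not (($_.Description -like 'Description1*') -or ($_.Description -like 'Description2*'))
}

'{0} of {1} pass the -or filter' -f @($withOr).Count, $users.Count
'-and filter keeps:     ' + ($withAnd.SamAccountName -join ', ')
'-not (-or) form keeps: ' + ($negated.SamAccountName -join ', ')

# The same condition in LDAP syntax, for use with Get-ADUser -LDAPFilter:
$ldapFilter = '(&(!(description=Description1*))(!(description=Description2*)))'
$ldapFilter
```

In Where-Object an unset Description compares as an empty string, so that account passes both -notlike tests and stays in the result.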

September 8, 2016 at 6:10 pm

Just tested using "-notlike" as an operator in the filter parameter and it works. Based on what you said about LDAP filters I will definitely take a look.

I know about the need to specify the properties that are not returned by default. Been there, done that (ohh, yes). I hope the PowerShell team will consider throwing an error when you try to use a property that is nonexistent, like "get-aduser jdoe | select name,description".

And yes, the logic is a bit fuzzy. It makes sense when you express it using human language, but not using logical gates.
I forgot to look at the filter as one statement that either returns true or false.

Thank you for your response.

September 8, 2016 at 6:53 pm

I know about the need to specify the properties that are not returned by default. Been there, done that (ohh, yes). I hope the PowerShell team will consider throwing an error when you try to use a property that is nonexistent, like "get-aduser jdoe | select name,description"

Look into the Set-StrictMode cmdlet.

September 8, 2016 at 9:26 pm

Will do, thank you