Exclude OU but maintain nested OU with same name


This topic contains 8 replies, has 4 voices, and was last updated by  Mike Maggs 2 years, 1 month ago.

  • #28932

    Mike Maggs

    I have an OU structure with multiple nested OUs and a lot of OUs with the same name.

    example – cn=abc1234,ou=MAG,ou=ABC1234,dc=magglab,dc=com

    I have not been able to exclude the MAG OU in line 3 without excluding it throughout the domain. I have 1000s of OUs called MAG nested under 1000s of OUs. (BTW this was inherited 🙁 )

    PS C:\Comps> get-adcomputer -resultsetsize 5000 -filter * -properties distinguishedname,Operatingsystem | select name,operatingsystem,distinguishedname | where-object { $_.distinguishedName -notlike "*ou=MAG*" }

    This shows everything except any OU labeled MAG, which I understand is by design. What I do not understand is how can I run this to show me everything except this OU level
    "OU=MAG,dc=magglab,dc=com" but still show me all nested OUs with the name MAG?

  • #28933

    Bob McCoy

    You're not going to be able to do it without expanding your -notlike operand to include the additional bit of information, i.e., if it immediately precedes the dc portion of the DN.

    $list = @"
    "@ -split "`r`n"
    $list | where {$_ -notlike "*ou=mag,dc*"} | foreach {
        "... $_"
    }

    Alternatively you could have done it with a RegEx as well.

    $list | where {$_ -notmatch "ou=mag,dc"} | foreach { "... $_" }
  • #28949

    Mike Maggs


    Are you saying I would need to run get-adorganizationalunit to capture all my OUs, then create the $variable to add all of the OUs together?

    Also in my example I would need to adjust the last line where I am trying to omit this OU and all sub OUs beneath it.

    Would be like this — CN=maggtest,ou=MAG,OU=ONEMORE,dc=magglab,dc=com
    Do I need to add 1 additional level to the example?

    $list | where {$_ -notlike "*ou=mag,ou=onemore,dc*"} | foreach { "... $_" }

  • #28951

    Chris Wolfenden

    Hi Mike,

    Are you just trying to get all AD computers except the ones found within magglab.com\MAG and its respective Sub OUs? If so, expanding the where-object expression to "*ou=mag,dc*", as Bob mentioned, should work. The distinguished name of all computers in that Mag OU and its sub OUs will end in ou=MAG,dc=magglab,dc=com.

    Get-ADComputer -ResultSetSize 5000 -Filter * -Properties DistinguishedName,OperatingSystem | Select-Object Name,OperatingSystem,DistinguishedName | Where-Object { $_.DistinguishedName -notlike "*OU=MAG,DC=magglab,DC=com" }
  • #28952

    Bob McCoy

    No, my use of the $last variable was just to hold your sample data so I could show that the expanded -like operand worked. And your clarification above only left me more confused as to what you are trying to accomplish.

    Are there multiple OUs off the root of the domain you want to exclude? If so, that's relatively easy with a -notmatch Regex.

    $list | where {$_ -notmatch "ou=(mag|onemore|yetanother),dc"} | foreach { "... $_" }
  • #28955

    Mike Maggs

    Bob, YES, I am trying to see if there are any computers remaining in any of the MAG OUs but I need to exclude — CN=maggtest,ou=MAG,OU=ONEMORE,dc=magglab,dc=com

    As I mentioned, there are about 1000 OUs and each OU has a subtree of OUs of which each one includes an OU named MAG.

    Once I determine there are no objects inside these OUs I will then need to delete them as well. Does this help at all?

    I guess what is throwing me is that I only want to look in the MAG OU of the Subtree and not this one... MAG,OU=ONEMORE,dc=magglab,dc=com

    I will look into the -notmatch REGEX options. Thanks for the direction.

  • #28962

    Curtis Smith

    Mike, as Bob has said, you only need to add more data to your where filter.


    In your current where-object filter, you are finding anything with "ou=MAG". As you can see, that matches all three lines above.

    However, if you add more data to your filter "OU=MAG,dc=magglab,dc=com", it only matches the third line in the sample data.

    get-adcomputer -resultsetsize 5000 -filter * -properties distinguishedname,Operatingsystem | select name,operatingsystem,distinguishedname | where-object { $_.distinguishedName -notlike "*OU=MAG,dc=magglab,dc=com" }
  • #28963

    Curtis Smith

    Re-reading your last post, you added an additional criterion. You only want the computer objects if they are in a MAG OU, as long as that MAG OU is not the OU=MAG,dc=magglab,dc=com MAG OU.

    For that you will need to define the additional condition.

    get-adcomputer -resultsetsize 5000 -filter * -properties distinguishedname,Operatingsystem | select name,operatingsystem,distinguishedname | where-object {$_.distinguishedName -like "*ou=MAG*" -AND $_.distinguishedName -notlike "*OU=MAG,dc=magglab,dc=com" }

    The first part of the criteria says only show objects that have ou=MAG in the distinguishedname, and the second part says don't show the ones that have OU=MAG,dc=magglab,dc=com in the distinguishedname.
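
An added example, not part of any reply in this thread and not the posters' code: the wildcard test `*ou=MAG*` also matches OUs whose names merely begin with MAG and text inside an escaped CN, so this sketch compares it with an exact comparison of parsed RDNs. The function names `Split-Dn` and `Test-InNestedMagOu` are hypothetical, and every sample DN except the first (taken from the question) is constructed.

```powershell
# Added example. Split a DN into RDNs on commas that are not backslash-escaped
# (a comma preceded by an even number of backslashes is a real separator).
function Split-Dn {
    param([Parameter(Mandatory)][string]$Dn)
    $Dn -split '(?<=(?<!\\)(?:\\\\)*),' | ForEach-Object { $_.Trim() }
}

# True when the object sits under an OU named exactly $OuName, unless the OU
# directly under the domain root is that OU (the top-level MAG is excluded).
function Test-InNestedMagOu {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$OuName   = 'MAG',
        [string]$DomainDN = 'DC=magglab,DC=com'
    )
    $rdns = @(Split-Dn $DistinguishedName)
    $dcs  = @(Split-Dn $DomainDN)
    $top  = $rdns.Count - $dcs.Count - 1          # index of the OU directly under the domain
    if ($top -lt 1) { return $false }             # object lives in the domain root
    $target = "OU=$OuName"
    if ($rdns[$top] -eq $target) { return $false } # -eq is case-insensitive for strings
    foreach ($i in 1..$top) {
        if ($rdns[$i] -eq $target) { return $true }
    }
    return $false
}

# Constructed sample data (first entry is the DN from the question).
$sample = @(
    'CN=abc1234,OU=MAG,OU=ABC1234,DC=magglab,DC=com'   # nested MAG
    'CN=pc1,OU=MAG,DC=magglab,DC=com'                  # top-level MAG
    'CN=pc2,OU=Sub,OU=MAG,DC=magglab,DC=com'           # below top-level MAG
    'CN=pc3,OU=MAGNET,OU=ABC1234,DC=magglab,DC=com'    # OU name only starts with MAG
    'CN=pc4\,ou=MAG,OU=Lab,DC=magglab,DC=com'          # escaped comma inside the CN
)

# Compare the wildcard filter from the thread with the parsed check.
$sample | ForEach-Object {
    [pscustomobject]@{
        DN       = $_
        Wildcard = ($_ -like '*ou=MAG*' -and $_ -notlike '*OU=MAG,DC=magglab,DC=com')
        Parsed   = Test-InNestedMagOu $_
    }
} | Format-Table -AutoSize

# Against a live domain the same check would be applied as:
# Get-ADComputer -Filter * | Where-Object { Test-InNestedMagOu $_.DistinguishedName }
```

The two columns agree on the first three rows and differ on the last two, where the wildcard reports a match but the object is not in any OU named MAG. That difference matters when the result is used to decide which OUs are empty and can be deleted.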

  • #29012

    Mike Maggs

    Bob / Curtis

    Thank you very much, that did it for me. Now I have to figure out how to capture all these nested OUs so I can delete them in one shot. Going to see what I can put together from what you both have provided.

    Thanks for sharing


