Inconsistent Behavior with Get-ADGroup

Welcome Forums General PowerShell Q&A Inconsistent Behavior with Get-ADGroup

This topic contains 4 replies, has 4 voices, and was last updated by

 
Participant
1 month, 3 weeks ago.

  • Author
    Posts
  • #114118

    Participant
    Points: 26
    Rank: Member

    I am working on a script for a company to decommission old VMware Servers. Part of this is to remove the A.D. object, any Security Groups associated with the server name, DNS entries, etc. Most of the script is working, but the deletion of security groups is giving me fits. Security groups for the server are usually along the lines of _RDP, _LocalAdmins, _UserAccess_DL, etc. So this works just fine for finding all of the associated groups:

    
    Get-ADGroup -Filter {(name -like "MyServer7101*")} | Out-GridView
    
    

    However, this does not work:

    
    $sMachine = "MyServer7101"
    
    Get-ADGroup -Filter {(name -like "$($sMachine)*")} | Out-GridView
    
    

    I even tried something like this, but no joy:

    
    $sMachine = "MyServer7101"
    
    Get-ADGroup -Filter {(name -like "$($sMachine)*RDP*")} | Out-GridView
    
    

    This does work, but obviously is going to be very slow (10 seconds rather than sub-one second), so is not my first choice.

    
    Get-ADGroup -Filter * | where {$_.Name -match $sMachine} | Out-GridView
    
    

    Just curious if I am somehow borking the syntax. I have looked up examples online and they all seem to be the same way I am doing it, but using hard-coded strings rather than a variable. I did not find any examples using a variable in a for loop.

     

  • #114127

    Participant
    Points: 832
    Helping Hand
    Rank: Major Contributor

    Use the filter parameter without scriptblock and no need to use the Subexpressions until you have to access any properties of members of an object.

    $sMachine = "MyServer7101"
    Get-ADGroup -Filter "name -like '$sMachine*'" | Out-GridView
    

    below links will help you in using code posting tags to post code.

  • #114133

    Participant
    Points: 190
    Helping Hand
    Rank: Participant

    To expand on kvprasoon comment.

    As far as I know it's not an inconsistancy with the Get-ADGroup cmdlet.
    The gotcha is the -filter property and what it expects.
    The same "issue" is there with Get-ADUser and other cmdlets.

    So when using the -filter option, make sure it is or 'becomes' a valid single string in the end.

    E.g.
    Changing:

    $sMachine = "MyServer7101"
    
    Get-ADGroup -Filter {(name -like "$($sMachine)*")} | Out-GridView
    

    To:

    $sMachine = "MyServer7101"
    
    Get-ADGroup -Filter {("name -like '$($sMachine)*'")} | Out-GridView
  • #114144
    js

    Participant
    Points: 316
    Helping Hand
    Rank: Contributor

    The online doc's own examples are inconsistent. Example 2's filter is a string, and example 4's filter is a script block. https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-aduser?view=win10-ps

  • #114156

    Participant
    Points: 190
    Helping Hand
    Rank: Participant

    As I mentioned it's the -filter option that is inconsistent.
    Yes Example 4 works and I would speculate that it's because it's a simple "hardcoded" string.
    {Name -eq $user} works as well.
    But do {Name -eq "$user"} and you have a space in the variable, then you need to add single quotes etc.

    I'm speculating that it's the "internal" parser of the -filter option that is limited in functionality or have some "hidden features".

    Without testing a bunch of different variations I would say the following.
    If you keep it very simple and think of the filter as a string, then it's more likely that the filter will work.

You must be logged in to reply to this topic.