- Installing the Active Directory Module in PowerShell
- -Filter Parameter for PowerShell Filters
- -LDAPFilter Parameter for LDAP Filters in PowerShell
One of the most common challenges when querying Active Directory with PowerShell is how to build filter syntax properly.
Unfortunately, the Filter and LDAP Filter parameters on all Active Directory PowerShell module cmdlets are a black box to many.
This article will dive deep into understanding how to use Active Directory filters and LDAP filters.
Installing the Active Directory Module in PowerShell
There are a few prerequisites before proceeding:
- The PowerShell Active Directory module installed.
- A domain-joined computer.
- The ability to connect and authenticate to an Active Directory domain controller.
Usually, running Install-Module fetches a package from a remote CDN and installs it on your computer. With the Active Directory module, however, a prerequisite package must be in place first: the Remote Server Administration Tools (RSAT).
You may run the PowerShell commands below to install RSAT on your workstation or server.
Installing RSAT for Windows 10:
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
Installing Remote Server Administration Tools for Windows Server (versions 2008 through 2016):
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
Installing the Remote Server Administration Tools feature on your machine will also install the Active Directory Module for Windows PowerShell.
-Filter Parameter for PowerShell Filters
PowerShell filters use the standard Windows PowerShell expression syntax. This method is commonly referred to as Active Directory search filter syntax.
These filters are used with the
Inside the filter, you compare various AD object properties using operators. For example, the Get-ADUser command returns a
So, if you would like to find all users matching a specific name, you would use:
Get-ADUser -Filter "Name -eq 'John'"
Property names can be the LDAP name or the canonical name of the property returned by the Active Directory cmdlet.
Property values are usually wrapped in single or double quotes. The only wildcard accepted is the asterisk (*).
Notice in the example above that double quotes surround the whole filter, while the value John is wrapped in single quotes.
-LDAPFilter Parameter for LDAP Filters in PowerShell
Lightweight Directory Access Protocol, or LDAP, is a vendor-neutral protocol for accessing and modifying directory data.
We may think of a phonebook when hearing the word directory, but it means much more in the context of Active Directory.
Many different object types are stored in and made accessible by AD, with LDAP as the protocol through which that data is reached. Because AD can hold so many data types, applications and users need a way to query the directory easily.
Active Directory implements LDAP, the Lightweight Directory Access Protocol. Using the -LDAPFilter parameter with the cmdlets allows you to use LDAP filters, such as those created in Active Directory Users and Computers.
The syntax for LDAP search filters is defined in RFC 4515. Each filter rule is surrounded by parentheses.
Here are some examples of Active Directory group filters to use as a base for creating your own.
- All groups with a name (CN) of
- All groups with a name of Department and a description of
- All groups with a name of either
'(|(cn=Professional Services Department)(cn=Share Access))'
- All groups that do not have a description of Prod. This includes those with no description field at all.
- All groups with a description of Prod but not with a name of
- All groups whose description is
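The quoting rule from the -Filter section and the group filters above, worked through as an added example (this is not code from the original article; it assumes the RSAT ActiveDirectory module is installed and the session can reach a domain controller, and $groupName is a constructed sample value). It also shows an RFC 4515 escaping helper, so a value taken from user input cannot change the structure of an -LDAPFilter string.

```powershell
# Added example, not from the original article. Assumes the RSAT ActiveDirectory
# module is installed and a domain controller is reachable.
Import-Module ActiveDirectory

# Escape a value before embedding it in an LDAP filter (RFC 4515, section 3).
# The characters \ * ( ) and NUL become \5c \2a \28 \29 \00. The backslash is
# replaced first so the escapes added afterwards are not escaped again.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace "`0", '\00'
}

# A group name that arrived from outside the script (constructed sample value).
$groupName = 'Share Access'

# -Filter form: the whole filter sits in single quotes, so PowerShell does not
# expand $groupName; the AD module resolves the variable itself, which avoids
# breaking the filter when the value contains an apostrophe.
Get-ADGroup -Filter 'Name -eq $groupName'

# -LDAPFilter form: the value is interpolated into the filter text, so it is
# escaped first. Without escaping, a value such as "*)(cn=*" would widen the query.
$safeName = ConvertTo-LdapFilterValue -Value $groupName
Get-ADGroup -LDAPFilter "(cn=$safeName)"

# Groups named either of two values (the OR filter shown in the list above).
Get-ADGroup -LDAPFilter '(|(cn=Professional Services Department)(cn=Share Access))'

# Groups whose description is not Prod. A negated equality match also returns
# groups that have no description attribute at all.
Get-ADGroup -LDAPFilter '(!(description=Prod))' -Properties Description |
    Select-Object Name, Description

# To drop the groups with no description, require the attribute to be present.
Get-ADGroup -LDAPFilter '(&(description=*)(!(description=Prod)))'
```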