This applies to both raw LDAP filters and Get-ADUser: you cannot use wildcards when searching on distinguishedName. The attribute has DN syntax, and Active Directory does not support substring matching on DN-syntax attributes, so a filter such as the following is not valid and will not match anything:
Get-ADUser -Filter 'distinguishedName -like "CN*"'
The LDAP equivalent (distinguishedName=CN*) fails the same way.
The only valid use of a wildcard with distinguishedName is a presence test, i.e. checking whether the attribute has a value at all (which, for a real object, it always does):
e.g. Get-ADUser -Filter 'distinguishedName -like "*"'   (LDAP: (distinguishedName=*))
In practice this means you cannot exclude a particular OU from a search server-side by matching part of the DN; you have to narrow the search base and drop the unwanted objects another way.
The easiest way I have seen to exclude specific OUs from a search is with AdFind and its -excldn switch, which takes one or more DN fragments separated by semicolons and drops any object whose DN contains one of them:
e.g. adfind -excldn "OU=Admin Accounts,OU=User Management";"OU=Shared Accounts,OU=User Management" -b "OU=User Management,DC=test,DC=com" -f "(&(objectCategory=Person)(objectClass=User))" dn
This returns just the DNs of the users under the OU=User Management,DC=test,DC=com OU structure, excluding any whose distinguished name contains either "OU=Admin Accounts,OU=User Management" or "OU=Shared Accounts,OU=User Management". Because -excldn is a substring match on the whole DN, users in child OUs beneath those two OUs are excluded as well.
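If you would rather stay in PowerShell, the same result can be had by scoping the query with -SearchBase and doing the OU exclusion client-side. The following is an added example, not code from the original post: it assumes the OU and domain names used above (OU=User Management,DC=test,DC=com and the two excluded OUs), and it anchors each exclusion to the full parent DN rather than doing a bare substring match, so an OU with the same name elsewhere in the forest is not accidentally excluded. Like -excldn, it also drops users in child OUs of the excluded OUs.

```powershell
# Added example (not from the original post): exclude OUs from a Get-ADUser
# search without relying on DN wildcards, which the server does not support.
# Assumed names: the search base and excluded OUs follow the post's test.com example.
function Get-ADUserExcludingOU {
    param(
        [Parameter(Mandatory)] [string]   $SearchBase,
        [Parameter(Mandatory)] [string[]] $ExcludeOU,   # full DNs of OUs to skip
        [string] $LDAPFilter = '(&(objectCategory=person)(objectClass=user))'
    )

    # Server side: only objectCategory/objectClass are filtered, because a
    # distinguishedName substring filter would silently match nothing.
    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $LDAPFilter |
        Where-Object {
            $dn = $_.DistinguishedName
            # Client side: drop any user whose DN ends with ",<excluded OU DN>",
            # i.e. lives in that OU or any OU beneath it. EndsWith avoids the
            # -like operator treating [, ? or * in a DN as wildcards.
            $inExcludedOU = $false
            foreach ($ou in $ExcludeOU) {
                if ($dn.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inExcludedOU = $true
                    break
                }
            }
            -not $inExcludedOU
        }
}

# Usage matching the adfind command above (assumed OU/domain names):
Get-ADUserExcludingOU -SearchBase 'OU=User Management,DC=test,DC=com' `
    -ExcludeOU 'OU=Admin Accounts,OU=User Management,DC=test,DC=com',
               'OU=Shared Accounts,OU=User Management,DC=test,DC=com' |
    Select-Object -ExpandProperty DistinguishedName
```

The trade-off is that every user under the search base is returned by the domain controller and then discarded locally, so on large OU trees this costs more than a server-side filter would; if the excluded OUs are the bulk of the tree, it is cheaper to run one query per OU you do want (multiple -SearchBase calls) instead.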