In my previous post I discussed about the various features available in -Filter parameter aka “advanced filter”. This post extends the previous one and discusses about the various operators supported in Advanced Filter and also give examples using each one of them. Most of the examples are picked from our on-the-box help, which you can access by typing:

PS C:\> get-help about_ActiveDirectory_Filter   ## this works only in newer builds

Here is the list of supported operators in Active Directory Powershell Advanced Filter:


Logical Operator Description Equivalent LDAP operator/expression
-eq Equal to. This will not support wild card search. =
-ne Not equal to. This will not support wild card search. ! x = y
-like Similar to -eq and supports wildcard comparison. The only wildcard character supported is: * =
-notlike Not like. Supports wild card comparison. ! x = y
-approx Approximately equal to ~=
-le Lexicographically less than or equal to <=
-lt Lexicographically less than ! x >= y
-ge Lexicographically greater than or equal to >=
-gt Lexicographically greater than ! x <= y
-and AND &
-or OR |
-not NOT !
-bor Bitwise OR :1.2.840.113556.1.4.804:=
-band Bitwise AND :1.2.840.113556.1.4.803:=
-recursivematch Uses LDAP_MATCHING_RULE_IN_CHAIN (Win2k3 SP2 and above) :1.2.840.113556.1.4.1941:=

Example 1:  Get all entries
        Get-ADObject -Filter { ObjectClass -like "*" }

        LDAP Filter Equivalent: (objectClass=*)

Example 2: Get entries containing "bob" somewhere in the common name
        Get-ADObject -Filter { CN -like "*bob*" }

        LDAP Filter Equivalent:  (cn=*bob*)

Example 3: Get entries with a bad password count greater than five
        Get-ADUser -Filter { badpwdcount -ge 5 }

        LDAP Filter Equivalent: (badpwdcount>=5)

Example 4: Get all users with an e-mail attribute
        Get-ADUser -filter { email -like "*" }
        Get-ADObject -filter { email -like "*" -and ObjectClass -eq "user" }

        LDAP Filter Equivalent: (&(objectClass=user)(email=*))

Example 5: Get all user entries with an e-mail attribute and a surname equal to "smith"
        Get-ADUser -Filter { Email -like "*" -and Surname -eq "smith" }
        Get-ADUser -Filter { Email -like "*" -and sn -eq "smith" }

        LDAP Filter Equivalent: (&(sn=smith)(objectClass=user)(email=*))

Example 6: Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret"
        Get-ADUser -Filter { CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret" }
        Get-ADObject -Filter { objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret") }

        LDAP Filter Equivalent: (&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))

Example 7: Get all entries without an e-mail attribute
        Get-ADUser -Filter { -not Email -like "*" }
        Get-ADUser -Filter { Email -notlike "*" }

        LDAP Filter Equivalent: (!(email=*))

Example 8: Get all users who did not logon since January 1, 2007
        $date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0)
        Get-ADUser -Filter { -not LastLogon -le $date }

        LDAP Filter Equivalent:  (&(lastlogon<=X)(objectClass=user))
        ## where X is number of 100-nanosecond slices since Jan 1st 1601

Example 9: Get all users who have logged on in the last 5 days
        $date = (get-date) - (new-timespan -days 5)
        Get-ADUser -Filter { lastLogon -gt $date }

        LDAP Filter Equivalent:  (&(lastLogon>=128812906535515110) (objectClass=user)(!(objectClass=computer)))

Example 10: Get all security groups
The following example query string searches for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag (0x80000000 = 2147483648) set.
        Get-ADGroup -filter { groupType -band 0x80000000 }
        Get-ADGroup -filter { GroupCategory -eq "Security" }

        LDAP Filter Equivalent: (&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))

Example 11: Check if a user is a member of a group (recursively)
The following example query string uses the LDAP_MATCHING_RULE_IN_CHAIN, which is a matching rule OID that is designed to provide a method to look up the ancestry of an object.

        Get-ADUser -Filter { memberOf -RecursiveMatch "CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com" } -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com"  -SearchScope Base
                      ## NOTE: The above command will return the user object (Administrator in this case) if it finds a match recursively in memberOf attribute.
        $userObj = Get-ADUser Administrator
        $groupObj = Get-ADUser Administrators
        Get-ADUser -Filter { memberOf -RecursiveMatch $userObj.DistinguishedName } -SearchBase $groupObj.DistinguishedName -SearchScope Base

        LDAP Filter Equivalent: (memberof:1.2.840.113556.1.4.1941:=(CN=Administrators,CN=Builtin,DC=Fabrikam,DC=com)))


Swaminathan Pattabiraman [MSFT]
Developer – Active Directory Powershell Team