Active Directory and LDAP are technologies that have been in use for many years now. You’ll find them on almost every Windows server with domain controllers and other important infrastructure devices, as well as plenty of software packages to manage users, computers, groups, etc from the command line or GUI-based systems. This article will teach you how to search Active Directory using PowerShell commands so you can parse through all your AD objects easily!
The “powershell ldap connection” is a PowerShell cmdlet that allows users to connect to an Active Directory or LDAP server. It also includes filters for searching and filtering the data based on criteria.
How to appropriately design filter syntax is one of the most typical stumbling blocks when accessing Active Directory using PowerShell. Many people are confused by the Filter and LDAP Filter arguments on all ActiveDirectory PowerShell module cmdlets.
With Specops’ 100% free Password Auditor Pro, you can find, report, and prevent unsafe Active Directory account passwords in your environment. Now is the time to get it!
In this blog article, we’ll go over how to utilize Active Directory filters in great detail. By the conclusion of this piece, I hope you won’t be attempting to utilize the Where-Object and filter right any more!
Prerequisites
I’ll assume a few things for any of the code I’m going to show you to work:
When searching for items using many of the Active Directory cmdlets, you may use one of two filter languages: Filters in PowerShell or Filters for LDAP.
Filters in PowerShell
Filters in PowerShell use the standard PowerShell expression syntax. This is commonly referred to as Active Directory search filter syntax.
The Filter parameter is used to apply certain filters. Syntax for the Filter parameter
Operators
You’ll need to utilize at least one operator when creating a filter for the Filter parameter. The operators used here are the same ones you’re accustomed to seeing in commands like Where-Object.
The following operators may be used inside the Filter parameter.
| Operator | Explanation |
|---|---|
| -eq | Equal to |
| -le | a value that is a value that is less than or equal to |
| -ge | equal to or more than |
| -ne | not comparable to |
| -lt | Less than |
| -gt | higher than |
| -approx | about the same as |
| -bor | OR (bitwise) |
| -band | AND BITWISE |
| -recursivematch | Using a recursive match |
| -like | Like |
| -notlike | Not like |
| -and | AND (boolean) |
| -or | OR (boolean) |
| -not | NOT (boolean) |
AD Object Properties as a Reference
Using operators, you will compare multiple AD object attributes inside the filter. The Get-AdUser cmdlet, for example, returns a Name property. If you want to locate all people that have the same name as you, type:
PS51> Get-Aduser -Filter “Name -eq ‘Adam Bertram’”
The name or LDAP name of the property returned by the AD cmdlet may be used as a property name.
Single or double quotations are often used to wrap property values. The asterisk (*) is the only valid wildcard. The filter is surrounded by double quotations, while Adam Bertram is surrounded by single quotes, as you can see above.
When using filters, some characters must be escaped. These are the following:
| Character | As a result, | Notes |
|---|---|---|
| “ | `” | Only if the data is wrapped in double quotations is it necessary. |
| ‘ | ’ | Only if the data is wrapped in single quotes is it necessary. |
| NUL | �0 | This is an LDAP escape sequence that is often used. |
| 5c | This is an LDAP escape sequence that is often used. | |
| * | 2a | Escaped on its own. Only in comparisons with the -eq and -ne suffixes. For wildcard comparison, the -like and -notlike operators should be used. |
| ( | /28 | Escaped on its own. |
| ) | /29 | Escaped on its own. |
| / | /2f | Escaped on its own. |
What is LDAP in Active Directory?
Lightweight Directory Access Protocol (LDAP) is a vendor-independent protocol for accessing and changing directory data. When you hear the term directory, you may think of a phone book, but it has a far broader meaning in the context of Active Directory. Active Directory stores and makes available a variety of object kinds, with the LDAP protocol serving as a mechanism of doing so.
Because Active Directory may hold a wide range of data types, applications and users need a simple mechanism to query the directory. Continue reading to understand how Filters for LDAP may help you filter that data!
Filters for LDAP
Active Directory implements LDAP, the Lightweight Directory Access Protocol. Using the LDAPFilter parameter with the cmdlets allows you to use Filters for LDAP, such as those created in Active Directory Users and Computers.
RFC number 4515 defines the syntax for LDAP search filters.
Parentheses are used to separate each filter rule ( ). Filter rules may be grouped together by enclosing the group in parenthesis and using a comparator from the list below:
| Operator | Function |
|---|---|
| & | and |
| | | or |
| ! | not |
Filters for LDAP also have a special matching rule Object IDentifiers (OIDs):
| OID | Purpose |
|---|---|
| 1.2.840.113556.1.4.803 | AND BITWISE |
| 1.2.840.113556.1.4.804 | OR (bitwise) |
| 1.2.840.113556.1.4.1941 | Matching chains (for distinguished name attributes) |
There are four different kinds of filters:
| Operator | Explanation |
|---|---|
| = | Equal to |
| ~= | about the same as |
| >= | equal to or more than |
| <= | a value that is a value that is less than or equal to |
There are four different categories of items:
| Type | Explanation |
|---|---|
| = | Simple |
| =* | Present |
| =something* | Substring |
| Extensible | vary according on the kind |
Certain character values must be ‘escaped’ if used in an LDAP filter, and the LDAP search filter rules must be used with the LDAP names of attributes. These are the following:
| Character | As a result, |
|---|---|
| * | 2a |
| ( | 28 |
| ) | 29 |
| 5c | |
| NUL | �0 |
In most cases, property values for comparison do not need to be enclosed in quotations.
Examples of LDAP Filters
Building Filters for LDAP can be challenging. Here are some examples using active directory group filters you can use as a base to begin creating your own.
- All organizations having the term ‘Professional Services Department’ in their name (cn)
‘(cn=Professional Services Department)’ or ‘cn -eq “Professional Services Department”‘
- ‘Professional Services Department’ and ‘Live’ are all organizations with the name ‘Professional Services Department.’
‘(cn -eq “Professional Services Department”) -and (description -eq “Live”)’ or ‘(&(cn=Professional Services Department)(description=Live))’
- ‘Professional Services Department’ or ‘All Departments Share Access’ are the names of all groups.
‘(|(cn=Professional Services Department)(cn=All Departments Share Access)’ or ‘(|(cn=Professional Services Department)(cn=All Departments Share Access)’ or ‘(|(cn=Professional Services Department)(cn=All Departments Share Access)’
- All of the groups that don’t have a ‘Live’ description. Those with no description field at all are included.
‘(!(description=Live))’
- All of the groups that don’t have a ‘Live’ description. Those with no description field at all are excluded.
‘description -ne “Live”‘ ‘description -ne “Live”‘ ‘description -n
- All groups having the word ‘Live’ in their description but no name ‘Professional Services Department’
‘(description -eq “Live”) -and (cn -ne “Professional Services Department”)’ or ‘(&(description=Live)(!(cn=Professional Services Department)))’
- ‘fileserver1fileshare’ is the description for all groups.
‘(description=5c5cfileserver15cfileshare)’ or ‘description -eq “5c5cfileserver15cfileshare”‘
Using Chain Matching or RecursiveMatch
The RecursiveMatch parameter, or a matching rule OID, is an effective means of answering an often asked issue about querying AD: ‘How can I know all of the groups a user is a part of, both directly and indirectly?’ To discover out, utilize the Active Directory Search Filter memberOf property.
Using a simple LDAP matching rule rather than a huge script may be significantly more efficient. Kristin Diaz is a direct member of the Professional Services Department security group using our example domain domain.local. This is reflected in her memberOf attribute in AD, which solely shows Professional Services Department.
PS51> Get-ADUser -Identity Kristin.Diaz -Property memberOf DistinguishedName : CN=Diaz Kristin,OU=Professional Services,OU=All User Accounts,DC=domain,DC=local Enabled : True GivenName : Kristin MemberOf : {CN=Professional Services Department,OU=All Groups,DC=domain,DC=local} Name : Diaz Kristin ObjectClass : user ObjectGUID : 04fe6336-c541-4e71-b7ed-6fee7db23482 SamAccountName : Kristin.Diaz SID : S-1-5-21-447422785-3715515833-3878445295-1186 Surname : Diaz UserPrincipalName :
You may find out whether they are indirectly a member of All Departments Share Access by using the matching rule OID, or the RecursiveMatch option. Because the Professional Services Department is a member of the All Departments Share Access group, this is the case.
PS51> Get-ADGroup -LDAPFilter ‘(member:1.2.840.113556.1.4.1941:=CN=Diaz Kristin,OU=Professional Services,OU=All User Accounts,DC=domain,DC=local)’
PS51> Get-ADGroup -Filter ‘member -recursivematch “CN=Diaz Kristin,OU=Professional Services,OU=All User Accounts,DC=domain,DC=local”‘
Both provide the following results:
DistinguishedName: CN=All Departments Share Access,OU=All Groups,DC=domain,DC=local Group,DC=domain,DC=local Group,DC=domain,DC=domain,DC=domain,DC=domain,DC=domain,DC=domain, Security Group is a category. Access is shared by all departments, according to the scope. group is an object class. 8ac0e0b7-9225-40a4-b168-a0330960e182 ObjectGUID All Departments Have Access to SamAccountName S-1-5-21-447422785-3715515833-3878445295-1254 S-1-5-21-447422785-3715515833-3878445295-1254 S-1-5-21-447422785-37155158 DistinguishedName: CN=Professional Services Department,OU=All Groups,DC=domain,DC=local Group,DC=domain,DC=local Group,DC=domain,DC=domain,DC=domain,DC=domain,DC=domain,DC=domain, Security Group is a category. Professional Services Department is the umbrella term for a group of people who work in the field of professional services. group is an object class. ObjectGUID: a8432583-7cac-4e8e-8d94-51e1c5bb1989 ObjectGUID: a8432583-7cac-4e8e-8d94-51e1c5bb1989 ObjectGUID: a Department of Professional Services, SamAccountName S-1-5-21-447422785-3715515833-3878445295-1255 S-1-5-21-447422785-3715515833-3878445295-1255 S-1-5-21-447422785-37155158
The parameters SearchBase and SearchScope
Many thousands of things may be found in AD in huge areas. Scope the search to improve efficiency and reduce the amount of items returned for any query.
The SearchBase option controls where a search starts in the AD hierarchy. When utilizing the cmdlets, this is a string representation of a well-known name (by default, the domain’s top). SearchScope is divided into three levels:
A free read-only Password Auditor scan from Specops will check your Active Directory for 750M+ known leaked credentials.
- The item that has been designated as the SearchBase is called Base.
- OneLevel – looks for things that are directly contained by the SearchBase but are not contained in any sub containers.
- SubTree – recursively searches the AD hierarchy for items contained by the SearchBase and any subcontainers.
OU Structure Example
With the SearchBase set to OU=All User Accounts,DC=domain,DC=local in the preceding example, a SearchScope of Base would try to query the OU object itself, a SearchScope of OneLevel would only search the All User Accounts OU, and a SearchScope of SubTree would search both the All User Accounts and Professional Services OUs.
Summary
You should now have a firm grasp on how to use the Active Directory PowerShell cmdlets to filter data. As you can see, there’s a lot that goes into creating the ideal filter syntax. It’s a lot more difficult to create the right filter than it is to use the Where-Object cmdlet.
Spend the effort to learn how to filter AD objects the “correct” way, and you’ll enjoy the benefits of increased performance and efficiency!
Additional Reading
The “powershell ldap query with credentials” is a PowerShell command that allows you to filter Active Directory and LDAP queries.
Related Tags
- powershell ldap query
- active directory search filter examples
- active directory ldap query examples
- ldap powershell commands
- ldap filter generator
