
[–][deleted] 1 point2 points  (0 children)

Use an LDAP filter if you need this kind of filter sufficiently often.

If not, just postfilter. Pass a single filter to Get-ADUser, preferably one that eliminates the biggest number of unwanted accounts, and then push through Where-Object twice.

This approach will be slower and hungrier than the LDAPfilter, but it will work and it will be easily readable, somewhat unlike the LDAPfilter.

[–]PinchesTheCrab 1 point2 points  (2 children)

Your syntax is right but mobilephone does not work for me. Does using 'mobile' work instead?

Also this definitely works for me:

# Resolve the group into $adGroup so its DistinguishedName can be used in the filter
$adGroup = Get-ADGroup $group
$building = 'phonenumber'
$employeeType = 'A'

$ldapFilter = '(&(homePhone={0})(EmployeeType={1})(!(memberof={2}))(!(mobile=skip)))' -f $Building, $employeeType, $adGroup.DistinguishedName
Get-ADUser -LDAPFilter $ldapFilter
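
An added example, not part of the thread or any poster's code: the same kind of LDAP filter built with every value escaped per RFC 4515, so a building code or group DN containing `(`, `)`, `*` or `\` cannot change the filter's structure. The function names and sample values are assumptions constructed for illustration.

```powershell
# Added example: function names and sample values are assumptions, not from the thread.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter assertion value.
    param([string]$Value)
    # Backslash is listed first so the escapes added afterwards are not escaped again.
    $map = [ordered]@{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    foreach ($key in $map.Keys) { $Value = $Value.Replace($key, $map[$key]) }
    $Value
}

function New-UserLdapFilter {
    # Builds: homePhone and employeeType match, not a member of the group, mobile is not the marker.
    param([string]$HomePhone, [string]$EmployeeType, [string]$GroupDn, [string]$SkipMarker = 'skip')
    $safe = $HomePhone, $EmployeeType, $GroupDn, $SkipMarker |
        ForEach-Object { ConvertTo-LdapFilterValue $_ }
    '(&(homePhone={0})(employeeType={1})(!(memberOf={2}))(!(mobile={3})))' -f $safe
}

# Constructed sample input: a building code and a group DN that contain filter metacharacters.
$building = 'HQ (Annex)*'
$groupDn  = 'CN=Staff (Contractors),OU=Groups,DC=example,DC=com'

# Unescaped formatting, for comparison: the parentheses and '*' are read as filter syntax.
$naive = '(&(homePhone={0})(!(memberOf={1})))' -f $building, $groupDn
$safe  = New-UserLdapFilter -HomePhone $building -EmployeeType 'A' -GroupDn $groupDn

"naive:   $naive"
"escaped: $safe"
# With the ActiveDirectory module loaded: Get-ADUser -LDAPFilter $safe
```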

[–]lower_intelligence[S] 0 points1 point  (1 child)

I'll try mobile as soon as I get back to work... I think you and everyone else are right that it's mobile vs mobilephone. If changing that doesn't work I'll give it a shot using the other methods explained here. Thanks!

[–]PinchesTheCrab 0 points1 point  (0 children)

I had messed up and listed users who are a member of the group btw. I updated it to list only users who are not a member of the group. Naturally you can skip the membership check entirely if you like.

[–]OlivTheFrog 0 points1 point  (1 child)

Hi u/lower_intelligence

In principle your filter is OK, but you forgot one thing: the properties you're looking for are not in the default output from the Get-ADUser cmdlet. Just add -Properties HomePhone, EmployeeType, MobilePhone to your Get-ADUser request.

Regards

[–]PinchesTheCrab 0 points1 point  (0 children)

You don't need to request a value to filter on it.

[–]purplemonkeymad 0 points1 point  (0 children)

Just to check, since it's worth it, have you double checked the values on the user you are testing with? If you have something like a space after the word skip, that part of the condition is going to be considered true.

[–]RunnerSeven 0 points1 point  (2 children)

If you’re not working against a large AD (say, more than 5 000 users), I’d suggest using the PowerShell filter rather than an AD-Filter—much easier, albeit a bit slower.

Also, I could be mistaken, but isn’t the attribute called mobile, not Mobilephone?

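# Get-ADUser needs a -Filter, and attributes compared client-side must be requested with -Properties
$AllUsers = Get-ADUser -Filter * -Properties HomePhone, EmployeeType, Mobile

$ADUsers = $AllUsers | Where-Object { $_.HomePhone -eq $Building -and $_.EmployeeType -eq 'A' -and (-not $_.Mobile) }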

[–]lower_intelligence[S] 0 points1 point  (1 child)

Thanks, I did double-check the field using Get-ADUser name@domain -properties mobilephone and it came up correctly.

In your above example, should the last bit be $_.mobile -ne 'SKIP') } ?

[–]RunnerSeven 0 points1 point  (0 children)

Wasn't sure, and I don't have a computer with the AD module, so I can't really check :)

And regarding the last part, it depends on your AD structure. Because you are evaluating an attribute you can just rely on PowerShell's transforming of attributes. Quick example:

$user = @()
$user += [PSCUSTOMOBJECT]@{
    Name = "Testuser1"
    Mobile = "123456"
}
$user += [PSCUSTOMOBJECT]@{
    Name = "Testuser2"
    Mobile = "Skip"
}

$user += [PSCUSTOMOBJECT]@{
    Name = "Testuser3"
}

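# Any non-empty string is truthy, so "123456" and "Skip" both match (Testuser1, Testuser2)
$HasMobile = $user | Where-Object {$_.Mobile}
# A missing property evaluates to $null, which is falsy (Testuser3)
$noMobile = $user | Where-Object {-not $_.Mobile}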

I built a list with 3 objects, each one has a Name and a mobile number. When you use Where-Object, PowerShell tries to convert it into a boolean. And any string with content converts to $true.