The Power of LDAP Filters

A common problem when dealing with Active Directory is the end user trying to parse the results themselves.

Let's take this example:

$selector = New-Object DirectoryServices.DirectorySearcher
$selector.SearchRoot = [ADSI]""
$selector.PageSize = 1000
# Default filter is (objectClass=*): every object comes back and is filtered on the client
$adobj = $selector.FindAll() | where {$_.properties.objectcategory -match "CN=Person"}
foreach ($person in $adobj) {
   $date120DaysAgo = [DateTime]::Now.AddDays(-120).ToFileTime()
   $LL1 = $person.properties.lastlogontimestamp
   # GetDirectoryEntry() binds to the object again, one more round trip per result
   if(($LL1 -le $date120DaysAgo) -and ($person.GetDirectoryEntry().psbase.invokeget('AccountDisabled'))){$person}
}

Instead of doing the parsing on the results side… we should let the server do the work. How do we do that?

With LDAP filters. Here is an example.

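# lastLogonTimestamp is stored as a FILETIME value, so compare against ToFileTime()
$date = (Get-Date).AddDays(-120).ToFileTime()
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; bit 2 of userAccountControl is ACCOUNTDISABLE
$filter = "(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(lastlogontimestamp<=$date))"
$ds = New-Object DirectoryServices.DirectorySearcher([ADSI]"",$filter)
$ds.PageSize = 1000
$users = $ds.FindAll()
$users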

Or with Quest tools… even easier!

PS: $date = (Get-Date).AddDays(-120).ToFileTime()
PS: $filter = "(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(lastlogontimestamp<=$date))"
PS: Get-QADUser -LdapFilter $filter

I think you will find with an LDAP filter you can save a TON of time.

Here is the output of Measure-Command for the two examples above (this was a very small sample).

Without Filter
--------------
Days : 0
Hours : 0
Minutes : 0
Seconds : 3
Milliseconds : 477
Ticks : 34776670

With Filter
-----------
Days : 0
Hours : 0
Minutes : 0
Seconds : 0
Milliseconds : 34
Ticks : 340740

If you were to do this on a large AD the difference in time would be HUGE! Here is an example with 600K users…

With Filter
-----------
Days : 0
Hours : 0
Minutes : 0
Seconds : 17
Milliseconds : 353
Ticks : 173535605

I can’t post one without the filter… because it has been hours and it is still not done :)

No Responses to “The Power of LDAP Filters”

  2. on 04 Mar 2008 at 2:06 pm zhai

    Hi
    Today any time I need to find a list of users I use FindAll() and then pipe the result against my list.
    How can I use an LDAP filter to search for a list of users?
    Thanks
    zhai

  3. on 04 Mar 2008 at 2:29 pm Brandon

    I may not understand your question, but it sounds like you have a list of users in a text file and you want to find each one of them? In this case it depends on how large your AD is. If it is small <5K users I would just find all the users. If you have a large AD then I would do this (assuming you have the sAMAccountName in the file.)

    $users = Get-Content Users.txt
    foreach($user in $users)
    {
        # One indexed lookup per name; the server does the matching
        $filter = "(&(objectcategory=user)(sAMAccountName=$user))"
        $ds = New-Object DirectoryServices.DirectorySearcher([ADSI]"",$filter)
        $ds.FindAll()
    }
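
A variation on the list lookup discussed in comments 2 and 3, as an added example that is not part of the original post or comments: it sends one OR filter per batch of names instead of one query per name, and escapes each name per RFC 4515 so a line in the file is only ever matched as a literal value. The function names and the batch size are assumptions made for this example.

```powershell
# Added example; function names and batch size are assumptions, not from the post.

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping: \ * ( ) and NUL become a backslash plus two hex digits,
    # so a value read from a file cannot change the structure of the filter.
    param([string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]',
        { param($m) '\{0:x2}' -f [int][char]$m.Value })
}

function New-SamAccountNameFilter {
    # Emits one OR filter per batch of names instead of one filter per name.
    param([string[]]$Name, [int]$BatchSize = 50)
    $clean = @($Name | Where-Object { $_ -and $_.Trim() })   # skip blank lines
    for ($i = 0; $i -lt $clean.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $clean.Count) - 1
        $terms = $clean[$i..$last] | ForEach-Object {
            "(sAMAccountName=$(ConvertTo-LdapFilterValue $_.Trim()))"
        }
        "(&(objectcategory=user)(|" + ($terms -join '') + "))"
    }
}

function Find-AdUserBatch {
    # Runs each batched filter the same way the post does (needs a domain-joined host).
    param([string[]]$Name, [int]$BatchSize = 50)
    foreach ($filter in (New-SamAccountNameFilter -Name $Name -BatchSize $BatchSize)) {
        $ds = New-Object DirectoryServices.DirectorySearcher([ADSI]"", $filter)
        $ds.PageSize = 1000
        $ds.FindAll()
    }
}

# Constructed sample input standing in for Users.txt; two entries contain
# filter metacharacters that would otherwise act as a wildcard or break the filter.
$names = 'jsmith', 'svc*', 'o(brien)', '', 'mjones'

# Offline: show the filters that would be sent, three names per query.
New-SamAccountNameFilter -Name $names -BatchSize 3

# On a domain-joined host:
# Find-AdUserBatch -Name (Get-Content Users.txt)
```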
