From 809b63a24af4b5b0ebcdaabb677547b4b980a37f Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Tue, 2 Jul 2024 17:09:38 -0500 Subject: [PATCH 1/4] Add about topic to ActiveDirectory --- .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 359 ++++++++++++++++++ .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 359 ++++++++++++++++++ .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 359 ++++++++++++++++++ .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 359 ++++++++++++++++++ .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 359 ++++++++++++++++++ .../activedirectory/About/About.md | 17 + .../About/about_ActiveDirectory_Filter.md | 359 ++++++++++++++++++ 12 files changed, 2256 insertions(+) create mode 100644 docset/winserver2012-ps/activedirectory/About/About.md create mode 100644 docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md create mode 100644 docset/winserver2012r2-ps/activedirectory/About/About.md create mode 100644 docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md create mode 100644 docset/winserver2016-ps/activedirectory/About/About.md create mode 100644 docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md create mode 100644 docset/winserver2019-ps/activedirectory/About/About.md create mode 100644 docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md create mode 100644 docset/winserver2022-ps/activedirectory/About/About.md create mode 100644 docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md create mode 100644 docset/winserver2025-ps/activedirectory/About/About.md create mode 100644 docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md diff --git a/docset/winserver2012-ps/activedirectory/About/About.md b/docset/winserver2012-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2012-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..266e7f3a92 --- /dev/null +++ b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -0,0 +1,359 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. + + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. + +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. + +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| --------------- | ------------------------------- | -------------------------- | +| -eq | Equal to. This will | = | +| | not support wild card | | +| | search. | | +| -ne | Not equal to. This will | !x = y | +| | not support wild card | | +| | search. | | +| -approx | Approximately equal to | ~= | +| -le | Lexicographically less than | <= | +| | or equal to | | +| -lt | Lexicographically less than | !x >= y | +| -ge | Lexicographically greater | >= | +| | than or equal to | | +| -gt | Lexicographically greater than | !x <= y | +| | | | +| -and | AND | & | +| -or | OR | | +| -not | NOT | ! | +| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | +| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | +| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| | (Note: This control only works | | +| | with Windows 2008 and later.) | | +| -like | Similar to -eq and supports | = | +| | wildcard comparison. The only | | +| | wildcard character | | +| | supported is: * | | +| -notlike | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | + -recursivematch | -ne | -like | -not | -and +- Lowest precedence: -or + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. + +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | diff --git a/docset/winserver2012r2-ps/activedirectory/About/About.md b/docset/winserver2012r2-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2012r2-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..266e7f3a92 --- /dev/null +++ b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -0,0 +1,359 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. + + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. + +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. + +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| --------------- | ------------------------------- | -------------------------- | +| -eq | Equal to. This will | = | +| | not support wild card | | +| | search. | | +| -ne | Not equal to. This will | !x = y | +| | not support wild card | | +| | search. | | +| -approx | Approximately equal to | ~= | +| -le | Lexicographically less than | <= | +| | or equal to | | +| -lt | Lexicographically less than | !x >= y | +| -ge | Lexicographically greater | >= | +| | than or equal to | | +| -gt | Lexicographically greater than | !x <= y | +| | | | +| -and | AND | & | +| -or | OR | | +| -not | NOT | ! | +| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | +| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | +| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| | (Note: This control only works | | +| | with Windows 2008 and later.) | | +| -like | Similar to -eq and supports | = | +| | wildcard comparison. The only | | +| | wildcard character | | +| | supported is: * | | +| -notlike | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | + -recursivematch | -ne | -like | -not | -and +- Lowest precedence: -or + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. + +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | diff --git a/docset/winserver2016-ps/activedirectory/About/About.md b/docset/winserver2016-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2016-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..266e7f3a92 --- /dev/null +++ b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -0,0 +1,359 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. + + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. + +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. + +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| --------------- | ------------------------------- | -------------------------- | +| -eq | Equal to. This will | = | +| | not support wild card | | +| | search. | | +| -ne | Not equal to. This will | !x = y | +| | not support wild card | | +| | search. | | +| -approx | Approximately equal to | ~= | +| -le | Lexicographically less than | <= | +| | or equal to | | +| -lt | Lexicographically less than | !x >= y | +| -ge | Lexicographically greater | >= | +| | than or equal to | | +| -gt | Lexicographically greater than | !x <= y | +| | | | +| -and | AND | & | +| -or | OR | | +| -not | NOT | ! | +| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | +| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | +| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| | (Note: This control only works | | +| | with Windows 2008 and later.) | | +| -like | Similar to -eq and supports | = | +| | wildcard comparison. The only | | +| | wildcard character | | +| | supported is: * | | +| -notlike | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | + -recursivematch | -ne | -like | -not | -and +- Lowest precedence: -or + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. + +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | diff --git a/docset/winserver2019-ps/activedirectory/About/About.md b/docset/winserver2019-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2019-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..266e7f3a92 --- /dev/null +++ b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -0,0 +1,359 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. + + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. + +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. + +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| --------------- | ------------------------------- | -------------------------- | +| -eq | Equal to. This will | = | +| | not support wild card | | +| | search. | | +| -ne | Not equal to. This will | !x = y | +| | not support wild card | | +| | search. | | +| -approx | Approximately equal to | ~= | +| -le | Lexicographically less than | <= | +| | or equal to | | +| -lt | Lexicographically less than | !x >= y | +| -ge | Lexicographically greater | >= | +| | than or equal to | | +| -gt | Lexicographically greater than | !x <= y | +| | | | +| -and | AND | & | +| -or | OR | | +| -not | NOT | ! | +| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | +| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | +| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| | (Note: This control only works | | +| | with Windows 2008 and later.) | | +| -like | Similar to -eq and supports | = | +| | wildcard comparison. The only | | +| | wildcard character | | +| | supported is: * | | +| -notlike | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | + -recursivematch | -ne | -like | -not | -and +- Lowest precedence: -or + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. + +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | diff --git a/docset/winserver2022-ps/activedirectory/About/About.md b/docset/winserver2022-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2022-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..266e7f3a92 --- /dev/null +++ b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -0,0 +1,359 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. + + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. + +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. + +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| --------------- | ------------------------------- | -------------------------- | +| -eq | Equal to. This will | = | +| | not support wild card | | +| | search. | | +| -ne | Not equal to. This will | !x = y | +| | not support wild card | | +| | search. | | +| -approx | Approximately equal to | ~= | +| -le | Lexicographically less than | <= | +| | or equal to | | +| -lt | Lexicographically less than | !x >= y | +| -ge | Lexicographically greater | >= | +| | than or equal to | | +| -gt | Lexicographically greater than | !x <= y | +| | | | +| -and | AND | & | +| -or | OR | | +| -not | NOT | ! | +| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | +| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | +| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| | (Note: This control only works | | +| | with Windows 2008 and later.) | | +| -like | Similar to -eq and supports | = | +| | wildcard comparison. The only | | +| | wildcard character | | +| | supported is: * | | +| -notlike | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | + -recursivematch | -ne | -like | -not | -and +- Lowest precedence: -or + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. + +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | diff --git a/docset/winserver2025-ps/activedirectory/About/About.md b/docset/winserver2025-ps/activedirectory/About/About.md new file mode 100644 index 0000000000..adc76085b9 --- /dev/null +++ b/docset/winserver2025-ps/activedirectory/About/About.md @@ -0,0 +1,17 @@ +--- +description: About articles for the ActiveDirectory module. +Help Version: 3.1.0.0 +Locale: en-US +ms.date: 04/22/2013 +title: About articles +--- +# About topics + +## Description + +About topics cover a range of concepts about PowerShell. + +## About Topics + +### [about_ActiveDirectory_Filter](about_ActiveDirectory_Filter.md) +Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. diff --git a/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md new file mode 100644 index 0000000000..266e7f3a92 --- /dev/null +++ b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -0,0 +1,359 @@ +--- +title: about_ActiveDirectory_Filter +ms.date: 04/22/2013 +description: Describes the syntax and behavior of the search filter supported by the Active Directory module for Windows PowerShell. +Locale: en-US +schema: 2.0.0 +--- + +# about_ActiveDirectory_Filter + +## SHORT DESCRIPTION + +Describes the syntax and behavior of the search filter supported by the Active +Directory module for Windows PowerShell. + +## LONG DESCRIPTION + +Most get-AD* Active Directory module cmdlets use the Filter parameter to search +for objects. The Filter parameter has been implemented to replace the function +of the LDAP Filter and adds support for PowerShell variables, rich data types, +improved error checking and an Active Directory extended form of the PowerShell +Expression Language. + + +- Support for LDAP Filter Syntax + + The LDAP filter syntax is supported through the **LDAPFilter** parameter. You + will find LDAP filter examples along with the new Active Directory module + filter examples in the Filter Examples section of this topic. + + +- Search Breadth and Depth + + The breadth and depth of your filter-driven search can be modified by two + Active Directory module cmdlet parameters: **SearchBase** and **SearchScope**. + + When within the context of the Active Directory provider, if the + **Searchbase** parameter is not specified, **SearchBase** will default to the + current path. When not running under the Active Directory provider, the + **SearchBase** will default to the server's **DefaultNamingContext**. + + The **SearchScope** parameter defaults to the value `Subtree`, of the + enumerated type **ADSearchScope**. + + For more information, see the **SearchBase** and **SearchScope** parameter + descriptions on any `Get-AD*` cmdlet. + +- Search Result Behavior + + The behavior of the Active Directory module when returning results of a + search is modified by two cmdlet parameters: **ResultPageSize** and + **ResultSetSize**. + + **ResultSetSize** controls the maximum number of returned objects. + + **ResultPageSize** specifies the maximum number of objects for each returned + page of information. + + See the **ResultPageSize** and **ResultSetSize** parameter descriptions on + any `Get-AD*` cmdlet for more information. + + +- Timeout Behavior + + The following statements specify timeout conditions within the Active + Directory module and describe what can be done about a timeout them. + + The default Active Directory module timeout for all operations is 2 + minutes. + + For search operation, the Active Directory module uses paging control + with a 2-minute timeout for each page search. + + > [!NOTE] + > Because a search may involve multiple server page requests the overall + > search time may exceed 2 minutes. + + A **TimeoutException** error indicates that a timeout has occurred. + + For a search operation, you can choose to use a smaller page size, set with + the **ResultPageSize** parameter, if you are getting a **TimeoutException** + error. + + If after trying these changes you are still getting a **TimeoutException** + error, consider optimizing your filter using the guidance in the + Optimizing Filters section of this topic. + + +- Optimizing Filters + + You can enhance the search filter behavior by using these guidelines. + + - Avoid using the **Recursive** parameter as it intensifies resource usage of + the search operation. + - Avoid using bitwise AND operators and bitwise OR operators. For more + information, see the Supported Operators section of this topic. + - Avoid using the logical NOT operator. + - Break down your search into multiple queries with narrower conditions. + + For a full description of filter syntax and usage, see the Filter Syntax + section of this topic. + + +## Filter Examples + +The following section shows many examples of filter use in common queries. + +### Example 1 - Get all entries: + +- LDAP Filter Equivalent: `(objectClass=*)` + +```powershell +Get-ADObject -Filter 'ObjectClass -like "*"' +``` + +### Example 2 - Get entries containing "bob" somewhere in the common name + +- LDAP Filter Equivalent: `(cn=*bob*)` + +```powershell +Get-ADObject -Filter 'CN -like "*bob*"' +``` + +### Example 3 - Get entries with a bad password count greater than five + +- LDAP Filter Equivalent: `(&(!badpwdcount<=5)(badpwdcount=*))` + +```powershell +Get-ADUser -Filter 'badpwdcount -ge 5' +``` + +### Example 4 - Get all users with an e-mail attribute + +- LDAP Filter Equivalent: `(&(objectClass=user)(email=*))` + +```powershell +Get-ADUser -filter 'email -like "*"' +``` + +-or- + +```powershell +Get-ADObject -filter 'email -like "*" -and ObjectClass -eq "user"' +``` + +### Example 5 - Get all user entries with an e-mail attribute and a surname equal to "smith": + +- LDAP Filter Equivalent: `(&(sn=smith)(objectClass=user)(email=*))` + +```powershell +Get-ADUser -Filter 'Email -like "*" -and SurName -eq "smith"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -like "*" -and sn -eq "smith"' +``` + + +### Example 6 - Get all user entries with a common name that starts with "andy" and users with a common name of "steve" or "margaret" + +- LDAP Filter Equivalent: `(&(objectClass=user) | (cn=andy*)(cn=steve)(cn=margaret))` + +```powershell +Get-ADUser -Filter 'CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret"' +``` + + +This example demonstrates a more complex logic and the use of precedence +control via parenthesis. + +```powershell +Get-ADObject -Filter 'objectClass -eq "user" -and (CN -like "andy*" -or CN -eq "steve" -or CN -eq "margaret")' +``` + +### Example 7 - Get all entries without an e-mail attribute + +- LDAP Filter Equivalent: `(!(email=*))` + +```powershell +Get-ADUser -Filter '-not Email -like "*"' +``` + +-or- + +```powershell +Get-ADUser -Filter 'Email -notlike "*"' +``` + +### Example 8 - Get all users who did not logon since January 1, 2007 + +- LDAP Filter Equivalent: `(&(lastlogon<=X)(objectClass=user))` where X is + number of 100-nanosecond slices since Jan 1st 1601 + +```powershell +$date = new-object System.DateTime -ArgumentList @(2007,1,1,0,0,0) +Get-ADUser -Filter '-not LastLogon -le $date' +``` + +### Example 9 - Get all users who have logged on in the last 5 days + +- LDAP Filter Equivalent: + + ``` + (&(lastLogon>=128812906535515110) + (objectClass=user)(!(objectClass=computer))) + ``` + +```powershell +$date = (get-date) - (new-timespan -days 5) +Get-ADUser -Filter 'lastLogon -gt $date' +``` + +### Example 10 - Search for group objects that have the ADS_GROUP_TYPE_SECURITY_ENABLED flag set + +- LDAP Filter Equivalent: + `(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))` + +The following example query string searches for group objects that have the +ADS_GROUP_TYPE_SECURITY_ENABLED flag set. Be aware that the decimal value of +ADS_GROUP_TYPE_SECURITY_ENABLED (0x80000000 = 2147483648) is used for the +comparison value. + +```powershell +Get-ADGroup -filter 'groupType -band 0x80000000' +``` + +### Example 11 - Search the ancestry of an object + +- LDAP Filter Equivalent: + `(memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x)))` + +The LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID that is designed to +provide a method to look up the ancestry of an object. Many applications using +Active Directory and AD LDS usually work with hierarchical data, which is +ordered by parent-child relationships. Previously, applications performed +transitive group expansion to figure out group membership, which used a lot of +network bandwidth. Applications made multiple round-trips to figure out if an +object fell "in the chain" if a link were traversed through to the end. + +An example of such a query is one designed to check if a user, "user1" is a +member of group "group1". "user1" may not be a direct member of group1. It +could be a member of some other group, which is a member of "group1". + +You would set the base to the user DN and the scope to base, and use the query: + +```powershell +Get-ADUser -Filter 'memberOf -RecursiveMatch "CN=Administrators, CN=Builtin,DC=Fabrikam,DC=com"' -SearchBase "CN=Administrator,CN=Users,DC=Fabrikam,DC=com" +``` + +## Filter Syntax + +The following syntax descriptions use Backus-Naur form to show the PowerShell +Expression Language for the Filter parameter. + +```Syntax + ::= "{" "}" + + ::= | + | + + + ::= | + "(" ")" + + ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | + "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | + "-notlike" + + ::= "-and" | "-or" + + ::= "-not" + + ::= | + +::= < this value will be compared to the object data for + attribute using the specified filter operator +``` + + +## Supported Operators + +The following table shows frequently used search filter operators. + +| Operator | Description | LDAP Equivalent | +| --------------- | ------------------------------- | -------------------------- | +| -eq | Equal to. This will | = | +| | not support wild card | | +| | search. | | +| -ne | Not equal to. This will | !x = y | +| | not support wild card | | +| | search. | | +| -approx | Approximately equal to | ~= | +| -le | Lexicographically less than | <= | +| | or equal to | | +| -lt | Lexicographically less than | !x >= y | +| -ge | Lexicographically greater | >= | +| | than or equal to | | +| -gt | Lexicographically greater than | !x <= y | +| | | | +| -and | AND | & | +| -or | OR | | +| -not | NOT | ! | +| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | +| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | +| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| | (Note: This control only works | | +| | with Windows 2008 and later.) | | +| -like | Similar to -eq and supports | = | +| | wildcard comparison. The only | | +| | wildcard character | | +| | supported is: * | | +| -notlike | Not like. Supports wild | !x = y | +| | card comparison. | | + +> [!NOTE] +> PowerShell wildcards, other than "*", such as "?" are not supported by the +> **Filter** parameter syntax. + + +### Operator Precedence + +The following listing shows the precedence of operators for filters from +highest to lowest. + +- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | + -recursivematch | -ne | -like | -not | -and +- Lowest precedence: -or + +### Special Characters + +The following escape sequence should be used for specifying special characters +in AD Filter STRING data, that is, data enclosed in double or single quotes. + +| ASCII Character | Escape sequence substitute | +| --------------- | --------------------------------------------------- | +| `"` | `` `" `` (This escape sequence is only required if | +| | STRING data is enclosed in double quotes.) | +| `'` | `''` (This escape sequence is only required if | +| | STRING data is enclosed in single quotes.) | +| NUL | `\00` (This is a standard LDAP escape sequence.) | +| `\` | `\5c` (This is a standard LDAP escape sequence.) | + +### LDAP Special Characters + +ADFilter parser will automatically convert all the below characters found in +STRING data, that is data enclosed in " " or ' ' to their LDAP escape sequence. +End users need not know about these LDAP escape sequence. + +| ASCII Character | Escape sequence substitute | +| --------------- | ----------------------------------------------- | +| `*` | `\2a` (Character `*` will only be converted in | +| | -eq and -ne comparisons Users should use | +| | -like and -notlike operators for wildcard | +| | comparison.) | +| `(` | `\28` | +| `)` | `\29` | +| `/` | `\2f` | From 45f639aa8387069e45794e329fbc32b7595bf5fa Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Tue, 2 Jul 2024 18:00:51 -0500 Subject: [PATCH 2/4] Update docfx.json to include about articles --- docset/docfx.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docset/docfx.json b/docset/docfx.json index bcd6857d85..f847840c84 100644 --- a/docset/docfx.json +++ b/docset/docfx.json @@ -5,32 +5,32 @@ { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "windows" }, { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "winserver2025-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "module" }, + { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "module" }, { "files": [ "toc.yml" ], "src": "winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "module/WindowsServer2025-ps" }, - + { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "windows" }, { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "winserver2022-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "module" }, + { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "module" }, { "files": [ "toc.yml" ], "src": "winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "module/WindowsServer2022-ps" }, { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "windows" }, { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "winserver2019-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "module" }, + { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "module" }, { "files": [ "toc.yml" ], "src": "winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "module/WindowsServer2019-ps" }, { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "windows" }, { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "windows" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "module" }, + { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "module" }, { "files": [ "toc.yml" ], "src": "winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "module/WindowsServer2016-ps" }, { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2012-ps", "version": "winserver2012-ps", "dest": "windows" }, { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2012-ps", "version": "winserver2012-ps", "dest": "winserver2012-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2012-ps", "version": "winserver2012-ps", "dest": "module" }, + { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2012-ps", "version": "winserver2012-ps", "dest": "module" }, { "files": [ "toc.yml" ], "src": "winserver2012-ps", "version": "winserver2012-ps", "dest": "module/winserver2012-ps" }, { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "windows" }, { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "winserver2012r2-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "module" }, + { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "module" }, { "files": [ "toc.yml" ], "src": "winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "module/winserver2012r2-ps" }, { "files": [ "**/*.md" ], "src": "docs-conceptual/mdop", "version": "win-mdop2-ps", "dest": "mdop" }, @@ -91,7 +91,7 @@ "garycentric", "AngelaMotherofDragons", "dstrome", - "v-dihans", + "v-dihans", "sdwheeler", "Stacyrch140", "v-stsavell", From 868e8c4e493bff1997ce13d90f27cb111caf8b07 Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Tue, 2 Jul 2024 18:26:48 -0500 Subject: [PATCH 3/4] Update docfx file glob --- docset/docfx.json | 60 +++++++++++++++++++++++------------------------ 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/docset/docfx.json b/docset/docfx.json index f847840c84..dc6f5e5683 100644 --- a/docset/docfx.json +++ b/docset/docfx.json @@ -1,44 +1,44 @@ { "build": { "content": [ - { "files": [ "toc.yml" ], "src": "bread", "dest": "windows/bread" }, + { "dest": "windows/bread", "files": [ "toc.yml" ], "src": "bread" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "winserver2025-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2025-ps", "version": "WindowsServer2025-ps", "dest": "module/WindowsServer2025-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2025-ps", "version": "WindowsServer2025-ps" }, + { "dest": "winserver2025-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2025-ps", "version": "WindowsServer2025-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2025-ps", "version": "WindowsServer2025-ps" }, + { "dest": "module/WindowsServer2025-ps", "files": [ "toc.yml" ], "src": "winserver2025-ps", "version": "WindowsServer2025-ps" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "winserver2022-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2022-ps", "version": "WindowsServer2022-ps", "dest": "module/WindowsServer2022-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2022-ps", "version": "WindowsServer2022-ps" }, + { "dest": "winserver2022-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2022-ps", "version": "WindowsServer2022-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2022-ps", "version": "WindowsServer2022-ps" }, + { "dest": "module/WindowsServer2022-ps", "files": [ "toc.yml" ], "src": "winserver2022-ps", "version": "WindowsServer2022-ps" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "winserver2019-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2019-ps", "version": "WindowsServer2019-ps", "dest": "module/WindowsServer2019-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2019-ps", "version": "WindowsServer2019-ps" }, + { "dest": "winserver2019-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2019-ps", "version": "WindowsServer2019-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2019-ps", "version": "WindowsServer2019-ps" }, + { "dest": "module/WindowsServer2019-ps", "files": [ "toc.yml" ], "src": "winserver2019-ps", "version": "WindowsServer2019-ps" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "windows" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2016-ps", "version": "WindowsServer2016-ps", "dest": "module/WindowsServer2016-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2016-ps", "version": "WindowsServer2016-ps" }, + { "dest": "windows", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2016-ps", "version": "WindowsServer2016-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2016-ps", "version": "WindowsServer2016-ps" }, + { "dest": "module/WindowsServer2016-ps", "files": [ "toc.yml" ], "src": "winserver2016-ps", "version": "WindowsServer2016-ps" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2012-ps", "version": "winserver2012-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2012-ps", "version": "winserver2012-ps", "dest": "winserver2012-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2012-ps", "version": "winserver2012-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2012-ps", "version": "winserver2012-ps", "dest": "module/winserver2012-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2012-ps", "version": "winserver2012-ps" }, + { "dest": "winserver2012-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2012-ps", "version": "winserver2012-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2012-ps", "version": "winserver2012-ps" }, + { "dest": "module/winserver2012-ps", "files": [ "toc.yml" ], "src": "winserver2012-ps", "version": "winserver2012-ps" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "windows" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "winserver2012r2-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml", "**/About/*.md" ], "src": "winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "winserver2012r2-ps", "version": "winserver2012r2-ps", "dest": "module/winserver2012r2-ps" }, + { "dest": "windows", "files": [ "**/*.md" ], "src": "docs-conceptual/winserver2012r2-ps", "version": "winserver2012r2-ps" }, + { "dest": "winserver2012r2-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/winserver2012r2-ps", "version": "winserver2012r2-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml", "**/About/*.md" ], "src": "winserver2012r2-ps", "version": "winserver2012r2-ps" }, + { "dest": "module/winserver2012r2-ps", "files": [ "toc.yml" ], "src": "winserver2012r2-ps", "version": "winserver2012r2-ps" }, - { "files": [ "**/*.md" ], "src": "docs-conceptual/mdop", "version": "win-mdop2-ps", "dest": "mdop" }, - { "files": [ "toc.yml" ], "src": "docs-conceptual/mdop", "version": "win-mdop2-ps", "dest": "mdop/win-mdop2-ps" }, - { "files": [ "**/*.yml" ], "exclude": [ "toc.yml" ], "src": "mdop", "version": "win-mdop2-ps", "dest": "module" }, - { "files": [ "toc.yml" ], "src": "mdop", "version": "win-mdop2-ps", "dest": "module/win-mdop2-ps" }, + { "dest": "mdop", "files": [ "**/*.md" ], "src": "docs-conceptual/mdop", "version": "win-mdop2-ps" }, + { "dest": "mdop/win-mdop2-ps", "files": [ "toc.yml" ], "src": "docs-conceptual/mdop", "version": "win-mdop2-ps" }, + { "dest": "module", "exclude": [ "toc.yml" ], "files": [ "**/*.yml" ], "src": "mdop", "version": "win-mdop2-ps" }, + { "dest": "module/win-mdop2-ps", "files": [ "toc.yml" ], "src": "mdop", "version": "win-mdop2-ps" }, - { "files": [ "**/*.md" ], "src": "virtual-directory-module", "dest": "module" } + { "dest": "module", "files": [ "**/*.md" ], "src": "virtual-directory-module" } ], "resource": [ { "files": [ "**/*.png", "**/*.jpg" ], "exclude": [ "**/obj/**", "**/includes/**" ] } From c751618ffdee11ee95f50154180d8ce916cc54c8 Mon Sep 17 00:00:00 2001 From: Sean Wheeler Date: Tue, 2 Jul 2024 18:43:56 -0500 Subject: [PATCH 4/4] fix table --- .../About/about_ActiveDirectory_Filter.md | 60 ++++++++----------- .../About/about_ActiveDirectory_Filter.md | 60 ++++++++----------- .../About/about_ActiveDirectory_Filter.md | 60 ++++++++----------- .../About/about_ActiveDirectory_Filter.md | 60 ++++++++----------- .../About/about_ActiveDirectory_Filter.md | 60 ++++++++----------- .../About/about_ActiveDirectory_Filter.md | 60 ++++++++----------- 6 files changed, 156 insertions(+), 204 deletions(-) diff --git a/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md index 266e7f3a92..23a83c0a0a 100644 --- a/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md +++ b/docset/winserver2012-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -283,50 +283,42 @@ Expression Language for the Filter parameter. The following table shows frequently used search filter operators. -| Operator | Description | LDAP Equivalent | -| --------------- | ------------------------------- | -------------------------- | -| -eq | Equal to. This will | = | -| | not support wild card | | -| | search. | | -| -ne | Not equal to. This will | !x = y | -| | not support wild card | | -| | search. | | -| -approx | Approximately equal to | ~= | -| -le | Lexicographically less than | <= | -| | or equal to | | -| -lt | Lexicographically less than | !x >= y | -| -ge | Lexicographically greater | >= | -| | than or equal to | | -| -gt | Lexicographically greater than | !x <= y | -| | | | -| -and | AND | & | -| -or | OR | | -| -not | NOT | ! | -| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | -| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | -| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | -| | (Note: This control only works | | -| | with Windows 2008 and later.) | | -| -like | Similar to -eq and supports | = | -| | wildcard comparison. The only | | -| | wildcard character | | -| | supported is: * | | -| -notlike | Not like. Supports wild | !x = y | -| | card comparison. | | +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! | +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | > [!NOTE] > PowerShell wildcards, other than "*", such as "?" are not supported by the > **Filter** parameter syntax. - ### Operator Precedence The following listing shows the precedence of operators for filters from highest to lowest. -- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | - -recursivematch | -ne | -like | -not | -and -- Lowest precedence: -or +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` ### Special Characters diff --git a/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md index 266e7f3a92..23a83c0a0a 100644 --- a/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md +++ b/docset/winserver2012r2-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -283,50 +283,42 @@ Expression Language for the Filter parameter. The following table shows frequently used search filter operators. -| Operator | Description | LDAP Equivalent | -| --------------- | ------------------------------- | -------------------------- | -| -eq | Equal to. This will | = | -| | not support wild card | | -| | search. | | -| -ne | Not equal to. This will | !x = y | -| | not support wild card | | -| | search. | | -| -approx | Approximately equal to | ~= | -| -le | Lexicographically less than | <= | -| | or equal to | | -| -lt | Lexicographically less than | !x >= y | -| -ge | Lexicographically greater | >= | -| | than or equal to | | -| -gt | Lexicographically greater than | !x <= y | -| | | | -| -and | AND | & | -| -or | OR | | -| -not | NOT | ! | -| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | -| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | -| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | -| | (Note: This control only works | | -| | with Windows 2008 and later.) | | -| -like | Similar to -eq and supports | = | -| | wildcard comparison. The only | | -| | wildcard character | | -| | supported is: * | | -| -notlike | Not like. Supports wild | !x = y | -| | card comparison. | | +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! | +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | > [!NOTE] > PowerShell wildcards, other than "*", such as "?" are not supported by the > **Filter** parameter syntax. - ### Operator Precedence The following listing shows the precedence of operators for filters from highest to lowest. -- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | - -recursivematch | -ne | -like | -not | -and -- Lowest precedence: -or +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` ### Special Characters diff --git a/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md index 266e7f3a92..23a83c0a0a 100644 --- a/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md +++ b/docset/winserver2016-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -283,50 +283,42 @@ Expression Language for the Filter parameter. The following table shows frequently used search filter operators. -| Operator | Description | LDAP Equivalent | -| --------------- | ------------------------------- | -------------------------- | -| -eq | Equal to. This will | = | -| | not support wild card | | -| | search. | | -| -ne | Not equal to. This will | !x = y | -| | not support wild card | | -| | search. | | -| -approx | Approximately equal to | ~= | -| -le | Lexicographically less than | <= | -| | or equal to | | -| -lt | Lexicographically less than | !x >= y | -| -ge | Lexicographically greater | >= | -| | than or equal to | | -| -gt | Lexicographically greater than | !x <= y | -| | | | -| -and | AND | & | -| -or | OR | | -| -not | NOT | ! | -| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | -| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | -| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | -| | (Note: This control only works | | -| | with Windows 2008 and later.) | | -| -like | Similar to -eq and supports | = | -| | wildcard comparison. The only | | -| | wildcard character | | -| | supported is: * | | -| -notlike | Not like. Supports wild | !x = y | -| | card comparison. | | +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! | +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | > [!NOTE] > PowerShell wildcards, other than "*", such as "?" are not supported by the > **Filter** parameter syntax. - ### Operator Precedence The following listing shows the precedence of operators for filters from highest to lowest. -- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | - -recursivematch | -ne | -like | -not | -and -- Lowest precedence: -or +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` ### Special Characters diff --git a/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md index 266e7f3a92..23a83c0a0a 100644 --- a/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md +++ b/docset/winserver2019-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -283,50 +283,42 @@ Expression Language for the Filter parameter. The following table shows frequently used search filter operators. -| Operator | Description | LDAP Equivalent | -| --------------- | ------------------------------- | -------------------------- | -| -eq | Equal to. This will | = | -| | not support wild card | | -| | search. | | -| -ne | Not equal to. This will | !x = y | -| | not support wild card | | -| | search. | | -| -approx | Approximately equal to | ~= | -| -le | Lexicographically less than | <= | -| | or equal to | | -| -lt | Lexicographically less than | !x >= y | -| -ge | Lexicographically greater | >= | -| | than or equal to | | -| -gt | Lexicographically greater than | !x <= y | -| | | | -| -and | AND | & | -| -or | OR | | -| -not | NOT | ! | -| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | -| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | -| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | -| | (Note: This control only works | | -| | with Windows 2008 and later.) | | -| -like | Similar to -eq and supports | = | -| | wildcard comparison. The only | | -| | wildcard character | | -| | supported is: * | | -| -notlike | Not like. Supports wild | !x = y | -| | card comparison. | | +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! | +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | > [!NOTE] > PowerShell wildcards, other than "*", such as "?" are not supported by the > **Filter** parameter syntax. - ### Operator Precedence The following listing shows the precedence of operators for filters from highest to lowest. -- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | - -recursivematch | -ne | -like | -not | -and -- Lowest precedence: -or +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` ### Special Characters diff --git a/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md index 266e7f3a92..23a83c0a0a 100644 --- a/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md +++ b/docset/winserver2022-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -283,50 +283,42 @@ Expression Language for the Filter parameter. The following table shows frequently used search filter operators. -| Operator | Description | LDAP Equivalent | -| --------------- | ------------------------------- | -------------------------- | -| -eq | Equal to. This will | = | -| | not support wild card | | -| | search. | | -| -ne | Not equal to. This will | !x = y | -| | not support wild card | | -| | search. | | -| -approx | Approximately equal to | ~= | -| -le | Lexicographically less than | <= | -| | or equal to | | -| -lt | Lexicographically less than | !x >= y | -| -ge | Lexicographically greater | >= | -| | than or equal to | | -| -gt | Lexicographically greater than | !x <= y | -| | | | -| -and | AND | & | -| -or | OR | | -| -not | NOT | ! | -| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | -| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | -| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | -| | (Note: This control only works | | -| | with Windows 2008 and later.) | | -| -like | Similar to -eq and supports | = | -| | wildcard comparison. The only | | -| | wildcard character | | -| | supported is: * | | -| -notlike | Not like. Supports wild | !x = y | -| | card comparison. | | +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! | +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | > [!NOTE] > PowerShell wildcards, other than "*", such as "?" are not supported by the > **Filter** parameter syntax. - ### Operator Precedence The following listing shows the precedence of operators for filters from highest to lowest. -- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | - -recursivematch | -ne | -like | -not | -and -- Lowest precedence: -or +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` ### Special Characters diff --git a/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md index 266e7f3a92..23a83c0a0a 100644 --- a/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md +++ b/docset/winserver2025-ps/activedirectory/About/about_ActiveDirectory_Filter.md @@ -283,50 +283,42 @@ Expression Language for the Filter parameter. The following table shows frequently used search filter operators. -| Operator | Description | LDAP Equivalent | -| --------------- | ------------------------------- | -------------------------- | -| -eq | Equal to. This will | = | -| | not support wild card | | -| | search. | | -| -ne | Not equal to. This will | !x = y | -| | not support wild card | | -| | search. | | -| -approx | Approximately equal to | ~= | -| -le | Lexicographically less than | <= | -| | or equal to | | -| -lt | Lexicographically less than | !x >= y | -| -ge | Lexicographically greater | >= | -| | than or equal to | | -| -gt | Lexicographically greater than | !x <= y | -| | | | -| -and | AND | & | -| -or | OR | | -| -not | NOT | ! | -| -bor | Bitwise OR | :1.2.840.113556.1.4.804:= | -| -band | Bitwise AND | :1.2.840.113556.1.4.803:= | -| -recursivematch | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | -| | (Note: This control only works | | -| | with Windows 2008 and later.) | | -| -like | Similar to -eq and supports | = | -| | wildcard comparison. The only | | -| | wildcard character | | -| | supported is: * | | -| -notlike | Not like. Supports wild | !x = y | -| | card comparison. | | +| Operator | Description | LDAP Equivalent | +| ----------------- | -------------------------------------- | -------------------------- | +| `-eq` | Equal to. Wildcards not supported. | = | +| `-ne` | Not equal to. Wildcards not supported. | !x = y | +| `-approx` | Approximately equal to | ~= | +| `-le` | Lexicographically less than | <= | +| | or equal to | | +| `-lt` | Lexicographically less than | !x >= y | +| `-ge` | Lexicographically greater | >= | +| | than or equal to | | +| `-gt` | Lexicographically greater than | !x <= y | +| | | | +| `-and` | AND | & | +| `-or` | OR | | +| `-not` | NOT | ! | +| `-bor` | Bitwise OR | :1.2.840.113556.1.4.804:= | +| `-band` | Bitwise AND | :1.2.840.113556.1.4.803:= | +| `-recursivematch` | Use LDAP_MATCHING_RULE_IN_CHAIN | :1.2.840.113556.1.4.1941:= | +| `-like` | Similar to `-eq` and supports | = | +| | wildcard comparison. The only | | +| | wildcard character supported is: `*` | | +| `-notlike` | Not like. Supports wild | !x = y | +| | card comparison. | | > [!NOTE] > PowerShell wildcards, other than "*", such as "?" are not supported by the > **Filter** parameter syntax. - ### Operator Precedence The following listing shows the precedence of operators for filters from highest to lowest. -- Highest precedence: -eq | -ge | -le | -approx | -band | -bor | - -recursivematch | -ne | -like | -not | -and -- Lowest precedence: -or +- Highest precedence: `-eq`, `-ge`, `-le`, `-approx`, `-band`, `-bor`, + `-recursivematch`, `-ne`, `-like`, `-not`, `-and` +- Lowest precedence: `-or` ### Special Characters