Saturday, September 22, 2012

Filtering for $null Values with Get-ADUser

Get-ADUser includes a -Filter parameter that lets you define queries for users with specific characteristics. Today I was trying to figure out how to filter for $null values.  Here is my example of why you might care to do this......

Let's say that in your organization, that you always set the Department attribute to match the department that users work in. This could be required for dynamic groups or address books. You've just created 100 new users, but forgot to configure the department. You need to make a query for all of the users without a department configured.

My first attempt was this:
Get-ADUser -Filter {company -eq $null}

However, this generates an error. You can't use $null in a filter.

What finally worked was this:
Get-ADUser -Filter {company -notlike "*"}

The gets a list of users where the company attribute is not like anything.

I should also note that if you try to query for not equal (-ne) then it will skip $null values when comparing. The above example is the only way that I know of to get $null values.

Update Apr 2017:
A quick note that the corollary of  the above is that when you want to query objects with any value set, you can filter for -like "*". I recently used this in a script where I only wanted users with values in the proxyAddresses property that I wanted to copy to the UPN.
Posted by at
Labels:

21 comments:

  1. UnknownFebruary 24, 2014 at 7:53 AM

    You saved my day, pal. Thank you!

    ReplyDelete
  2. AnonymousMay 20, 2014 at 1:38 PM

    Another thanks; not at all intuitive that -ne *skips* null values.

    ReplyDelete
  3. AnonymousDecember 4, 2014 at 6:29 AM

    Thank you!

    ReplyDelete
  4. AnonymousJanuary 23, 2015 at 9:48 AM

    Thanks!

    ReplyDelete
  5. Joshua BinesJanuary 26, 2015 at 10:39 PM

    the -LDAPFilter also gets around this :)

    ReplyDelete
  6. AnonymousMay 29, 2015 at 6:19 PM

    weird one but saved me some time trying to figure out why this wasn't working. Thanks!!

    ReplyDelete
  7. AnonymousDecember 7, 2015 at 3:13 PM

    your post is still relavant

    ReplyDelete
  8. Ryan ChauJanuary 12, 2016 at 10:23 AM

    Thank you...

    ReplyDelete
  9. AnonymousApril 28, 2016 at 8:09 AM

    good stuff thanks!

    ReplyDelete
  10. UnknownMay 16, 2016 at 2:20 AM

    Thanks..

    ReplyDelete
  11. G ManJune 9, 2016 at 8:28 AM

    Thanks man, so simple but was banging my head trying to figure it out!

    ReplyDelete
  12. UnknownOctober 3, 2016 at 3:31 PM

    Yes, TY!!!

    ReplyDelete
  13. DavidFebruary 23, 2017 at 10:03 AM

    Thanks. Great help!

    ReplyDelete
  14. AnonymousMarch 17, 2017 at 7:36 AM

    :) Thumbs up on this one

    ReplyDelete
  15. UnknownApril 4, 2017 at 1:43 PM

    Thanks man.
    Gotta love Microsoft...

    ReplyDelete
  16. JoeNovember 15, 2017 at 10:13 AM

    thanks man!

    ReplyDelete
  17. UnknownFebruary 2, 2018 at 10:58 AM

    Unfortunately, this doesn't work with extended attributes, such as "manager". You get the following error: The following: ''Eq', 'Ne'' are the only operator(s) supported for searching on extended
    attribute: 'Manager'.

    ReplyDelete
    Replies
    1. Byron WrightFebruary 2, 2018 at 5:28 PM

      Kinda ugly, but maybe dump the whole set of users into a variable and then you can evaluate with Where-Object. Terribly inefficient, but might work.

      Delete
  18. Jorn GrotnesSeptember 13, 2019 at 3:36 AM

    If searching for extended attributes, you can use LDAPFilter, I managed to look for empty Managers by using

    get-ADuser -ldapfilter "(!Manager=*)"

    (and using -searchbase to check real users, of course.)

    ReplyDelete
  19. AnonymousJanuary 20, 2021 at 7:52 AM

    even in 2021 still saving a panicked apprentice! thx a lot for the pointer!

    ReplyDelete
  20. AnonymousOctober 18, 2021 at 8:57 AM

    Still great, especially in 2021! Thank you very much.

    ReplyDelete

Subscribe to: Post Comments (Atom)