用问号通配符过滤Get-Adgroup似乎不起作用

发布于 2025-01-23 16:18:12 字数 687 浏览 0 评论 0原文

我正在尝试获取一个以“用户-### - ”开头的广告组列表（＃是数字0-9）。

我尝试使用Get-Adgroup -filter {name-like“ users- [0-9] [0-9] [0-9] [0-9] [0-9] - *”} and and <代码> get-adgroup -filter {name-like“用户 - ???? - *”} ，但没有结果。

我当然可以使用get-adgroup -filter {name-like“用户 - *”}，但这还包括所有在用户后有四个字符以外的东西的组。

然后，我决定尝试使用object和该代码返回预期组

get-adgroup -filter * | wher-object {$_。Name-like“用户 - [0-9] [0-9] [0-9] [0-9] [0-9] - *”

} “ https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about/about/about_wildcards?view=powershell-7.2”我尝试了应该工作，但实际上没有。

有人知道我在做什么错，或者这只是ADGroup过滤的工作方式的错误？

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

Hello爱情风 2025-01-30 16:18:12

根据Microsoft关于通配符的文档，我尝试过的这两种方式都应该起作用，但实际上不使用。

这是一个合理的假设，但是-filter参数由activedirectory模块中的某些cmdlet展示的参数是欺骗性构造 - 它是设计为的看起来像 powershell的本机操作员语法，但是“在引擎盖下” CMDLET将过滤器表达式转换为有效的LDAP查询过滤器：

name -like "Users-*"
# is translated to
(name=Users-*)

$_.Name -like "Users-[0-9][0-9][0-9][0-9]-*"
# is translated to
(Name=Users-[0-9][0-9][0-9][0-9]-*)

因为LDAP无法识别Wildcard范围构造[0-9] ，它最终会向目录存储询问名称字面意思以用户开头的对象 - [0-9] [0-9] [0-9] [0-9] [0-9] [0-9] - - ？也是如此。

由于*是LDAP接受的唯一通配符，因此您可以获得的最接近：

Get-ADGroup -Filter {name -like "Users-*-*"}

然后使用where-object在客户端上进一步过滤结果（在这种情况下，我们'回到Powershell进行比较，我们可以再次使用所有通配符）：

Get-ADGroup -Filter {name -like "Users-*-*"} | Where-Object Name -like 'Users-[0-9][0-9][0-9][0-9]-*'

According to Microsoft documentation about wildcards, both ways I tried should work, but they actually don't.

That's a reasonable assumption, but the -Filter parameter exposed by some cmdlets in the ActiveDirectory module is a deceptive construct - it's designed to look like PowerShell's native operator syntax, but "underneath the hood" the cmdlet translates the filter expression to a valid LDAP query filter:

name -like "Users-*"
# is translated to
(name=Users-*)

$_.Name -like "Users-[0-9][0-9][0-9][0-9]-*"
# is translated to
(Name=Users-[0-9][0-9][0-9][0-9]-*)

Since LDAP doesn't recognize the wildcard range construct [0-9], it ends up querying the directory store for objects where the name literally starts with Users-[0-9][0-9][0-9][0-9]- - same goes for ?.

Since * is the only wildcard accepted by LDAP, the closest you can get is:

Get-ADGroup -Filter {name -like "Users-*-*"}

And then filter the results further on the client with Where-Object (in which case we're back to PowerShell performing the comparison and we can use all the wildcards again):

Get-ADGroup -Filter {name -like "Users-*-*"} | Where-Object Name -like 'Users-[0-9][0-9][0-9][0-9]-*'

回复收藏 0 原文

茶色山野 2025-01-30 16:18:12

如：：

注意：除“*”，例如“？”之外，Powershell通配符。不是
由-filter参数语法支持。

在这种情况下，您可以将-LDAPFILTER与组合在一起，where-object可以保持查询兼容和高效：

Get-ADGroup -LDAPFilter "(name=Users-*-*)" | Where-Object {
    $_.Name -like "Users-[0-9][0-9][0-9][0-9]-*"
}

As stated in about_ActiveDirectory_Filter:

Note: PowerShell wildcards, other than "*", such as "?" are not
supported by the -Filter parameter syntax.

In this case, you can combine -LDAPFilter with Where-Object to keep your query compatible and efficient:

Get-ADGroup -LDAPFilter "(name=Users-*-*)" | Where-Object {
    $_.Name -like "Users-[0-9][0-9][0-9][0-9]-*"
}

回复收藏 0 原文

虫児飞 2025-01-30 16:18:12

您可以在这种情况下使用-filter作为预滤波器，因此，至少您只能获得以用户开头的名称的组 -。
然后，在您可以进一步指定的目标子句中，在这种情况下，我将使用Regex -Match，例如：

Get-ADGroup -Filter "Name -like 'Users-*'" | Where-Object { $_.Name -match '^Users-\d{4}-.*' }

PS -filter应该是 String < /strong>，而不是脚本块

You can use -Filter in this case as pre-filter, so at least you will get only groups with names starting with Users-.
Then in a further Where-Object clause you can specify further and in this case I would use regex -match there like:

Get-ADGroup -Filter "Name -like 'Users-*'" | Where-Object { $_.Name -match '^Users-\d{4}-.*' }

P.S. -Filter should be a string, not a scriptblock

回复收藏 0 原文

小兔几 2025-01-30 16:18:12

PowerShell Active Directory模块中的滤波器具有奇数行为。

过滤器

有两种方法可以限制AD CMDLET的输出
吸引人。首先，您可以使用-ldapfilter或-filter参数
过滤输出。第二，您可以将结果输送到
哪些cmdlet。在可能的情况下，第一种方法是更多
高效有两个原因。
过滤是在域控制器上而不是本地进行的
客户。域控制器更有可能是服务器类
用于查询的计算机优化。过滤导致较小的
从域控制器到网络发送的结果集
客户。相比之下，位于object cmdlet仅在本地过滤
结果集后的客户端是从远程计算机发送的。为了
例如，您可以通过开始的部门检索所有用户
使用“ IT”使用wery-object cmdlet如下：
Get -Aduser -Filter * - Properties部门| where -object {$_。部门 - 类似于“ it*”} |选择samaccountname，部门
Get-Aduser语句中的结果集包括
领域。获得相同结果的一种更有效的方法将使用
过滤器，类似于下面：
get -aduser -filter {部门 - 类似于“ it*”} -properties部门|选择samaccountname，部门现在只有所需的用户
包含在Get-Aduser的结果集中。在2,150的测试域中
用户（其中7个具有“ IT”部门）上面的第一个命令
4倍（平均10个试验，16个试验）
两次试验之间的分钟）。差异可能是很大的
有十万用户的域名。
另外，请注意，上述语句使用-properties参数
仅指定所需的属性。公开的默认属性
在这种情况下，始终包括cmdlet，例如samaccountname。如果
您请求所有属性，带有-properties *，结果集将
为每个用户包含许多属性。结果集将很多
如果您仅指定所需的扩展属性，例如
在这种情况下。在测试中重复上面的最后一个命令
具有2,150个用户的域名，但请求所有属性（
- 专家 *）平均需要多75％的时间才能完成。 Get-Aduser CMDLET暴露的默认和扩展属性是
在Active Directory中记录：Get-Aduser默认和扩展
属性。

powershell滤波器语法

PowerShell Active Directory模块CMDLET支持扩展
Powershell表达语言的形式。 Powershell文档
表示应将PowerShell语法过滤器封闭在牙套中。
但是有很多示例单语引号或双引号
而是使用。如您所期望的，这会影响过滤器的方式
解释。
使用字符串属性下表显示了一些示例
PowerShell语法使用字符串属性（例如部门）过滤。
有些过滤器会导致错误，其他过滤器不会引起错误，但从未引起错误
产生结果。变量$ dept定义为以前。

Filter  Result
-Filter {department -eq "IT Department"}    Works
-Filter {department -eq $Dept}  Works
-Filter {department -eq "$Dept"}    No Results
-Filter {department -eq '$Dept'}    No Results
-Filter "department -eq $Dept"  Error
-Filter 'department -eq $Dept'  Works
-Filter {department -eq "it*"}  No Results
-Filter {department -Like "it*"}    Works
-Filter "department -Like ""it*"""  Works
-Filter "department -Like 'it*'"    Works
-Filter 'department -Like "it*"'    Works
-Filter 'department -Like ''it*'''  Works
-Filter {department -ge "IT"}   Works
Some of these results may not be expected.

例如，您可能会期望在引用的字符串中包含一个变量
上班。最好的政策可能是始终包含PowerShell语法
牙套中的过滤器，避免引用变量。
使用“ -ge”操作员的最后一个示例仅在稀有
情况。过滤器将导致任何部门
在词典上大于或等于“ IT”。例如，它将
返回“测试部门”，因为“ t”大于“ i”。

The filters in the Powershell Active Directory module have odd behaviors.

Filter or Where Clause

There are two ways to restrict the output of an AD cmdlet like
Get-ADUser. First, you can use the -LDAPFilter or -Filter parameters
to filter the output. Second, you can pipe the results to the
Where-Object cmdlet. Where possible, the first method is more
efficient for two reasons.
Filtering is done on the domain controller instead of the local
client. The domain controller is more likely to be a server class
computer optimized for queries. Filtering results in a smaller
resultset sent over the network from the domain controller to the
client. In contrast, the Where-Object cmdlet only filters on the local
client after the resultset has been sent from the remote computer. For
example, you could retrieve all users with a department that starts
with "IT" using the Where-Object cmdlet as follows:
Get-ADUser -Filter * -Properties department | Where-Object {$_.department -Like "it*"} | Select sAMAccountName, department The
resultset from the Get-ADUser statement includes all users in the
domain. A more efficient method to get the same results would use a
filter, similar to below:
Get-ADUser -Filter {department -Like "it*"} -Properties department | Select sAMAccountName, department Now only the users needed are
included in the resultset from Get-ADUser. In a test domain with 2,150
users (7 of which have "IT" departments) the first command above took
4 times as long as the second (average of 10 trials each with 16
minutes between trials). The difference could be substantial in a
domain with ten's of thousands of users.
Also, note that the statements above use the -Properties parameter to
specify only the properties needed. The default properties exposed by
the cmdlet are always included, like sAMAccountName in this case. If
you request all properties, with -Properties *, the resultset will
include many properties for each user. The resultset will be much
smaller if you only specify the extended properties needed, like
department in this case. Repeating the last command above in the test
domain with 2,150 users, but requesting all properties (with
-Properties *) required 75% more time on average to complete. The default and extended properties exposed by the Get-ADUser cmdlet are
documented in Active Directory: Get-ADUser Default and Extended
Properties.

PowerShell Filter Syntax

The PowerShell Active Directory module cmdlets support an extended
form of the PowerShell Expression Language. PowerShell documentation
indicates that PowerShell syntax filters should be enclosed in braces.
But there are many examples where single quotes or double quotes are
used instead. As you might expect, this affects how the filter is
interpreted.
Using String Attributes The following table shows some example
PowerShell syntax filters using string properties, like Department.
Some filters result in error, others do not raise an error but never
produce results. The variable $Dept is defined as previously.

Filter  Result
-Filter {department -eq "IT Department"}    Works
-Filter {department -eq $Dept}  Works
-Filter {department -eq "$Dept"}    No Results
-Filter {department -eq '$Dept'}    No Results
-Filter "department -eq $Dept"  Error
-Filter 'department -eq $Dept'  Works
-Filter {department -eq "it*"}  No Results
-Filter {department -Like "it*"}    Works
-Filter "department -Like ""it*"""  Works
-Filter "department -Like 'it*'"    Works
-Filter 'department -Like "it*"'    Works
-Filter 'department -Like ''it*'''  Works
-Filter {department -ge "IT"}   Works
Some of these results may not be expected.

For example, you might expect enclosing a variable in a quoted string
to work. The best policy might be to always enclose PowerShell syntax
filters in braces, and to refrain from quoting variables.
The last example using the "-ge" operator is only useful in rare
situations. The filter will result in any departments that are
lexicographically greater than or equal to "IT". For example, it will
return "Test Department", because "T" is greater than "I".

回复收藏 0 原文

~没有更多了~