Why do the following two commands, with the only difference being the -eq and -ne operator, give me my list of DCs?

Get-ADComputer -Filter {(operatingsystem -like "*server*") -AND 
(PrimaryGroup -eq "CN=Domain Controllers,CN=Users,DC=domain,DC=com") } 
-Property Name,PrimaryGroup

I'd expect this one to have everything but domain controllers.

Get-ADComputer -Filter {(operatingsystem -like "*server*") -AND 
(PrimaryGroup -ne "CN=Domain Controllers,CN=Users,DC=domain,DC=com") } 
-Property Name,PrimaryGroup

If I run the equivalent against PrimaryGroupID instead of PrimaryGroup, it works as expected.

Josiah

2 Answers

I actually get an error when trying both commands. Did a little digging and the filter was causing the problem. Had a quick look in ADSIEdit at a server object. It doesn't appear to have an attribute called "PrimaryGroup".

This was in a 2008 R2 AD running in 2008 R2 forest and domain functional levels.

As an aside, if you want a list of DCs in a domain, get-ADDomainController will do the job.

Regards, Arcass

Arcass
  • I actually want all servers except DCs. In the output of the command on the domain I'm working on, it lists PrimaryGroup, so I should be able to filter against it, no? – Josiah Nov 28 '12 at 04:23
  • @flickerfly Could you add in your OP how do you list the 'PrimaryGroup' attribute? In the ActiveDirectory Schema it doesn't exist. – CB. Nov 28 '12 at 13:06
If you want to put one statement on separate lines, you need to put the backtick (`) at the end of the line to tell PowerShell that the statement continues on the next line. However, even then, you cannot split the filter on two different lines. So it should look something like this:

Get-ADComputer -Filter {(operatingsystem -like "*server*") -AND (PrimaryGroup -eq "CN=Domain Controllers,CN=Users,DC=example,DC=com") } `
    -Property Name,PrimaryGroup

As you've found, AD doesn't actually have an attribute called PrimaryGroup. That is a property that PowerShell exposes to you, which interprets the value in the primaryGroupId attribute for you.

The primaryGroupId attribute of any object has the Relative Identifier (RID) of the group. The RID is the last numeric section of the SID, but the group also stores this value in its primaryGroupToken attribute. So you can get this value like this:

$primaryGroupToken = (Get-ADGroup "Domain Controllers" -Properties primaryGroupToken).primaryGroupToken

PowerShell has to convert what you pass into the -Filter parameter into a proper LDAP query, so when you use PrimaryGroup in the filter, PowerShell is doing that for you.

However, doing that lookup is not really necessary in this case, because the Domain Controllers group is a built-in group and always has an RID of 516. So you can do what you're trying to do like this:

Get-ADComputer -Filter "operatingsystem -like '*server*' -AND PrimaryGroupId -eq 516" `
    -Property Name,PrimaryGroup
Gabriel Luci
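As an added illustration of the answer above (not code from either answerer), the following derives a group's RID from its SID, since that RID is what the real primaryGroupId attribute holds, and then uses it in the working filter form. Get-RidFromSid and Get-MemberServer are hypothetical helper names, the SID is a constructed sample, and the live query assumes the ActiveDirectory module is installed.

```powershell
# Added example: map a group SID to the primaryGroupId value and filter on it.
# Get-RidFromSid / Get-MemberServer are hypothetical names chosen for this example.

function Get-RidFromSid {
    param([Parameter(Mandatory)][string]$Sid)
    # Parsing through SecurityIdentifier validates the SID format first;
    # the RID is the last sub-authority, i.e. the number after the final '-'.
    $parsed = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    return [int]($parsed.Value.Split('-')[-1])
}

function Get-MemberServer {
    # Servers whose primary group is NOT the given RID.
    # 516 is the well-known RID of the Domain Controllers group.
    param([int]$ExcludeRid = 516)
    # primaryGroupId is a real AD attribute, so -ne translates to a valid LDAP
    # negation; the synthesized PrimaryGroup property does not behave this way.
    $filter = "operatingsystem -like '*server*' -and primaryGroupId -ne $ExcludeRid"
    Get-ADComputer -Filter $filter -Properties Name, OperatingSystem, primaryGroupId
}

# Constructed sample SID: S-1-5-21-<domain sub-authorities>-516 is the shape of
# a Domain Controllers group SID; the domain part here is made up.
$constructedDcGroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-516'
$rid = Get-RidFromSid -Sid $constructedDcGroupSid
"RID taken from the sample SID: $rid"

# Only run the directory query where the AD module is actually present.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-MemberServer -ExcludeRid $rid |
        Select-Object Name, OperatingSystem, primaryGroupId
}
```

The offline part runs on any Windows PowerShell; the Get-ADComputer call is only reached on a domain-joined host with RSAT.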