6

I had never done any LDAP/AD admin or querying. Right now I have a task where I need to get all the USERS in our company's AD, but I keep getting computers in the query's result. I use objectClass=user and still get all the computers in the AD. What else am I missing? Is there a way to say "objectClass=user and not objectClass=Computer"? Thanks!

Luis Garcia
  • Objects can have more than one objectClass. It's probably why computers show up in your otherwise valid filter. – ixe013 Feb 26 '13 at 14:34

2 Answers

15

Try this filter: (&(objectClass=user)(!(objectClass=computer)))

zagyi
  • 1
    Well, the LDAP syntax is not exactly human friendly. :) It's handy to have a tool that helps writing filters. I use [Apache Directory Studio](http://directory.apache.org/studio/) which is quite nice. – zagyi Feb 26 '13 at 14:34
  • No kidding! I write SQL queries often so was familiar with the logic; but the syntax was very interesting to say the least. Thanks for the tip on the Apache tool, very helpful! – Luis Garcia Feb 26 '13 at 14:49
  • 1
    @zagyi any ideas why (&(objectClass=person)(!(objectClass=computer))) does not return any results on OpenLDAP? Btw, (&(objectClass=person)) does return existing users, and (&(objectClass=computer)) does not return any values (which means I do not have any persons who are also computers). – Kirill G. Sep 11 '19 at 08:46
-1

If you are here in 2019, the answer above is now irrelevant. I have been using the below and it works perfectly, using operators:

```powershell
Get-ADObject -IncludeDeletedObjects -Filter {(ObjectClass -eq "user") -and
    (-not (objectClass -eq "computer")) -and (Deleted -eq $true)}
```
Hampus
tolulee
  • 2
    Doesn't matter if you're in 2019 or any year - the question was about using LDAP and your answer is using the PowerShell AD module, which is not relevant to the question at hand. The original answer is still valid and applies. – lara400 Jul 03 '20 at 21:35