How to Perform LDAP Queries in PowerShell

  1. Installing the Active Directory Module in PowerShell
  2. Use the Filter Parameter for PowerShell Filters
  3. Use the -LDAPFilter Parameter for LDAP Filters in PowerShell

One of the most common challenges when querying Active Directory with PowerShell is how to build filter syntax properly.

Unfortunately, the -Filter and -LDAPFilter parameters found on the Active Directory module cmdlets are a black box to many: the two parameters accept different languages, and quoting mistakes in either produce silent empty results or parse errors.

This article will dive deep into understanding how to use Active Directory filters and LDAP filters.

Installing the Active Directory Module in PowerShell

There are a few prerequisites before proceeding.

  • PowerShell Active Directory module installed.
  • Domain-joined computer.
  • Successfully connect and authenticate to an Active Directory domain controller.

Install-Module normally fetches a module from a registered repository such as the PowerShell Gallery and installs it on your computer. The Active Directory module is not published there, however; it ships as part of a Windows component that has to be installed first.

That prerequisite is RSAT, the Remote Server Administration Tools.

Run one of the commands below, from an elevated PowerShell session, to install RSAT on your workstation or server.

Installing RSAT for Windows 10 (version 1809 and later, where RSAT is delivered as a feature on demand):

Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online

Installing Remote Server Administration Tools for Windows Server (2012 and later; Windows Server 2008 R2 uses Add-WindowsFeature from the ServerManager module instead):

Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

Installing the Remote Server Administration Tools feature on your machine will also install the Active Directory Module for Windows PowerShell.
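Putting the prerequisites together, the following is an added example (not code from the original article) that installs the appropriate RSAT package for the local operating system, imports the module and confirms that a domain controller answers. It assumes an elevated session on a domain-joined Windows 10 (1809 or later) or Windows Server 2012+ machine; the Win32_OperatingSystem ProductType value is how it tells a workstation from a server.

```powershell
# Added example, not code from the original article: install the RSAT package
# matching the local OS, load the module and verify that a DC responds.
# Run from an elevated session on a domain-joined machine.
#Requires -RunAsAdministrator

$capability = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'

if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    if ($productType -eq 1) {
        # Windows 10 1809 and later ship RSAT as a feature on demand; older builds
        # need the standalone RSAT installer from Microsoft instead.
        Add-WindowsCapability -Online -Name $capability
    } else {
        Install-WindowsFeature -Name 'RSAT-AD-PowerShell' -IncludeAllSubFeature
    }
}

Import-Module ActiveDirectory -ErrorAction Stop

# A successful Get-ADDomain proves all three prerequisites at once: the module
# loads, the machine can reach a DC, and the current credentials authenticate.
$domain = Get-ADDomain
'Connected to {0} via {1}' -f $domain.DNSRoot, $domain.PDCEmulator
```

If Get-ADDomain fails with a server-not-found error on a machine that is otherwise domain-joined, check that the Active Directory Web Services port (TCP 9389) on the domain controller is reachable, because the module talks to that service rather than to LDAP directly.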

Use the Filter Parameter for PowerShell Filters

PowerShell filters use a subset of the standard Windows PowerShell expression syntax (the PowerShell Expression Language). This method is commonly referred to as Active Directory search filter syntax.

These filters are passed to the -Filter parameter as a string. Although the syntax looks like a PowerShell script block, the string is parsed by the cmdlet itself, not by PowerShell, which is why the quoting rules below matter.

Inside the filter, you will compare various AD object properties using operators. For example, the Get-ADUser command returns a Name property.

So, to find all users with a specific name, you would use:

Get-ADUser -Filter "Name -eq 'John'"

Property names can be either the LDAP display name of the attribute or the property name the Active Directory cmdlet returns (for example, Surname for the sn attribute).

Property values are wrapped in single or double quotes. The only wildcard accepted is the asterisk *, used with the -like and -notlike operators.

Note that double quotes surround the whole filter while John is wrapped in single quotes. Nesting the two quote styles keeps the value's quotes from terminating the PowerShell string; a value that itself contains a quote character breaks this pattern, so values taken from user input should be passed as variables rather than spliced into the string.
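The following added example (not code from the original article) walks through the -Filter rules above: exact versus wildcard matching, combining clauses, and the variable form that the cmdlet resolves itself, which is the safe way to put untrusted input into a filter. It needs the ActiveDirectory module and a reachable domain controller; the account names and values are constructed for illustration and do not refer to real accounts.

```powershell
# Added example, not code from the original article. Needs the ActiveDirectory
# module and a reachable domain controller; names and values are constructed to
# exercise the quoting rules and do not refer to real accounts.
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Exact match versus wildcard match. The * wildcard is honoured by -like and
#    -notlike; the -eq clause compares the Name attribute exactly.
Get-ADUser -Filter "Name -eq 'John Smith'"
Get-ADUser -Filter "Name -like 'John*'"

# 2. Combining clauses. The outer string is single-quoted so PowerShell leaves it
#    alone; the value inside uses double quotes, which the filter parser accepts.
#    Enabled is a cmdlet property that the parser maps onto userAccountControl.
Get-ADUser -Filter 'Enabled -eq $false -and Name -like "svc*"' -Properties Description |
    Select-Object Name, Enabled, Description

# 3. Untrusted input: pass it as a plain PowerShell variable inside a single-quoted
#    filter. The cmdlet resolves $sam from the calling scope and uses the whole
#    value as the operand, so an apostrophe or an embedded "-or" cannot change the
#    filter's structure the way "SamAccountName -eq '$sam'" would.
$sam = "o'brien"
Get-ADUser -Filter 'SamAccountName -eq $sam'

# 4. Only simple variables are resolved; $manager.DistinguishedName is not. Copy
#    the property into a variable first (jdoe is a placeholder account name).
$manager   = Get-ADUser -Identity 'jdoe'
$managerDn = $manager.DistinguishedName
Get-ADUser -Filter 'Manager -eq $managerDn'
```

The difference between steps 3 and 4 and a double-quoted string such as "SamAccountName -eq '$sam'" is that PowerShell expands the latter before the cmdlet ever sees it, so a value of x' -or Name -like '* turns a single-account lookup into a query that returns every user.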

Use the -LDAPFilter Parameter for LDAP Filters in PowerShell

Lightweight Directory Access Protocol, or LDAP, is a vendor-neutral protocol for accessing and modifying directory data.

We may think of a phonebook when hearing the word directory, but in the context of Active Directory it means much more.

Active Directory stores and exposes many different object types, and LDAP is the protocol through which applications and users read and modify that data. Because AD holds so many kinds of data, clients need a compact way to ask for exactly the objects they want.

Active Directory implements LDAP, so the -LDAPFilter parameter on the AD cmdlets lets you supply a native LDAP filter, such as one built in Active Directory Users and Computers. Unlike -Filter, the string is handed to the domain controller as written, which makes correct escaping of any untrusted value essential.

The syntax for LDAP search filters is defined in RFC 4515. Each filter item is surrounded by parentheses (), and items are combined with the prefix operators & (and), | (or) and ! (not), each of which wraps its operands in its own set of parentheses.

Here are some example filters for Active Directory groups to use as a base for your own; each can be passed as the -LDAPFilter value of Get-ADGroup.

  • All groups with a name (CN) of Department.
'(cn=Department)'
  • All groups with a name of Department and a description of Prod.
'(&(cn=Department)(description=Prod))'
  • All groups with a name of either Professional Services Department or Share Access.
'(|(cn=Professional Services Department)(cn=Share Access))'
  • All groups that do not have a description of Prod, including those with no description at all.
'(!(description=Prod))'
  • All groups with a description of Prod but not with a name of Department.
'(&(description=Prod)(!(cn=Department)))'
  • All groups whose description is \\fileserver1\share. A backslash has meaning in a filter, so each one is written as its hex escape \5c.
'(description=\5c\5cfileserver1\5cshare)'
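The last example above shows RFC 4515 escaping done by hand. The following added example (not code from the original article) implements that escaping as a function, checks it against the article's own \\fileserver1\share value, and shows why it matters when the value comes from an untrusted source: a raw asterisk spliced into (description=...) becomes a wildcard that matches every group with a description. It also goes slightly beyond the article by using the extensible-match form that RFC 4515 defines, with Active Directory's bitwise-AND matching rule OID 1.2.840.113556.1.4.803, to find disabled user accounts. The group description is a constructed input; the Get-AD* calls need the ActiveDirectory module and a reachable domain controller, while the helper and its self-checks run anywhere.

```powershell
# Added example, not code from the original article. The escaping helper and its
# self-checks run anywhere; the Get-AD* calls need the ActiveDirectory module and a
# reachable domain controller. Descriptions and inputs are constructed for illustration.
Import-Module ActiveDirectory -ErrorAction Stop

function ConvertTo-LdapFilterValue {
    <#
    Escape an assertion value per RFC 4515 section 3: characters with meaning
    inside a filter are replaced by a backslash and their two-digit hex code.
    This is the encoding the article's \\fileserver1\share example shows by hand.
    #>
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $map = @{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        $key = [string]$ch
        if ($map.ContainsKey($key)) { [void]$sb.Append($map[$key]) }
        else { [void]$sb.Append($ch) }
    }
    $sb.ToString()
}

# Self-checks: the article's own example plus the characters that matter for injection.
if ((ConvertTo-LdapFilterValue '\\fileserver1\share') -ne '\5c\5cfileserver1\5cshare') { throw 'backslash escaping is wrong' }
if ((ConvertTo-LdapFilterValue '*') -ne '\2a') { throw 'wildcard escaping is wrong' }
if ((ConvertTo-LdapFilterValue 'a)(b') -ne 'a\29\28b') { throw 'parenthesis escaping is wrong' }

# Constructed untrusted input, as a helpdesk tool might receive it from a web form.
$requested = '*'

# Unsafe: spliced verbatim, the asterisk is a wildcard and the query returns every
# group that has any description at all.
$unsafe = "(&(objectClass=group)(description=$requested))"

# Safe: the escaped value matches only a group whose description is literally "*".
$safe = "(&(objectClass=group)(description=$(ConvertTo-LdapFilterValue $requested)))"
Get-ADGroup -LDAPFilter $safe

# Extensible match (attribute:matchingRuleOID:=value), also defined by RFC 4515.
# 1.2.840.113556.1.4.803 is AD's bitwise-AND rule; bit 0x2 of userAccountControl
# is ACCOUNTDISABLE, so this returns disabled user accounts.
Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
```

Keep $unsafe around only to compare the two strings; never send it to a domain controller with attacker-controlled input. The helper leaves non-ASCII characters unescaped, which RFC 4515 permits because filters are UTF-8 strings.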
Marion Paul Kenneth Mendoza

Marion specializes in anything Microsoft-related and always tries to work and apply code in an IT infrastructure.
