使用Get-ADUser按两个属性过滤 [英] Filter by two properties with Get-ADUser

问题描述

Get-ADUser -SearchBase "OU=Purgatory,DC=domain,DC=com" -Filter {'enabled -eq $false' -and 'whenChanged -lt $ChangeDate'}

我不知道如何用两个特征过滤。我想按早于$ ChangeDate变量的禁用用户进行筛选。如果我仅通过'enabled -eq $ false'进行过滤，则可以运行，并且如果我仅通过'whenChanged -lt $ ChangeDate'进行过滤， code>，它可以工作。但是，如果我使用-和将它们结合起来，那就没有运气了。

I cant figure out how to filter by two traits. I want to filter by disabled users that are older than the $ChangeDate variable. If I filter just by 'enabled -eq $false', it works, and if I filter just by 'whenChanged -lt $ChangeDate' , it works. But if i use the -and to combine them, no luck.

推荐答案

通常，您应该 避免使用脚本块（ {...} ）作为 -Filter 参数 。

Generally, you should avoid the use of script blocks ({ ... }) as -Filter arguments.

最终，传递给 -Filter 参数的任何内容都是字符串 ，并使用 {...} 只能掩盖这一事实，因为它错误地暗示了封闭的表达式是的一部分PowerShell 代码-并非如此；它是类语言。 aspx rel = nofollow noreferrer> 获取帮助about_ActiveDirectory_Filter

Ultimately, whatever is passed to the -Filter parameter is a string, and using { ... } only obscures that fact, because it falsely suggests that the enclosed expression is a piece of PowerShell code - it is not; it is a severely constrained, PowerShell-like language described in Get-Help about_ActiveDirectory_Filter

这是AD提供程序碰巧会在最终收到的字符串中识别简单变量引用（例如， $ ChangeDate ）（和 {...} 的使用有效地将 ... 作为字符串文字 ），而任何表达式（例如 $ ChangeDate.Year ）都不会被 识别。

What muddies the waters is that the AD provider happens to recognize simple variable references (e.g., $ChangeDate) in the strings it ultimately receives (and use of { ... } effectively passes ... as a string literal), whereas any expression (e.g., $ChangeDate.Year) is not recognized.

• 通常，最安全的方法是使用 expandable （内插）字符串（双引号； ... ）作为 -Filter 参数并引入变量值；也就是说，PowerShell在AD提供程序看到字符串之前，将变量引用替换为其值 。

• Generally, the safest approach is to use expandable (interpolating) strings (double-quoted; "...") as -Filter arguments and "bake in" variable values; that is, PowerShell replaces the variable references with their values before the AD provider sees the string.

但是，目前尚不清楚<必须在这样的字符串中表示em> date 值，这样才能被识别，因此利用 AD 提供程序提供的
变量解释恰好是在 this 情况下最安全的选择（请注意使用单引号（'...'），这意味着字符串按原样传递-PowerShell不执行插值）：

However, it's unclear how date values must be represented inside such a string in order to be recognized as such, so taking advantage of the variable interpretation offered by the AD provider happens to be the safest choice in this case (note the use of single quotes ('...'), which means that the string is passed as-is - PowerShell performs no interpolation):

Get-ADUser -SearchBase "OU=Purgatory,DC=domain,DC=com" `
  -Filter 'enabled -eq $false -and whenChanged -lt $ChangeDate'

同样，请注意，您正在将字符串常量传递给 -Filter ，并且它是 AD提供程序解释嵌入式变量引用，它仅与简单变量引用，而不是表达式。

Again, be aware that you're passing a string literal to -Filter, and that it is the AD provider interpreting the embedded variable references, which only works with simple variable references, not expressions.

关于您尝试过的方法：

{'enabled -eq $ false'-and'whenChanged -lt $ ChangeDate'} 为通过调用 .ToString（）方法有效地传递了该方法，该方法在 {和} 原样。

{'enabled -eq $false' -and 'whenChanged -lt $ChangeDate'} is effectively passed by calling the .ToString() method on it, which passes everything between the { and } as-is.

也就是说，cmdlet / AD提供程序看到了

'enabled -eq $ false'-'whenChanged -lt $ ChangeDate'

作为字符串值，包括单引号，这不是您想要的。

That is, the cmdlet / AD provider sees
'enabled -eq $false' -and 'whenChanged -lt $ChangeDate'
as the string value, including the single quotes, which is not what you intended.

这篇关于使用Get-ADUser按两个属性过滤的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！