
I'm running into an odd issue and can't find any information. I am trying to figure out why queries to return disabled users aren't working and return a value of 0 entries.

The following queries work well in Active Directory, but do not work for AD LDS instances:

Get-ADUser -Server 'ADLDS' -SearchBase "Path" -Filter "msDS-UserAccountDisabled -eq '$true'"

Get-ADUser -Server 'ADLDS' -SearchBase "Path" -Filter "Enabled -eq '$false'"

Get-ADUser -Server 'ADLDS' -SearchBase "Path" -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

Get-ADUser -Server 'ADLDS' -SearchBase "Path" -LDAPFilter "(&(objectCategory=person)(objectClass=user)(msDS-UserAccountDisabled=true))"

The only queries that worked are as follows:

Get-ADUser -Server 'ADLDS' -SearchBase "Path" -Filter * -Properties * | Where-Object "msDS-UserAccountDisabled" -EQ $true

Get-ADUser -Server 'ADLDS' -SearchBase "Path" -Filter * -Properties * | Where-Object Enabled -EQ $false

Is there a reason the filters on the query side aren't working and why can I only filter on the data after retrieving it? This is a much slower method to get the desired information. Is this a limitation of AD LDS or am I making a mistake with the query?

I am aware of the Search-ADAccount cmdlet. This adds further to the confusion, as it states it looks at the Enabled property for a false value. But as seen in the queries above, using Get-ADUser with the filter of Enabled equal to false doesn't work. In fact, the error message that it throws is either a syntax error, or "System.String not supported for extended attribute Enabled".

  • I'd recommend using Search-ADAccount -AccountDisabled -UsersOnly. Commented May 7, 2024 at 20:11
  • $true and $false should not be quoted. Commented May 7, 2024 at 20:11
  • Tried it both with and without the quotes. No change in behavior. For Active Directory, it works exactly as typed above. It is only AD LDS that is an issue. Commented May 7, 2024 at 20:40
  • Regarding Search-ADAccount, how does it perform the search under the hood? Is it looking at a specific property? If so, which one is it? If it's one of the ones in my queries, then why does the above query not work? The documentation states "Specifies a search for accounts that are disabled. An account is disabled when the ADAccount Enabled property is set to false." Yet searching for that with Get-ADUser doesn't work. Commented May 7, 2024 at 20:41
  • All your queries are fine here, I'm assuming this is something related to how AD LDS works. Commented May 7, 2024 at 21:04
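The thread does not settle which filter AD LDS honours, so the practical move for an account-hygiene audit is to measure it: run the client-side Where-Object query from the question as the reference set, then run each server-side variant the question and comments mention and report, per variant, how many objects it returned, how many differ from the reference set, how long it took, and the exact error text if the provider rejected it. The script below is an added example written for this purpose; it is not code from the question or its comments. The server name, port and search base are placeholders, `$true`/`$false` are left unquoted as the comment suggests, and the LDAP boolean is spelled `TRUE` because that is how the LDAP Boolean syntax (RFC 4517) defines the value; whether AD LDS accepts the lowercase form used in the question is exactly what the comparison is meant to show.

```powershell
# Added example, not part of the original question. All connection values are
# placeholders; point them at your own AD LDS instance and partition.
param(
    [string]$Server     = 'adlds.example.internal:50000',    # placeholder host:port
    [string]$SearchBase = 'OU=People,DC=example,DC=internal'  # placeholder partition DN
)
Import-Module ActiveDirectory

# Reference set: the slow client-side path from the question. Every server-side
# variant that works should return exactly this set of distinguished names.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$baseline = @(
    Get-ADUser -Server $Server -SearchBase $SearchBase -Filter * `
        -Properties 'msDS-UserAccountDisabled' |
        Where-Object { $_.'msDS-UserAccountDisabled' -eq $true }
)
$sw.Stop()
$baselineDNs = [string[]]$baseline.ForEach({ $_.DistinguishedName })
Write-Host ("Client-side reference: {0} disabled users in {1:N2}s" -f $baseline.Count, $sw.Elapsed.TotalSeconds)

# Server-side variants under test. Each is a script block so it can be timed and
# its error captured independently; $Server/$SearchBase are read at invocation.
$variants = [ordered]@{
    'Filter: Enabled -eq $false' =
        { Get-ADUser -Server $Server -SearchBase $SearchBase -Filter 'Enabled -eq $false' }
    'Filter: msDS-UserAccountDisabled -eq $true' =
        { Get-ADUser -Server $Server -SearchBase $SearchBase -Filter 'msDS-UserAccountDisabled -eq $true' }
    'LDAPFilter: msDS-UserAccountDisabled=TRUE' =
        { Get-ADUser -Server $Server -SearchBase $SearchBase `
            -LDAPFilter '(&(objectClass=user)(msDS-UserAccountDisabled=TRUE))' }
    'LDAPFilter: userAccountControl bit 2 (from the question)' =
        { Get-ADUser -Server $Server -SearchBase $SearchBase `
            -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' }
    'Search-ADAccount -AccountDisabled -UsersOnly' =
        { Search-ADAccount -Server $Server -SearchBase $SearchBase -AccountDisabled -UsersOnly }
}

$report = foreach ($name in $variants.Keys) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $result = @(& $variants[$name])
        $sw.Stop()
        # Symmetric difference against the reference set: 0 means the server-side
        # filter returned exactly the accounts the client-side pass found.
        $diff = [System.Collections.Generic.HashSet[string]]::new($baselineDNs)
        $diff.SymmetricExceptWith([string[]]$result.ForEach({ $_.DistinguishedName }))
        [pscustomobject]@{
            Variant    = $name
            Returned   = $result.Count
            Reference  = $baseline.Count
            Mismatches = $diff.Count
            Seconds    = [math]::Round($sw.Elapsed.TotalSeconds, 2)
            Error      = $null
        }
    }
    catch {
        $sw.Stop()
        # Keep the provider's own message: "syntax error" versus the extended
        # attribute error the question mentions tells you which layer rejected it.
        [pscustomobject]@{
            Variant    = $name
            Returned   = 0
            Reference  = $baseline.Count
            Mismatches = $baseline.Count
            Seconds    = [math]::Round($sw.Elapsed.TotalSeconds, 2)
            Error      = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

A variant with `Mismatches = 0` and no error is the one to keep for scheduled audits; a variant that returns without error but with a non-empty mismatch count is the dangerous case, because it silently under-reports disabled accounts rather than failing loudly, so the comparison is worth keeping in the job rather than running once.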
