LDAP filter for a property that isn’t set

Filtering on a particular LDAP property is straightforward:

Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -Properties * -Filter {Title -eq 'Boss'}


You can also use an LDAP filter:

Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -Properties * -LDAPFilter '(Title=Boss)'


I prefer LDAP filters as I find them more powerful and I can use them in the GUI tools.

I was recently asked how do I filter on a property that isn’t set. That’s a bit more tricky as AD doesn’t store a value if the property isn’t set.

You can do this with an LDAP filter:

Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -LDAPFilter '(!(Department=*))' -Properties *


(Department=*) searches for accounts where department is set

(!(Department=*)) searches for accounts where it’s not set


Note that the filter is =* and you can’t use other characters.


You can also check for multiple properties that aren’t set:

Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -LDAPFilter '(&(!(Company=*))(!(Department=*)))' -Properties *


The & in the filter means AND. Note how the filter is constructed, though: the & comes first, followed by the individual filters.
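The same pattern can be generated for any list of attributes. This is an added example, not code from the original post: the function name New-UnsetLdapFilter and its parameters are hypothetical, and it goes one step beyond the text by also supporting the standard LDAP OR operator (|) for "at least one of these is unset". It assumes the ActiveDirectory module is loaded.

```powershell
# Added example: New-UnsetLdapFilter is a hypothetical helper, not an ActiveDirectory cmdlet.
function New-UnsetLdapFilter {
    [CmdletBinding()]
    param(
        # LDAP names of the attributes to test, e.g. Company, Department
        [Parameter(Mandatory)]
        [string[]]$Attribute,

        # All = every attribute is unset (&); Any = at least one is unset (|)
        [ValidateSet('All', 'Any')]
        [string]$Match = 'All'
    )

    $clauses = foreach ($name in $Attribute) {
        # Accept only letters, digits and hyphens so that parentheses, wildcards
        # or operators in the input cannot change the shape of the filter.
        if ($name -notmatch '^[A-Za-z][A-Za-z0-9-]*\z') {
            throw "Invalid LDAP attribute name: '$name'"
        }
        "(!($name=*))"    # presence test (=*) wrapped in NOT (!)
    }

    # A single clause needs no AND/OR operator around it
    if (@($clauses).Count -eq 1) { return [string]$clauses }

    # Prefix notation: the operator comes first, then each clause in turn
    $operator = if ($Match -eq 'All') { '&' } else { '|' }
    "($operator$(-join $clauses))"
}

# Accounts in the test OU that are missing Company OR Department
$attrs  = 'Company', 'Department'
$filter = New-UnsetLdapFilter -Attribute $attrs -Match Any

# Request only the attributes being checked instead of -Properties *
Get-ADUser -SearchBase 'OU=Testing,DC=Manticore,DC=org' -LDAPFilter $filter -Properties $attrs |
    Select-Object SamAccountName, Company, Department
```

With -Match All the helper produces the same filter string as the two-property example above.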

