Exclude OU but maintain nested OU with same name

I have an ou structure with multiple nested ou’s and a lot of ou’s with the same name.

example - cn=abc1234,ou=MAG,ou=ABC1234,dc=magglab,dc=com
cn=bcd1234,ou=MAG,ou=bcd1234,dc=magglab,dc=com
CN=maggtest,ou=MAG,dc=magglab,dc=com

I have not been able to exclude the MAG ou in line 3 without excluding it throughout the domain. I have 1000’s of OU’s called MAG nested under 1000’s of OUs. (BTW this was inherited :frowning: )

PS C:\Comps> get-adcomputer -resultsetsize 5000 -filter * -properties distinguishedname,Operatingsystem | select name,operatingsystem,distinguishedname | where-object { $_.distinguishedName -notlike "*ou=MAG*" }

This shows everything except any OU labeled MAG, which I understand is by design. What I do not understand is how can I run this to show me everything except this OU level “OU=MAG,dc=magglab,dc=com” but still show me all nested OU’s with the name MAG?

You’re not going to be able to do it without expanding your -notlike operand to include the additional bit of information, i.e., if it immediately precedes the dc portion of the DN.

$list = @"
cn=abc1234,ou=MAG,ou=ABC1234,dc=magglab,dc=com
cn=bcd1234,ou=MAG,ou=bcd1234,dc=magglab,dc=com
CN=maggtest,ou=MAG,dc=magglab,dc=com
"@ -split "\r?\n"   # regex split: handles both CRLF and LF line endings
$list | where {$_ -notlike "*ou=mag,dc*"} | foreach {
    "... $_"
}

Alternatively you could have done it with a RegEx as well.

$list | where {$_ -notmatch "ou=mag,dc"} | foreach {
    "... $_"
}

Bob

Are you saying I would need to run get-adorganizationalunit to capture all my OU’s, then create the $variable to add all of the OU’s together?

Also in my example I would need to adjust the last line where I am trying to omit this OU and all sub OU’s beneath it.

Would be like this – CN=maggtest,ou=MAG,OU=ONEMORE,dc=magglab,dc=com
Do I need to add 1 additional level to the example

$list | where {$_ -notlike "*ou=mag,ou=onemore,dc*"} | foreach {
    "... $_"
}

Hi Mike,

Are you just trying to get all AD computers except the ones found within magglab.com\MAG and its respective Sub OUs? If so, expanding the where-object expression to “ou=mag,dc”, as Bob mentioned, should work. The distinguished name of all computers in that Mag OU and its sub OUs will end in ou=MAG,dc=magglab,dc=com.

Get-ADComputer -ResultSetSize 5000 -Filter * -Properties DistinguishedName,OperatingSystem | Select-Object Name,OperatingSystem,DistinguishedName | Where-Object { $_.DistinguishedName -notlike "*OU=MAG,DC=magglab,DC=com" }

No, my use of the $list variable was just to hold your sample data so I could show that the expanded -like operand worked. And your clarification above only left me more confused as to what you are trying to accomplish.

Are there multiple OUs off the root of the domain you want to exclude? If so, that’s relatively easy with a -notmatch Regex.

$list | where {$_ -notmatch "ou=(mag|onemore|yetanother),dc"} | foreach {
    "... $_"
}

Bob, YES, I am trying to see if there are any computers remaining in any of the MAG OUs but I need to exclude – CN=maggtest,ou=MAG,OU=ONEMORE,dc=magglab,dc=com

As I mentioned there are about 1000 OUs and each OU has a subtree of OUs of which each one includes an OU named MAG.

Once I determine there are no objects inside these OUs I will then need to delete them as well… Does this help at all?

I guess what is throwing me is that I only want to look in the MAG OU of the Subtree and not this one… MAG,OU=ONEMORE,dc=magglab,dc=com

I will look into the -notmatch REGEX options. Thanks for the direction.

Mike, as Bob has said, you only need to add more data to your where filter.

Example
cn=abc1234,ou=MAG,ou=ABC1234,dc=magglab,dc=com
cn=bcd1234,ou=MAG,ou=bcd1234,dc=magglab,dc=com
CN=maggtest,ou=MAG,dc=magglab,dc=com

In your current where-object filter, you are finding anything with “ou=MAG”. As you can see that matches all three lines above.

However, if you add more data to your filter “OU=MAG,dc=magglab,dc=com”, it only matches the third line in the sample data.

get-adcomputer -resultsetsize 5000 -filter * -properties distinguishedname,Operatingsystem | select name,operatingsystem,distinguishedname | where-object { $_.distinguishedName -notlike "*OU=MAG,dc=magglab,dc=com" }

Re-reading your last post, you added an additional criterion. You only want the computer objects if they are in a MAG OU, as long as that MAG OU is not the OU=MAG,dc=magglab,dc=com MAG OU.

For that you will need to define the additional condition.

get-adcomputer -resultsetsize 5000 -filter * -properties distinguishedname,Operatingsystem | select name,operatingsystem,distinguishedname | where-object {$_.distinguishedName -like "*ou=MAG*" -AND $_.distinguishedName -notlike "*OU=MAG,dc=magglab,dc=com" }

The first part of the criteria says only show objects that have ou=MAG in the distinguishedname, and the second part says don’t show the ones that have OU=MAG,dc=magglab,dc=com in the distinguishedname.
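An added example, not part of the original thread: because the end goal here is deleting OUs, this version matches on whole RDN components instead of substrings, so an OU such as OU=MAGNET or a computer named MAG01 is not mistaken for a MAG OU. The function name `Test-InNestedMagOu`, its parameters, and every sample DN except the two taken from the thread are assumptions made for illustration.

```powershell
# Added example (hypothetical helper, not from the thread).
function Test-InNestedMagOu {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$OuName     = 'MAG',
        [string]$ExcludedOu = 'OU=MAG,DC=magglab,DC=com'
    )
    # Split on commas that are not backslash-escaped, so a value such as
    # "CN=Smith\, J" stays in one piece.
    $rdns = $DistinguishedName -split '(?<!\\),' | ForEach-Object { $_.Trim() }

    # The object's container path is everything after its own RDN.
    $parentRdns = @($rdns | Select-Object -Skip 1)
    $parent     = $parentRdns -join ','

    # Drop the excluded OU and everything beneath it (case-insensitive suffix test,
    # no wildcard interpretation of the OU string).
    $cmp = [StringComparison]::OrdinalIgnoreCase
    if ($parent.Equals($ExcludedOu, $cmp) -or $parent.EndsWith(",$ExcludedOu", $cmp)) {
        return $false
    }

    # Keep only objects with a container RDN that is exactly OU=<name>.
    return [bool]($parentRdns | Where-Object { $_ -ieq "OU=$OuName" })
}

# Constructed sample data; the first two DNs are the ones quoted in the thread.
$sample = @(
    'cn=abc1234,ou=MAG,ou=ABC1234,dc=magglab,dc=com'   # nested MAG            -> kept
    'CN=maggtest,ou=MAG,dc=magglab,dc=com'             # top-level MAG         -> dropped
    'CN=pc7,OU=Laptops,OU=MAG,DC=magglab,DC=com'       # below top-level MAG   -> dropped
    'CN=pc8,OU=MAGNET,OU=BCD1234,DC=magglab,DC=com'    # substring match only  -> dropped
    'CN=MAG01,OU=Servers,DC=magglab,DC=com'            # name, not an OU       -> dropped
)

$sample | Where-Object { Test-InNestedMagOu -DistinguishedName $_ }

# Against the directory, the same test replaces the -like / -notlike pair:
# Get-ADComputer -Filter * -Properties OperatingSystem |
#     Where-Object { Test-InNestedMagOu -DistinguishedName $_.DistinguishedName }
```

Only the first sample DN is returned; the `-like "*ou=MAG*"` form would also return the OU=MAGNET entry.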

Bob / Curtis

Thank you very much, that did it for me. Now I have to figure out how to capture all these nested OUs so I can delete them in one shot. Going to see what I can put together from what you both have provided.

Thanks for sharing

Regards,

Mike