Get-ADUser -Filter string array

Just trying to simply get the Filter param for Get-ADUser to accept an array of strings for input but having a difficult time at it. Not familiar with tackling with arrays on Powershell. I figured it’d be just as easy as this:

$userarray = @("user1","user2","user3")

Get-ADUser -Filter {name -eq $userarray}

The funny thing is, it will accept the array var without error, but no output given (as if it found nothing matching). Verbose nor Debug params show anything, so I’m not sure if it’s just parsing the array in a strange manner or not. It will take the var if it’s just a single string value.

In any case, if this isn’t the way an array should be used in this situation, than what’s best practice?

Preemptive thanks!

The -Filter param on each cmdlet uses that cmdlet’s provider to filter results vs. using something like -Include or Where-Object. You could get this done via Where-Object but I don’t recommend it since it’d be a lot slower.

You could do something like this:

$userarray = 'user1','user2',user3'
$filterstring = "samaccountname -eq '$($userarray -join "' -or samaccountname -eq '")'"
Get-AdUser -Filter $filterstring

That just creates a string from the contents of your user array.

See the help file:


-Filter doesn’t accept an array. PowerShell is turning the array into a single-string delimited list, which is why it doesn’t work. You’ve got to run the command once for each filter you intend it to process.

Since you’re querying Active Directory to return a list of users based on exact matches of what’s in each element in the array, you can simply pipe the array to Get-ADUser. This will use the Identity parameter instead of the Filter parameter:

$userarray = @('user1','user2','user3')
$userarray | Get-ADUser -ErrorAction SilentlyContinue

I added -ErrorAction SilentlyContinue to ignore the ones that don’t exist in Active Directory otherwise they’ll generate errors. If you’re using this in a script, I recommend adding error handling instead of ignoring the errors.

Each element in the array would need to contain one of these for this to work:
– A Distinguished Name
– A GUID (objectGUID)
– A Security Identifier (objectSid)
– A SAM Account Name (sAMAccountName)

What you could do if you have an array like yours is use it to construct a working filter, since what you are after here is you are trying to find an account that is either named 1 2 or 3 you could generated the following LDAP search filter. Note that this can also be done using the -Filter property, I’m using LDAP Filters because it is a personal preference of mine:

$userarray = 'user1','user2','user3'
$userarray | Foreach-Object -Begin {
    $LDAPFilter = '(|'
} -Process {
    $LDAPFilter += "(samaccountname=$_)"
} -End {
    $LDAPFilter += ')'
Get-ADUser -LDAPFilter $LDAPFilter

So yes it is possible, but you’ll have to use your array to construct the filter yourself as I am by doing using the ForEach-Object cmdlet.