Tuesday, August 12, 2014

Get-ADUser -Filter crashes suddenly after 256 objects when filtering by Created (or other DateTime fields)

Today, I wanted to find newly created accounts in an OU. So I decided to run a simple Get-ADUser command:

$cutoff = [DateTime]"12-Aug-2014"
# Make sure we get the time zone correct. This is one of the reasons I prefer to use the PowerShell Filter rather than the LDAPFilter
$cutoff = [DateTime]::SpecifyKind($cutoff, [DateTimeKind]::Local)
Get-ADUser -Filter {Created -gt $cutoff} -SearchBase "OU=Department,DC=contoso,DC=com"

Simple as that, right? Well, no!

It returned up to 256 accounts, and then generated an exception:
Category Info: Not Specified: (:) [Get-ADUser], ADException
FullyQualifiedErrorId: ActiveDirectoryServer:8256,Microsoft.ActiveDirectory.Management.Commands.GetADUser

This is obviously a bug, and until MS fixes it, we have to use the workaround instead:

Get-ADUser -Filter {whenCreated -gt $cutoff} -SearchBase "OU=Department,DC=contoso,DC=com"

Both "Created" and "whenCreated" are supposed to point to the same AD attribute; why one works and the other crashes is beyond me...
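
For comparison, here is the same whenCreated query written with -LDAPFilter, where the time-zone conversion mentioned in the comment above has to be done by hand. This is an added example, not code from the original post; the two function names are hypothetical and it assumes the ActiveDirectory module is loaded.

```powershell
# Added example: function names are hypothetical, not part of the ActiveDirectory module.

function ConvertTo-LdapGeneralizedTime {
    param([Parameter(Mandatory)][DateTime]$Date)
    # whenCreated is stored in UTC and compared as GeneralizedTime (yyyyMMddHHmmss.0Z).
    # ToUniversalTime() treats a DateTime of kind Unspecified as local time.
    $utc = $Date.ToUniversalTime()
    $utc.ToString('yyyyMMddHHmmss', [Globalization.CultureInfo]::InvariantCulture) + '.0Z'
}

function Get-RecentlyCreatedADUser {
    param(
        [Parameter(Mandatory)][DateTime]$Cutoff,
        [Parameter(Mandatory)][string]$SearchBase
    )
    $stamp = ConvertTo-LdapGeneralizedTime -Date $Cutoff

    # LDAP filters have no strict "greater than" operator, so -gt becomes
    # ">= cutoff AND NOT (= cutoff)".
    $filter = "(&(whenCreated>=$stamp)(!(whenCreated=$stamp)))"

    # whenCreated is not in the default property set, so request it explicitly.
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties whenCreated |
        Sort-Object whenCreated |
        Select-Object SamAccountName, DistinguishedName, whenCreated
}

# Same cutoff and OU as in the post
Get-RecentlyCreatedADUser -Cutoff ([DateTime]'12-Aug-2014') `
    -SearchBase 'OU=Department,DC=contoso,DC=com'
```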