AD uses 2 types of data to represent time in attributes:
Type 1: stored as a long integer. lastLogonTimeStamp and pwdLastSet fall into this category.
To use -LDAPFilter, convert the date you want to compare against to a long integer:
$longIntTimeValue=(Get-Date).AddDays(-60).ToFileTimeUtc()
$ldapfilter="(lastLogonTimeStamp<=$longIntTimeValue)"
get-aduser -LDAPFilter $ldapfilter
To use the native AD module filter:
$longIntTimeValue=(Get-Date).AddDays(-60).ToFileTimeUtc()
$filter="(lastLogonTimeStamp -lt $longIntTimeValue)"
get-aduser -Filter $filter
Type 2: stored as an LDAP date type, for example whenCreated and whenChanged. Use the following value format in the filter:
YYYY MM DD HH mm ss.s Z
where Z marks the end of the value and is mandatory.
Example:
(whenCreated>=20221130000000.0Z)
To build an LDAP filter in PowerShell from a DateTime object ($date):
# The trailing Z denotes UTC, so convert to UTC before formatting
$dateStr = $date.ToUniversalTime().ToString("yyyyMMddHHmmss") + ".0Z"
$ldapFilter = "(whenCreated>=$dateStr)"
get-aduser -LDAPfilter $ldapfilter
To use the native AD module filter. Note that $filter uses single quotes, so PowerShell does not expand $date and the AD module resolves the variable itself:
$date = (get-date).addMonths(-2)
$filter = 'whenCreated -lt $date'
get-aduser -filter $filter
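
The two value formats above combined into one stale-account query, as an added example that is not part of the original note. The function name ConvertTo-ADTimeFilter is hypothetical, the 60-day cutoff is taken from the Type 1 example, and the ActiveDirectory module is assumed to be loaded.

```powershell
# Added example. ConvertTo-ADTimeFilter is a hypothetical helper, not an AD module cmdlet.
function ConvertTo-ADTimeFilter {
    param(
        [Parameter(Mandatory)][string]$Attribute,
        # LDAP has no strict < or >, only <= and >=
        [Parameter(Mandatory)][ValidateSet('<=', '>=')][string]$Operator,
        [Parameter(Mandatory)][datetime]$Date,
        # FileTime: lastLogonTimestamp, pwdLastSet. GeneralizedTime: whenCreated, whenChanged.
        [Parameter(Mandatory)][ValidateSet('FileTime', 'GeneralizedTime')][string]$Syntax
    )
    $utc = $Date.ToUniversalTime()
    $value = if ($Syntax -eq 'FileTime') {
        $utc.ToFileTimeUtc()    # Type 1: long integer
    } else {
        # Type 2: YYYYMMDDHHmmss.0Z, formatted culture-independently
        $utc.ToString('yyyyMMddHHmmss', [cultureinfo]::InvariantCulture) + '.0Z'
    }
    '({0}{1}{2})' -f $Attribute, $Operator, $value
}

$cutoff  = (Get-Date).AddDays(-60)
$stale   = ConvertTo-ADTimeFilter -Attribute lastLogonTimestamp -Operator '<=' -Date $cutoff -Syntax FileTime
$oldAcct = ConvertTo-ADTimeFilter -Attribute whenCreated -Operator '<=' -Date $cutoff -Syntax GeneralizedTime

# Enabled users that either last logged on before the cutoff, or have never
# logged on (attribute absent) and were created before the cutoff.
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; bit 2 = account disabled.
$ldapFilter = '(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|{0}(&(!(lastLogonTimestamp=*)){1})))' -f $stale, $oldAcct

# Convert the Type 1 values back to DateTime for the report; 0 or empty means "never".
Get-ADUser -LDAPFilter $ldapFilter -Properties lastLogonTimestamp, pwdLastSet, whenCreated |
    Select-Object SamAccountName, whenCreated,
        @{ n = 'LastLogonUtc';  e = { if ($_.lastLogonTimestamp) { [datetime]::FromFileTimeUtc($_.lastLogonTimestamp) } } },
        @{ n = 'PwdLastSetUtc'; e = { if ($_.pwdLastSet) { [datetime]::FromFileTimeUtc($_.pwdLastSet) } } }
```

By default lastLogonTimestamp is only updated when the stored value is roughly 9 to 14 days old, so treat accounts close to the cutoff as approximate.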