posts - 598 , comments - 849 , trackbacks - 247

My Links



Lance Robinson

Create Your Badge

Lance Robinson is a software engineer in Durham, Chapel Hill, Raleigh, and surrounding areas. More about Lance.


Tag Cloud

Article Categories


Post Categories



Noteworthy Stuff

Popular Posts

LDAP - Search for Active Directory Groups in PowerShell

NetCmdlets doesn't have a long list of Active Directory cmdlets for PowerShell.  Instead, it has 2.  And they aren't AD specific - they just implement the LDAP protocol itself so they can work with any LDAP server, Active Directory or not.


Two cmdlets are all that is needed to make common tasks simple.  One for setting values (set-ldap), and one for getting values (get-ldap).

Here's how I can retrieve a list of all the "admin" groups:

PS C:\> get-ldap -server myserver -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree 
-search "(&(objectclass=group)(cn=*admin*))"

Host DN
---- --
testboy CN=Administrators,CN=Builtin,DC=JUNGLE
testboy CN=Schema Admins,CN=Users,DC=JUNGLE
testboy CN=Enterprise Admins,CN=Users,DC=JUNGLE
testboy CN=Domain Admins,CN=Users,DC=JUNGLE
testboy CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>

As you can tell, the get-ldap cmdlet is very flexible.  I can specify any custom search scope and perform a search for any filter I like.  This particular search filter searches for any groups that contain "admin" anywhere in the cn. 

A more complete group search might have a search filter like so:  "(|(|(|(objectClass=posixGroup)(objectClass=groupOfUniqueNames))(objectClass=groupOfNames))(objectClass=group))"

The cmdlet can also return all the attributes of each DN returned if I just specify the -attr flag in the get-ldap command.


Print | posted on Wednesday, August 1, 2007 10:28 AM | Filed Under [ PowerShell ]


No comments posted yet.
Post A Comment

Powered by: