Lance Robinson


Lance Robinson is a software engineer in Durham, Chapel Hill, Raleigh, and surrounding areas. More about Lance.

LDAP - Search for Group Members

More with the LDAP cmdlets in NetCmdlets: here's how to list the members of a particular group.

I used the get-ldap command shown in the last post to get a list of all my admin groups, and saved it in a $groups collection:

PS C:\> $groups = get-ldap -server myserver -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree -search "(&(objectclass=group)(cn=*admin*))"

PS C:\> $groups

Host                                                        DN
----                                                        --
testboy                                                     CN=Administrators,CN=Builtin,DC=JUNGLE
testboy                                                     CN=Schema Admins,CN=Users,DC=JUNGLE
testboy                                                     CN=Enterprise Admins,CN=Users,DC=JUNGLE
testboy                                                     CN=Domain Admins,CN=Users,DC=JUNGLE
testboy                                                     CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>

Of course, if you already know exactly what group you want, you can just hard-code that group DN and call the cmdlet. But I can get all of the members of all of the admin groups by looping through this $groups collection. Here's how to get all the members of the first group (CN=Administrators):

PS C:\> get-ldap -server testboy -cred $mycred -dn $groups[0].DN -searchscope baseobject -search "objectClass=*" -attr

objectClass            : {top, group}
cn                     : {Administrators}
description            : {Administrators have complete and unrestricted access to the computer/domain}
member                 : {CN=Domain Admins,CN=Users,DC=JUNGLE, CN=Enterprise Admins,CN=Users,DC=JUNGLE, CN=Administrato
                         r,CN=Users,DC=JUNGLE}
distinguishedName      : {CN=Administrators,CN=Builtin,DC=JUNGLE}
instanceType           : {4}
whenCreated            : {20070227205517.0Z}
whenChanged            : {20070730142747.0Z}
uSNCreated             : {8213}
uSNChanged             : {46068}
name                   : {Administrators}
adminCount             : {1}
sAMAccountName         : {Administrators}
sAMAccountType         : {536870912}
systemFlags            : {-1946157056}
groupType              : {-2147483643}
objectCategory         : {CN=Group,CN=Schema,CN=Configuration,DC=JUNGLE}
isCriticalSystemObject : {TRUE, }
Host                   : testboy
DN                     : CN=Administrators,CN=Builtin,DC=JUNGLE

PS C:\>

Note the use of the -attr flag in the cmdlet: it tells the cmdlet to return all the attributes resulting from the search. I need it here because all the members of the group are contained in the member attribute (or the memberUid or uniqueMember attribute, depending on your server).

If I were to set a $result variable to the result of the command above, I could then examine $result.member to see all the members of the "CN=Administrators" group:


PS C:\> $result.member

CN=Domain Admins,CN=Users,DC=JUNGLE
CN=Enterprise Admins,CN=Users,DC=JUNGLE
CN=Administrator,CN=Users,DC=JUNGLE

PS C:\>
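
The output above shows that two of the three members of CN=Administrators are themselves groups, so a membership audit of the admin groups has to expand nested groups. The following is an added example, not code from the original post: it loops over $groups as the post describes and resolves each group down to its non-group members. Get-EffectiveMember is a hypothetical helper name, and the script assumes $groups and $mycred exist as above and that get-ldap -attr returns an object with objectClass and member properties, as in the output shown.

```powershell
# Added example: report the effective (nested) members of every admin group.
# Assumptions: $groups and $mycred are set as in the post; the server name is
# the one shown in the post's output; get-ldap -attr exposes objectClass and
# member as properties, as in the Administrators output above.
$server = 'testboy'

function Get-EffectiveMember {      # hypothetical helper, not part of NetCmdlets
    param(
        [string]$Dn,
        [hashtable]$Seen            # DNs already visited in this expansion
    )
    # Stop on DNs we have already expanded, so circular nesting cannot loop.
    if ($Seen.ContainsKey($Dn)) { return }
    $Seen[$Dn] = $true

    # Same base-object read the post uses for a single group.
    $entry = get-ldap -server $server -cred $mycred -dn $Dn `
        -searchscope baseobject -search "objectClass=*" -attr
    if ($null -eq $entry) { return }

    if ($entry.objectClass -contains 'group') {
        # A group: recurse into each member DN (an empty group has none).
        foreach ($m in @($entry.member)) {
            if ($m) { Get-EffectiveMember -Dn $m -Seen $Seen }
        }
    }
    else {
        # Not a group (user, computer, ...): this is an effective member.
        $Dn
    }
}

$report = foreach ($g in $groups) {
    $seen = @{}                     # fresh visited set per top-level group
    foreach ($dn in (Get-EffectiveMember -Dn $g.DN -Seen $seen)) {
        New-Object PSObject -Property @{ Group = $g.DN; Member = $dn }
    }
}

# One row per (admin group, effective member) pair, ready to review or export.
$report | Sort-Object Group, Member | Format-Table Group, Member -AutoSize
```

On Active Directory, accounts that belong to a group only through their primary group are not listed in the member attribute, and very large groups return member in ranged chunks, so treat this report as a lower bound in those cases.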


Posted on Thursday, August 2, 2007 9:31 AM | Filed Under [ PowerShell ]

Feedback


# re: LDAP - Search for Group Members

Hi all-

I am looking for an LDAP engineer, with SUN One LDAP 6.x for a position in The San Francisco Bay Area.

Please contact me at 800.285.5627

Scott
stomtania@theplusgroup.com
2/16/2009 12:02 PM | Scott

# re: LDAP - Search for Group Members

Hi,


I am looking for an LDAP engineer with Exchange Server 2003/2007 troubleshooting experience in the DC Metro area.
Please contact me at 202.887.4747 ASAP.

Sincerely,

Jay Dunn
jdunn@midtownpersonnel.com
6/11/2009 12:08 PM | Jay Dunn