Lance's TextBox

LDAP - Search for Active Directory Groups in PowerShell

NetCmdlets doesn't have a long list of Active Directory cmdlets for PowerShell.  Instead, it has 2.  And they aren't AD specific - they just implement the LDAP protocol itself so they can work with any LDAP server, Active Directory or not.

Two cmdlets are all that is needed to make common tasks simple.  One for setting values (set-ldap), and one for getting values (get-ldap).

Here's how I can retrieve a list of all the "admin" groups:

PS C:\> get-ldap -server myserver -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree 
 -search "(&(objectclass=group)(cn=*admin*))"


Host                                                        DN
----                                                        --
testboy                                                     CN=Administrators,CN=Builtin,DC=JUNGLE
testboy                                                     CN=Schema Admins,CN=Users,DC=JUNGLE
testboy                                                     CN=Enterprise Admins,CN=Users,DC=JUNGLE
testboy                                                     CN=Domain Admins,CN=Users,DC=JUNGLE
testboy                                                     CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>

As you can tell, the get-ldap cmdlet is very flexible.  I can specify any custom search scope and perform a search for any filter I like.  This particular search filter searches for any groups that contain "admin" anywhere in the cn. 

A more complete group search might have a search filter like so:  "(|(|(|(objectClass=posixGroup)(objectClass=groupOfUniqueNames))(objectClass=groupOfNames))(objectClass=group))"

The cmdlet can also return all the attributes of each DN returned if I just specify the -attr flag in the get-ldap command.

Print | posted on Wednesday, August 01, 2007 10:28 AM

Copyright © Lance Robinson

Design by Bartosz Brzezinski

Design by Phil Haack Based On A Design By Bartosz Brzezinski