Geeks With Blogs

Lance's TextBox

NetCmdlets doesn't have a long list of Active Directory cmdlets for PowerShell.  Instead, it has 2.  And they aren't AD specific - they just implement the LDAP protocol itself so they can work with any LDAP server, Active Directory or not.


Two cmdlets are all that is needed to make common tasks simple.  One for setting values (set-ldap), and one for getting values (get-ldap).

Here's how I can retrieve a list of all the "admin" groups:

PS C:\> get-ldap -server myserver -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree 
-search "(&(objectclass=group)(cn=*admin*))"

Host DN
---- --
testboy CN=Administrators,CN=Builtin,DC=JUNGLE
testboy CN=Schema Admins,CN=Users,DC=JUNGLE
testboy CN=Enterprise Admins,CN=Users,DC=JUNGLE
testboy CN=Domain Admins,CN=Users,DC=JUNGLE
testboy CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>

As you can tell, the get-ldap cmdlet is very flexible.  I can specify any custom search scope and perform a search for any filter I like.  This particular search filter searches for any groups that contain "admin" anywhere in the cn. 

A more complete group search might have a search filter like so:  "(|(|(|(objectClass=posixGroup)(objectClass=groupOfUniqueNames))(objectClass=groupOfNames))(objectClass=group))"

The cmdlet can also return all the attributes of each DN returned if I just specify the -attr flag in the get-ldap command.


Posted on Wednesday, August 1, 2007 10:28 AM PowerShell | Back to top

Comments on this post: LDAP - Search for Active Directory Groups in PowerShell

No comments posted yet.
Your comment:
 (will show your gravatar)

Copyright © Lance Robinson | Powered by: