<< How RSSBus is useful in PowerShell | Home | Automatically Email SharePoint List and Library Items >>

Get-Ldap NetCmdlet in PowerShell

I saw Jeff Hicks’ great Get-LocalMember post this morning, in which he has extensive demonstration of retrieving information about AD group members.  I thought it might be a good time to show some of the power of the get-ldap cmdlet.

Yes, using the get-ldap cmdlet does require familiarity with the LDAP protocol itself, so in this way it is for more advanced users who just need to do quick LDAP operations without a lot of required coding and with just one universal cmdlet.

So, how do I list the group membership from Active Directory (AD) or any other LDAP server?

 

PS C:\> (get-ldap -server testman -cred $mycred -dn $groupdn -search "objectClass=*").member | 
>>%{get-ldap -server testman -cred $mycred -dn $_ | 
>>select sAMAccountName,name,description,cn,objectClass,memberOf}                                                                                                                          
>>
                                                                                                                        
sAMAccountName : {Domain Admins}                                                                                        
name           : {Domain Admins}                                                                                        
description    : {Designated administrators of the domain}                                                              
cn             : {Domain Admins}                                                                                        
objectClass    : {top, group}                                                                                           
memberOf       : {CN=Administrators,CN=Builtin,DC=NS2}                                                                  
                                                                                                                        
sAMAccountName : {Enterprise Admins}                                                                                    
name           : {Enterprise Admins}                                                                                    
description    : {Designated administrators of the enterprise}                                                          
cn             : {Enterprise Admins}                                                                                    
objectClass    : {top, group}                                                                                           
memberOf       : {CN=Administrators,CN=Builtin,DC=NS2}                                                                  
                                                                                                                        
sAMAccountName : {test}                                                                                                 
name           : {test}                                                                                                 
description    :                                                                                                        
cn             : {test}                                                                                                 
objectClass    : {top, person, organizationalPerson, user}                                                              
memberOf       : {CN=Administrators,CN=Builtin,DC=NS2}                                                                  
                                                                                                                        
sAMAccountName : {Administrator}                                                                                        
name           : {Administrator}                                                                                        
description    : {Built-in account for administering the computer/domain}                                               
cn             : {Administrator}                                                                                        
objectClass    : {top, person, organizationalPerson, user}                                                              
memberOf       : {CN=Group Policy Creator Owners,CN=Users,DC=NS2, CN=Domain Admins, 
                  CN=Users,DC=NS2, CN=Enterprise Admins,CN=Users,DC=NS2,
                  CN=Schema Admins,CN=Users,DC=NS2...}                                                                                                                                                                                                                                                                                               
                                                                                                                       
PS C:\>

 

The command above first does a search for attributes of the target group (Administrators).  If you don’t know the DN of the group, but you do know its name, use the one-liner below to get it.  Next in the command, it gets the member attribute of the group, which is an array of group member DNs.  These member DNs get piped into a foreach-object statement that then does another ldap search for attributes of that particular member.  Those attributes get piped to select-object, which gets the specific pieces of information that I’m interested in.  Note that the output fields are arrays in order to accommodate multi-valued attributes.  Also note that some of the “members” of the group are other groups.  I could alter the –search parameter to only return objectClass=person or use a where-object, whichever.

Here’s a few useful get-ldap one-liners:

#get a list of all groups: 

get-ldap -server $server -cred $mycred -dn $basedn 
>> -search "(&(objectclass=group)(cn=*admin*))"

#get a list of all the members of a group: 

get-ldap -server $server -cred $mycred -dn $groupdn 
>> -search "objectClass=*"

#to get the group DN if you know the name of the group, ie “Administrators”: 
$dn = get-ldap -server testman -cred $mycred -dn $basedn 
>> -search "(&(objectclass=group)(cn=*admin*))" | 
>> ?{$_.name -eq "Administrators"} | select distinguishedName

#get attributes of all the members of a particular group, as shown in action above: 

(get-ldap -server testman -cred $mycred -dn $groupdn 
>> -search "objectClass=*").member | 
>> %{get-ldap -server testman -cred $mycred -dn $_ 
>> | select sAMAccountName,name,description,cn,objectClass,memberOf}

Lots more get-ldap goodies.

 

Technorati Tags: , ,

Print | posted on Thursday, April 09, 2009 11:29 AM

Feedback

# re: Get-Ldap NetCmdlet in PowerShell

Left by Tim Neto at 1/27/2011 2:01 PM
Gravatar Hi.
How do I install this "get-ldap" commandlet?
Where may I download it from?
Tim

# re: Get-Ldap NetCmdlet in PowerShell

Left by Ramon at 1/28/2011 7:59 AM
Gravatar Hi,
same question here! Where to get the get-ldap Cmdlet? I am using PS 1.0...
TY

Your comment:





 
 

Copyright © Lance Robinson

Design by Bartosz Brzezinski

Design by Phil Haack Based On A Design By Bartosz Brzezinski