Expanding the Active Directory Searcher and PowerShell

Jeff Hicks

May 24, 2017

I hope by now that you are comfortable using the Active Directory Searcher object. If you have no idea what I am talking about, take a few minutes to get caught up on the previous articles, Discovering the Active Directory Searcher with PowerShell and Finding Groups with the Active Directory Searcher and PowerShell.

Let’s expand the scope and find multiple objects with user accounts.

$searcher = New-Object system.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = "LDAP://ou=employees,dc=globomantics,dc=local"
$searcher.filter = "(objectclass=user)"
$props = "distinguishedname","name","samaccountname","title","department","directreports",
"whencreated","whenchanged","givenname","sn","userprincipalname","adspath"
foreach ($item in $props) {
    $searcher.PropertiesToLoad.Add($item) | out-null
}

I have limited my search to an OU that contains my active user accounts. I have also specified the properties I want to retrieve. Once the searcher is configured, I can find all matching objects.

Finding All User Objects (Image Credit: Jeff Hicks)

advertisment

Let’s look at a representative sample.

A Search Result (Image Credit: Jeff Hicks)

As we looked at before, it might be nice to clean this up and create an object to write to the pipeline.

foreach ($user in $all[4]) {
$h = @{}
foreach ($p in $props) {
 $value =  $user.Properties.item($p)
 if ($value.count -eq 1) {
    $value = $value[0]
 }
 $h.add($p,$value)
}
new-object psobject -property $h
}

Creating a Better Result Object (Image Credit: Jeff Hicks)

Because the result properties are treated as collection objects, I needed to expand them. I still wanted to keep properties that were actual collections, like directreports. I tested with a single object and I could modify the loop to go through everything in $all. It makes more sense to create a function.

advertisment

Function Convert-ADSearchResult {
[cmdletbinding()]
Param(
[Parameter(Position = 0,Mandatory,ValueFromPipeline)]
[ValidateNotNullorEmpty()]
[System.DirectoryServices.SearchResult]$SearchResult
)
Begin {
    Write-Verbose "Starting $($MyInvocation.MyCommand)"
}
Process {
    Write-Verbose "Processing result for $($searchResult.Path)"
    #create an ordered hashtable with property names alphabetized
    $props = $SearchResult.Properties.PropertyNames | Sort-Object
    $objHash = [ordered]@{}
    foreach ($p in $props) {
     $value =  $searchresult.Properties.item($p)
     if ($value.count -eq 1) {
        $value = $value[0]
     }
     $objHash.add($p,$value)
    }
new-object psobject -property $objHash
}
End {
    Write-Verbose "Ending $($MyInvocation.MyCommand)"
}
}

The function is designed to take pipelined input from any search result.

Converted Search Result (Image Credit: Jeff Hicks)

Now I can process everything and work with the results as necessary.

$all | Convert-ADSearchResult | Select Name,UserPrincipalName,Department,Title,When* | Out-GridView

Gridview Results (Image Credit: Jeff Hicks)

Here is another way to do this.

Grouping Search Results (Image Credit: Jeff Hicks)

advertisment

But let’s say I wanted to find all users in the Finance department. That requires some special formatting in my LDAP filter.

$searcher.filter = "(&(objectclass=user)(department=finance))"

You need to enclose each filter part inside the (&) construct, which tells PowerShell to search for both of these things.

Filtering by Department (Image Credit: Jeff Hicks)

You can keep adding filter components inside the (&).

Multiple Filters (Image Credit: Jeff Hicks)

You can also use wildcards.

Filtering with Wildcards (Image Credit: Jeff Hicks)

Once you have objects in PowerShell, you can work with them any way you want. I hope you will take some time to try these things out in your own test environment. Next time, we will look at searching for groups. We also still need to address handling very large number of search results and filtering tips. I hope you will keep checking back.