Nael_Shahid
asked on
Powershell ADSI Subtree Search
How can I set the search scope to the entire subtree in this PowerShell script?
==================================================================
$domain = [ADSI]"LDAP://dc=domain_name,dc=com"
$users = $domain.psbase.children | where-object {$_.objectClass -match "user"}
==================================================================
I know there will be many ways to do this but I want to know the basic way as I am trying to understand and learn powershell.
Thanks
ASKER
Thanks for this.
Do you mind giving me a brief explanation of what is going on in this code?
No problem. You can check my blog for more examples; I deal with ADSI a lot.
# This gets a directory entry for the domain
$dom = [ADSI]"LDAP://dc=corp,dc=bb,dc=lab"
# This is a string that represents the LDAP filter you want to pass
$filter = "(&(objectcategory=user))"
# This creates a new DirectorySearcher object with the domain and filter to search
$ds = new-object System.DirectoryServices.DirectorySearcher($dom,$filter)
# This executes the searcher and puts the results in $users
$users = $ds.Findall()
# This outputs the users
$users
Side note... if you have more than 1000 users you need to add a pagesize value on the searcher like this:
$ds.pagesize = 1000
This will go before the .findall()
Is this clear? Please let me know.
ASKER
Yes this is a lot clearer thanks.
One question; in $filter where you use an ldap query, could you have used something like the Where-object {$_.objectClass -match "user"}?
The reason I ask is because I think I understand this way of doing things. I don't know how to write an LDAP query. Basically I want to learn how to use PowerShell with AD by doing simple tasks first and building from there, but the introduction of LDAP queries seems to make it harder to learn?
"One question; in $filter where you use an ldap query, could you have used something like the Where-object {$_.objectClass -match "user"}?"
Quick Answer: No
Slightly Longer Answer:
Where-object is a cmdlet that allows you to filter the results you get back, but it still parses the info.
An LDAP filter is parsed on the server side, so you only get back the objects that match your filter (WAY FASTER).
In this case you would have to dump all of AD just to find users... much better to have AD only return the user objects.
ASKER
Hi - For some reason I can not get the script to work. When creating a script file with the above code I do not get any results.
ASKER
Managed to get this working.
I was running the script then once it was finished I was then trying to list the objects by typing the variable but the variable didn't exist. Can you confirm the variable does not remain in the console once the script has executed?
That is correct... unless you capture the script's output like
$results = c:\myscript.ps1
May I suggest some reading... Keith Hill has an awesome series on his blog, one of which explains how PowerShell deals with output.
http://keithhill.spaces.live.com
What you want to use is DirectorySearcher. I assume you're wanting all users... try this:
$dom = [ADSI]"LDAP://dc=corp,dc=bb,dc=lab"
$filter = "(&(objectcategory=user))"
$ds = new-object System.DirectoryServices.DirectorySearcher($dom,$filter)
$users = $ds.Findall()
$users
Here is this in one line:
$users = (new-object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://dc=corp,dc=bb,dc=lab","(&(objectcategory=user))")).FindAll()
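The thread's pieces (search scope, server-side LDAP filter, page size) put together in one function, as an added example that is not code from any poster in this thread. The function name, its parameters, the attribute list and the narrower person/user filter are assumptions; the DN is the sample domain used above.

```powershell
# Added example (hypothetical helper, not from the thread).
function Get-DirectoryUser {
    param(
        # Sample DN from the thread; replace with your own domain or an OU path.
        [string]$SearchRoot = "LDAP://dc=corp,dc=bb,dc=lab",
        # Subtree   = root and everything below it (the DirectorySearcher default)
        # OneLevel  = direct children only (what .psbase.children enumerates)
        # Base      = the root object itself
        [System.DirectoryServices.SearchScope]$Scope = "Subtree"
    )

    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.SearchRoot  = [ADSI]$SearchRoot
    $ds.SearchScope = $Scope
    # Evaluated on the domain controller, so only matching objects are returned.
    # objectCategory=person plus objectClass=user leaves out computers and contacts.
    $ds.Filter      = "(&(objectCategory=person)(objectClass=user))"
    # Without PageSize the server stops at its result limit (1000 by default).
    $ds.PageSize    = 1000
    # Ask only for the attributes that are needed instead of every attribute.
    $ds.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "distinguishedName"))

    $results = $ds.FindAll()
    try {
        foreach ($r in $results) {
            # Property names in a SearchResult are stored in lower case.
            New-Object PSObject -Property @{
                SamAccountName    = [string]$r.Properties["samaccountname"][0]
                DistinguishedName = [string]$r.Properties["distinguishedname"][0]
            }
        }
    }
    finally {
        # FindAll() holds unmanaged resources until the collection is disposed.
        $results.Dispose()
        $ds.Dispose()
    }
}

# Compare the two scopes against the same root.
$all      = @(Get-DirectoryUser -Scope Subtree)
$topLevel = @(Get-DirectoryUser -Scope OneLevel)
"Subtree:  {0} users" -f $all.Count
"OneLevel: {0} users" -f $topLevel.Count
$all | Sort-Object SamAccountName | Format-Table SamAccountName, DistinguishedName -AutoSize
```

In most domains the OneLevel count is zero or close to it, because user accounts sit inside containers and OUs rather than directly under the domain root.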