Nael_Shahid

Powershell ADSI Subtree Search

How can I set the search scope to the entire subtree in this PowerShell script?

==================================================================
$domain = [ADSI]"LDAP://dc=domain_name,dc=com"
$users = $domain.psbase.children | where-object {$_.objectClass -match "user"}
==================================================================

I know there will be many ways to do this, but I want to know the basic way as I am trying to understand and learn PowerShell.

Thanks
BSonPosh

What you want to use is DirectorySearcher. I assume you're wanting all users. Try this:

$dom = [ADSI]"LDAP://dc=corp,dc=bb,dc=lab"
$filter = "(&(objectcategory=user))"
$ds = new-object System.DirectoryServices.DirectorySearcher($dom,$filter)
$users = $ds.Findall()
$users

Here is this in one line:
$users = (new-object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://10.254.254.1/dc=corp,dc=bb,dc=lab","(&(objectcategory=user))")).findall()
Nael_Shahid

ASKER

Thanks for this.

Do you mind giving me a brief explanation of what is going on in this code?
No problem. You can check my blog for more examples; I deal with ADSI a lot.

# This gets a directory entry for the domain
$dom = [ADSI]"LDAP://dc=corp,dc=bb,dc=lab"

# This is a string that represents the LDAP filter you want to pass
$filter = "(&(objectcategory=user))"

# This is creating a new directorySearcher object with the domain and filter to search
$ds = new-object System.DirectoryServices.DirectorySearcher($dom,$filter)

# This is executing the Searcher and putting results in $users
$users = $ds.Findall()

# This is outputting the users
$users


Side note: if you have more than 1000 users, you need to add a pagesize value on the searcher, like this:
$ds.pagesize = 1000

This will go before the .findall()

Is this clear? Please let me know.
Yes, this is a lot clearer, thanks.

One question; in $filter where you use an ldap query, could you have used something like the Where-object {$_.objectClass -match "user"}?

The reason I ask is because I think I understand this way of doing things. I don't know how to write an LDAP query. Basically I want to learn how to use PowerShell with AD by doing simple tasks first and building from there, but the introduction of LDAP queries seems to make it harder to learn?
"One question; in $filter where you use an ldap query, could you have used something like the Where-object {$_.objectClass -match "user"}?"
Quick Answer: No

Slightly Longer Answer:
Where-Object is a cmdlet that allows you to filter the results you get back, but it still parses the info.
An LDAP filter is parsed on the server side, so you only get back the objects that match your filter (WAY FASTER.)

In this case you would have to dump all of AD just to find users... much better to have AD only return the user objects.
Hi - For some reason I cannot get the script to work. When creating a script file with the above code I do not get any results.
Managed to get this working.

I was running the script then once it was finished I was then trying to list the objects by typing the variable but the variable didn't exist. Can you confirm the variable does not remain in the console once the script has executed?
That is correct, unless you capture the script's output like:

$results = c:\myscript.ps1
May I suggest some reading... Keith Hill has an awesome series on his blog, one of which explains how PowerShell deals with output.

http://keithhill.spaces.live.com
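
The following is an added example, not code posted by anyone in the thread. It combines the points discussed above (an explicit subtree scope, a server-side LDAP filter, and paging past 1000 results) into one function, and it also limits the attributes returned. Assumptions: PowerShell 3.0 or later; the function name `Get-SubtreeUser` and its parameters are hypothetical; the filter `(&(objectCategory=person)(objectClass=user))` is swapped in for the thread's `(&(objectcategory=user))`; the search base is the lab domain from the answer above.

```powershell
# Added example (not from the thread). Function and parameter names are illustrative.
function Get-SubtreeUser {
    param(
        [Parameter(Mandatory = $true)] [string] $SearchBase,   # e.g. "dc=corp,dc=bb,dc=lab"
        [string[]] $Properties = @('sAMAccountName', 'distinguishedName'),
        [int] $PageSize = 1000
    )

    $root = [ADSI]"LDAP://$SearchBase"
    $ds   = New-Object System.DirectoryServices.DirectorySearcher($root)

    # Server-side filter: the domain controller returns only matching objects.
    # person + user excludes computer accounts and contact objects.
    $ds.Filter = '(&(objectCategory=person)(objectClass=user))'

    # Subtree is DirectorySearcher's default scope; setting it states the intent.
    $ds.SearchScope = [System.DirectoryServices.SearchScope]::Subtree

    # Enables paged results, so more than 1000 objects can be returned.
    $ds.PageSize = $PageSize

    # Request only the attributes that will be used, not every attribute.
    $ds.PropertiesToLoad.AddRange($Properties)

    $results = $ds.FindAll()
    try {
        foreach ($r in $results) {
            $row = [ordered]@{}
            foreach ($p in $Properties) {
                # Result property names are stored lowercase; values are collections.
                $row[$p] = $r.Properties[$p.ToLowerInvariant()] | Select-Object -First 1
            }
            [pscustomobject]$row
        }
    }
    finally {
        # FindAll() holds unmanaged resources until the collection is disposed.
        $results.Dispose()
        $ds.Dispose()
        $root.psbase.Dispose()
    }
}

# Capture the output in a variable, as described in the last answer.
$users = Get-SubtreeUser -SearchBase 'dc=corp,dc=bb,dc=lab'
$users | Format-Table -AutoSize
```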