Solved

selecting attributes from AD

Posted on 2010-11-18
8
1,152 Views
Last Modified: 2012-08-14
I was able to modify this a bit but just wondering if someone could show me how to get certain attributes and how out of AD. For example if I wanted to get the lastlogon date, or the phone number, department, zip code. I know this might be trivial but not to me at least. Any help would be greatly appreciated. I know of course I would modify the LDAP line in order to point this to the OU or have it to start at the root.


$strFilter = "(objectCategory=User)"  
$objOU = New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=somedomain,DC=com")  
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.SearchScope = "Subtree"
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
 
$colProplist = "name"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}

$colResults = $objSearcher.FindAll()
 
foreach ($objResult in $colResults)    
{$objItem = $objResult.Properties; $objItem.name}
0
Comment
Question by:tdodd72
  • 4
  • 4
8 Comments
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 34163457

It's not exactly trivial with that interface.
$Filter = "(&(objectClass=user)(objectCategory=person))"
$Properties = "name", "lastlogon", "telephonenumber", "department", "postalcode"

$Searcher = New-Object DirectoryServices.DirectorySearcher($Filter)
$Searcher.PageSize = 1000
$Searcher.PropertiesToLoad.AddRange($Properties)

$Searcher.FindAll() | Select-Object `
  @{n='Name';e={ $_.Properties["name"][0] }},
  @{n='LastLogon';e={ [DateTime]::FromFileTime($_.Properties["lastlogon"][0]) }},
  @{n='TelephoneNumber';e={ $_.Properties["telephonenumber"][0] }},
  @{n='Department';e={ $_.Properties["department"][0] }},
  @{n='ZipCode';e={ $_.Properties["postalcode"][0] }}

Open in new window

I dropped the following:

SearchRoot - Default value
SearchScope - Default value
Filter - Moved to the Constructor
PropertiesToLoad - Replaced with AddRange, neater

And I killed off the ForEach loop, this way is neater if you intend to drop the results to a file (can be done by adding " | Export-Csv somefile.csv" onto the end).

LastLogon also needs a note. Are you aware that this value is not replicated? If you have more than one DC the results you get here may be misleading.

HTH

Chris
0
 

Author Comment

by:tdodd72
ID: 34164614

So basically I can state the attribute in AD I am looking for and prepend this in front of this value below.

e={ $_.Properties["postalcode"][0] }}

How do you deal with the fact you have a bunch of DC’s in an environment. I have noticed that I get inaccurate logon times. Last question is what if I wanted to start doing this script in a child OU and not at the root. Can I just add the ADSI LDAP command back in.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34164655

> So basically I can state the attribute in AD I am looking for and prepend this in front of this value below.

Yep.

At the moment you must declare the attributes you want on the $Properties line. However, the Searcher returns almost everything by default so you may simply do away with $Properties and the PropertiesToLoad.AddRange line.

> How do you deal with the fact you have a bunch of DC’s in an environment

You can either query every DC, or you can pull lastLogonTimeStamp. lastLogonTimeStamp is replicated, but it may be up to 14 days out of date. How accurate do you need the times to be?

This version has the search root back in.
$SearchRoot = [ADSI]"LDAP://OU=somewhere,DC=domain,DC=com"
$Filter = "(&(objectClass=user)(objectCategory=person))"
$Properties = "name", "lastlogon", "telephonenumber", "department", "postalcode"

$Searcher = New-Object DirectoryServices.DirectorySearcher($SearchRoot, $Filter)
$Searcher.PageSize = 1000
$Searcher.PropertiesToLoad.AddRange($Properties)

$Searcher.FindAll() | Select-Object `
  @{n='Name';e={ $_.Properties["name"][0] }},
  @{n='LastLogon';e={ [DateTime]::FromFileTime($_.Properties["lastlogon"][0]) }},
  @{n='TelephoneNumber';e={ $_.Properties["telephonenumber"][0] }},
  @{n='Department';e={ $_.Properties["department"][0] }},
  @{n='ZipCode';e={ $_.Properties["postalcode"][0] }}

Open in new window

Note that we added the SearchRoot to the constructor (via New-Object) for the DirectorySearcher.

The search root will also be used to target specific DCs, like this:

$SearchRoot = [ADSI]"LDAP://server/OU=somewhere,DC=domain,DC=com"

And if you wanted a list of DCs you might just look at the Domain Controllers OU (in the script). Depending on your requirements for lastLogon accuracy :)

Chris
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:tdodd72
ID: 34171813
So I tried to pull additional properties from an object and I am not getting anything. For example I tried to pull the created date of an object and received nothing.

$SearchRoot = [ADSI]"LDAP://DC=something,DC=com"
$Filter = "(&(objectClass=user)(objectCategory=person))"
$Properties = "name", "lastlogon", "telephonenumber", "department", "postalcode", "Created"



$Searcher = New-Object DirectoryServices.DirectorySearcher($SearchRoot, $Filter)
$Searcher.PageSize = 1000
$Searcher.PropertiesToLoad.AddRange($Properties)

$Searcher.FindAll() | Select-Object `
  @{n='Name';e={ $_.Properties["name"][0] }},
  @{n='LastLogon';e={ [DateTime]::FromFileTime($_.Properties["lastlogon"][0]) }},
  @{n='TelephoneNumber';e={ $_.Properties["telephonenumber"][0] }},
  @{n='Department';e={ $_.Properties["department"][0] }},
  @{n='ZipCode';e={ $_.Properties["postalcode"][0] }},
  @{n='Created';e={ $_.Properties["Created"][0] }}
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 34171869
It's whenCreated rather than created. You also have to refer to property names in lower-case in the Select-Object part. So we get:
$SearchRoot = [ADSI]"LDAP://DC=something,DC=com"
$Filter = "(&(objectClass=user)(objectCategory=person))"
$Properties = "name", "lastlogon", "telephonenumber", "department", "postalcode", "whenCreated"

$Searcher = New-Object DirectoryServices.DirectorySearcher($SearchRoot, $Filter)
$Searcher.PageSize = 1000
$Searcher.PropertiesToLoad.AddRange($Properties)

$Searcher.FindAll() | Select-Object `
  @{n='Name';e={ $_.Properties["name"][0] }},
  @{n='LastLogon';e={ [DateTime]::FromFileTime($_.Properties["lastlogon"][0]) }},
  @{n='TelephoneNumber';e={ $_.Properties["telephonenumber"][0] }},
  @{n='Department';e={ $_.Properties["department"][0] }},
  @{n='ZipCode';e={ $_.Properties["postalcode"][0] }},
  @{n='Created';e={ $_.Properties["whencreated"][0] }}

Open in new window

Note that we can request the properties (PropertiesToLoad) regardless of case, its only when we want to extract them from $_.Properties that we have to care about case.

If you're unsure about the property names there are a number of ways you can see. For instance, you might use ADSIEdit.msc, or the Attribute Editor tab in AD Users and Computers (Win Vista / Win 7 / Win 2008 versions with View / Advanced), or you can get them with PowerShell:
(New-Object DirectoryServices.DirectorySearcher("(sAMAccountName=$Env:Username)")).FindOne().Properties

Open in new window

It won't be absolutely all of them, a few have to be explicitly requested (such as canonicalName).
HTH

Chris
0
 

Author Comment

by:tdodd72
ID: 34171943
Superb OUTSTANDING "(New-Object DirectoryServices.DirectorySearcher("(sAMAccountName=$Env:Username)")).FindOne().Properties" THIS IS what I have been looking for. Man I cannot believe all the properties I can pull with this thing. Thanks for your help again Mr. Powershell expert.
0
 

Author Closing Comment

by:tdodd72
ID: 34171956
Absolutely positively GREAT
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 34171966

You're welcome :)

Chris
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This script checks a path to see if a folder exists. If the folder does exist you will get output "The folder has previously been created. No action taken" If not it will create the folder. Then adds one user modify permission to the folder. It …
Synchronize a new Active Directory domain with an existing Office 365 tenant
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question