
The company has an AD structure that I need to search for the group names where the user is a member. I do know it should be in the "memberof" attribute for the users; let's just say that is not always correct.

I tried the below code to find the username (or object name) within the "member" attribute for all of the groups within an OU and then bring back the name of the group. Unfortunately I think I am missing something. Reverse search (i.e. listing the members of a group) is working, but in my case I do not know the names of the groups. Also I need all of the groups, not just a single one.

    # Wildcard search for the user name inside the member attribute of every group
    $uname = "*anyoldusername*"
    $Searcher = [ADSISearcher]"(member=$uname)"
    $Searcher.SearchRoot = [ADSI]"LDAP://mydomainsearchroot"
    $Searcher.PageSize = 10000
    # Collect the cn (group name) of every match
    $result = $Searcher.FindAll().Properties.cn
    echo $result
  • Why don't you use Get-ADPrincipalGroupMembership? Commented Apr 5, 2019 at 11:52
  • I need to use a solution where I am not allowed to use the AD module. I am restricted to ADSI and PowerShell 2.0. Commented Apr 5, 2019 at 11:53
  • If MemberOf is wrong, you have more serious problems. Commented Apr 5, 2019 at 12:35
  • Yep, that is correct. Unfortunately I cannot change that part. Commented Apr 5, 2019 at 12:54

1 Answer

This should do it:

    $UserName = "TestUser"
    $Searcher = [ADSISearcher]""
    $Searcher.SearchRoot = [ADSI]"LDAP://mydomainsearchroot"
    # First search: resolve the user's distinguished name
    $Searcher.Filter = "Name=$UserName"
    $UserDN = $Searcher.FindOne().properties.distinguishedname
    # Second search: every group whose member attribute chains to that DN (nested groups included)
    $Searcher.Filter = "(member:1.2.840.113556.1.4.1941:=$UserDN)"
    $Searcher.PageSize = 10000
    $result = $Searcher.FindAll().Properties.cn
    $result

The first search is to find the DN of the user, since that's required for the filter in the next search. To read more about the "1.2.840.113556.1.4.1941" filter see this documentation.

Oh, and echo is an alias for Write-Output in PowerShell; better to use that directly, or even omit it entirely, since a string or variable on its own will default to Write-Output anyway, as you can see when $result is run at the end.
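The same two-step lookup, written as an added example that is not part of the question or the answer above, wrapped in a PowerShell 2.0-compatible function that uses only ADSI. It differs from the answer's snippet in three ways a practitioner doing an access review will want: the user is found by sAMAccountName (unique in the domain, whereas Name is not), both values placed into the LDAP filter are escaped per RFC 4515 so a name containing `(`, `)`, `*` or `\` cannot alter the query, and the result collection is enumerated page by page and disposed rather than flattened with `.Properties.cn`. The search root `LDAP://DC=example,DC=com`, the account `jdoe` and the function names are placeholders I chose, not values from the page.

```powershell
# Added example: resolve every group a user belongs to (nested groups included)
# with LDAP_MATCHING_RULE_IN_CHAIN over ADSI only, no ActiveDirectory module.
# Assumptions: the search root and the account name below are placeholders.

function ConvertTo-LdapFilterValue {
    # Escape the characters that carry meaning inside an LDAP filter (RFC 4515)
    # so a user-supplied name or DN cannot change the shape of the query.
    param([string]$Value)
    $Value = $Value.Replace('\', '\5c')   # backslash first: it is the escape character
    $Value = $Value.Replace('*', '\2a')
    $Value = $Value.Replace('(', '\28')
    $Value = $Value.Replace(')', '\29')
    $Value = $Value.Replace([string][char]0, '\00')
    return $Value
}

function Get-UserGroupsViaAdsi {
    param(
        [string]$SamAccountName,
        [string]$SearchRoot = 'LDAP://DC=example,DC=com'   # assumption: adjust for your domain
    )

    $root = [ADSI]$SearchRoot

    # Step 1: look the user up by sAMAccountName and read its distinguished name.
    $userSearcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $userSearcher.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    [void]$userSearcher.PropertiesToLoad.Add('distinguishedName')
    $user = $userSearcher.FindOne()
    if ($user -eq $null) {
        throw "No user with sAMAccountName '$SamAccountName' under $SearchRoot"
    }
    $userDn = [string]$user.Properties['distinguishedname'][0]

    # Step 2: every group whose member attribute chains to that DN.
    # 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC walk
    # nested membership server-side, so groups-of-groups come back too.
    $groupSearcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $groupSearcher.Filter = "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $userDn)))"
    $groupSearcher.PageSize = 1000       # at or below the DC's default MaxPageSize of 1000
    [void]$groupSearcher.PropertiesToLoad.Add('cn')
    [void]$groupSearcher.PropertiesToLoad.Add('distinguishedName')

    $results = $groupSearcher.FindAll()
    try {
        # Enumerate the SearchResultCollection itself so each page is fetched
        # in turn, instead of reading .Properties.cn off the whole collection.
        foreach ($r in $results) {
            New-Object PSObject -Property @{
                Name              = [string]$r.Properties['cn'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()   # release the LDAP connection and paging state
    }
}

# Usage (placeholder account name):
Get-UserGroupsViaAdsi -SamAccountName 'jdoe' |
    Sort-Object Name |
    Format-Table Name, DistinguishedName -AutoSize
```

Because the chain match is evaluated on the domain controller, the output reflects the member links as the directory actually stores them, which is the point of the question: it does not depend on a user's memberOf attribute being complete. Comparing this list against what memberOf reports for the same account is a quick way to find the inconsistencies the comments above mention.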


9 Comments

Thanks! I’ll give it a shot! Echo was there to show if I got anything in the variable or not. The main script outputs the results into a textbox in a gui.
Cool, let me know if you have any questions. Also to clarify, the variable on its own will have the exact same output as echo.
Got a strange error:

    An error occurred while enumerating through a collection: More data is available.
    At line:8 char:1
    + $result = $Searcher.FindAll().Properties.cn
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (System.Director...sultsEnumerator:ResultsEnumerator) [], RuntimeException
        + FullyQualifiedErrorId : BadEnumeration

Am I hitting a timeout here?
Awesome, strange though that the domain root didn't work for the groups, it should cover all OUs underneath.
Like stated before, the AD here has bigger problems. :D Anyway, appreciate the help! Thanks again!