
I cannot use the Active Directory Module to get the SamAccountName of the users in a specific AD-group. How can I do this with ADSI?

I've tried:

    $Group = [ADSI]"LDAP://DN of the AD group"
    $Group.Member | ForEach-Object {
        $Searcher = [adsisearcher]"(samAccountName=$_)"
        $Searcher.FindOne().Properties
    }

But I see this message:

The samAccountName search filter is invalid.

How can I do this?

  • Read the error again - there's an o missing from samAccuntName (Apr 26, 2022 at 15:26)
  • Same error message (Apr 26, 2022 at 15:29)
  • That error message doesn't look like any error message that would be generated by the code you show. (Apr 26, 2022 at 15:38)

3 Answers

There are 2 ways around this as I see it; there might be an easier way of doing it, though.

One is to search for all users whose memberOf attribute has the DistinguishedName of the group (this might be the less cumbersome approach):

    $group = 'CN=myGroup, OU=myOU, DC=myDomain'
    # Users whose memberOf attribute contains the group's distinguishedName
    $searcher = [adsisearcher]"(&(objectclass=user)(objectcategory=person)(memberof=$group))"
    $members = foreach($member in $searcher.FindAll()) {
        $member.Properties.samaccountname
    }

The other way around is using the same approach as you're using in your question:

    $group = 'CN=myGroup, OU=myOU, DC=myDomain'
    $adsi = [adsi]"LDAP://$group"
    $members = foreach($member in $adsi.member) {
        # Bind to each member DN and keep it only if it is a user object
        $isUser = [adsi]"LDAP://$member"
        if('person' -in $isUser.objectclass) {
            $isUser.samaccountname
        }
    }

Similar to the one above, but using adsisearcher; not sure which one would be more efficient in this case:

    $group = 'CN=myGroup, OU=myOU, DC=myDomain'
    $adsi = [adsi]"LDAP://$group"   # same group object as in the previous block
    $members = foreach($member in $adsi.member) {
        # Search for the member DN and keep it only if it is a user object
        $check = [adsisearcher]"(&(distinguishedname=$member)(objectclass=user)(objectcategory=person))"
        if($isUser = $check.FindOne()) {
            $isUser.Properties.samaccountname
        }
    }
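Both answers build the LDAP filter by interpolating a DN into a string. A DN that contains characters with filter meaning, such as parentheses, an asterisk or a backslash, then produces an invalid or unintended filter. The following is an added example, not code from the question or any of the answers: it escapes the DN per RFC 4515 before it is interpolated, pages the result set so large groups are not truncated, and optionally uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule so members of nested groups are returned too. The function names are hypothetical and the group DN is a placeholder.

```powershell
function ConvertTo-LdapFilterValue {
    # Escapes the characters that have meaning inside an LDAP filter (RFC 4515)
    # so a DN with '\', '*', '(', ')' or NUL cannot change the filter structure.
    # The backslash is replaced first so the other escapes are not re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace "`0", '\00'
}

function Get-AdsiGroupUserMembers {
    # Returns the sAMAccountName of every user whose memberOf contains $GroupDn.
    # With -Recursive, Active Directory walks the group chain server-side
    # (OID 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN).
    param(
        [Parameter(Mandatory)][string]$GroupDn,
        [switch]$Recursive
    )
    $escaped = ConvertTo-LdapFilterValue -Value $GroupDn
    $memberOf = if ($Recursive) { "memberOf:1.2.840.113556.1.4.1941:=$escaped" }
                else            { "memberOf=$escaped" }
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)($memberOf))"
    $searcher.PageSize = 1000   # paged search: groups with more than 1000 members are not cut off
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties['samaccountname'][0]
    }
}

# Usage: replace the placeholder DN with the group's real distinguishedName.
$groupDn = 'CN=myGroup,OU=myOU,DC=myDomain'
Get-AdsiGroupUserMembers -GroupDn $groupDn -Recursive
```

Run it on a domain-joined machine as a user that can read the group; the output is one sAMAccountName per line, which you can assign to a variable instead of letting it fall through to the console.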

4 Comments

Thanks for your answer! I tried both code blocks but I do not get any return. I also get no error message. I copied your code and just changed the DN...
@user18209625 did you check the $members variable after running? Neither code block actually returns anything to the console
@Cpt.Whale thanks, I assumed that would be self-explanatory (I was wrong clearly)
Yes, I checked it

I ran this modified version of your code on my own system, so I could see what the search string actually looked like:

    $Group = [ADSI]"LDAP://DN of the AD group"
    $Group.Member | ForEach-Object {
        $searchKey = "(samAccountName=$_)"
        $searchKey                          # echo the filter to the console
        $Searcher = [adsisearcher]$searchKey
        # $Searcher.FindOne().Properties
    }

Note the point where I let $searchKey come to the console. When I do this, I see values with the full distinguished name instead of just samAccountName. Based on this result I changed the code to look for that value instead of samAccountName, and then I saw (presumably) expected results:

    $Group = [ADSI]"LDAP://DN of the AD group"
    $Group.Member | ForEach-Object {
        $Searcher = [adsisearcher]"(distinguishedName=$_)"
        $Searcher.FindOne().Properties
    }


This worked for me:

    $group = 'CN=myGroup, OU=myOU, DC=myDomain'
    $adsi = [adsi]"LDAP://$group"
    $members = foreach($member in $adsi.member) {
        $isUser = [adsi]"LDAP://$member"
        if('person' -in $isUser.objectclass) {
            $isUser.samaccountname
        }
    }
    $members
