Skip to main content

Searching AD using .net and a GC

Searching AD using .net and a Global Catalog (GC) Server

Although I have been recently been exploring the world of R2 and AD-cmdlts, I have re-visited .net to search a the whole forest in one quick step.  As A GC holds a subset of information on all objects in the forest, we can query any GC in the forest to return these values.  Here, I am doing a search for a specific UPN, but the filter can inculde any attribute stored on the GC.

$upn= "first.last@domain.name"
$Forest = [System.DirectoryServices.ActiveDirectory.forest]::getcurrentforest()
$GC = $forest.FindGlobalCatalog()
$searcher = $gc.GetDirectorySearcher()
$searcher.filter = "(userprincipalname=$upn)"
$Results = $Searcher.FindAll()


The rest of the script is the same as how we ended up in my AD Searcher

You might not want to find any GC in the forest, you might want to only choose one from a particular site. As $forest.FindGlobalCatalog() has an option for this, the command simply becomes

$GC = $forest.FindGlobalCatalog("Sitename")
I'm a big fan of keeping things concise, and powershell allows you to do this quite easily.  We can take lines 2, 3 and 4 from the above script and do it all in one go ...


$searcher = [System.DirectoryServices.ActiveDirectory.forest]::getcurrentforest().FindGlobalCatalog().GetDirectorySearcher()


As before, you have the other search options you can configure, below is an output of the $searcher object ...


PS U:\> $searcher

CacheResults : True
ClientTimeout : -00:00:01
PropertyNamesOnly : False
Filter : (objectClass=*)
PageSize : 0
PropertiesToLoad : {}
ReferralChasing : External
SearchScope : Subtree
ServerPageTimeLimit : -00:00:01
ServerTimeLimit : -00:00:01
SizeLimit : 0
SearchRoot : System.DirectoryServices.DirectoryEntry
Sort : System.DirectoryServices.SortOption
Asynchronous : False
Tombstone : False
AttributeScopeQuery :
DerefAlias : Never
SecurityMasks : None
ExtendedDN : None
DirectorySynchronization :
VirtualListView :
Site :
Container :
You can set these the same way we set the filter.

NOTE : I have found that PropertiesToLoad is a read only value. The searcher returns all GC attributes. Also SearchRoot is set to the GC server selected.

So, to query the whole forest in one go : (with the rest of the AD searcher script)
$Collection = @()
$upn = "first.last@domain.name"
$ObjectCategory = "user"
$ObjectProplist = "samaccountname","userprincipalname","mail","whencreated","whenchanged","memberof"

$searcher = [System.DirectoryServices.ActiveDirectory.forest]::getcurrentforest().FindGlobalCatalog().GetDirectorySearcher()
$searcher.filter = "(&(objectCategory=user)(userprincipalname=$upn))"
$Searcher.pagesize = 1000
$Results = $Searcher.FindAll()
foreach ($Object in $Results){
   $Store = "" | select $ObjectProplist
   foreach ($prop in $ObjectProplist){
      switch ($prop){
         lastlogon {trap { $Store.lastlogon = "Last Logon value not valid";continue}&{$lastlogon =[DateTime]::FromFileTime($Object.Properties.lastlogon[0]);$Store.lastlogon = $lastlogon}}
         lastlogontimestamp {trap { $Store.lastlogontimestamp = "Last Logon value not valid";continue}&{$Store.lastlogontimestamp = [DateTime]::FromFileTimeUTC($Object.Properties.lastlogontimestamp[0])}}
         useraccountcontrol {$Store.$prop = $Object.Properties.$prop[0]}
         memberof {trap { $Store.$prop = "null";continue}&{$Store.$prop = [string]::join(",",$($Object.Properties.$prop))}}
         proxyaddresses {trap { $Store.$prop = "null";continue}&{$Store.$prop = [string]::join(",",$($Object.Properties.$prop))}}
         Default {trap { $Store.$prop = $Object.Properties.$prop;continue}&$Store.$prop = $($Object.Properties.$prop).tostring()}}
      }
   }
   $Collection += $Store
}
$Collection | export-csv "upn.csv" -NoTypeInformation

Labels:

Comments

Post a Comment

Popular posts from this blog

Enable Powershell Remoting (WinRM) via Group Policy

I have been doing some testing on enabling WinRM via group policy, being that WinRM is the service that Powershell v2 sets up it remoting capabilities. Here are the GPO settings that you need to configure WinRM .... set the winrm service to auto start Computer Configuration \ Policies \ Windows Settings \ Security Settings \ System Services Windows Remote Management (WS-Management)  set Startup Mode to Automatic start the service incorporated in to the above - you may need a restart. create a winrm listener Computer Configuration / Policies / Administrative Templates / Windows Components / Windows Remote Management (WinRM) / WinRM Service / Allow automatic configuration of listeners IPv4 filter: * * is listen on all addresses, or if you only want a particular IP address to respond use an iprange eg 10.1.1.1-10.1.1.254 - don't forget that this IP range has to be valid for all hosts that fall in the scope of the GPO you are creating.  You can use 10.1.1.1 -
2 comments
Read more

Assigning Permissions - AGDLP

AGDLP It seems I have been mildly distracted away from the title of this blog site.   It does say AD Admin, but I seem to have been taken away by file system stuff.   I have to say, it has all been worthwhile, but it’s probably time I got back to the real heart of what I do. There are probably a million permission assigning advice pages, but I thought I would put another one out there after referring to AGDLP in my last post. So, what is this all about – AGDLP.   Well, it is something I learned in my MCSE 2003 studies and has become ingrained into my ideals since.   As a contractor, I get to move job often.   This enables me to forge opinions on how to configure things in a domain, and more importantly how NOT to configure things. AGDLP is definitely on the to do list…for anyone in any size domain or forest, as it follows some very basic principals.   I will explain these whilst I go through what AGDPL stands for. A A is for account.   It is the securit
2 comments
Read more

PowerShell 3 behavioural change

It's taken me way too long to get into PowerShell 3, I guess opportunity hasn't shown it's self until now and so, here, my V3 journey begins. I was asked to debug a script that would run fine in PS v2 and not in v3.  The issue was a that a variable length was being checked and was failing in v3.  This is why... In v2 if a variable is undefined , this test returns false PS C:\windows\system32> $var.length -eq 0 False In v3 the same test returns true.... PS C:\windows\system32> $var.length -eq 0 True Not a biggie, but as in this case, a script has broken so something to consider! cheers Adam
Post a Comment
Read more