Lead, Follow, or Move » Active Directory

Dynamically populating user properties in Active Directory

Adam Bell — Thu, 04 Oct 2007 11:19:51 +0000

Recently I was asked to help out with a small issue pertaining to rolling out MS Live Communications Server. Two SIP properties (msRTCSIP-LineServer & msRTCSIP-Line) on the user object in AD were set dependent on which office the user was located in, and their Direct Dial (DDI) number. These properties needed to be set on the users on 3 sites, and I was asked if PowerShell could assist.

Seeing as I don’t have the schema extensions in my test lab, we will step through a similar scenario, but we’ll update the users description property instead.

In this example we have two test users:

We’re interested in the two User properties: Office and Telephone number. These would make up part of the SIP information for LCS, but in our example we just want to add them to the description property for easier viewing in AD User’s and Computers.

Presuming, that we want to update the description field against a large selection of users we will take advantage of how PowerShell handles CSV’s:

set-usrdesc.ps1



# 

# NAME:     Set-UsrDesc.ps1

# 

# AUTHOR:   Adam Bell, http://www.leadfollowmove.com

# RELEASE:  Contractors Creed - All care taken, no responsibility admitted. Use at your own risk.

# VERSION:

# 1.0.1    25/09/2007  Adam Bell  Initial.

# 1.0.2    26/09/2007  Adam Bell  refined for live.

# 

# COMMENT: Best viewed using Notepad2

#   

# -----------------------------------------------------------

# Check command-line arguments

# -----------------------------------------------------------

  if ($args.count -ne 1)

  {

    write-host "Usage: "

    write-host "CSV requires a header line."

    write-host " UserName,OU is the only data needed. No DomainDN in the OU DN."

    write-host ""

    exit

  }

  $InFile = $args[0]

  If (-not(test-path $InFile))

  {

    write-host "Unable to locate" $InFile

    exit

  }

# -----------------------------------------------------------

# Globals

# -----------------------------------------------------------

# If there are any errors,we'll handle them in code.

$erroractionpreference = "SilentlyContinue" $root = [adsi]"" # ----------------------------------------------------------- function set-Desc # ----------------------------------------------------------- { # Inputs: 1) The CN UserName of the Account object # 2) The OU DN without the Domain DN portion included. # Objective: 1) Process each user, and update the description property based on Office and DDI info. # Returns: 1) Nothing. Updates the users props. Param ( $UserName, $OUname ) $error.clear() $user = [adsi]("LDAP://cn="+$UserName ` +","+$OUname+","+$root.distinguishedName) if (!$?) { write-warning "Unable to bind to $UserName" write-host "" continue } $office = $user.get("physicalDeliveryOfficeName") if (!$?) { write-warning "Unable to retrieve Office Location for $UserName" write-host "" continue } $ddi = $user.get("telephoneNumber") if (!$?) { write-warning "Unable to retrieve DDI number for $UserName" write-host "" continue } $user.put("description", "($office) $ddi") $user.setinfo() If (!$error[0]) { write-host "$username updated." -foregroundcolor "green" } else { write-warning "Updating $UserName failed!" } write-host "" } # ----------------------------------------------------------- function get-userlist # ----------------------------------------------------------- { # Inputs: 1) Path to CSV file containing Users to process. Needs a header line: UserName, OU # Objective: 1) Get the data from the CSV file and pass it to Set-Desc # Returns: 1) Nothing. # Depends: 1) Set-Desc Param ( $PathToCSV ) $accounts = Import-Csv $PathToCSV foreach ($account in $accounts) { $UserName = $account.UserCN If ($UserName.StartsWith("#") -eq $true) { } Else { "Processing ... "+$UserName set-Desc $UserName $account.OU } } } # ----------------------------------------------------------- # Main # ----------------------------------------------------------- get-userlist $InFile # -----------------------------------------------------------

A couple of points of interest, from the script above:
The Username is the CN (usually the displayName property), and is added with the ouName provided in the CSV, and the distinguishedName of the domain to build the ADSI binding to the user object.

The get(),put() and setinfo() methods are pretty self explanatory, especially if you’ve done any ADSI scripting before.

What’s nice about PowerShell is that you can user variables “inline”. It doesn’t work when constructing the ADSI binding, but it does when constructing strings (in this case for out put() method).

The (!$?) if block is a nice error checking step that check’s if the the last command wasn’t successful.

The !error[0] if block tests if we have had any errors in our process, and provides feedback to the console accordingly.

Running the script gives us the following output:

And if we check the user account, we can see that the description field has been updated for easy viewing , if we had a lot of users.

Control Access Rights in Active Directory

Adam Bell — Tue, 03 Apr 2007 20:41:55 +0000

Recently we looked at Extended-Rights in Active directory, and today we’ll complete our series of posts on permissions in AD with a post on Control Access Rights, also known as Specific Rights.

Control Access Rights are similar to Standard Rights in the permissions applied, however it is applied to a specific object, or property set. This property is also represented by a system.guid like we have previously seen with Extended Rights.

In this case however the GUID is the schemaIDGUID attribute on the object located in the Schema partition. Provided the Common Name (cn) is known of the object needed the function below will retrieve the GUID in question:
Get-SchemaGUID.ps1



$dse = [adsi]("LDAP://RootDSE")

 

#----------------------------------------------------------------------------------------------------------

function get-SchemaGUID

#----------------------------------------------------------------------------------------------------------

{

Param (

  $DSobject

  )

  $guid = $null

  $obj = [adsi]("LDAP://cn="+$DSobject+","+$dse.schemaNamingContext)

  [system.guid]$guid = $obj.schemaIDGUID[0]

  return $guid.ToString()

}

#----------------------------------------------------------------------------------------------------------

get-schemaguid "computer"

Once we have the GUID for the object or Property Set, we can then start thinking about our ACE. For Control Access Rights there are two types of scenarios, and hence two constructors available. We would use the following constructor when delegating the ability to create and delete computer objects in the computers container, for example.



Void .ctor(

Void .ctor(

  System.Security.Principal.IdentityReference, 

  System.DirectoryServices.ActiveDirectoryRights, 

  System.Security.AccessControl.AccessControlType, 

  System.Guid,

  System.DirectoryServices.ActiveDirectorySecurityInheritance)

The ACE can be further controlled by specificing the type of object that may inherit the ACE. In that scenario you would use the following constructor:



Void .ctor(

  System.Security.Principal.IdentityReference, 

  System.DirectoryServices.ActiveDirectoryRights, 

  System.Security.AccessControl.AccessControlType, 

  System.Guid, 

  System.DirectoryServices.ActiveDirectorySecurityInheritance, 

  System.Guid)

As you can see with two GUID’s in the syntax it becomes much easier to get things in the wrong order and in turn get an unexpected result.

MSDN has a clearer description of the constructors, and you can see that the GUID’s are for different objects.

So, armed with the GUID of the object, and the rest of the of our information we can go about setting the Control Access Right.
Set-CAR.ps1



$root    = [adsi]""

$test    = [adsi]("LDAP://ou=Test OU,"+$root.distinguishedName)

 

$account  = New-Object System.Security.Principal.NTAccount("bella")

$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]"All"

 

$rights    = "CreateChild, DeleteChild"

$gplink    = "f30e3bbe-9ff0-11d1-b603-0000f80367c1"

$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($acc, $rights, "Allow", $gplink, $Inherit)

 

$test.psbase.get_objectSecurity().AddAccessRule($ace)

$test.psbase.CommitChanges()

The above example gives the Bella account the rights to link Group Policy objects in the Test OU, and any sub OU’s (due to the inheritances flag).

Now we’ve covered the three types of permissions within the Active Directory, you should be able to apply any combination of permissions you need to organise the delegation model within your environment.

It makes me smile when I think back to the old NT4 days! ;)

[Updated:] The paragraph describing InheritedObjectTypes was rewritten to try and clarify the difference between the constructors.

Extended Rights in Active Directory

Adam Bell — Wed, 28 Mar 2007 20:16:42 +0000

Extended Rights are one of the mechanisms behind Active Directory permissions that allow for such granular control over the delegation of tasks in your environment. There’s a Technet article that explains delegation and touches on Extended Rights (near the bottom).

Extended Rights exists in AD as objects stored within the Extended-Rights container, which is located in the Configuration partition.

If you’re not sure about the different partitions within AD there is an excellent primer on TechNet about AD Architecture.

So how do we set an Extended Right permission? It’s actually very similiar to applying a Standard Rights ACE. The difference comes in the parameters we pass, and hence the constructor we use in the ActiveDirectoryAccessRule method.



Void .ctor(

  System.Security.Principal.IdentityReference, 

  System.DirectoryServices.ActiveDirectoryRights, 

  System.Security.AccessControl.AccessControlType, 

  System.Guid, 

  System.DirectoryServices.ActiveDirectorySecurityInheritance)

In this case the ActiveDirectoryRights value is the keyword “ExtendedRight“, and the system.Guid refers to an attribute of the Extended Rights object called the rightsGUID.

I’ve got a function that takes the CN of the right as input and returns the GUID.

Lookup Extended-Right GUID:
get-erGUID.ps1



$dse = [adsi]("LDAP://Rootdse")

 

#----------------------------------------------------------------------------------------------------------

function Get-RightsGUID

{

Param (

  $ExtendedRight

  )

  $ER = [adsi]("LDAP://cn=Extended-Rights,"+$dse.configurationNamingContext)

  $DSobject = [adsi]("LDAP://cn="+$ExtendedRight+","+$ER.distinguishedName)

  $ERguid = $DSobject.rightsGUID

  return $ERguid

}

#----------------------------------------------------------------------------------------------------------

Get-RightsGUID "Change-PDC"

If you don’t know the right you’re looking for you have a couple of options. TechNet have a reference that lists them, but we can also look them up.
RightsTbl.ps1



$dse  = [adsi]("LDAP://Rootdse")

 

# Build a Hashtable to translate the displayName (used by DSACL) to the objects CN.

$ERtbl  = @{}

$ext  = [adsi]("LDAP://cn=Extended-rights,"+$dse.configurationNamingContext)

$ext.psbase.children |% { $ERtbl.Add($_.displayName.toString(), $_.cn.toString()) }

The function above enumerates through the Extended-Rights container and loads the values for the displayName and cn into an associative array (hash table). Now we can look them up by either typing



$ERtbl

Which will list our complete hash table, or we can lookup specific translations



$ERtbl["Change PDC"]

So far so good. So putting it all together then. A code block to add the Change PDC right on the domain:
ChangeFSMORight.ps1



$root    = [adsi]""

 

$account  = New-Object System.Security.Principal.NTAccount("bella")

$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]"All"

$rights    = "ExtendedRight"

 

$changepdc  = "bae50096-4752-11d1-9052-00c04fc2d4cf"

$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($account, $rights, "Allow", $changpdc, $Inherit)

 

$root.psbase.get_objectSecurity().AddAccessRule($ace)

$root.psbase.CommitChanges()

Next time we’ll look at our last post in on the topic of Active Directory permissions when we look at Control Access Rights.

Inheritance and Propagation in Active Directory permissions

Adam Bell — Thu, 22 Mar 2007 17:58:10 +0000

Disclaimer:
As mentioned before I’m not a programmer, so the information in the next few posts may not be 100%. What I will pass on is what I have found in my experience, and any external links to valid sources that may help provide more detail. With this in mind if you find any inaccuracies, or just have more information to add please feel free to let me know …. :)

There are three types of permissions in regards to Active Directory security: Standard Rights, Extended Rights, and Control Access Rights. We’ve covered Standard Rights in a recent post, and in building up to the remaining two we’ll take a look at Inheritance and Propagation.

Now if we’re dealing with NTFs permissions, we use the System.Security.AccessControl namespace and the Inheritance and Propagation flags.

In AD we use a different method, but the concept is the same. There is only one flag used, and this is ActiveDirectorySecurityInheritance.

For example in NTFS you may have used:



$inherit = [system.security.accesscontrol.InheritanceFlags]"ContainerInherit"

$propagation = [system.security.accesscontrol.PropagationFlags]"InheritOnly"

In Active Directory the same result would be achieved by:



$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]"descendents"

An article that explains this subject well can be found on MSDN here. In particular the paragraph on inheritance and figure 5.

If we want to stop permissions being inherited from the parent Organizational Unit or container, you can use the SetAccessRuleprotection method. The syntax for which is available here
And a simple example:
BlockInheritance.ps1



$root = [adsi]""

$test = [adsi]("LDAP://ou=Test ou,"+$root.distinguishedName)

 

# [bool]IsProtected, [bool]PreserveInheritance

# The second option decides whether the inherited ACE's are copied, or dropped.

$test.psbase.get_objectsecurity().SetAccessRuleProtection($true, $false)

 

$test.psbase.CommitChanges()

In the next post we’ll build a couple of useful functions for retrieving data needed for Extended and Access Control Rights.

Removing ACE’s from Active Directory with PowerShell

Adam Bell — Tue, 20 Mar 2007 22:14:24 +0000

Soon we’ll be looking into some pretty low level permission schemes that can be applied to Active Directory. For now however, following on from yesterdays post, we’ll take a look at how to remove Acccess Control Entries from the Security Descriptor in AD.

Below is our function:
remove-DSace.ps1



$root = [adsi]""

 

#----------------------------------------------------------------------------------------------------------

function remove-DSace

#----------------------------------------------------------------------------------------------------------

{

Param (

  $DSobject,

  $DSidentity

  )

  $sd = $DSobject.psbase.get_objectSecurity().getAccessRules($true, $false, [System.Security.Principal.NTAccount])

  $rar = $sd |? {$_.IdentityReference -eq $DSidentity}

  if ($rar -is [array])

  {

    foreach ($ace in $rar)

    {

      $DSobject.psbase.get_ObjectSecurity().RemoveAccessRule($ace)

      $DSobject.psbase.commitchanges()

    }

  }

  else

  {

    $DSobject.psbase.get_ObjectSecurity().RemoveAccessRule($rar)

    $DSobject.psbase.commitchanges()

  }

}

#----------------------------------------------------------------------------------------------------------

$ou = [adsi]("LDAP://ou="+$ARGS[0]+","+$root.distinguishedName)

remove-DSace $ou $ARGS[1]

Points of interest then:
Details on the parameters for GetAccessRules are here. We then filter our rules to those that match our Group/Account as defined by the IdentityReference attribute on the object, and store these in the $rar variable. By testing if this variable is an array or not we can determine if we have one ACE or several that need removing.

Using an If..Else code block we remove the ACE or ACEs as applicable and commit our changes back to the directory. If the ACE was configured to propagate down the directory this will have the effect of completely removing that permission from everywhere.

Tomorrow we really will look into Propagation and Inheritence ;)

Active Directory Permissions – Standard Rights

Adam Bell — Mon, 19 Mar 2007 20:46:21 +0000

We’ve previously covered manipulating NTFS permissions, and in this post we’ll take that basis and apply it to Active Directory.

Marc covered this topic on his old blog, while PowerShell was still in beta (Pre RC2). The approach is basically the same, but you need to utilise psbase in PowerShell 1.0.

So, we want to give our test user bella full control over the Test OU. I would suggest not making permission changes to your AD if you don’t know what you’re doing because things can get nasty very quickly. A bit of useful reading on the subject can be found here and here.

Below is our basic function:
function add-DSace.ps1



#----------------------------------------------------------------------------------------------------------

function Add-DSace

#----------------------------------------------------------------------------------------------------------

{

Param (

  $DSobject,

  $Identifier,

  $DSrights,

  $AccessType = "Allow"

  )

  # GetAccessRules: Explicit ACE's, Inherited ACE's, TargetType

  $account = New-Object system.security.principal.ntaccount($Identifier)

 

  # Retrieve the SID - as a manual step you can check it's not empty :)

  $sid = $acc.translate([system.security.principal.securityidentifier])

  #$sid.ToString()

 

  $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($account, $DSrights, $AccessType)

  $DSobject.psbase.get_objectsecurity().AddAccessRule($ace)

  $DSobject.psbase.CommitChanges()

}

#----------------------------------------------------------------------------------------------------------

$root = [adsi]""

$test = [adsi]("LDAP://ou=Test OU,"+$root.distinguishedName)

 

Add-DSace $Test "bella" "GenericAll"

Okay, so points of interest then:

Once we’ve created a variable for the OU we want to add an ACE to, we then define our Security Principal. This can be either a user or a group, and we can present this in either SID format or as the account name.

In this example we’re targeting a user. We could have validated the account by retrieving it’s SID, but for this we’re presuming that everything exists and no checking is performed.

There are several constructors available for the ActiveDirectoryAccessRule. You can see what’s available, by looking at the constructors:



# List the constuctors available to this method:

[System.DirectoryServices.ActiveDirectoryAccessRule].GetConstructors() |% {"$_"}

I’ve found this to be a really useful way of discovering the specific requirements for a method. Once you know what types the method is expecting you can then investigate what each element is. In this instance we are utilising the following constructor:



Void .ctor(

  System.Security.Principal.IdentityReference, 

  System.DirectoryServices.ActiveDirectoryRights, 

  System.Security.AccessControl.AccessControlType)

You can then either look them up on MSDN or feed in some false data, and see if the constructor will provide you with details on what it needs.

Once we have the ACE, the last two lines are where we add the ACE to the Security Descriptor and then commit our changes back to the directory.

As you can see we need to use psbase. This gives us the “raw” view of the object. I find using psbase very difficult. It’s almost a fall back, for when you can’t seem to make it work any other way. At the moment I just put it down as one of PowerShell’s little quirks ;)

Over the next few days we’ll take a closer look at Propagation, Inheritance and Active Directory Extended Rights.

Code Samples

Adam Bell — Mon, 12 Mar 2007 14:13:27 +0000

When I first started posting examples of administering Active Directory with PowerShell Richard requested if I would put my examples on the UK PowerShell Users Group site.

I’m in the process of sorting them out, and will be posting them up there in the next 24 hours or so. For those that aren’t a member, I’ve created a Code Sample page in the sidebar where I’ll post them also.

They come with the usual all care, no responsibility tag line. I hope you find them of some use!

Two day seminar on Active Directory – 14th & 15th March 2007 (London)

Adam Bell — Tue, 06 Mar 2007 11:58:56 +0000

A couple of years ago I attended a 5 day seminar on Active Directory at the NEC in Birmingham. It was a TechNet sponsored event presented by John Craddock and Sally Storey. Now John is regarded as one of the top AD guys in the UK, and with good reason.

Next week John and Sally have a two day seminar on in London. Here is the link on the UK TechNet Events website. I know it’s a little late, and there may not be any places left, but I can tell you without doubt it will be a great two days.

A few years ago I was working on an AD project for a large environment and at the time I was struggling to achieve some of the automation mile stones. After several weeks of scouring the web and news groups I completed all my tasks. Just after this I got a copy of John and Sally’s book. The pound to page ratio on this is quite high, but what I found within was all the obscure answers for the problems I’d spent weeks searching for.

Now before you ask, I’m not affiliated with these guys in any way, and am not being paid for this. These guys are just good, and well worth a look if AD is in any way your thing ;)

Searching Active Directory for Windows 2000 and Windows NT4 Domain Controllers with PowerShell

Adam Bell — Tue, 20 Feb 2007 13:45:46 +0000

When I posted the article on raising AD functionality levels recently David Saxon pointed out that more could be done in regards to confirming the Domain Controllers are at the required level, i.e. they are Windows 2003 Domain Controllers.

Since we’ve looked at searching the Directory yesterday, this seems like a good time to take a closer look into this.
Microsoft have a good article here on what features are available depending on you functionality level.

So we’d start with:



$query = new-object system.directoryservices.directorysearcher

$root = [adsi]""

And presuming our DC’s are located in the default location, we can narrow our search down:



$ou = [adsi]("LDAP://ou=Domain Controllers,"+$root.distinguishedName)

$query.SearchRoot = $ou

$query.SearchScope = "OneLevel"

The key to our search is going to be the filter() that we use. If you look around there’s a few different ways of identifying what we might want to search on.

In KB article 322692 there is a good filter for finding NT4 Domain Controllers:



$query.filter = "(&(objectCategory=computer)(operatingSystem Version=4*)(userAccountControl:1.2.840.113556.1.4.803:=8192))"

Here we’re filtering on the computer object, the OS version, and the UAC value. Let’s break this down a bit more. The first one is pretty obvious, the OS version is easy enough too. Anything with a 4 in the version relates to NT4. Windows 2000 is 5.0, and Windows 2003 is 5.2. So what’s with the UAC filter? The bitwise filter is an Object ID (OID) that means all the flags have to be set for a match. The value of 8192 specifies that the account is a Domain Controller.

We can search for Windows 2000 Domain Controllers using the following filter, as described in KB article 325379



$query.filter = "(&(objectCategory=computer)(primaryGroupID=516)(operatingSystemVersion=5.0*))"

Similar to the above example, we’re filtering on the computer object again. This time rather than use the UAC approach though we’ve used the PrimaryGroupID which we’ve touched on previously. The OS version corresponds to the versions discussed above.

It seems to me that our best approach would be to filter on any computer account, that’s not Windows 2003. As we’re only searching in the Domain Controllers OU we shouldn’t need to try and check the UAC or Primary Group information, but you could just to be sure if you felt that way inclined.



$query.filter = "(&(objectCategory=computer)(!operatingSystem Version=5.2*)(userAccountControl:1.2.840.113556.1.4.803:=8192))"

There’s a subtle difference between this filter and the first example. Basically we’re looking for OS version that’s not (!) equal to Windows 2003. In theory this should give us all the other Domain Controllers ;)

So to finish off then:



$result = $query.FindAll()

if ($result -eq $null)

{ 

  return $null

}

else

{

  foreach ($machine in $result)

  {

    $ADobject = $machine.GetDirectoryEntry()

    write-host $ADobject.distinguishedName

  }

}

Of course just because we have accounts in AD doesn’t actually mean that there are machines still out there. You could tie this into a function that then calls a ping test against the names that are retrieved. That’s still not gospel, but if it’s a DC, it’s more likely to be up if it’s still out there!

If you’re new to LDAP queries and would like more information Microsoft have a good primer here.

Searching Active Directory with PowerShell

Adam Bell — Mon, 19 Feb 2007 12:45:41 +0000

Being quite the lazy admin that I am, whenever I’m scripting for AD I like to use short names when referring to objects. As an example, if I want to add the user BellA into the Domain Admins group I don’t want to provide the distinguishedName for both objects .

The easy solution to this is to have enough information to hand, to allow a quick rummage through the Directory, and let the script
retrieve the details it needs. In fact being able to extract information from an AD search is pretty much the corner stone of any AD scripting tool box, as you’ll see over the next couple of posts.

I’ll show you a couple of ways of searching and then mention a few points to be aware of regarding performance, and your impact on the servers whose workload you’re adding to.



# ---------------------------------------------------------------------------------------------------

function Find-DN

# ---------------------------------------------------------------------------------------------------

{

Param (

  $sADobjectName,

  $sADobjectType

  )

  $query = new-object system.directoryservices.directorysearcher

  $root = [adsi]""

 

  $query.SearchRoot = $root

  $query.filter = "(&(ObjectClass=$sADobjectType)(cn=$sADobjectName))"

  $query.SearchScope = "subtree"

  $result = $query.findOne()

  

  if ($result -eq $null)

  { 

    return $null

  }

  else

  {

    $ADobject = $result.GetDirectoryEntry()

    return $ADobject.distinguishedName

  }

}

There isn’t a lot of specific PowerShell code in the function above. Its pretty LDAP orientated. We have a simple function that returns you the distinguishedName of an object when you provide the objectClass and cn.
So to find the DN of my test user account:



Find-DN "BellA" "user"

The $result variable is a System.DirectoryServices.SearchResult which we cast into System.DirectoryServices.DirectoryEntry with the GetDirectoryEntry() method. I like this as it gives us a much nicer way of retrieving the objects properties.

The other method of searching AD I have seen, is similar, but with a PS slant to it:



# ---------------------------------------------------------------------------------------------------

function Find-DN2

# ---------------------------------------------------------------------------------------------------

{

Param (

  $sADobjectName,

  $sADobjectType

  )

  $query = new-object system.directoryservices.directorysearcher

  $root = [adsi]""

  

  $query.SearchRoot = $root

  $query.SearchScope = "subtree"

 

  $ADobject = $query.findAll() | where-object {$_.properties.objectclass -eq $sADobjectType `

    -and $_.properties.cn -eq $sADobjectName}

  $props = $ADobject.Properties

  

  if ($ADobject -eq $null)

  { 

    return $null

  }

  else

  {

    foreach ($prop in $props)

    {

      return $prop.distinguishedname

    }  

  }

}

Straight away you can see some PowerShell in the function above. Rather then use the $query.filter, we pipe the results into a where-object and then filter for our search criteria. We also handle the properties returned differently.

This function would be called exactly the same as our previous example:



Find-DN2 "BellA" "user"

Now I’ve had problems with this function. I’ve found it worked fine for “some” objects, but I have had trouble retrieving others. Despite the SearchScope being set to “SubTree” I’ve had it fail to retrieve objects that are a few OU’s deep. I suspect this is a flaw with my function as apposed to anything flawed in PS ;)

Search Tips
So now we’ve seen the basics, I thought it worth mentioning a couple of ways to improve on performance, and speed:

[1] Scope: If you can, narrow your SearchScope. There’s three options: “Base”, “OneLevel”, and “SubTree”. If you’re not sure, there’s a good explanation on MSDN here.

[2] Filter: Always try and provide a filter to reduce how much data you’re trying to retrieve. There’s obviously not much point retrieving every user account in your domain and enumerating through them all just for the one you want. Think about the Filter() method, and use the relevant FindOne() FindAll() methods.

I’m not sure how our second examples works with this. My hunch is that it retrieves ALL the objects and trawls through each with the where-object. I could be wrong here of course ;)

[3] Properties: If you’re only after say, the distinguishedName it would be a good idea to reduce the properties returned by using the PropertiesToLoad method.

The Microsoft Scripting Guy’s, have an example here