LDAP - Search for Group Members

More with the ldap cmdlets in NetCmdlets, here's how to list the members of a particular group.

I used the get-ldap command shown in the last post to get a list of all my admin groups, and save it in a $groups collection:

PS C:\> $groups = get-ldap -server myserver -cred $mycred -dn dc=JUNGLE -searchscope wholesubtree 
  -search "(&(objectclass=group)(cn=*admin*))"

PS C:\> $groups

Host                                                        DN
----                                                        --
testboy                                                     CN=Administrators,CN=Builtin,DC=JUNGLE
testboy                                                     CN=Schema Admins,CN=Users,DC=JUNGLE
testboy                                                     CN=Enterprise Admins,CN=Users,DC=JUNGLE
testboy                                                     CN=Domain Admins,CN=Users,DC=JUNGLE
testboy                                                     CN=DnsAdmins,CN=Users,DC=JUNGLE

PS C:\>

Of course if you already know exactly what group you want, you can just hard code that group DN and call the cmdlet. But I can get all of the members of all of the admin groups by looping through this $groups collection. Here's how to get all the members of the first group (CN=Administrators):

PS C:\> get-ldap -server testboy -cred $mycred -dn $groups[0].DN -searchscope baseobject -search "objectClass=*" 
 -attr

objectClass            : {top, group}
cn                     : {Administrators}
description            : {Administrators have complete and unrestricted access to the computer/domain}
member                 : {CN=Domain Admins,CN=Users,DC=JUNGLE, CN=Enterprise Admins,CN=Users,DC=JUNGLE, CN=Administrato
                         r,CN=Users,DC=JUNGLE}
distinguishedName      : {CN=Administrators,CN=Builtin,DC=JUNGLE}
instanceType           : {4}
whenCreated            : {20070227205517.0Z}
whenChanged            : {20070730142747.0Z}
uSNCreated             : {8213}
uSNChanged             : {46068}
name                   : {Administrators}
adminCount             : {1}
sAMAccountName         : {Administrators}
sAMAccountType         : {536870912}
systemFlags            : {-1946157056}
groupType              : {-2147483643}
objectCategory         : {CN=Group,CN=Schema,CN=Configuration,DC=JUNGLE}
isCriticalSystemObject : {TRUE, }
Host                   : testboy
DN                     : CN=Administrators,CN=Builtin,DC=JUNGLE

PS C:\>

Note the use of the -attr flag in the cmdlet - this is to tell the cmdlet to return all the attributes resulting from the search. The reason I need to do this here is because all the members of the group will be contained inside the member attribute (or the memberUid or uniqueMember attribute depending on your server).

If I were to set a $result variable to the result of the command above, I could then examine $result.member to see all the members of the "CN=Administrators" group:

PS C:\> $result.member

CN=Domain Admins,CN=Users,DC=JUNGLE
CN=Enterprise Admins,CN=Users,DC=JUNGLE
CN=Administrator,CN=Users,DC=JUNGLE

PS C:\>

Technorati Tags: PowerShell, NetCmdlets, ldap, active directory

Posted on Thursday, August 2, 2007 9:31 AM PowerShell | Back to top

Comments on this post: LDAP - Search for Group Members

# re: LDAP - Search for Group Members

Hi all-

I am looking for LDAP engineer, with SUN One LDAP 6.x for a position in The San Francsico Bay Area.

Please contact me at 800.285.5627

Scott
stomtania@theplusgroup.com

Left by Scott on Feb 16, 2009 12:02 PM

Hi,

I am looking for an LDAP engineer with Exchange Server 2003/2007 troubleshooting experience in the DC Metro area.
Please contact me at 202.887.4747 ASAP.

Sincerely,

Jay Dunn
jdunn@midtownpersonnel.com

Left by Jay Dunn on Jun 11, 2009 12:08 PM