Search Active Directory with PowerShell (LDAP)
If you’re like me and you find yourself in a PowerShell session pretty much all day, then it is nice to have all of the tools you need most at the tip of your fingers. For me, I often have to search for a user, and my tool of choice for many years has been ADUC. That all changed with PowerShell! As I became more involved with the automation of tasks, I increasingly needed a function that would search for objects in AD and return the result.
What it does
Allows you to search for a user's full name (first last), UPN, or SAMAccountName.
Learn It
As with nearly everything I write, we will be using functions. This function has one parameter, $search_user. To start, if $search_user is blank, then we have nothing to search for, and the result is $null (no matches found). If $search_user is not $null, then we continue on.
```powershell
function SearchAD($search_user) {
    if($search_user) {
```
Once we know $search_user is not $null, then we will add wildcards to the variable.
```powershell
$search_user = "*$search_user*"
```
Now we are ready to search Active Directory. For this function, we will use LDAP. Using -LDAPFilter is much faster than the default method (Get-ADUser -Filter * | Where-Object { $_.Name -eq $search_user }), because the filter is evaluated on the domain controller instead of pulling every user object across the wire and filtering it client-side.
Let's say we searched for the user John Doe. John Doe would be found by the first LDAP query. Now let's say we searched for the user JDoe. Since this is not a firstname / lastname search, the first LDAP query will return no results, at which point we move on to the SAMAccountName. JDoe's account has now been located! The lookup continues in this order: Name, then SAMAccountName, then UPN.
```powershell
$users = get-aduser -ldapfilter "(name=$search_user)"
if(!$users) { $users = get-aduser -ldapfilter "(samaccountname=$search_user)" }
if(!$users) { $users = get-aduser -ldapfilter "(userPrincipalName=$search_user)" }
```
If none of the LDAP queries return a result, then our output is going to be $null.
```powershell
if(!$users) {
    write-output $null
}
```
If we do have results, then we'll need to output those. At this point, you could pass the $users array back to whatever called the function, but in our case we are just going to write-output the information. I'll only be displaying the UPN, but you could pass back the user's Name, SAMAccountName, DN, or just about any other piece of information.
```powershell
else {
    foreach($user in $users) {
        $user.UserPrincipalName
    }
}
```
Wrap up the original if statement and the function, and you're all done.
```powershell
    }
    else {
        write-output $null
    }
}
```
Example Usage
Now that we have our function created, we can test it out! The query:
```powershell
SearchAD "John Doe"
```
The result:
```text
jdoe@domain.local
```
This is just a small sample usage. You could modify this to be part of your automation script, or a number of other uses.
I hope this is useful to you, and thank you for reading.
Script
```powershell
###############################
# LDAP Search Active Directory
# Created by Troy Ward
###############################

# Get-ADUser comes from the RSAT ActiveDirectory module
Import-Module ActiveDirectory

#Search Active Directory
function SearchAD($search_user) {
    if($search_user) {
        # Surround the term with wildcards so partial matches are found
        $search_user = "*$search_user*"
        # Try Name first, then SAMAccountName, then UPN; each is a server-side LDAP filter
        $users = get-aduser -ldapfilter "(name=$search_user)"
        if(!$users) {
            $users = get-aduser -ldapfilter "(samaccountname=$search_user)"
        }
        if(!$users) {
            $users = get-aduser -ldapfilter "(userPrincipalName=$search_user)"
        }
        if(!$users) {
            # Nothing matched any of the three attributes
            write-output $null
        }
        else {
            # Emit the UPN of every match
            foreach($user in $users) {
                $user.UserPrincipalName
            }
        }
    }
    else {
        # Empty search term: nothing to look for
        write-output $null
    }
}
```