Get-LDAP Cmdlet in PowerShell
This article explores using the cmdlets in NetCmdlets to work with LDAP objects and groups. Using the Get-LDAP Cmdlet requires familiarity with the LDAP protocol itself, so it is geared toward advanced users who need to do quick LDAP operations without a lot of required coding.
The following shows how to list group membership from Active Directory (AD) or any other LDAP server:

PS>(Get-LDAP -Server testman -Credential $mycred -DN $groupdn 
-Search "objectClass=*").Member | % { 
  Get-LDAP -Server testman -Credential $mycred -DN $_ | 
  Select-Object sAMAccountName,name,description,cn,objectClass,memberOf 
}

sAMAccountName : {Domain Admins}
name           : {Domain Admins}
description    : {Designated administrators of the domain}
cn             : {Domain Admins}
objectClass    : {top, group}
memberOf       : {CN=Administrators,CN=Builtin,DC=NS2}

sAMAccountName : {Enterprise Admins}
name           : {Enterprise Admins}
description    : {Designated administrators of the enterprise}
cn             : {Enterprise Admins}
objectClass    : {top, group}
memberOf       : {CN=Administrators,CN=Builtin,DC=NS2}

sAMAccountName : {test}
name           : {test}
description    :
cn             : {test}
objectClass    : {top, person, organizationalPerson, user}
memberOf       : {CN=Administrators,CN=Builtin,DC=NS2}

sAMAccountName : {Administrator}
name           : {Administrator}
description    : {Built-in account for administering the computer/domain}
cn             : {Administrator}
objectClass    : {top, person, organizationalPerson, user}
memberOf       : {CN=Group Policy Creator Owners,CN=Users,DC=NS2, CN=Domain Admins, 
                  CN=Users,DC=NS2, CN=Enterprise Admins,CN=Users,DC=NS2,
                  CN=Schema Admins,CN=Users,DC=NS2...}

PS>

First, the command above searches for the attributes of the target group (Administrators). If you do not know the group's DN but do know its name, use the single-line query below to obtain it. Next, the command reads the group's member attribute, which is an array of member DNs. Each member DN is piped into ForEach-Object (%), which performs a second LDAP search for that member's attributes. Those attributes are piped to Select-Object, which picks out the specific fields you are interested in. Note that the output fields are arrays, to accommodate multi-valued attributes. Also, some of the "members" of the group are themselves groups; you could change the search filter to return only objectClass=person, or use Where-Object to filter the results.
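Because nested groups hide who effectively holds membership, the following added example (not code from the article or from NetCmdlets) walks a group recursively with Get-LDAP, tracks visited DNs so circular nesting cannot loop, and emits only user objects. It assumes Get-LDAP returns objects whose objectClass, member and sAMAccountName attributes are arrays, as in the output shown above, and reuses the $mycred and $groupdn variables from the article.

```powershell
# Added example: expand a group's effective (nested) user membership via Get-LDAP.
# Assumes the NetCmdlets Get-LDAP parameters used in this article (-Server,
# -Credential, -DN, -Search) and array-valued attributes on the returned objects.
function Get-LdapEffectiveMembers {
    param(
        [Parameter(Mandatory)] [string]$Server,
        [Parameter(Mandatory)] [pscredential]$Credential,
        [Parameter(Mandatory)] [string]$GroupDN,
        # Internal: DNs already processed, so A->B->A nesting cannot recurse forever
        [System.Collections.Generic.HashSet[string]]$Visited =
            [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    )

    if (-not $Visited.Add($GroupDN)) { return }   # this group was already expanded

    # Base search on the group DN returns the group object, including its member attribute
    $group = Get-LDAP -Server $Server -Credential $Credential -DN $GroupDN -Search "objectClass=*"

    foreach ($memberDN in @($group.member)) {
        if ($Visited.Contains($memberDN)) { continue }   # already reported or expanded
        $obj = Get-LDAP -Server $Server -Credential $Credential -DN $memberDN

        if (@($obj.objectClass) -contains 'group') {
            # Nested group: recurse, sharing the same visited set
            Get-LdapEffectiveMembers -Server $Server -Credential $Credential `
                -GroupDN $memberDN -Visited $Visited
        }
        elseif (@($obj.objectClass) -contains 'person') {
            $Visited.Add($memberDN) | Out-Null
            [pscustomobject]@{
                sAMAccountName    = @($obj.sAMAccountName)[0]
                name              = @($obj.name)[0]
                distinguishedName = $memberDN
                ViaGroup          = $GroupDN   # the group through which membership was reached
            }
        }
        # Other object classes (computers, contacts, foreign security principals) are skipped
    }
}

# Usage: audit who effectively belongs to the group named by $groupdn
Get-LdapEffectiveMembers -Server testman -Credential $mycred -GroupDN $groupdn |
    Format-Table sAMAccountName, ViaGroup, distinguishedName -AutoSize
```

Each user is reported once, with the group through which it was first reached, which makes unexpected paths into a privileged group (a user inherited through a deeply nested group) easy to spot.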

Here are a few useful Get-LDAP one-liners:

Get a list of all groups whose name contains "admin":

Get-LDAP -Server $server -Credential $mycred -DN $basedn `
-Search "(&(objectclass=group)(cn=*admin*))"

Get a list of all the members of a group:

Get-LDAP -Server $server -Credential $mycred -DN $groupdn -Search "objectClass=*"

Get the group DN if you know the name of the group, i.e. "Administrators":

$dn = Get-LDAP -Server testman -Credential $mycred -DN $basedn `
-Search "(&(objectclass=group)(cn=*admin*))" | Where-Object { 
  $_.name -eq "Administrators"
} | Select-Object -ExpandProperty distinguishedName

Get attributes of all the members of a particular group, as shown in action above:

(Get-LDAP -Server testman -Credential $mycred -DN $groupdn 
-Search "objectClass=*").member | % { 
  Get-LDAP -Server testman -Credential $mycred -DN $_ 
} | Select-Object sAMAccountName,name,description,cn,objectClass,memberOf