LDAP Searches
```powershell
#gets connection to domain controller of your own domain on port 389 with your current credentials
$Ldap = Get-LdapConnection
#gets RootDSE object
$Dse = $Ldap | Get-RootDSE
#perform the search
#Binary properties must be explicitly flagged, otherwise we try to load them as string
Find-LdapObject -LdapConnection $Ldap `
-SearchFilter:"(&(cn=jsmith)(objectClass=user)(objectCategory=organizationalPerson))" `
-SearchBase:"ou=Users,$($Dse.defaultNamingContext)" `
-PropertiesToLoad:@("sAMAccountName","objectSid") `
-BinaryProps:@("objectSid")
```

Sample below shows how to search for deleted objects in an AD domain; it lists deleted computer objects in the domain.
```powershell
$Ldap = Get-LdapConnection
$Dse = $Ldap | Get-RootDSE
#create necessary directory control
$ctrl = new-object System.DirectoryServices.Protocols.ShowDeletedControl
#use the control when searching
#Note: TRUE in isDeleted condition is case sensitive!
Find-LdapObject `
-LdapConnection $Ldap `
-searchFilter '(&(objectClass=computer)(isDeleted=TRUE))' `
-searchBase $Dse.defaultNamingContext `
-AdditionalControls $ctrl
```

Important: Make sure you have appropriate permissions on the cn=Deleted Objects container. By default, permissions on this container are restricted. Typically, you need Read property and List permissions to be able to search for deleted objects.
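The samples above interpolate a fixed cn into the filter string. If that value comes from user input (a web form, a ticket field), an unescaped `*` or `)` changes the meaning of the filter: `cn=*)(objectClass=*` matches every user in the OU instead of one account. The following is an added example, not code from the S.DS.P module or this wiki; the `ConvertTo-LdapFilterValue` helper is hypothetical and applies the RFC 4515 escaping rules before the value is placed in the filter. It also shows what to do with the objectSid bytes that `-BinaryProps` gives you.

```powershell
# Added example, not part of the S.DS.P module: escape untrusted input before
# placing it in an LDAP filter (RFC 4515 section 3), then run the search.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Backslash must be escaped first, otherwise the \XX sequences added
    # for the other characters would themselves be re-escaped.
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace "`0", '\00'
}

# Constructed attacker input: tries to close the cn assertion and match everything.
$untrusted = '*)(objectClass=*'
$safeCn = ConvertTo-LdapFilterValue $untrusted
# $safeCn is now '\2a\29\28objectClass=\2a', which only matches an account
# literally named that way; the filter structure is no longer under the caller's control.

$Ldap = Get-LdapConnection
$Dse  = $Ldap | Get-RootDSE

$users = Find-LdapObject -LdapConnection $Ldap `
    -SearchFilter "(&(cn=$safeCn)(objectClass=user)(objectCategory=organizationalPerson))" `
    -SearchBase "ou=Users,$($Dse.defaultNamingContext)" `
    -PropertiesToLoad @('sAMAccountName','objectSid') `
    -BinaryProps @('objectSid')

foreach ($u in $users) {
    # objectSid was flagged in -BinaryProps, so it arrives as bytes rather than a
    # mangled string. Assumption: a single-valued binary property comes back as
    # byte[]; the check below also copes with it being wrapped in a one-element array.
    $sidBytes = $u.objectSid
    if ($sidBytes -isnot [byte[]]) { $sidBytes = [byte[]]$sidBytes[0] }
    $sid = [System.Security.Principal.SecurityIdentifier]::new($sidBytes, 0)
    [pscustomobject]@{ sAMAccountName = $u.sAMAccountName; Sid = $sid.Value }
}
```

Escaping the value is enough for an assertion value inside a filter; it is not the right tool for a value that ends up in a distinguished name (a search base built from input), which has its own escaping rules in RFC 4514.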
By default, since module version 2.1.1, objects are loaded from the LDAP store via a single search request (the RangeSize default value is -1; see below for details). This may be impractical for certain scenarios (e.g. some properties are returned only when searchBase is the object itself, or multivalued properties have more values than the query policy allows to be retrieved in a single search request). For such cases, the RangeSize parameter allows you to specify the search behavior.

Prior to module version 2.1.1, the default for RangeSize was 1000.

- RangeSize = -1 performs a fast search returning requested attributes via a single search
- RangeSize = 0 performs a search for objects and then loads properties of returned objects via a dedicated search with searchBase set to the object's distinguishedName
- RangeSize > 0 performs a search for objects and then loads each property of each object via a dedicated search with searchBase set to the object's distinguishedName; for multivalued properties it loads [RangeSize] values per request, allowing it to overcome the query policy (MaxValRange) and load the complete list of values

RangeSize > -1 increases the number of requests sent to the LDAP server and decreases performance, but can help when you have specific needs.

Note: Some properties are not returned unless you explicitly ask for them, so don't be surprised...
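To see the difference between the modes, the following added example (not from the module's wiki or its own code) reads the member attribute of a large group twice: once in single-request mode, where the domain controller returns at most MaxValRange values (1500 on a default domain) of a multivalued attribute, and once with RangeSize 1000, where the module fetches the remaining values in ranged follow-up requests. The group name cn=All-Staff and its size are assumptions; substitute a group in your own domain.

```powershell
# Added example (not from the S.DS.P module or this wiki). Assumes a group
# "All-Staff" with more than 1500 members exists in your domain.
$Ldap = Get-LdapConnection
$Dse  = $Ldap | Get-RootDSE

function Get-GroupMemberCount {
    param(
        [Parameter(Mandatory)][string]$GroupCn,
        [Parameter(Mandatory)][int]$RangeSize
    )
    # $Ldap and $Dse are read from the caller's scope
    $group = Find-LdapObject -LdapConnection $Ldap `
        -SearchFilter "(&(objectClass=group)(cn=$GroupCn))" `
        -SearchBase $Dse.defaultNamingContext `
        -PropertiesToLoad @('member') `
        -RangeSize $RangeSize
    # @() makes the count stable whether member is missing, one DN or many
    @($group.member).Count
}

# -1: one search request; the DC caps a multivalued attribute at MaxValRange values
$single = Get-GroupMemberCount -GroupCn 'All-Staff' -RangeSize -1
# 1000: one request per object plus ranged requests of 1000 values until exhausted
$ranged = Get-GroupMemberCount -GroupCn 'All-Staff' -RangeSize 1000

"single request : {0} members" -f $single
"ranged (1000)  : {0} members" -f $ranged
if ($ranged -gt $single) {
    "member was truncated by the query policy; use RangeSize > 0 for this group"
}
```

The ranged mode costs extra round trips for every object and property, so use it for the specific search that needs complete multivalued data (group membership, large manager/directReports trees) rather than as a global default.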
```powershell
#gets connection to domain controller of your own domain
#on port 389 with your current credentials
$Ldap = Get-LdapConnection
#gets RootDSE object
$Dse = $Ldap | Get-RootDSE
#perform the search
#Note: Binary properties must be explicitly flagged,
# otherwise we try to load them as string
Find-LdapObject -LdapConnection $Ldap `
-SearchFilter:"(&(cn=a*)(objectClass=user)(objectCategory=organizationalPerson))" `
-SearchBase:"ou=Users,$($Dse.defaultNamingContext)" `
-RangeSize -1 `
-PropertiesToLoad '*'
```

Sample below runs the search against the Global Catalog instead of a domain controller's own naming context. Note that only attributes in the partial attribute set are replicated to the Global Catalog, so not every property is available there.

```powershell
#gets connection to domain controller of your own domain
#on port 3268 (Global Catalog) with your current credentials
$Ldap = Get-LdapConnection -Port 3268
#perform the search in GC
# for GC searches, you don't have to specify search base if you want to search entire forest
Find-LdapObject -LdapConnection $Ldap `
-SearchFilter:"(&(cn=jsmith)(objectClass=user)(objectCategory=organizationalPerson))" `
-PropertiesToLoad:@("sAMAccountName","objectSid") `
-BinaryProps:@("objectSid")
```

Module supports incremental processing of changed objects via dirsync. Pattern is as follows:
- perform initial sync
- store dirsync cookie for next run
- at the beginning of next run, retrieve stored cookie
- use the cookie to tell the server about last checkpoint and perform the search
- server returns changes since cookie
- retrieve updated cookie and store it for next run

Note: More about dirsync: MS-ADTS - LDAP_SERVER_DIRSYNC_OID. The dirsync control requires the Replicating Directory Changes (DS-Replication-Get-Changes) permission on the naming context being searched, and the search base must be the root of that naming context.
```powershell
#connection is kept in a variable and passed explicitly to the commands below
$Ldap = Get-LdapConnection -LdapServer "mydc.mydomain.com"
$cookieFile = ".\storedCookieFromPreviousIteration.txt"
$dse = $Ldap | Get-RootDSE
#get cookie from previous run, if there's any
if(Test-Path -Path $cookieFile)
{
    $cookie = Get-Content $cookieFile -Raw
    $cookie | Set-LdapDirSyncCookie
}
#get updates since last cookie
$dirUpdates=Find-LdapObject `
    -LdapConnection $Ldap `
    -SearchBase $dse.defaultNamingContext `
    -searchFilter '(objectClass=group)' `
    -PropertiesToLoad 'member' `
    -DirSync StandardIncremental
#process updates
foreach($record in $dirUpdates)
{
    #...
}
#get updated cookie and store it for next run
$cookie = Get-LdapDirSyncCookie
$cookie | Set-Content $cookieFile
```