Active Directory - Search for a particular value in name of MEMBER OF

In Active Directory, Would like to look at all users in one particular OU,

Look at value in: MEMBER OF,

Get all members that contain “Something” in value in name of MEMBER OF

then show user’s name and the value in name of MEMBER OF.

I know I would use like this:

-searchbase “OU=Somethingx,OU=Something,OU=Something,DC=Something,DC=Something,DC=net”

I am pretty green at this, I am studying several books.

Then, later I want to search several OUs and the output would show OU, Name of user, Name & whole value in name of MEMBER OF which contains “Something”

I think I would use this? Get-ADGroupMember

Thanks, This would be useful for us here at work.

MemberOf is a property of a user, so you need to specify that you want that when performing the query. Once you have the user information including MemberOf, then you can just filter the array:

$users = Get-ADUser -Filter * -searchbase "OU=Somethingx,OU=Something,OU=Something,DC=Something,DC=Something,DC=net" -Properties MemberOf |
Where-Object -FilterScript {$_.MemberOf -like '*Something*'}

Ideally, you want to filter left, meaning that rather than returning all users with Filter * and then filtering, it’s better to filter to only get what you want from Get-ADUser. Per Richard Meuller on this forum:

You cannot use a wildcard in a filter with any DN syntax attribute, like memberOf, member, or distinguishedName. You can only use the -eq and -ne operators with DN syntax attributes. The only workaround is to pipe to a Where clause.

But that is only the -Filter param with that limitation, I think that you can also use the LDAP filter to only return what you want like so:

$params = @{
    LDAPFilter = '(&(objectClass=user)(memberOf=cn=Something,ou=Groups,o=<org>,DC=Something,DC=Something,DC=net))'
    SearchBase = "OU=Somethingx,OU=Something,OU=Something,DC=Something,DC=Something,DC=net"
    Properties = 'MemberOf'
}

$users = Get-ADUser @params

Do not have AD in front of me at the moment, but should be close.
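
Added example, not part of the original posts: one way to filter left despite the wildcard restriction on memberOf, by resolving the matching groups to exact DNs first, and then producing the OU / user / matching-group report asked for in the question. It assumes the ActiveDirectory module is available; the OU DN is the thread's placeholder, and `$searchBases`, `$pattern` and `ConvertTo-LdapFilterValue` are hypothetical names chosen for this sketch.

```powershell
Import-Module ActiveDirectory

# Placeholder search bases from the thread; replace with real OU DNs (assumption).
$searchBases = @(
    'OU=Somethingx,OU=Something,OU=Something,DC=Something,DC=Something,DC=net'
)
$pattern = '*Something*'   # wildcard applied to the group Name, not to the DN

# Escape characters that are special inside an LDAP filter value (RFC 4515).
# Backslash is replaced first so the other escapes are not escaped twice.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# Step 1: wildcards are allowed on Name, so resolve matching groups to exact DNs.
$groups = @(Get-ADGroup -Filter "Name -like '$pattern'")
if ($groups.Count -eq 0) {
    Write-Warning "No groups match $pattern"
    return
}
$groupDns = $groups.DistinguishedName

# Step 2: one exact-match memberOf clause per group, OR-ed together.
$clauses = $groups | ForEach-Object {
    "(memberOf=$(ConvertTo-LdapFilterValue $_.DistinguishedName))"
}
$ldapFilter = "(&(objectCategory=person)(objectClass=user)(|$(-join $clauses)))"

# Step 3: query each OU with the server-side filter, then emit one row per
# matching membership so the report shows the whole group DN.
$report = foreach ($base in $searchBases) {
    Get-ADUser -LDAPFilter $ldapFilter -SearchBase $base -Properties MemberOf |
        ForEach-Object {
            $user = $_
            foreach ($dn in ($user.MemberOf | Where-Object { $groupDns -contains $_ })) {
                [PSCustomObject]@{
                    OU      = $base        # the search base the user was found under
                    Name    = $user.Name
                    GroupDN = $dn
                }
            }
        }
}

$report | Sort-Object OU, Name | Format-Table -AutoSize
```

memberOf lists direct memberships only and does not include the user's primary group, so a membership review built on it will not show nested or primary-group access.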

Rob Simmers,

In the book I am studying very hard, Learn PowerShell In a Month of Lunches, Don Jones says to Filter Left, yes. And I know enough from page 114 in his book to recognize a hash table and script block. But I had to go to his PowerShell in Depth book to really understand a hash table and script block.

I am not sure how all the above fits together but I will work with it . This looks good, I am encouraged. I will try this tonight and let you know how it is going.

Many Thanks,

The second example is splatting:

Rob Simmers,

I have tried it. And I am studying Where-Object -FilterScript. Where-Object help says: Selects objects from a collection based on their property values.

Is this what allows more than one object in MEMBEROF to be examined by PowerShell? Is this the proper terminology: All the objects’ property values of MEMBEROF?

The command’s result is that MemberOf is added to the usual Properties shown. And it shows the values on some of them. For some of the values, it only shows a location! Don’t know why yet. It may be that the value for the Group is not in the OU specified in the filtering.

I have only studied splatting a little, I must go study it thoroughly. And LDAP is a mystery to me but I will study it.

It does select only the users that have that value in MEMBEROF. I have compared the results by looking at the GUI in Active Directory. This is great.

I will show you as soon as I learn how to paste code in here properly.

There is a lot to learn. Think of a basic object as an array of hashtables (it is more complex than this, but for simplistic visuals):

#Create Array
$object = @()
#Add objects to the array
$object += [PSCustomObject]@{
    Name  = 'Sam'
    Hobby = 'Swimming'
}
$object += [PSCustomObject]@{
    Name  = 'Alice'
    Hobby = 'Volleyball'
}

There is an array called object, we are adding a hash table. A hash table has unique keys, so for instance you cannot have two Name keys in the same hashtable. We want to collect information on multiple things usually, users, computers, etc., so we have a PSObject that allows us to have an array of hashtables. The above example is flat, one key with one value. There are two keys to filter on, Name and Hobby and then there are comparison operators (-eq, -like, -ne, etc.) and logical operators (-and, -or, etc.). This allows you to search with Where-Object to find exactly what you are looking for:

#Find a hashtable in the array that has a key Hobby that equals Volleyball
$object | Where-Object -FilterScript {$_.Hobby -eq 'VolleyBall'}
#Find a hashtable in the array that has a key Hobby that equals Swimming and Name is like <anything>a<anything>
$object | Where-Object -FilterScript {$_.Hobby -eq 'Swimming' -and $_.Name -like '*a*'}

When you get into things like MemberOf, that is a multi-value attribute (there are several AD Properties like otherMail that are multi-value), which is an array typically. So, our folks above have more than one hobby just like someone has more than one AD Group:

#Create Array
$object = @()
#Add objects to the array
$object += [PSCustomObject]@{
    Name  = 'Sam'
    Hobby = 'Swimming', 'BasketBall','Dancing'
}
$object += [PSCustomObject]@{
    Name  = 'Alice'
    Hobby = 'Volleyball', 'Coding','Chess'
}

This allows you to use the same operators as above to filter results. This of course can get more complicated with objects nested in objects, but it’s important to understand the basic structure of data to ensure you are filtering correctly. The Hobby values are now surrounded by curly brackets to indicate an array:

Name  Hobby
----  -----
Sam   {Swimming, BasketBall, Dancing}
Alice {Volleyball, Coding, Chess}

But PowerShell makes it easy to use the same filters:

$object | Where-Object -FilterScript {$_.Hobby -eq 'VolleyBall'}
$object | Where-Object -FilterScript {$_.Hobby -like '*c*'}

Rob Simmers,

Yes, indeed, there is a lot to learn. I am busy today at work. I will reply more later. Many thanks, Rob.

Rob Simmers,

Suddenly, I am working 12 hour days at work. I will have to go over your replies at a later time. You got me started. I appreciate it. I have been experimenting and learning from what you showed me. I need to study more so I can be fluent. I know the syntax and how to use help. But lots of the help and other explanatory texts from books are difficult because it is so foreign to me. Hash Tables were a big mystery, I studied hash tables for several days and it was very rewarding when the light bulb finally came on. The light bulb still hasn’t come on about Objects. Don Jones says it is a Row. I have read from many sources and I know I will get it. I will keep after it. I will follow up later.