Convert Distinguished Name to Username

Hi Folks,

I am looking to retrieve the ‘ManagedBy’ information from Active Directory groups. I have got the data back but I would like to be able to have username rather than the Distinguished Name. Is there any way I can convert in this command?

If this is difficult I would even like the full Distinguished Name string returned rather than it trailing off with …

Get-ADGroup -Properties name, ManagedBy -Filter {(ObjectClass -eq "group")} -SearchBase "ou=groups,DC=company,DC=net" | select name, managedby

Dept-Payroll-C		CN=Bart Simpson,OU=Admin Roles,OU=Groups,DC=company,DC...
Dept-Sales-C		CN=Maggie Simpson,OU=Contractors,OU=User Accounts,DC=company...
Dept-Finance-R		CN=Homer Simpson,OU=Admin Roles,OU=...
Dept-Technology-F	CN=Waylon Smithers,OU=Admin Roles,OU=Groups,DC=comp...

I don’t blame you for not wanting to see the full Distinguished Name. One option, which simply isn’t necessary, would be to split the DN so that it only returns the information you want. What I’d do instead is shove a Get-ADUser lookup inside a calculated property. You’ll have to work with this and your original command so that you can run it against multiple groups. I typically work with one of something, before I run it against multiple somethings.

Get-ADGroup -Identity 'Group Name' -Properties ManagedBy | Select-Object Name,@{N='Manager';E={
            (Get-ADUser ($_.ManagedBy)).SamAccountName
        }
    }
# That ^ can be all on one line!

Some notes about your example I want to address: One, you don’t need to filter on ObjectClass when you’re using an AD cmdlet such as Get-ADGroup, Get-ADUser, Get-ADComputer, etc. These AD object-specific cmdlets are written to only return a certain type of (corresponding) AD object. Now, if you used a generic AD cmdlet, such as Get-ADObject, you’d want to filter on ObjectClass.

Two, when you use -Properties with an AD cmdlet, make sure you’re only asking to include things that aren’t included by default. You get name without asking, as it’s not an extended property. ManagedBy is an extended property and so you need to include it if you want it returned.

That’s nice Tommy. The two properties, ManagedBy, do they use the same attributes? By that I mean the get user is using the $_.ManagedBy to get the full name?

I think I understand what you’re asking me… The MangedBy property, when returned by Get-ADGroup (and possibly other AD cmdlets), is returned as a Distinguished Name (DN). So yes, this DN is being used as the value supplied to Get-ADUser’s -Identity parameter, even though the -Identity parameter wasn’t actually included. That helpful?

That’s great Tommy, thank you. Just clears it up in my head.

Thanks Tommy,

That works, I had to make a small change. I get the point about not needing to filter on group when using Get-ADGroup.

However, it appears I need to have the Filter parameter included even if it just filters on *. If omitted get prompted for it
if

Get-ADGroup -Properties ManagedBy -SearchBase "ou=security groups,DC=company,DC=com" | Select-Object Name,@{N='Manager';E={
            (Get-ADUser ($_.ManagedBy)).SamAccountName
        }
    }
cmdlet Get-ADGroup at command pipeline position 1
Supply values for the following parameters:
(Type !? for Help.)
Filter: 

The only difference in our commands are I am using -Searchbase to search an OU for groups. Your example specifies a named group.

I looked through the full help for this Get-ADGroup it doesn’t say the Searchbase parameter needs to be accompanied by Filter.

The -SearchBase parameter is an optional parameter in the Filter Parameter Set. You can tell this by reading the help: Get-Help -Name Get-ADGroup -ShowWindow. Another way to see the parameters sets is to use Show-Command, as it will create one tab per parameter set: Show-Command -Name Get-ADGroup.

In my experience, when I narrow down my search using -SearchBase I’ll often want all the computers in that OU path. If that’s the case for you, then -Filter should be set to *, such as Get-ADGroup -Filter * -Properties ManagedBy -SearchBase …. Really, all you need to do to your command is add the -Filter * portion. This is mandatory; that’s why it’s prompting for it.

Somehow it is also the idea that I wanted to try, but, maybe a few changes needs to be made. My only concern is that, will they allow me to change some details that I will let the third party work for it, like this one http://eatmywords.com/.