Need to correlate Container (samAccountNames) names to actual AD Users

I have run a report against a Container (PowerBroker/Likewise) that contains other containers that are clearly based on AD samAccountNames, but since there are 24,000 of them, I want to pipe these names into a script that will find them in AD and return a select set of properties (full name, DN, whatever)

My working one-liner:

Get-ADObject -filter * -SearchBase  ‘CN=Users,CN=$LikewiseIdentityCell,OU=SERVERS,DC=domain,DC=company,DC=com’ `
-Properties * | select name | ??

Is it possible to pipe the results and “correlate” against AD user objects in this same domain?

If you do a Select -Expand Name, and the name is in fact a samAccountName, you should be able to pipe it to Get-ADUser. But that’ll just get the user objects. I’m not sure what you mean by “correlate.”

Don This totally works thanks!

I’ve worked it up this far now:

Get-ADObject -filter * -SearchBase  'CN=Users,CN=$LikewiseIdentityCell,OU=SERVERS,DC=Domain,DC=company,DC=com' `
-Properties * | select -ExpandProperty name | Get-ADUser -Properties * |
select DistinguishedName,samAccountName,memberOf |fl

…and my results:

DistinguishedName : CN=Clucker Hutch,OU=Infra,OU=Users,OU=Online,DC=Domain,DC=Company,DC=com
samAccountName    : CHutch
memberOf          : {CN=ENGRS,OU=PROD,OU=Online,DC=Domain,DC=Company,DC=com, 
                    CN=ACS_U,OU=ACS_GROUPS,OU=PRODGROUPS,OU=Online,DC=Domain,DC=Company,DC=com, CN=Inf,OU=Sec,DC=Domain,DC=Company,DC=com...}

…but would like to EXPAND the memberOf groups, while not losing the DistinguishedName,samAccountName select in the process

No need to use get-adobject if you’re just piping the results to get-aduser anyway. -filter and -searchbase are available on get-aduser as well and can be used in the same way as you’ve done. Also DN and name are included by default in the output from get-aduser so no need to use -properties *, in fact this will significantly slow down the execution of the command. Instead explicitly name properties that you want returned that aren’t already included by default.

Regarding the memberof attribute, since this is a multi-valued attribute it’s returned as a collection. How do you want it looking in your output?


let me try get-AdUser alone then (but the names came from the names of these containers that are based on usernames)

output I want DistinguishedName,samAccountName, and all the groups they are memberOf in a csv

TESTED: Need Get-ADobject first per my original one liner.

I did per your suggestion, optimize a bit here:

Get-ADObject -filter * -SearchBase  ‘CN=Users,CN=$LikewiseIdentityCell,OU=SERVERS,DC=Domain,DC=company,DC=com’ `
-Properties * | select -ExpandProperty name | Get-ADUser -Properties memberOf |
select DistinguishedName,samAccountName,memberOf |fl

…however, I still need the output of the memberOf’s

Getting reasonable output for MemberOf in a CSV is a bit of work and problematic if any of the groups are outside of the domain. If you are happy just getting the DNs, you can do this:

select DistinguishedName,samAccountName,@{name="MemberOf"; Expression={$_.MemberOf -join "|"}}

If you want names, you need to break the command up and create the MemberOf string by looking up the groups to get the groups samaccountname, and then join those into a string.

Awesome Ron thank you. I think the SOX folks will be fine with this. Couple of followup questions.

<li>Why does the memberOf property represent a bigger challenge to the select. Is it because of it being multi-valued?</li>

<li>Where can I study the theory behind this kind of named expression to pull out the DN as you did here?</li>

I have all of Dons and Manning press books (but read very slowly) :slight_smile:

The bulk of my PS knowledge came from the university of Google.

Yes, attributes with multiple values do know fit well it a flat file format.

I wanted more info from the get-ADuser portion of script and tried this:

Get-ADObject -filter * -SearchBase  'CN=Users,CN=$LikewiseIdentityCell,OU=SERVERS,DC=DOMAIN,DC=Company,DC=com' `
-Properties * | select -ExpandProperty name | Get-ADUser -Properties memberOf |
select DistinguishedName,samAccountName,displayname,cn,whencreated,whenchanged,enabled,passwordlastset,`
    passwordneverexpires,lockedout,cannotchangepassword, `
    passwordnotrequired,@{name="MemberOf"; Expression={$_.MemberOf -join "|"}} |
    Export-Csv .\AllUsers_v2 -NoTypeInformation

I get the previous (3) properties but not my added ones. How can I get all please?

thank you

CSV just isn’t designed to hold multi-valued properties like that.

You aren’t retrieving those extra properties, only memberof plus the basic properties always returned.

“Get-ADUser -Properties memberOf”

Try this:

> get-aduser “(yourID)” | fl *

You should get about 10 properties by default. If you want more, you have to add them with the -properties parameter, just as we added MemberOf above. So, change that section to be more like this:

“Get-ADUser -Properties memberOf,displayname,cn,whencreated,…”

You can specify all “-properties *”, but that will slow things down and chew up a lot of memory, bandwidth, etc in a large AD.

feeling dumb…I knew that and missed it. Sorry for the unnecessary ask. Working now and thanks again for the second set of eyeballs.