Query for list of objectClasses a user has

I want to retrieve a list of the objectclasses a user has been assigned. In an LDAP server like ODSEE a query for “uid=username objectclass” returns a list of the objectclasses assigned to the user.

With AD and powershell I am finding that I can only get one objectclass result returned and so far it’s always the “user” objectclass. I’ve tried a couple different methods with no success. Google is coming up empty for powershell returning multi-valued attribute values.

I’ve tried these:

Get-ADUser -Identity "username" -Properties objectClass

ObjectClass : user

Gets just one objectclass, the user actually has seven assigned.

Another multi-valued attribute, proxyAddresses, behaves as expected. If I query for it I get a list of all the values:

Get-ADObject -LDAPFilter "(uid=username)" -Properties proxyAddresses

proxyaddresses : {username@path.org, username@path.net, username@path.com}

The same results are achieved with get-aduser.

Tye


Hi Tye,

I’m not sure, I see the additional objectclass properties in AD as well and it says “Multi-valued String.” I haven’t yet found a way to do it in powershell but I would definitely expect to be able to. Hopefully someone knows and can help us both out. :slight_smile:

Doug

Well based on the information I am reading, a user’s class will always be the same and have the same inherited superclasses.

Each instance of an object class has a multi-valued objectClass property that identifies the class of which the object is an instance, as well as all structural or abstract superclasses from which that class is derived. Thus, the objectClass property of a user object would identify the top, person, organizationalPerson, and user classes. The objectClass property does not include auxiliary classes in the list. The system sets the objectClass value when the object instance is created and it cannot be changed.
TABLE 1
CN: Object-Class
Ldap-Display-Name: objectClass
Size: About 20 bytes on average.
Update Privilege: The designer of the object would set this value.
Update Frequency: This value should never change.
Attribute-Id: 2.5.4.0
System-Id-Guid: bf9679e5-0de6-11d0-a285-00aa003049e2
Syntax: String(Object-Identifier)
There is an example of pulling all of them with C++ though!

https://docs.microsoft.com/en-us/windows/win32/ad/object-class-and-object-category

https://docs.microsoft.com/en-us/windows/win32/adschema/a-objectclass

https://docs.microsoft.com/en-us/windows/win32/ad/retrieving-the-objectclass-property


Here’s one way you can get the values. I just had it output the values with nothing else, assuming you can just tack this on to your object.


I’m used to working with Oracle ODSEE LDAP (iPlanet, Sun Directory), where a query for “uid=user objectclass” returns all of the assigned objectclasses, not just the top one.

What is interesting is that an LDAP query of AD will return all of the objectclasses. I’ll have to see if there is a powershell equivalent of an LDAP query that might do it. It seems like this is more of a powershell limitation than something inherent to AD.

It seems strange that the quote states objectclass is multi-valued but that it won’t show any but structural objectclasses.

I may have to look at changing our objectclasses to structural and see how AD likes that if that is what it takes to solve this.

Did this not give you the info you wanted?

https://github.com/krzydoug/Tools/blob/master/Get-ObjectClass.ps1

If you want it to be an actual property of an object, just use this to populate that object. You shouldn’t call it objectclass because it already exists. I agree this seems like a limitation in powershell. At least in the way it outputs it. I was unable to do it in powershell, which is why I wrapped dsquery and parsed the output. I am also looking for a way to do this with an LDAP filter.
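As an added example (not code from this thread or from the linked Get-ObjectClass.ps1 script), the "PowerShell equivalent of an LDAP query" that Tye was looking for can be done without wrapping dsquery: issue the search through System.DirectoryServices, which returns every value of the multi-valued objectClass attribute rather than the single most-derived class the AD module surfaces. The function name, the parameter names and the placeholder account name 'username' are assumptions; it assumes a domain-joined machine whose caller can read the object.

```powershell
# Added example: list every objectClass value for one account via a direct
# LDAP search (System.DirectoryServices) instead of Get-ADUser.
# Assumptions: domain-joined host, read access to the object, 'username' is
# a placeholder sAMAccountName. Function and parameter names are hypothetical.
function Get-FullObjectClass {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName,

        # Search base; defaults to the current domain's default naming context.
        [string]$SearchBase = ("LDAP://" + ([adsi]"LDAP://RootDSE").defaultNamingContext)
    )

    # Escape the value so that characters special to LDAP filters in a
    # supplied account name cannot change the shape of the filter.
    $escaped = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]$SearchBase
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$escaped))"
    # Ask only for what we need; the server returns objectClass as a list.
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'objectClass'))

    $result = $searcher.FindOne()
    if (-not $result) {
        Write-Verbose "No object found for sAMAccountName '$SamAccountName'"
        return $null
    }

    # ResultPropertyValueCollection holds every value of the attribute
    # (for a user typically top, person, organizationalPerson, user).
    # Named 'ObjectClasses' rather than 'ObjectClass' to avoid clashing with
    # the single-valued property the AD module already emits.
    [pscustomobject]@{
        DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        ObjectClasses     = @($result.Properties['objectclass'] | ForEach-Object { [string]$_ })
    }
}

# Usage: print the full class chain for one account.
Get-FullObjectClass -SamAccountName 'username' | Select-Object -ExpandProperty ObjectClasses
```

Note that this still only returns what the server stores in objectClass, which, as the quoted Microsoft documentation states, is the structural class plus its abstract and structural superclasses; auxiliary classes are not included in that list, so an account with additional auxiliary classes attached will not show them here either.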