-SearchScope Base broken?

[blockquote]Get-ADUser -SearchScope Base -SearchBase "OU=Test,DC=TestDomain,DC=com" -filter *[/blockquote]

This returns no results at all, even though there are users in the Test OU.
Is that a bug, or designed behavior? The help file seems to intimate that this should work. OneLevel should look in the Sub-OUs of Test, SubTree digs all the way down. But Base is supposed to interrogate the top-level item. It seems broken to me. True?

The Base value for -SearchScope is used to verify if the base exists, not to report on any of the child objects, such as is done with OneLevel and Subtree. Try your command above two different ways: one with a valid -SearchBase value and one without. The one without will error (the base doesn’t exist), and the one with a valid DN will not error, since the value for -SearchBase was accurate. I get it’s odd when working with Get-ADUser, but it’s there to validate the base, that’s it. Honestly, I’ve never seen it used, while I’ve seen the other two values used quite often.

Okay, so let me ask a more useful question.

Is there a right way to use Get-ADUser to retrieve the list of users found in one specific OU, but not in that OU’s child OUs?

The help for Get-ADUser shows that the SearchScope parameter accepts 3 values: Base, OneLevel and Subtree. Therefore, to answer your question, instead of Base, use OneLevel for the SearchScope parameter in your command to get the desired results.

https://technet.microsoft.com/en-us/library/ee617241.aspx

SearchScope

Specifies the scope of an Active Directory search. Possible values for this parameter are:
Base or 0
OneLevel or 1
Subtree or 2

A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object.

Okay - the light bulb is finally going on for me.

I read “A OneLevel query searches the immediate children of that path or object.” and assumed that meant it was searching only the direct Child OUs of the searchbase OU. Given a set of three OUs, with OU1 having OU2 and OU3 as direct children, I mistakenly assumed a OneLevel search was scanning one level below OU1 - in other words, inventorying the contents of OU2 and OU3, but not OU1 itself.

I’m finally seeing that OneLevel means to search the contents of the base, while Base means to search for the base object itself. It’s weird, but it’s got a beat, and I can dance to it.

Thanks for helping me see the light!

Base = single object

Get-ADUser -SearchBase $userdn -SearchScope Base -Filter *

Alternatively: Get-ADObject -SearchBase $ou -SearchScope Base -Filter *
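
The three scopes discussed in this thread, run side by side against one OU, as an added example that is not part of any poster's reply. The function name `Compare-ADUserSearchScope` is hypothetical, the DN is the one from the first post, and the code assumes the ActiveDirectory module and a reachable domain.

```powershell
#Requires -Modules ActiveDirectory

function Compare-ADUserSearchScope {   # hypothetical helper name, not a built-in cmdlet
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SearchBase            # DN of the OU to inspect
    )

    # Base scope considers only the object named by -SearchBase.
    # Get-ADObject returns that object (the OU); a bad DN makes this call throw.
    $baseObject = Get-ADObject -SearchBase $SearchBase -SearchScope Base -Filter * -ErrorAction Stop

    # Get-ADUser returns only user objects, so Base against an OU comes back empty.
    $base     = @(Get-ADUser -SearchBase $SearchBase -SearchScope Base     -Filter *)
    # OneLevel: users that sit directly in the OU, child OUs excluded.
    $direct   = @(Get-ADUser -SearchBase $SearchBase -SearchScope OneLevel -Filter *)
    # Subtree: users in the OU and in every OU beneath it.
    $subtree  = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree  -Filter *)

    # Users that Subtree finds but OneLevel does not live in child OUs.
    $directDns = $direct.DistinguishedName
    $nested    = @($subtree | Where-Object { $_.DistinguishedName -notin $directDns })

    [pscustomobject]@{
        BaseObjectClass = $baseObject.ObjectClass
        BaseUserCount   = $base.Count
        DirectUsers     = $direct.SamAccountName
        NestedUsers     = $nested.SamAccountName
        SubtreeCount    = $subtree.Count
    }
}

# DN taken from the first post in the thread.
Compare-ADUserSearchScope -SearchBase 'OU=Test,DC=TestDomain,DC=com' | Format-List
```

`DirectUsers` is the list asked for earlier in the thread (users in one OU but not its child OUs); `NestedUsers` shows what a default Subtree search would have added on top.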