-SearchScope Base broken?

michael-hammond · June 3, 2015, 4:17pm

[blockquote]Get-ADUser -SearchScope Base -SearchBase “OU=Test,DC=TestDomain,DC=com” -filter *[/blockquote]

This returns no results at all, even though there are users in the Test OU.
Is that a bug, or designed behavior? The helpfile seems to intimate that this should work. OneLevel should look in the Sub-OUs of Test, SubTree digs all the way down. But Base is supposed to interrogate the top-level item. It seems broken to me. True?

system · June 3, 2015, 4:48pm

The base value for -SearchScope is used to verify if the base exists, not to report on any of the child objects, such as is done with onelevel and subtree. Try your command above two different ways: one with a valid -SearchBase value and one without. The one without will error (the base doesn’t exist), and the one with a valid DN will not error, since the value for -SearchBase was accurate. I get it’s odd when working with Get-ADUser, but it’s there to validate the base, that’s it. Honestly, I’ve never seen it used, while seen the other two values used quite often.

michael-hammond · June 3, 2015, 10:54pm

Okay, so let me ask a more useful question.

Is there a right way to use Get-ADUser to retrieve the list of users found in one specific OU, but not in that OU’s child OUs?

peter-jurgens-2 · June 3, 2015, 11:24pm

The help for get-aduser shows that the searchacope parameter accepts 3 values: Base, onelevel and subtree. Therefor to answer your question, instead of base, use onelevel for the searchscope parameter in your command to get the desired results.

https://technet.microsoft.com/en-us/library/ee617241.aspx

SearchScope

Specifies the scope of an Active Directory search. Possible values for this parameter are:
Base or 0
OneLevel or 1
Subtree or 2

A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object.

michael-hammond · June 3, 2015, 11:36pm

Okay - the light bulb is finally going on for me.

I read “A OneLevel query searches the immediate children of that path or object.” and assumed that meant it was searching only the direct Child OUs of the searchbase OU. Given a set of three OUs, with OU1 having OU2 and OU3 as direct children, I mistakenly assumed a OneLevel search was scanning one level below OU1 - in other words, inventorying the contents of OU2 and OU3, but not OU1 itself.

I’m finally seeing that OneLevel means to search the contents of the base, while Base means to search for the base object itself. It’s weird, but it’s got a beat, and I can dance to it.

Thanks for helping me see the light!

dan-potter1 · June 4, 2015, 12:42am

Base = Singleobject

Get-ADUser -SearchBase $userdn -SearchScope Base -Filter *

dan-potter1 · June 4, 2015, 12:45am

Alternatively. Get-ADobject -SearchBase $ou -SearchScope Base -Filter *

Topic		Replies	Views
Powershell - Get-ADUser -Searchbase - Filtering by OU not working HELP! PowerShell Help	7	815	March 25, 2022
Get-ADOrganizationalUnit Subtree PowerShell Help	8	168	April 28, 2020
Why does this produce results? PowerShell Help	4	174	May 17, 2018
Searching through AD OU Units PowerShell Help	1	164	February 26, 2017
Getting AD output that shows a users first and last name and department :) PowerShell Help	5	175	December 17, 2014

-SearchScope Base broken?

Related Topics