Active Directory UDF - GetObjectsInOU
This page is still a work in progress.
The function _AD_GetObjectsInOU is the swiss army knife of the Active Directory UDF.
It lets you search for any criteria you specify and returns whichever properties you want.
Parameters
The following parameters define what is searched for and what properties are returned by the function:
- $sAD_OU
  - The Active Directory container where the search begins.
- $sAD_Filter
  - The LDAP filter defines what to search for. More details can be found in the next section.
- $iAD_SearchScope
  - Defines the search scope. The following scopes are supported:
    - Base:
      - Only the so-called "base" object is searched (that is, the Active Directory container where you begin your search, as defined by $sAD_OU); child containers are not searched. The base search is useful when you want to pull out information for a single OU (for example, a list of all the user accounts in the Finance OU).
      - Set the parameter to 0 to use this constraint.
    - One Level:
      - A one-level search is restricted to the immediate children of the base object and excludes the base object itself. A one-level search can be used to enumerate all children of an object.
      - Set the parameter to 1 to use this constraint.
    - Subtree:
      - The entire subtree is searched: that includes the base container, all sub-containers and any containers contained within those sub-containers. A subtree search is normally used to search for objects across a given scope, for example all users whose accounts will expire in 30 days or less.
      - Set the parameter to 2 to use this constraint. This is the default value.
  - For more information please check this site [1].
- $sAD_DataToRetrieve
  - A comma-separated list of properties to be returned for each object that matches the search criteria.
- $sAD_SortBy
  - A single property the resulting records will be sorted by. This has to be one of the properties specified in $sAD_DataToRetrieve.
LDAP filter
The best description of how to create an LDAP filter can be found here [2].
Remarks
- Multi-value attributes are returned as a single string with the pipe character (|) as separator.
- To make sure that all properties you specify in $sAD_DataToRetrieve exist in the AD schema, you can use _AD_ObjectExistsInSchema.
- This function returns the selected properties "as is". To "decode" properties that are not returned in readable form, use the function _AD_GetObjectProperties.
- If you need a single property of a single object, you can use the function _AD_GetObjectAttribute.
Examples
List all Group Policies
$aObjects = _AD_GetObjectsInOU("", "(objectClass=groupPolicyContainer)", 2, "displayName,gPCFileSysPath")
Users that never logged on before
$aObjects = _AD_GetObjectsInOU("", "(&(&(objectCategory=person)(objectClass=user))(|(lastLogon=0)(!(lastLogon=*))))", 2, "sAMAccountName,distinguishedName,displayname")
Users that must change their password the next time they log on
$aObjects = _AD_GetObjectsInOU("", "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))", 2, "sAMAccountName,distinguishedName,displayname")
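As an added example that is not part of the UDF's documentation, the script below combines the "never logged on" filter above with a check that the account is still enabled, and shows how to consume the returned array, including a pipe-separated multi-value attribute (memberOf). It assumes the UDF's _AD_Open() and _AD_Close() connect to the current domain with the caller's credentials, and that element [0][0] of the returned two-dimensional array holds the record count; the userAccountControl clause uses the standard LDAP bitwise AND matching rule, which is not mentioned on this page.

```autoit
; Added example (not part of the UDF's documentation): report enabled user accounts
; that have never logged on, with their group memberships, for a stale-account review.
#include <AD.au3>

Func _ReportNeverLoggedOnUsers()
    ; Connect to the current domain with the credentials of the running user (assumption)
    _AD_Open()
    If @error Then Return SetError(1, @error, 0)

    ; Filter: user objects that are not disabled (userAccountControl bit 2 clear,
    ; tested with the LDAP bitwise AND matching rule) and have no lastLogon value.
    ; Scope 2 = subtree; "" as $sAD_OU starts at the domain root.
    Local $sFilter = "(&(objectCategory=person)(objectClass=user)" & _
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" & _
            "(|(lastLogon=0)(!(lastLogon=*))))"
    Local $aObjects = _AD_GetObjectsInOU("", $sFilter, 2, "sAMAccountName,whenCreated,memberOf", "sAMAccountName")
    If @error Then
        Local $iErr = @error
        _AD_Close()
        Return SetError(2, $iErr, 0)
    EndIf

    ; With more than one property the result is a 2D array; [0][0] holds the record count (assumption)
    For $i = 1 To $aObjects[0][0]
        ; memberOf is multi-valued and comes back as one string joined with "|"
        Local $aGroups = StringSplit($aObjects[$i][2], "|")
        If $aObjects[$i][2] = "" Then $aGroups[0] = 0 ; StringSplit("") yields one empty element
        ConsoleWrite($aObjects[$i][0] & @TAB & "created " & $aObjects[$i][1] & @TAB & $aGroups[0] & " group(s)" & @CRLF)
        For $j = 1 To $aGroups[0]
            ConsoleWrite(@TAB & $aGroups[$j] & @CRLF)
        Next
    Next

    _AD_Close()
    Return $aObjects[0][0]
EndFunc

Local $iCount = _ReportNeverLoggedOnUsers()
If @error Then
    ConsoleWrite("AD query failed, @error = " & @error & ", @extended = " & @extended & @CRLF)
Else
    ConsoleWrite($iCount & " account(s) found" & @CRLF)
EndIf
```

Note that lastLogon is not replicated between domain controllers, so an account that authenticated against a different DC can still match this filter; the replicated (but less precise) attribute is lastLogonTimestamp.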