{"id":54163,"date":"2009-03-18T21:24:00","date_gmt":"2009-03-18T21:24:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2009\/03\/18\/hey-scripting-guy-how-can-i-search-active-directory-with-windows-powershell-to-return-a-list-of-missing-groups\/"},"modified":"2009-03-18T21:24:00","modified_gmt":"2009-03-18T21:24:00","slug":"hey-scripting-guy-how-can-i-search-active-directory-with-windows-powershell-to-return-a-list-of-missing-groups","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-search-active-directory-with-windows-powershell-to-return-a-list-of-missing-groups\/","title":{"rendered":"Hey, Scripting Guy! How Can I Search Active Directory with Windows PowerShell to Return a List of Missing Groups?"},"content":{"rendered":"

\"Hey, <\/H2>\n

Hey, Scripting Guy! We created some groups that were used by our student interns. The student interns have now returned to college (yeah, it was a while ago). To be honest, I had actually forgotten about these groups, but the other day I was doing some work in Active Directory Users and Computers and I happened across one of these student intern groups. That reminded me that I had actually created several different groups for the students. Luckily, I had placed the word intern in the groups’ description property. Is there a way I can easily find all of the intern groups, so I can look at them and make a decision as to their final disposition?

– RH<\/P>\"Spacer\"\"Hey, \n

Hi RH,<\/P>\n

I am listening to “Lost Someone” by James Brown<\/A> on my Zune. It\u2019s the recording that was made live from the Apollo Theatre<\/A> back in 1963. Man, what a voice. It is easy to see why he was called the hardest working man in show business. Anyway, it seems that the song is apropos because it seems you have lost several groups. Luckily, we can use Windows PowerShell to search Active Directory and return a listing of the missing groups. <\/P>\n\n<\/THEAD>\n\n\n
\n

This week we are talking about searching Active Directory. The Active Directory Script Center Hub<\/A> has links to a number of resources related to working with Active Directory. You will also find in this section<\/A> of the Script Center Script Repository a good collection of scripts that illustrate searching Active Directory. There are several scripts in the Community-Submitted Scripts Center<\/A> that also illustrate searching Active Directory. The \u201cHey, Scripting Guy!\u201d Active Directory Archive<\/A> is also an excellent source of information for searching Active Directory. Not to be outdone, the Scripting Guide has an ADSI Scripting Primer<\/A>.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n

<\/DIV>\n

We decided to write a script named SearchGroupDescriptions.ps1<\/B>. This script connects to the default domain and finds all the groups that have a description that contains the word \u201cintern\u201d in it. A similar script written in VBScript is available in the Script Center Script Repository<\/A>. The SearchGroupDescriptions.ps1<\/B> script is seen here:<\/P>

$Filter = “(&(ObjectCategory=group)(Description=*intern *))”\n$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Filter)\n$Searcher.Findall() | \nForEach-Object `\n  -Begin { “Results of $Filter query: ” } `\n  -Process { \n                    $_.properties.item(“DistinguishedName”)\n                    $_.properties.item(“Description”)\n                    “`r”\n                   } `\n  -End { [string]$Searcher.FindAll().Count + ” $Filter results were found” }\n<\/PRE>\n
If we look in Active Directory Users and Computers, we find we have an organizational unit named Students<\/B>. In there, we find a group that has a description that contains the word \u201cintern\u201d in it. This is seen here:<\/P>\"Image \n
 <\/P>\n
Perhaps the hardest thing about searching Active Directory is configuring the appropriate search filter. If you would like some refresher information about the LDAP dialect search filter syntax, refer to yesterday\u2019s \u201cHey, Scripting Guy!\u201d article<\/A>.<\/P>\n
In our search filter, we are using two Active Directory attributes: the ObjectCategory<\/B> and the Description<\/B>. If we were to use a search filter that returned all groups, it would look like the following:<\/P>
“ObjectCategory=group”<\/PRE>\n
Of course there are lots of groups in Active Directory\u2014both those we created and those created by the system. On the other hand, if we were to look for objects that had a description that contained the word \u201cintern\u201d in them, the query would look like this one:<\/P>
“Description=*intern*”<\/PRE>\n
When we put the two together, we need to add some parentheses and an ampersand. The query now looks like the one seen here:<\/P>
“(&(ObjectCategory=group)(Description=*intern*))”<\/PRE>\n
On our computer, when we run the script with the above query, our results are not exactly what we were expecting. This is because an additional group is returned. This is one that we do not use, but it was created by the system for use by the Internet Information Services. D’oh! This is seen here:<\/P>\"Image \n
 <\/P>\n
No problem. From looking at the results seen in that image, it seems the match was the word \u201cInternet\u201d; all we need to do is to include a space after the letter “n” in the word \u201cintern\u201d. The quickly revised query is seen here:<\/P>
$Filter = “(&(ObjectCategory=group)(Description=*intern *))”<\/PRE>\n
The easiest way to search Active Directory when using Windows PowerShell 1.0 is to create an instance of the System.DirectoryServices.DirectorySearcher<\/B>. To do this we use the New-Object<\/B> cmdlet and tell it we want to create the System.DirectoryServices.DirectorySearcher<\/B> class, and we feed it the filter we arrived at from our earlier experimentation. We store the returned DirectorySearcher<\/B> object in the $Searcher<\/B> variable as seen here:<\/P>
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Filter)<\/PRE>\n
We use the FindAll<\/B> method from the DirectorySearcher<\/B> object to find everything that matches our query. We pipeline the resulting object as seen here:<\/P>
$Searcher.Findall() |<\/PRE>\n
Next we use the ForEach-Object<\/B> cmdlet to allow us to work our way through objects as they come across the pipeline. The ForEach-Object<\/B> cmdlet is documented on the Script Center. We use the back-tick line continuation character (`) because we want to line up the -Begin<\/B>, -Process<\/B>, and -End<\/B> parameters. This is seen here:<\/P>
ForEach-Object `<\/PRE>\n
The -Begin<\/B> parameter contains information that will run once for all the stuff that comes across the pipeline. We use it here to provide a bit of feedback to the user running the script. Because we display the query that is contained in the $Filter<\/B> variable, this can actually provide a bit of troubleshooting information in the case that the script returns unexpected results. This is shown here: <\/P>
-Begin { “Results of $Filter query: ” } `<\/PRE>\n
The -Process<\/B> block is executed once for each object that comes across the pipeline. In this script, it is executed once for each group that was identified as a match for our query. The -Process<\/B> block opens a set of curly brackets as seen here:<\/P>
-Process {<\/PRE>\n
Now we decide which information we want our script to return. In this script, we are interested in the DistinguishedName<\/B> attribute because it will tell us exactly where the group was found. We also want the group description so that we can ensure the match was legitimate. We also decide it would be nice to include a carriage return to separate the groups from each other. The code that prints out the two attributes is seen here:<\/P>
$_.properties.item(“DistinguishedName”)\n                    $_.properties.item(“Description”)\n                    “`r”\n                   } `\n<\/PRE>\n
Now we need to print out confirmation that the script has completed running. To do this, we use the -End<\/B> parameter of the ForEach-Object<\/B> cmdlet. We convert the number that represents the count of the items returned by the query into a string so that we can concatenate it with another string that tells us how the results were found. This is seen here:<\/P>
-End { [string]$Searcher.FindAll().Count + ” $Filter results were found” }<\/PRE>\n
The display of the matching groups is seen here:<\/P>\"Image \n
 <\/P>\n
Well, SL, this concludes our discussion about searching Active Directory for a listing of all computers in the domain. Join us tomorrow as Searching Active Directory Week continues. Until then, peace.<\/P>\n
 <\/P>\n
Ed Wilson and Craig Liebendorfer, Scripting Guys<\/B><\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! We created some groups that were used by our student interns. The student interns have now returned to college (yeah, it was a while ago). To be honest, I had actually forgotten about these groups, but the other day I was doing some work in Active Directory Users and Computers and I […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,8,45],"class_list":["post-54163","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-searching-active-directory","tag-windows-powershell"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! We created some groups that were used by our student interns. The student interns have now returned to college (yeah, it was a while ago). To be honest, I had actually forgotten about these groups, but the other day I was doing some work in Active Directory Users and Computers and I […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/54163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=54163"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/54163\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=54163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=54163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=54163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}