Jere's Techblog

Query big ADObject / Containers

The PowerShell Active Directory module has restrictions when it comes to querying large objects; these can be bypassed with an ADSI query.

Here is an example of how to read such a group via ADSI and iterate over its users:

#by J.Kühnis 13.03.2019
#example ADSI Query Powershell
$BigGroup = "someADGroupName"
$ADGroup1 = "someADGroup1"
$ADGroup2 = "someADGroup2"

$groupname = $BigGroup
$groupdsn = (Get-ADGroup $groupname).DistinguishedName
# Bind to the group through ADSI; the "Members" invoke is not subject to the AD module's result limits
$group = [adsi]"LDAP://$groupdsn"
$groupmembers = $group.psbase.Invoke("Members") | ForEach-Object { $_.GetType().InvokeMember("SamAccountName", 'GetProperty', $null, $_, $null) }

$groupmembers | ForEach-Object {
    # names of all groups the user is a direct member of
    $usradgroups = Get-ADUser -Identity $_ -Properties MemberOf | Select-Object -ExpandProperty MemberOf | Get-ADGroup -Properties name | Select-Object name
    if ($usradgroups.name -notcontains $ADGroup1 -and $usradgroups.name -notcontains $ADGroup2) {
        # User is a member of neither ADGroup1 nor ADGroup2
    }
    else {
        # User is a member of ADGroup1 or ADGroup2 (or both)
    }
}

Here is also an example that uses a class, so you can shape the output object the way you like:

#by J.Kühnis 09.10.2019
#Set variables
$ADGROUP = "someAdGrp"

# Load AD-Module
if (!(Get-Module -Name ActiveDirectory)) {
    Import-Module -Name ActiveDirectory
    if (!(Get-Module -Name ActiveDirectory)) {
        Write-Warning "No AD-Module Found"
        Start-Sleep 10
        Exit
    }
}
$groupname = $ADGROUP
$groupdsn = (Get-ADGroup $groupname).DistinguishedName
$group = [adsi]"LDAP://$groupdsn"
$groupmembers = $group.psbase.Invoke("Members") | ForEach-Object { $_.GetType().InvokeMember("SamAccountName", 'GetProperty', $null, $_, $null) }

# Output shape: only the attributes we care about
class User {
    [string]$Name
    [string]$SamAccountName
    [string]$UserPrincipalName
    [string]$Mail
    [string]$extensionAttribute7
    [string]$extensionAttribute9
}

$Userlist = @()
$groupmembers | ForEach-Object {
    $usrATTR = Get-ADUser -Identity $_ -Properties Name,SamAccountName,UserPrincipalName,mail,extensionAttribute7,extensionAttribute9

    $User = [User]::new()
    $User.Name = $usrATTR.Name
    $User.SamAccountName = $usrATTR.SamAccountName
    $User.UserPrincipalName = $usrATTR.UserPrincipalName
    $User.Mail = $usrATTR.Mail
    # the class defines extensionAttribute7 and 9, so those are the ones assigned (not 1 and 2)
    $User.extensionAttribute7 = $usrATTR.extensionAttribute7
    $User.extensionAttribute9 = $usrATTR.extensionAttribute9

    $Userlist += $User
}
$Userlist | Format-Table
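Both snippets above rely on the ADSI "Members" invoke to get around the module's limits. As an added example that is not part of the original post, the following function does the same job one level lower with System.DirectoryServices, using a paged search and ranged retrieval of the "member" attribute, which AD hands out in slices; it assumes $GroupName is the sAMAccountName of a group in the current domain and contains no LDAP filter metacharacters.

```powershell
# Added example, not from the original post: read every member DN of a large group
# with System.DirectoryServices directly, using a paged search and ranged retrieval of
# the "member" attribute (AD returns it in slices, 1500 values per slice by default).
# Assumption: $GroupName is a group sAMAccountName in the current domain with no LDAP
# filter metacharacters.
function Get-LargeGroupMemberDN {
    param([Parameter(Mandatory)][string]$GroupName)

    # Locate the group; PageSize makes the search paged (1000 entries per page).
    $searcher = [System.DirectoryServices.DirectorySearcher]::new()
    $searcher.Filter   = "(&(objectClass=group)(sAMAccountName=$GroupName))"
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.Add("distinguishedName")
    $groupResult = $searcher.FindOne()
    if (-not $groupResult) { throw "Group '$GroupName' not found." }
    $groupDn = [string]$groupResult.Properties["distinguishedname"][0]

    $members = [System.Collections.Generic.List[string]]::new()
    $start = 0
    while ($true) {
        # Ask for the slice starting at $start; the server names the slice it actually
        # returned, e.g. "member;range=0-1499", or "member;range=1500-*" for the last one.
        $rangeSearcher = [System.DirectoryServices.DirectorySearcher]::new()
        $rangeSearcher.SearchRoot  = [adsi]"LDAP://$groupDn"
        $rangeSearcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
        $rangeSearcher.Filter      = "(objectClass=*)"
        $null = $rangeSearcher.PropertiesToLoad.Add("member;range=$start-*")
        $result = $rangeSearcher.FindOne()

        $rangeAttr = $result.Properties.PropertyNames |
            Where-Object { $_ -like "member;range=*" } | Select-Object -First 1
        if (-not $rangeAttr) { break }            # empty group, or nothing beyond $start
        foreach ($dn in $result.Properties[$rangeAttr]) { $members.Add([string]$dn) }
        if ($rangeAttr.EndsWith('*')) { break }   # final slice delivered
        $start += $result.Properties[$rangeAttr].Count
    }
    return $members
}

# Usage: count the members of the big group from the post
(Get-LargeGroupMemberDN -GroupName "someADGroupName").Count
```

The member DNs returned here can be fed to Get-ADUser exactly like the SamAccountNames in the snippets above.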
