Pradeep Anumala

Reputation: 41

Directory Searcher not returning all the results

I have created 2400 security groups and added all these security groups to the user. When I query Active Directory using a DirectorySearcher, I get only 2049 security groups. The remaining security groups are missing. I tried the pagination approach shown below, but it still doesn't work. What's the ideal way of getting all the security groups?

$gcName = "blahblah.com"
$dn = "CN=blahblah,OU=Tenants,OU=INT,DC=dom,DC=abc,DC=def,DC=com"
$searchRoot = [ADSI]("LDAP://" + $gcName + "/" + $dn)
# Base-scope search on the user object itself, asking only for the constructed tokenGroups attribute
$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot, "(objectClass=*)", @("tokenGroups"), [System.DirectoryServices.SearchScope]::Base)
$searcher.PageSize = 500
# One result comes back (the user); this prints how many SIDs tokenGroups holds
foreach ($SearchResult in $searcher.FindAll()) { $SearchResult.Properties["tokenGroups"].Count }

Edit 1: When I use the following commands, it doesn't return the complete list of security groups. Ideally, I expect all the groups here along with some other user properties.

$searchRoot = [ADSI]("LDAP://" + $gcName)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot, "(|((msOnline-WindowsLiveNetId=xxxxxx))((msOnline-AlternativeSecurityId=YYYYYYYY)))", @("name"))
$searcher.PropertiesToLoad.AddRange(@("msOnline-UserPrincipalName","objectClass","msOnline-AccountEnabled","displayName","proxyaddresses","memberOf"))
$sr = $searcher.FindOne()
$de= $sr.GetDirectoryEntry()
$de.RefreshCache(@("tokenGroups"))
$de.Properties["tokenGroups"].Count

When I use the following, it returns all the groups but I don't get the user properties.

$searchRoot = [ADSI]("LDAP://" + $gcName)
$searcher = [adsisearcher]::new($searchRoot, "(&(objectClass=group)(member=$dn))", @("name"))
$searcher.PageSize=500
$searcher.FindAll().Count

This doesn't work either.

$searchRoot = [ADSI]("LDAP://" + $gcName)
$searcher = [adsisearcher]::new($searchRoot, "((member=$dn))", @("name","msOnline-UserPrincipalName","tokenGroups"))
$searcher.PageSize=500
$searcher.FindAll().Count

All I want to achieve is to get all the tokenGroups and a few user properties with a single search.

Upvotes: 1

Views: 1435

Answers (1)

Gabriel Luci

Reputation: 41008

The PageSize only affects the number of search results, but there is only one search result. You're counting the number of records in the tokenGroups attribute of that one result.

One possible issue is that tokenGroups will only show security groups, because it is designed for determining the user's permissions. If the user is in any groups where the 'Group type' is "distribution", those will not be included in tokenGroups.

If you only have one domain in your AD forest, then you can look at the memberOf attribute instead of tokenGroups. If you have more than one domain in your forest, then memberOf may not give you all the groups.

You could also change the search so that it looks for all groups that have that user as a member. That would look like this:

$gcName = "blahblah.com"
$dn = "CN=blahblah,OU=Tenants,OU=INT,DC=dom,DC=abc,DC=def,DC=com"
$searchRoot = [ADSI]("LDAP://" + $gcName)
# One search result per group the user is a direct member of, so PageSize applies here
$searcher = [adsisearcher]::new($searchRoot, "(&(objectClass=group)(member=$dn))", @("name"))
$searcher.PageSize = 500
$searcher.FindAll().Count

Notice that you can use [adsisearcher]::new as a short form for New-Object System.DirectoryServices.DirectorySearcher.

Upvotes: 1
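The answer's two points (the user's own attributes come from a single result, while a per-group search is what PageSize actually pages) can be combined into one function. The following is an added example, not code from the question or the answer; the server name, user DN and attribute names are placeholders, and `Get-UserWithGroups`, `ConvertTo-LdapFilterValue` and `Get-PropValue` are hypothetical helper names. It also goes a step beyond the answer: it tags each group as security or distribution via the groupType bit that tokenGroups uses to decide what it lists, and it can optionally follow nested membership with the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), which `(member=...)` alone does not do. The DN is escaped before it is interpolated into the filter, so a DN containing `(`, `)`, `*` or `\` cannot change the filter's meaning.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape a value for safe interpolation into an LDAP filter (RFC 4515).
    # Backslash must be handled first so the escapes added below are not re-escaped.
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-PropValue {
    # First value of an attribute on a SearchResult, or $null if the attribute is absent.
    param($Result, [string] $Name)
    if ($Result.Properties.Contains($Name) -and $Result.Properties[$Name].Count -gt 0) {
        $Result.Properties[$Name][0]
    }
}

function Get-UserWithGroups {
    param(
        [Parameter(Mandatory)] [string] $Server,   # placeholder, e.g. "blahblah.com"
        [Parameter(Mandatory)] [string] $UserDn,   # distinguished name of the user object
        [switch] $IncludeNested                    # also return groups reached through nesting
    )

    $root = [ADSI]("LDAP://" + $Server)
    $safeDn = ConvertTo-LdapFilterValue $UserDn

    # 1. The user's own attributes: exactly one search result, so paging is irrelevant here.
    $userSearcher = [adsisearcher]::new($root, "(distinguishedName=$safeDn)",
        @("displayName", "userPrincipalName", "memberOf"))
    $user = $userSearcher.FindOne()
    if (-not $user) { throw "User not found: $UserDn" }

    # 2. One result per group, so PageSize really does page the answer.
    #    (member=...) is direct membership only; the in-chain rule walks nested groups
    #    the way tokenGroups does (assumption: the target DC supports that matching rule).
    $memberClause = if ($IncludeNested) {
        "(member:1.2.840.113556.1.4.1941:=$safeDn)"
    } else {
        "(member=$safeDn)"
    }
    $groupSearcher = [adsisearcher]::new($root, "(&(objectClass=group)$memberClause)",
        @("name", "distinguishedName", "groupType"))
    $groupSearcher.PageSize = 500

    $groups = foreach ($g in $groupSearcher.FindAll()) {
        # groupType is a signed 32-bit value; the high bit (0x80000000) marks a security group.
        # Distribution groups lack that bit and therefore never appear in tokenGroups.
        $type = [int64](Get-PropValue $g "groupType")
        [pscustomobject]@{
            Name       = [string](Get-PropValue $g "name")
            Dn         = [string](Get-PropValue $g "distinguishedName")
            IsSecurity = (($type -band 0x80000000) -ne 0)
        }
    }

    [pscustomobject]@{
        DisplayName         = [string](Get-PropValue $user "displayName")
        UserPrincipalName   = [string](Get-PropValue $user "userPrincipalName")
        DirectMemberOfCount = $user.Properties["memberOf"].Count
        SecurityGroups      = @($groups | Where-Object IsSecurity)
        DistributionGroups  = @($groups | Where-Object { -not $_.IsSecurity })
    }
}

# Usage (placeholders): compare the security-group count with what tokenGroups reported
$r = Get-UserWithGroups -Server "blahblah.com" -UserDn "CN=blahblah,OU=Tenants,OU=INT,DC=dom,DC=abc,DC=def,DC=com" -IncludeNested
"{0}: {1} security, {2} distribution, {3} direct memberOf" -f $r.UserPrincipalName, $r.SecurityGroups.Count, $r.DistributionGroups.Count, $r.DirectMemberOfCount
```

Two searches instead of one is the trade-off: the question's single-search attempts fail because tokenGroups is a constructed attribute of the one user result and is not paged, whereas a search that returns the groups themselves is. The `SecurityGroups.Count` from this function is the number that is directly comparable to `tokenGroups.Count`; if the two differ, the gap is either distribution groups (never in tokenGroups) or memberships in another domain that the chosen server does not resolve.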
