LDAP Filter by Distinguishedname not working

  • Question

  • Hi Team:

I am working on a script that retrieves the membership information of users. As the MemberOf property returns the DistinguishedName value of the group that the user/group belongs to, I am trying to use it in a subquery to retrieve more information about it. However, when the subquery runs it returns the following issue related to the LDAP query:

    An error occurred while enumerating through a collection: The (distinguishedname=..... search filter is invalid

    The LDAP filter that I am using is (distinguishedname=CN=......). I am not using wildcards in it, just an exact match.

    Do you have any idea how to face it?

    Best Regards,

    Tuesday, November 15, 2016 10:41 PM

Answers

  • Hi Guys:

    I finally solved it. It looks like there was an issue with the calculated field in AD. Once it was solved, the queries by Distinguished Name started to work.

    Monday, November 21, 2016 7:16 PM

All replies

  • We cannot see your code.  Your question is odd.  You are asking about a group? A user?

    What are you trying to do?


    \_(ツ)_/

    Tuesday, November 15, 2016 10:44 PM
  • Get-AdGroupMember somegroup | Get-AdObject


    \_(ツ)_/

    Tuesday, November 15, 2016 10:47 PM
  • Get-AdUser jsmith -Properties memberof | select -expand memberof | Get-AdGroup

    \_(ツ)_/


    • Edited by jrv Tuesday, November 15, 2016 10:49 PM
    Tuesday, November 15, 2016 10:49 PM
  • The code is basically the following one:

    $objADSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objADSearcher.PageSize = 1000
    # The filter must be fully parenthesised: "(distinguishedname=<DN>)".
    # Without the closing ")" the server rejects it as an invalid search filter.
    $objADSearcher.Filter = "(distinguishedname=$($strValue))"
    $objADSearcher.PropertiesToLoad.AddRange([string[]]@("ObjectGUID"))
    $objADSearcher.SearchRoot = [ADSI] "LDAP://$($strGlobalCatalog)"
    $objGroup = $objADSearcher.FindAll()

    $strValue is the DistinguishedName that I provide in the function. I attempted to send it without quotes, with single quotes and with double quotes, in case the space could be the issue.

    $strGlobalCatalog is just the Global Catalog address from where I look for the data

    What I am looking for is specifically a group. I am planning to add a sAMAccountType filter along with the DistinguishedName one just to shorten the search, but I want it to work first with the DistinguishedName filter only.

    • Proposed as answer by Todd Heron Thursday, November 17, 2016 2:37 AM
    • Unproposed as answer by Todd Heron Thursday, November 17, 2016 2:37 AM
    Tuesday, November 15, 2016 10:50 PM
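As an added example (not code from the thread), the following PowerShell builds the distinguishedName equality filter the post above is trying to use, escapes the value per RFC 4515 so that parentheses, asterisks and backslashes in a DN cannot break the filter or splice extra clauses into it, and checks that the filter is balanced before it is handed to DirectorySearcher. It runs offline; the DNs are constructed samples, and ConvertTo-LdapFilterValue, New-DnFilter and Test-LdapFilterSyntax are names chosen for this example, not cmdlets.

```powershell
# Added example, not code from the thread: escape a DN for use in an LDAP
# filter (RFC 4515), build the equality filter, and sanity-check it.
# Runs offline; the DNs below are constructed samples.

function ConvertTo-LdapFilterValue {
    # RFC 4515 reserves only backslash, asterisk, parentheses and NUL
    # inside a filter value; each becomes \XX (hex). Backslash is handled
    # first, so a DN with an RFC 4514 escaped comma ('Smith\, John') is
    # not double-escaped afterwards.
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value -replace '\\', '\5c'
    $v = $v -replace '\*', '\2a'
    $v = $v -replace '\(', '\28'
    $v = $v -replace '\)', '\29'
    $v -replace "`0", '\00'
}

function New-DnFilter {
    # Equality filter on distinguishedName, optionally AND-ed with an
    # objectClass clause to narrow the search (e.g. to groups).
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$ObjectClass
    )
    $dnClause = "(distinguishedName=$(ConvertTo-LdapFilterValue $DistinguishedName))"
    if ($ObjectClass) {
        "(&(objectClass=$(ConvertTo-LdapFilterValue $ObjectClass))$dnClause)"
    } else {
        $dnClause
    }
}

function Test-LdapFilterSyntax {
    # Structural check only: the filter must be wrapped in parentheses and
    # every raw '(' must be closed. Escaped \28/\29 are data and do not
    # count. A filter whose closing ')' was dropped, which is what yields
    # "The (distinguishedname=... search filter is invalid", fails here
    # before any directory round trip is made.
    param([Parameter(Mandatory)][string]$Filter)
    if (-not $Filter.StartsWith('(') -or -not $Filter.EndsWith(')')) { return $false }
    $depth = 0
    foreach ($ch in $Filter.ToCharArray()) {
        if ($ch -eq '(') { $depth++ }
        elseif ($ch -eq ')') { $depth--; if ($depth -lt 0) { return $false } }
    }
    return ($depth -eq 0)
}

# Constructed sample values.
$plain    = 'CN=test,OU=Testing,DC=test,DC=local'
$tricky   = 'CN=Ops (EMEA)\, Tier 1,OU=Groups,DC=test,DC=local'  # parentheses plus an escaped comma
$injected = '*)(objectClass=*'                                    # what untrusted input could look like

# Self-checks; each throws if the helpers misbehave.
if ((New-DnFilter $plain) -ne "(distinguishedName=$plain)") { throw 'a plain DN must pass through unchanged' }
if ((ConvertTo-LdapFilterValue $tricky) -ne 'CN=Ops \28EMEA\29\5c, Tier 1,OU=Groups,DC=test,DC=local') { throw 'escaping is wrong' }
if ((ConvertTo-LdapFilterValue $injected) -ne '\2a\29\28objectClass=\2a') { throw 'injection characters must be neutralised' }
if (-not (Test-LdapFilterSyntax (New-DnFilter $tricky -ObjectClass group))) { throw 'escaped filter should be well-formed' }
if (Test-LdapFilterSyntax "(distinguishedname=$plain") { throw 'an unterminated filter must be rejected' }

New-DnFilter $tricky -ObjectClass group
```

The string returned by New-DnFilter is what goes into `$searcher.Filter`. The escaping matters beyond correctness: a memberOf value comes from the directory, but any DN that originates from user input (a form, a CSV, an API call) can otherwise end a clause early and add its own, so the same helper is the LDAP-injection defence for string-built filters.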
  • Get-AdUser -Filter "DistinguishedName -eq 'CN=John Smith,OU=Admins,DC=TESTNET,DC=local'"

    \_(ツ)_/

    Tuesday, November 15, 2016 10:51 PM
  • Same issue: when I use the Get-ADGroup cmdlet it does not retrieve the group information.
    Tuesday, November 15, 2016 10:53 PM
  • $dn = 'CN=John Smith,OU=Admins,DC=TESTNET,DC=local'
    $searcher = [adsisearcher]"(distinguishedname=$dn)"
    $searcher.PropertiesToLoad.Add('ObjectGUID')
    $searcher.SearchRoot = [ADSI] "LDAP://$strGlobalCatalog"
    $group = $searcher.FindOne()


    \_(ツ)_/

    Tuesday, November 15, 2016 10:56 PM
  • Here is a more complete example:

    $dn = 'CN=John Smith,OU=Admins,DC=TESTNET,DC=local'
    $searcher = [adsisearcher]"(distinguishedname=$dn)"
    $searcher.PropertiesToLoad.Add('ObjectGUID')
    $searcher.SearchRoot = [adsi]'LDAP://gcserver:3268/dc=testnet,dc=local'
    $group = $searcher.FindOne()


    \_(ツ)_/

    Tuesday, November 15, 2016 11:00 PM
  • Same issue: when I use the Get-ADGroup cmdlet it does not retrieve the group information.

    Then your DN is wrong.  Does it have odd characters?

    Is it in a different domain?


    \_(ツ)_/

    Tuesday, November 15, 2016 11:02 PM
  • Thanks a lot!!!!!
    Tuesday, November 15, 2016 11:05 PM
  • To get an AD group by distinguished name just ask for it:

    Get-AdGroup 'CN=TestGrp,OU=SomeOU,DC=TESTNET,DC=local'

    If you use a filter and it is in another domain you need to specify the server.


    \_(ツ)_/

    Tuesday, November 15, 2016 11:09 PM
  • I attempt the following:

    # Builtin is a container (CN=Builtin), not an organizational unit, so the
    # DN of the Guests group is CN=Guests,CN=Builtin,...
    $dn = 'CN=Guests,CN=Builtin,DC=test,DC=local'
    $searcher = [adsisearcher]"(distinguishedname=$dn)"
    [void]$searcher.PropertiesToLoad.Add('ObjectGUID')
    $searcher.SearchRoot = [ADSI] "LDAP://$strGlobalCatalog"
    $group = $searcher.FindOne()

    and

    $objADSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objADSearcher.Filter = "(distinguishedname=CN=Guests,CN=Builtin,DC=test,DC=local)"
    $objProperties = @("ObjectGUID")
    $objADSearcher.PropertiesToLoad.AddRange([string[]]$objProperties)
    # $user and $password are the credentials supplied by the caller
    $objADSearcher.SearchRoot = New-Object DirectoryServices.DirectoryEntry("LDAP://$($strGlobalCatalog)", $user, $password)
    $objgroup = $objADSearcher.FindOne()

    Both return null. I am using the Guests group for testing as it does not contain special characters. I have some groups in the domain with a dash in the DN; may they affect the query?

    Wednesday, November 16, 2016 6:14 PM
  • The BUILTIN accounts are not replicated to the GC.

    \_(ツ)_/

    Wednesday, November 16, 2016 6:22 PM
  • Hi:

    I created a Testing OU with a test group in it (CN=test,OU=Testing,dc=test,dc=local) and the issue still persists. I am sure that it is an issue with the filter, because if I change it I get a result; e.g. if I set the filter to "(sAMAccountType=805306368)" I get the list of all the users in the domain.

    Do you know if there is any restriction on the distinguished name when it is used in the filter? I know that wildcards are not allowed, but the search that I am performing is by exact match.

    Wednesday, November 16, 2016 6:31 PM
  • Query the target domain and not a GC as replication may be broken.

    Using the  DN in a filter works and has always worked.  It is fundamental to ADSI.


    \_(ツ)_/

    Wednesday, November 16, 2016 6:38 PM
  • Dashes in the DN are not a problem. The main character in DNs that must be escaped (with the backslash escape character) is the comma. For SearchRoot use:

    "LDAP://dc=testnet,dc=local"


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, November 16, 2016 6:57 PM
    Moderator
  • Hi:

    I also tried with the DC instead of the global catalog and also returns null.

    Wednesday, November 16, 2016 9:09 PM
  • Hi:

    I also tried with the DC instead of the global catalog and also returns null.

    It works for the rest of us, so you have an issue with your DN or you are trying to access a domain that you don't have access to. You are not having a connection error, so it must be account access or an issue with the DC.

    Here is a simple test that can give you a useful error:

    [adsi]'LDAP://CN=test,OU=Testing,dc=test,dc=local'

    If it is another domain then add the server name:

    [adsi]'LDAP://remotedc/CN=test,OU=Testing,dc=test,dc=local'


    \_(ツ)_/


    • Edited by jrv Wednesday, November 16, 2016 9:17 PM
    • Proposed as answer by Todd Heron Thursday, November 17, 2016 2:37 AM
    Wednesday, November 16, 2016 9:16 PM
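Putting the replies' advice together (bind directly to the DN to get a real error, query the object's own domain rather than a GC, and name the server when the object lives in another domain), here is an added PowerShell helper that is not from the thread. It derives the domain partition from the DC= components of the DN, probes the object with a direct ADSI bind so that a failure throws a descriptive exception instead of returning null, and only then runs the escaped equality filter against that partition. It needs a reachable domain; the DN, the server name and the function names Get-DnDomainRoot and Find-AdObjectByDn are assumptions made for the example.

```powershell
# Added helper, not code from the thread: find an object by DN the way the
# replies recommend. Requires a reachable AD domain; DN, server name and
# function names are placeholders chosen for this example.

function Get-DnDomainRoot {
    # 'CN=test,OU=Testing,DC=test,DC=local' -> 'DC=test,DC=local'.
    # Splits on commas that are not RFC 4514 escaped, then keeps everything
    # from the first DC= RDN onward.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $rdns = [regex]::Split($DistinguishedName, '(?<!\\),')
    $i = 0
    while ($i -lt $rdns.Count -and $rdns[$i] -notmatch '^\s*DC=') { $i++ }
    if ($i -eq $rdns.Count) { throw "No DC= component in '$DistinguishedName'" }
    return ($rdns[$i..($rdns.Count - 1)] -join ',')
}

function Find-AdObjectByDn {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$Server,                                        # DC of the target domain; needed for a foreign domain
        [System.Management.Automation.PSCredential]$Credential  # optional explicit account
    )
    $domainRoot = Get-DnDomainRoot $DistinguishedName
    $prefix = if ($Server) { "LDAP://$Server/" } else { 'LDAP://' }

    # 1. Direct bind. Unlike FindOne(), a failed bind throws a COMException
    #    that names the problem (no such object, server down, access denied).
    $probe = New-Object System.DirectoryServices.DirectoryEntry("$prefix$DistinguishedName")
    if ($Credential) {
        $probe.Username = $Credential.UserName
        $probe.Password = $Credential.GetNetworkCredential().Password
    }
    try { $probe.RefreshCache() }
    catch { throw "Direct bind to '$DistinguishedName' failed: $($_.Exception.Message)" }

    # 2. Filter search rooted at the object's domain partition (not the GC),
    #    with the value escaped per RFC 4515 so '\', '*', '(' and ')' in the
    #    DN are data rather than filter syntax.
    $escaped = $DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $root = New-Object System.DirectoryServices.DirectoryEntry("$prefix$domainRoot")
    if ($Credential) {
        $root.Username = $Credential.UserName
        $root.Password = $Credential.GetNetworkCredential().Password
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(distinguishedName=$escaped)"
    $searcher.SearchScope = 'Subtree'
    $searcher.PropertiesToLoad.AddRange([string[]]@('objectGUID', 'objectClass', 'member'))
    $result = $searcher.FindOne()
    if (-not $result) {
        throw "Bind succeeded but the filter matched nothing; check the DN text and escaping: $($searcher.Filter)"
    }

    [pscustomobject]@{
        Path        = $result.Path
        ObjectGuid  = New-Object System.Guid -ArgumentList (,[byte[]]$result.Properties['objectguid'][0])
        ObjectClass = @($result.Properties['objectclass'])[-1]   # most specific class, e.g. 'group'
        MemberCount = @($result.Properties['member']).Count
    }
}

# Offline check of the DN parsing; the search itself needs a domain.
if ((Get-DnDomainRoot 'CN=Ops\, Tier 1,OU=Groups,DC=test,DC=local') -ne 'DC=test,DC=local') { throw 'domain root parsing is wrong' }

# Usage against a real domain (placeholder DN and server):
#   Find-AdObjectByDn 'CN=test,OU=Testing,DC=test,DC=local'
#   Find-AdObjectByDn 'CN=test,OU=Testing,DC=test,DC=local' -Server 'remotedc' -Credential (Get-Credential)
```

The order is deliberate: the direct bind separates "no such object / no access / wrong domain" from "filter problem", which a null from FindOne() never does, and rooting the search at the DN's own partition sidesteps GC replication lag and the GC's partial attribute set. A serverless bind resolves a DC for the current domain only, so for a DN in another domain pass -Server as the replies suggest.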