PowerShell, Active Directory Get-object issue

Question

I have been tasked to create a list of members of a custom object/custom attribute in Active Directory. I felt the best way to do so is use PowerShell. I can list the objects in a specific OU, but I cannot drill down further to get the members/values of a specific attribute within the object. Here is what I have:

Custom Attribute: bofaAMLMember (This is a objectclass= top:attributeSchema)

If I run:

Get-ADObject –LDAPFilter "(ObjectClass=bofaAML)" –SearchBase "OU=DEVELOPMENT,OU=IIS,OU=APPHOST,OU=SERVERS AML,OU=BAND,DC=CORP,DC=someplace,DC=COM" -searchscope subtree

The output is a long list of data:

DistinguishedName                                     Name                  ObjectClass                         
--------------------------------------------------------------------------------------------------
    CN=RG-AdministratorsMembers,OU=Ld Unified      RG-AdministratorsMembers       bofaAML
    CN=RG-PowerUsersMembers,OU=Ld Unified          RG-PowerUsersMembers           bofaAML
    CN=UR-DenyLogonViaTerminalServ,OU=India        UR-DenyLogonViaTerminalServ    bofaAML
    CN=UR-LogonAsService,OU=India Remitter         UR-LogonAsService              bofaAML

I truncated the list due to width etc.

It shows me all the items that have the custom attribute bofaaml and object class of attributeSchema.

If you are in AD or ADSI and you open up any of these and go to "Attribute Editor" there you will see an attribute named: bofaAMLMember - This has a multi-value "members" The members are other AD accounts/attributes listed by CN. I need the list of the members. I have been working on this for a week and I can't seem to get it to work. I am not sure if there is a way to add in Get-Member etc...

`It shows me all the items that have the custom attribute bofaaml and object class of attributeSchema.` This is not the correct terminology. The command will retrieve all objects whose class is `bofaAML`. Since this class (based on your description) contains the attribute `bofaAMLMember`, those objects will have that attribute. — Massimo, Jul 12 '22 at 19:12

Massimo · Accepted Answer · 2022-07-12T19:49:27.970

1

Get-ADObject, just like all other Get-AD* PowerShell cmdlets, by default only queries Active Directory for a subset of the object attributes. If you want it to query non-default attributes, you need to use the -Properties parameter.

Example:
Get-ADUser doesn't by default query the mail attribute; if you want to get a user's email address, you have to run Get-ADUser -Properties mail.

This will of course be even more true for custom attributes in custom object classes, of which PowerShell cmdlets will have no knowledge at all.

Try adding -Properties bofaAMLMember to your command and it should return objects containing your non-standard attribute alongside the standard ones.

You can also use -Properties * to query Active Directory for all attributes in the objects matching the filter. Warning: this can be very slow and can create a big load both on the Domain Controller you are querying and on the computer you are running PowerShell on (if it's not the DC itself). Active Directory objects have many more attributes than the ones commonly used.

edited Jul 12 '22 at 19:49

answered Jul 12 '22 at 19:04

Massimo

70,200
57
200
323

I tried the -properties * and that brought up a lot of different things. It did show me the bofaamlmember values. Is there a way to only show those values? Not all the other stuff? – ChadKFranks Jul 12 '22 at 23:13
Sure, just pipe the output into `select`. F.E. `Get-ADObject [other options] -Properties * | select name,bofaamlmember` – Massimo Jul 12 '22 at 23:18
If the property is multi-valued, like in this case, it would also be useful to use something like `select -property name -expandproperty bofaamlmember`; this will allow you to retrieve the object name and all values for the `bofaamlmember` property. – Massimo Jul 12 '22 at 23:26
More info here: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/select-object – Massimo Jul 12 '22 at 23:28
1

Actually, *don't* pipe into a `Select` statement if you just want to retrieve a few properties beyond the default set. With `Get-ADObject ... -Properties * |select name,bofaamlmember`, you're grabbing ALL of the properties and then throwing most away in the `Select`. Do `Get-ADObject -ldapfilter $filter -Properties bofaamlmember | select name,bofaamlmember` instead. Then you can select or otherwise parse the default properties and the specific ones you retrieved. It's much more efficient, as mentioned in the OP. – LeeM Jul 13 '22 at 07:08
1

If you want to select multiple extra properties, it's a simple list: `Get-ADObject -ldapfilter $filter -Properties bofaamlmember, whenCreated`. Or you can put the additional properties for retrieval in a simple array. `$myprops = ("bofaamlmember","whencreated"); Get-ADObject -ldapfilter $filter -Properties $myProps` – LeeM Jul 13 '22 at 07:09

PowerShell, Active Directory Get-object issue

1 Answers1