Piping output of get-ADUser to Get-ADGroup with an LDAP filter

Question

I'm trying to stitch together two lines of PowerShell, but I just can't figure the syntax. There is a post that sounds like it might be what I need, but it isn't using -LDAPFilter.

To generate a list of AD users created in the last 100 days, I use

$now = ((Get-Date).AddDays(-100)).Date
$users = Get-ADUser -Filter {whenCreated -ge $now} -Searchbase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" |
         Where-Object { $_.Enabled -eq 'True' }

And this code from "How to get ALL AD user groups (recursively) with Powershell or other tools?" does the next step, which is to find all the groups that a user is a member of:

$username = 'd.trump'
$dn = (Get-ADUser $username).DistinguishedName
Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $dn) |
    select -Expand Name

but I can't pipe the output of the first into the second to get an overall list.

Get-ADUser -Filter {whenCreated -ge $now} -Searchbase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" |
    Where-Object { $_.Enabled -eq 'True' } |
    Select-Object DistinguishedName |
    Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $_) |
    select -expand Name

The error message is:

Get-ADGroup : The search filter cannot be recognized

I thought the second code snippet extracted the distingushed name and supplied it to the filter, and that is what I have tried to do in the pipeline.

Untested: `Get-ADGroup -LDAPFilter ("..." -f $_)` -> `Get-ADGroup -LDAPFilter {"..." -f $_}`. Otherwise: `Get-ADGroup -LDAPFilter ("..." -f $_)` -> `%{ Get-ADGroup -LDAPFilter ("..." -f $_) }` — Ansgar Wiechers, Dec 13 '17 at 10:27
Addendum: you also need `Select-Object DistinguishedName` -> `Select-Object -Expand DistinguishedName`, otherwise you'll have to use `$_.DistinguishedName` later on. — Ansgar Wiechers, Dec 13 '17 at 11:20

Chris · Accepted Answer · 2017-12-13T14:13:12.943

2

You are missing ForEach-Object (alias %).

The following code should work:

Get-ADUser -Filter {whenCreated -ge $now} -SearchBase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" `
| Where-Object { $_.Enabled -eq 'True' } `
| %{Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $_.DistinguishedName)} `
| Select-Object -ExpandProperty Name

If you want to output both user and group information you can expand the code like this:

Get-ADUser -Filter {whenCreated -ge $now} -SearchBase "OU=staff,OU=SMUC_Users,DC=stmarys,DC=ac,DC=ie" `
| Where-Object { $_.Enabled -eq 'True' } `
| %{$group = Get-ADGroup -LDAPFilter ("(member:1.2.840.113556.1.4.1941:={0})" -f $_.DistinguishedName);Write-Output $_.UserPrincipalName $group.Name}

edited Dec 13 '17 at 14:13

answered Dec 13 '17 at 13:20

Chris

935
3
10
21

How can I get the username alongside the group name in the output?! I've just realised that using a loop isn't much use if it only lists groups and not the associated username – DJDave Dec 13 '17 at 13:54
1

See my edit. Also it's possible to format the output differently of course. – Chris Dec 13 '17 at 14:14

Piping output of get-ADUser to Get-ADGroup with an LDAP filter

1 Answers1