Directory Searcher not returning all the results

Question

I have created 2400 security groups and added all these security groups to the user. When I query Active Directory using a DirectorySearcher, I get only 2049 security groups. The remaining security groups are missing. I tried the pagination approach as mentioned below, it still doesn't work. What's the ideal way of getting all the security groups?

$gcName = "blahblah.com"
$dn =  "CN=blahblah,OU=Tenants,OU=INT,DC=dom,DC=abc,DC=def,DC=com"
$searchRoot = [ADSI]("LDAP://" + $gcName + "/" + $dn)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot, "(objectClass=*)", @("tokenGroups"), [System.DirectoryServices.SearchScope]::Base)
$searcher.PageSize=500
foreach ($SearchResult  in $searcher.FindAll()){$SearchResult.Properties["tokenGroups"].Count}

Edit 1: When I use the following commands, it doesn't return the complete list of security groups. Ideally, I expect all the groups here along with some other user properties.

$searchRoot = [ADSI]("LDAP://" + $gcName)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot, "(|((msOnline-WindowsLiveNetId=xxxxxx))((msOnline-AlternativeSecurityId=YYYYYYYY)))", @("name"))
$searcher.PropertiesToLoad.AddRange(@("msOnline-UserPrincipalName","objectClass","msOnline-AccountEnabled","displayName","proxyaddresses","memberOf"))
$sr = $searcher.FindOne()
$de= $sr.GetDirectoryEntry()
$de.RefreshCache(@("tokenGroups"))
$de.Properties["tokenGroups"].Count

When I use the following, it returns all the groups but I don't get the user properties.

$searchRoot = [ADSI]("LDAP://" + $gcName)
$searcher = [adsisearcher]::new($searchRoot, "(&(objectClass=group)(member=$dn))", @("name"))
$searcher.PageSize=500
$searcher.FindAll().Count

This doesn't work either.

$searchRoot = [ADSI]("LDAP://" + $gcName)
$searcher = [adsisearcher]::new($searchRoot, "((member=$dn))", @("name","msOnline-UserPrincipalName","tokenGroups"))
$searcher.PageSize=500
$searcher.FindAll().Count

All I want to achieve is get all the tokenGroups and few user properties with a single search.

Gabriel Luci · Answer 1 · 2020-05-29T17:23:18.233

1

The PageSize only affects the number of search results, but there is only one search result. You're counting the number of records in the tokenGroups attribute of that one result.

One possible issue is that tokenGroups will only show security groups, because it is designed for determining the user's permissions. If the user is in any groups where the 'Group type' is "distribution", those will not be included in tokenGroups.

If you only have one domain in your AD forest, then you can look at the memberOf attribute instead of tokenGroups. If you have more than one domain in your forest, then memberOf may not give you all the groups.

You could also change the search so that it looks for all groups that have that user as a member. That would look like this:

$gcName = "blahblah.com"
$dn =  "CN=blahblah,OU=Tenants,OU=INT,DC=dom,DC=abc,DC=def,DC=com"
$searchRoot = [ADSI]("LDAP://" + $gcName)
$searcher = [adsisearcher]::new($searchRoot, "(&(objectClass=group)(member=$dn))", @("name"))
$searcher.PageSize=500
$searcher.FindAll().Count

Notice that you can use [adsisearcher]::new as a short form for New-Object System.DirectoryServices.DirectorySearcher.

edited May 29 '20 at 17:23

answered May 29 '20 at 17:06

Gabriel Luci

38,328
4
55
84

The query with the new filter just gets the tokenGroups. What I am looking for is the query should return few other user properties along with the right list of tokenGroups. – Pradeep Anumala May 29 '20 at 19:03
The `@("tokenGroups")` is what tells it which attributes to return during the search. So just add whatever other attributes you want to get in that array. – Gabriel Luci May 29 '20 at 19:10
This doesn't return any results. If I remove the "tokenGroups", it works fine. – Pradeep Anumala May 29 '20 at 20:56
I have just updated the question. Please take a look. – Pradeep Anumala Jun 01 '20 at 16:44
*"doesn't return the complete list of security groups"* - how do you know that? – Gabriel Luci Jun 01 '20 at 17:24
I created 2200 security groups and added the user to those groups. Now the query returns only 2049 groups. – Pradeep Anumala Jun 01 '20 at 17:39
If I use the below query it returns all the groups. [adsisearcher]::new($searchRoot, "(&(objectClass=group)(member=$dn))", @("name")) – Pradeep Anumala Jun 01 '20 at 17:48
Are all of those groups on the same domain? – Gabriel Luci Jun 01 '20 at 18:09
Do you get the same number of results using this query? `[adsisearcher]::new($searchRoot, "(&(objectClass=group)(member=$dn)(groupType:1.2.840.113556.1.4.803:=2147483648))", @("name"))` – Gabriel Luci Jun 01 '20 at 18:19
Yes, I get all (2212) groups when I use the above query (groupType). – Pradeep Anumala Jun 01 '20 at 18:42
Are all the groups on the same domain? – Gabriel Luci Jun 01 '20 at 19:53
Yes they are all of the same domain. Is there any server side setting that limits the no. of groups when user object is queried? – Pradeep Anumala Jun 01 '20 at 20:06
Then I don't know why that's happening. I guess you can't use `tokenGroups`. – Gabriel Luci Jun 01 '20 at 20:15
You talk about getting "user properties", but your question is about finding groups. Which are you trying to search for, groups or users? – Gabriel Luci Jun 01 '20 at 20:15
I want to query for a user object (one particular user) that will return the tokenGroups along with some other user properties. So, to answer your question, I want to search for both the groups and a user. – Pradeep Anumala Jun 01 '20 at 20:40
Have you tried looking at `memberOf` instead of `tokenGroups`, like I described in my answer? – Gabriel Luci Jun 02 '20 at 00:07
Yes, using the range retrieval on member of, I am able to fetch all the groups but I am interested in security groups only. I rephrased my question here. https://stackoverflow.com/questions/62142852/the-refreshcache-method-not-returning-the-complete-list-of-tokengroups – Pradeep Anumala Jun 02 '20 at 00:13

Directory Searcher not returning all the results

1 Answers1