1

I am currently trying to get a list of user object properties for a number of accounts in my environment. However, this requires querying some ADSI properties, and I am not entirely sure how to get this to work, even after doing some self-guided study.

What I am doing is using something like the below to create a foreach loop to get some details on these users, but I additionally need for it to iterate through LDAP queries for a bunch of separate ADSI properties (e.g. AllowLogon, MaxConnectionTime, TerminalServicesWorkDirectory) and add the outputs to my resultant CSV. I believe that this will look something like this, but I'm not sure how to make the LDAP/ADSI queries in the middle work properly:

# Choose the OU containing the accounts to be searched:
$OU = "OU=Accounts,DC=domain,DC=local"

# Set up the ADUser search base:
$Accounts = Get-ADuser -Filter * -Searchbase $OU

#Define CSV output based off of results of ForEach loop
$Output = ForEach($Account in $Accounts){
    Get-ADUser -identity $Account -Properties * |
    Select-Object Name,GivenName

#This is where I am unsure on how to get these queries to work properly
    $User = [ADSI]("LDAP://" + $account.distinguishedname)
    $user.psbase.InvokeGet("AllowLogon")
    $user.psbase.InvokeGet("MaxConnectionTime")
    $user.psbase.InvokeGet("TerminalServicesWorkDirectory")

}

#Write output to CSV
$Output | Export-CSV C:\Temp\Output.csv

Can anyone set me down the correct path to getting these to properly populate a CSV? Thanks!

  • The correct names for those RDS attributes are `msTSAllowLogon`, `msTSMaxConnectionTime`, and `msTSWorkDirectory`; you can use `Get-ADUser` to fetch them, no need to use the `[adsi]` class. – Mathias R. Jessen Jun 12 '23 at 15:37
  • I am just curious; is there a published list of these RDS attributes anywhere? I have a huge list of these properties which I am hoping to query, and I did not think that they were all accessible with Get-ADUser. This would be my complete list, just for reference: TerminalServicesInitialProgram, ConnectClientDrivesAtLogon, ConnectClientPrintersAtLogon, DefaultToMainPrinter, MaxDisconnectionTime, MaxConnectionTime, MaxIdleTime, BrokenConnectionAction, ReconnectionAction, TerminalServicesHomeDirectory, TerminalServicesHomeDrive, AllowLogon, EnableRemoteControl – closedcasketfuneral Jun 12 '23 at 16:29
  • Sure, I found them by just browsing Microsoft's listing of official AD attribute schemas: https://learn.microsoft.com/en-us/windows/win32/adschema/a-mstsallowlogon - you'll notice that all the RDS-related ones are named `ms-TS-` (beware: the LDAP Display Names, which are what you need here, don't have the `-`s. Both are documented for each) – Mathias R. Jessen Jun 12 '23 at 18:32
  • Thank you for the reply! I had been looking for documentation of the commands such as the one that you shared in your other comment. However, whether I run a script with my formatting or with the formatting which you shared, all of these RDS attribute values seem to output as null except for "msDS-AllowedToDelegateTo." I changed one account's "Active Session Limit" setting to "15 minutes" via the AD GUI, but msTSMaxConnectionTime is still showing a null result for that setting. Do you have any suggestions or insights that might ensure that these values are accurate in the output? – closedcasketfuneral Jun 14 '23 at 15:35

1 Answer

3

[...] but I additionally need for it to iterate through LDAP queries for a bunch of ...

You really don't - Get-ADUser can fetch the desired attribute values up front - you just have to use the correct names for the attributes:

# The OU containing the accounts to be searched (same value as in the question)
$OU = "OU=Accounts,DC=domain,DC=local"

# Fetch all user accounts with the required attributes in a single query
$Accounts = Get-ADUser -Filter * -SearchBase $OU -Properties Name,GivenName,msTSAllowLogon,msTSMaxConnectionTime,msTSWorkDirectory

# Rename the RDS attributes to something slightly more readable.
# A string Expression in a calculated property is interpreted as a property name on the input object.
$Output = $Accounts | Select-Object Name,GivenName,
    @{Name='AllowLogon';Expression='msTSAllowLogon'},
    @{Name='MaxConnectionTime';Expression='msTSMaxConnectionTime'},
    @{Name='TerminalServicesWorkDirectory';Expression='msTSWorkDirectory'}

# Write output to CSV
$Output | Export-Csv C:\Temp\Output.csv -NoTypeInformation
Mathias R. Jessen
  • Thank you for the reply! I had been looking for documentation of the commands such as the one that you shared in your other comment. However, whether I run a script with my formatting or with the formatting which you shared, all of these RDS attribute values seem to output as null except for "msDS-AllowedToDelegateTo." I changed one account's "Active Session Limit" setting to "15 minutes" via the AD GUI, but msTSMaxConnectionTime is still showing a null result for that setting. Do you have any suggestions or insights that might ensure that these values are accurate in the output? – closedcasketfuneral Jun 13 '23 at 16:21
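The follow-up comment above reports that the `msTS*` attributes come back empty even after changing a session limit in the AD GUI. That matches how the settings are stored: the "Sessions", "Environment", "Remote Control" and "Remote Desktop Services Profile" tabs in Active Directory Users and Computers write into the binary `userParameters` attribute, and the property names listed in the question (`AllowLogon`, `MaxConnectionTime`, `TerminalServicesWorkDirectory`, and so on) are the `IADsTSUserEx` interface that ADSI uses to decode that blob, which is what `InvokeGet` was reaching for in the question's loop. The `msTS*` schema attributes are separate LDAP attributes and are only populated if something writes to them directly. The script below is an added example, not the asker's or the answerer's code: it collects both sources into one object per user so the CSV has one row per account with every column, instead of the mixed stream of `Select-Object` output and bare `InvokeGet` values produced by the question's `ForEach`. It assumes the RSAT ActiveDirectory module is installed, that the machine running it has the ADSI Terminal Services extension (present on domain-joined Windows with the AD DS tools), and that the caller has read access to the OU; the OU path and output file are the question's placeholder values. For an inventory of who is allowed to log on via Remote Desktop Services, the `TS_AllowLogon` column is the one to filter on.

```powershell
# Added example (not the question's or answer's code).
# Assumes: RSAT ActiveDirectory module, read access to the OU, ADSI TS extension available.
Import-Module ActiveDirectory

# IADsTSUserEx property names (the list from the question). ADSI decodes these
# from the userParameters blob that the ADUC Remote Desktop Services tabs write to.
$TsProperties = @(
    'AllowLogon', 'MaxConnectionTime', 'MaxDisconnectionTime', 'MaxIdleTime',
    'BrokenConnectionAction', 'ReconnectionAction', 'EnableRemoteControl',
    'ConnectClientDrivesAtLogon', 'ConnectClientPrintersAtLogon', 'DefaultToMainPrinter',
    'TerminalServicesInitialProgram', 'TerminalServicesHomeDirectory',
    'TerminalServicesHomeDrive', 'TerminalServicesWorkDirectory'
)

function Get-RdsUserSettings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SearchBase
    )

    # Pull the msTS* LDAP attributes and the raw userParameters blob in one query.
    $Users = Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties msTSAllowLogon, msTSMaxConnectionTime, msTSWorkDirectory, userParameters

    foreach ($User in $Users) {
        # One ordered hashtable per user so Export-Csv emits a single row with all columns.
        $Row = [ordered]@{
            Name                  = $User.Name
            GivenName             = $User.GivenName
            SamAccountName        = $User.SamAccountName
            DistinguishedName     = $User.DistinguishedName
            # Schema attributes from the answer; usually empty when settings were made in the GUI.
            msTSAllowLogon        = $User.msTSAllowLogon
            msTSMaxConnectionTime = $User.msTSMaxConnectionTime
            msTSWorkDirectory     = $User.msTSWorkDirectory
            # True when the GUI (or another tool) has ever written RDS settings for this user.
            HasUserParameters     = [bool]$User.userParameters
        }

        # Bind to the same object through ADSI to read the decoded IADsTSUserEx values.
        $Adsi = [ADSI]"LDAP://$($User.DistinguishedName)"
        foreach ($Prop in $TsProperties) {
            try {
                $Row["TS_$Prop"] = $Adsi.InvokeGet($Prop)
            }
            catch {
                # InvokeGet throws when the TS extension is unavailable on this machine or the
                # property cannot be decoded; record the error instead of dropping the user.
                $Row["TS_$Prop"] = "ERROR: $($_.Exception.Message)"
            }
        }

        [pscustomobject]$Row
    }
}

# Usage: one row per account, all columns present even when a value is empty.
Get-RdsUserSettings -SearchBase 'OU=Accounts,DC=domain,DC=local' |
    Export-Csv -Path 'C:\Temp\RdsUserSettings.csv' -NoTypeInformation
```

Comparing the `msTS*` columns with the `TS_*` columns in the resulting CSV shows directly which source your environment actually uses; `HasUserParameters` being false for an account means no RDS-specific settings have been stored for it at all, so the `TS_*` values you see are the defaults ADSI reports.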