June 12, 2020 at 3:24 pm #235417
I want to retrieve a list of the objectclasses a user has been assigned. In an LDAP server like ODSEE a query for “uid=username objectclass” returns a list of the objectclasses assigned to the user.
With AD and powershell I am finding that I can only get one objectclass result returned and so far it’s always the “user” objectclass. I’ve tried a couple different methods with no success. Google is coming up empty for powershell returning multi-valued attribute values.
I’ve tried these:
get-aduser -Identity "username" -properties objectclass
ObjectClass : user
Gets just one objectclass; the user actually has seven assigned.
Another multi-valued attribute, proxyaddresses, behaves as expected. If I query for it I get a list of all the values:
get-adobject -LDAPFilter "(uid=username)" -properties proxyaddresses
The same results are achieved with get-aduser.
- This topic was modified 3 weeks, 5 days ago by thammer13.
June 12, 2020 at 8:23 pm #235465
I’m not sure, I see the additional objectclass properties in AD as well and it says “Multi-valued String.” I haven’t yet found a way to do it in powershell but I would definitely expect to be able to. Hopefully someone knows and can help us both out. 🙂
June 13, 2020 at 5:17 am #235513
Here’s one way you can get the values. I just had it output the values with nothing else, assuming you can just tack this on to your object.
June 13, 2020 at 6:45 am #235468
Well based on the information I am reading, a user’s class will always be the same and have the same inherited superclasses.
Each instance of an object class has a multi-valued objectClass property that identifies the class of which the object is an instance, as well as all structural or abstract superclasses from which that class is derived. Thus, the objectClass property of a user object would identify the top, person, organizationalPerson, and user classes. The objectClass property does not include auxiliary classes in the list. The system sets the objectClass value when the object instance is created and it cannot be changed.
CN: Object-Class
Ldap-Display-Name: objectClass
Size: About 20 bytes on average.
Update Privilege: The designer of the object would set this value.
Update Frequency: This value should never change.
Attribute-Id: 22.214.171.124
System-Id-Guid: bf9679e5-0de6-11d0-a285-00aa003049e2
Syntax: String(Object-Identifier)
There is an example of pulling all of them with C++ though!
June 17, 2020 at 2:53 pm #236236
I’m used to working with Oracle ODSEE LDAP (iPlanet, Sun Directory), where a query for “uid=user objectclass” returns all of the assigned objectclasses, not just the top one.
What is interesting is that an LDAP query of AD will return all of the objectclasses. I’ll have to see if there is a powershell equivalent of an LDAP query that might do it. It seems like this is more of a powershell limitation than something inherent to AD.
June 17, 2020 at 2:59 pm #236239
It seems strange that that quote states objectclass is multi-valued but that it won’t show any but structural objectclasses.
I may have to look at changing our objectclasses to structural and see how AD likes that if that is what it takes to solve this.
June 18, 2020 at 1:19 am #236413
Did this not give you the info you wanted?
If you want it to be an actual property of an object, just use this to populate that object. You shouldn’t call it objectclass because it already exists. I agree this seems like a limitation in powershell. At least in the way it outputs it. I was unable to do it in powershell, which is why I wrapped dsquery and parsed the output. I am also looking for a way to do this with an LDAP filter.
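Added example (not part of the original thread and not any poster's code): the thread notes that a plain LDAP query of AD returns every objectClass value, and one way to issue such a query from PowerShell is the .NET DirectorySearcher behind the [adsisearcher] accelerator. The function name Get-LdapObjectClass, its parameters and the 'username' placeholder are assumptions made for this sketch; it assumes a domain-joined Windows host.

```powershell
# Added example. Get-LdapObjectClass and 'username' are hypothetical names.
function Get-LdapObjectClass {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Value,

        # Attribute to match on. The thread's filter used uid; AD logon names
        # normally live in sAMAccountName, which is the default assumed here.
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')]
        [string]$Attribute = 'sAMAccountName'
    )

    # Escape LDAP filter metacharacters (RFC 4515) so the value cannot
    # change the shape of the filter: \ * ( ) and NUL become \5c \2a \28 \29 \00.
    [System.Text.RegularExpressions.MatchEvaluator]$toHex = {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    }
    $escaped = [regex]::Replace($Value, '[\\*()\0]', $toHex)

    # With no search root given, [adsisearcher] binds to the current domain.
    $searcher = [adsisearcher]"($Attribute=$escaped)"
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedname', 'objectclass'))
    try {
        $result = $searcher.FindOne()
        if ($null -eq $result) {
            throw "No entry matches ($Attribute=$Value)"
        }
        [pscustomobject]@{
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
            # Every value the server returned for objectClass, as an array,
            # rather than the single most specific class.
            ObjectClasses     = @($result.Properties['objectclass'])
        }
    }
    finally {
        $searcher.Dispose()
    }
}

# Usage: prints one class name per line for the matched entry.
(Get-LdapObjectClass -Value 'username').ObjectClasses
```

To match on the uid attribute as in the original filter, call it with -Attribute 'uid'.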