Query for list of objectClasses a user has


    • #235417

      I want to retrieve a list of the objectclasses a user has been assigned. In an LDAP server like ODSEE a query for "uid=username objectclass" returns a list of the objectclasses assigned to the user.

      With AD and powershell I am finding that I can only get one objectclass result returned and so far it’s always the “user” objectclass. I’ve tried a couple different methods with no success. Google is coming up empty for powershell returning multi-valued attribute values.

      I’ve tried these:

      get-aduser -Identity "username" -properties objectclass

      ObjectClass : user

      Gets just one objectclass, the user actually has seven assigned.

      Another multi-valued attribute, proxyaddresses, behaves as expected. If I query for it I get a list of all the values:

      get-adobject -LDAPFilter "(uid=username)" -properties proxyaddresses

      proxyaddresses : {[email protected], [email protected], [email protected]}

      The same results are achieved with get-aduser.

      Tye


    • #235465

      Hi Tye,

      I’m not sure, I see the additional objectclass properties in AD as well and it says “Multi-valued String.” I haven’t yet found a way to do it in powershell but I would definitely expect to be able to. Hopefully someone knows and can help us both out. 🙂

      Doug

    • #235513

      Here’s one way you can get the values. I just had it output the values with nothing else, assuming you can just tack this on to your object.

      https://github.com/krzydoug/Tools/blob/master/Get-ObjectClass.ps1


    • #235468

      Well based on the information I am reading, a user’s class will always be the same and have the same inherited superclasses.

      Each instance of an object class has a multi-valued objectClass property that identifies the class of which the object is an instance, as well as all structural or abstract superclasses from which that class is derived. Thus, the objectClass property of a user object would identify the top, person, organizationalPerson, and user classes. The objectClass property does not include auxiliary classes in the list. The system sets the objectClass value when the object instance is created and it cannot be changed.

      TABLE 1

      CN:                 Object-Class
      Ldap-Display-Name:  objectClass
      Size:               About 20 bytes on average.
      Update Privilege:   The designer of the object would set this value.
      Update Frequency:   This value should never change.
      Attribute-Id:       2.5.4.0
      System-Id-Guid:     bf9679e5-0de6-11d0-a285-00aa003049e2
      Syntax:             String(Object-Identifier)

      There is an example of pulling all of them with C++ though!

      https://docs.microsoft.com/en-us/windows/win32/ad/object-class-and-object-category

      https://docs.microsoft.com/en-us/windows/win32/adschema/a-objectclass

      https://docs.microsoft.com/en-us/windows/win32/ad/retrieving-the-objectclass-property


    • #236236

      I’m used to working with Oracle ODSEE LDAP, (iPlanet, Sun Directory) where a query for "uid=user objectclass" returns all of the assigned objectclasses, not just the top one.

      What is interesting is that an LDAP query of AD will return all of the objectclasses. I’ll have to see if there is a powershell equivalent of an LDAP query that might do it. It seems like this is more of a powershell limitation than something inherent to AD.
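      The "PowerShell equivalent of an LDAP query" the post above is looking for can be done without leaving PowerShell: the System.DirectoryServices.DirectorySearcher class (the same thing the [adsisearcher] accelerator wraps) returns the raw LDAP attribute, so every objectClass value comes back instead of the single structural class the ActiveDirectory module shows. The function below is an added example written for this thread, not code from any of the posters or from the linked GitHub script. It assumes a domain-joined Windows host where System.DirectoryServices is available; the function name Get-LdapObjectClass, the -Identity/-Attribute/-SearchRoot parameter names, the account name 'jdoe' and the LDAP path in the comments are all made up for the example.

```powershell
function Get-LdapObjectClass {
    [CmdletBinding()]
    param(
        # Value to look up; 'jdoe' in the usage line below is a constructed sample.
        [Parameter(Mandatory)]
        [string]$Identity,

        # Attribute the value is matched against: sAMAccountName for a normal AD
        # lookup, or uid if the directory populates it as in the thread's examples.
        # The pattern keeps the attribute name to plain LDAP identifier characters.
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')]
        [string]$Attribute = 'sAMAccountName',

        # Optional search root such as 'LDAP://OU=Users,DC=corp,DC=example,DC=com'
        # (placeholder path); when omitted the searcher uses the current domain.
        [string]$SearchRoot
    )

    # Escape the value as RFC 4515 requires so user input cannot change the
    # shape of the filter (backslash first, then the other special characters).
    $escaped = $Identity -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = [ADSI]$SearchRoot }
    $searcher.Filter = "($Attribute=$escaped)"

    # Request only the attributes needed; the server returns every value of a
    # multi-valued attribute, objectClass included.
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('objectClass')

    $result = $searcher.FindOne()
    if (-not $result) {
        throw "No object found where $Attribute = '$Identity'"
    }

    [pscustomobject]@{
        DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        # Every class stored on the object: top, the abstract/structural
        # superclasses and the structural class itself. Auxiliary classes are
        # not listed, as the schema documentation quoted earlier in the thread says.
        ObjectClass       = @($result.Properties['objectclass'] | ForEach-Object { [string]$_ })
    }
}

# Usage on a domain-joined host (the account name is a constructed sample):
Get-LdapObjectClass -Identity 'jdoe'

# Matching on uid instead, as in the original poster's queries:
Get-LdapObjectClass -Identity 'jdoe' -Attribute 'uid'
```

      The returned ObjectClass array can be compared against the classes you expect for that object type, which is a useful sanity check when reviewing accounts; note that, per the documentation quoted earlier in the thread, classes added as auxiliary classes will still not appear in this list.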

    • #236239

      It seems strange that that quote states objectclass is multi-valued but that it won’t show any but structural objectclasses.

      I may have to look at changing our objectclasses to structural and see how AD likes that if that is what it takes to solve this.

    • #236413

      Did this not give you the info you wanted?

      https://github.com/krzydoug/Tools/blob/master/Get-ObjectClass.ps1

      If you want it to be an actual property of an object, just use this to populate that object. You shouldn’t call it objectclass because it already exists. I agree this seems like a limitation in powershell. At least in the way it outputs it. I was unable to do it in powershell, which is why I wrapped dsquery and parsed the output. I am also looking for a way to do this with an LDAP filter.
