Querying GC for same -identity

This topic contains 5 replies, has 4 voices, and was last updated by Matt Bloomfield 1 month, 1 week ago.

  • #55462
    Jeff Taylor
    Participant

    I am trying to understand why when I query any given GC, I only return 1 instance of a user object for which I know there are 3 or more.

    Get-ADUser -Identity admin_User -Credential $creds -Server company.com:3268

    Depending on what -server parameter I choose (they are all Global Catalogs btw) I only retrieve that particular domain's instance of the -identity.

    How can I use PS to query for all objects in all child domains using the global catalog?

    Thanks

  • #55475
    Don Jones
    Keymaster

    Get-ADUser doesn't necessarily query the GC; it's designed to query the entire user object, and so it contacts a DC. Obviously, on a given DC, there can only be one instance of a given user. What's in the GC isn't technically a user object, which is what Get-ADUser wants to query.

    You might be better off shifting to an older-style ADSI query, where you can explicitly query a GC.

  • #55687
    Dan Potter
    Participant

    (get-adforest).domains | % { get-aduser -Server $_ -filter *}

    • This reply was modified 1 month, 2 weeks ago by Dan Potter.
    • #55843
      Jeff Taylor
      Participant

      Dan,

      I actually meant "How can I use PS to query for instances of a specific User in all child domains using the global catalog?"

      I've tried adding an -identity param in your example but not working:

      (get-adforest).domains | % { get-aduser -Identity ThisUser -Server $_ -filter *}
  • #55871
    Dan Potter
    Participant

    You can't use the filter when supplying identity.

  • #55882
    Matt Bloomfield
    Participant

    Identity can be a DN, a GUID, a SID or a sAMAccountName.

    As the sAMAccountName is the only one of those that could be the same across the various domains, you're better off providing a filter based on that. This will return the correct results:

    PS C:\Users\Administrator> Get-ADUser -Filter 'sAMAccountName -eq "john.smith"' -server contoso.com:3268 -searchbase 'DC=Contoso,DC=com' | Select-Object sAMAccountName, UserPrincipalName
    
    sAMAccountName                                              UserPrincipalName
    --------------                                              -----------------
    John.Smith                                                  John.Smith@contoso.com
    John.Smith                                                  John.Smith@child.contoso.com
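
The approach from this thread as an added example (not code from any of the posters): find every domain's instance of one sAMAccountName through the global catalog, then re-read each hit from a DC in its own domain, since the GC holds only a partial attribute set. `Find-ADUserInForest` is a hypothetical helper name; the example assumes the RSAT ActiveDirectory module and a single-tree forest as in the output above, and it uses `-LDAPFilter` in place of `-Filter` so the name can be escaped with standard LDAP filter escaping.

```powershell
#Requires -Modules ActiveDirectory

function Find-ADUserInForest {   # hypothetical helper name, not part of the AD module
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [pscredential]$Credential
    )

    # Splat the optional credential so every call works with or without it.
    $auth = @{}
    if ($Credential) { $auth.Credential = $Credential }

    $forest = Get-ADForest @auth
    $rootDn = (Get-ADDomain -Identity $forest.RootDomain -Server $forest.RootDomain @auth).DistinguishedName

    # RFC 4515 escaping: the name is matched literally, never parsed as filter syntax.
    $escaped = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    # Port 3268 is the global catalog. Searching from the forest root DN returns
    # one partial object for each domain in the tree that holds the name.
    $hits = Get-ADUser -LDAPFilter "(sAMAccountName=$escaped)" `
        -Server "$($forest.RootDomain):3268" -SearchBase $rootDn @auth

    foreach ($hit in $hits) {
        # Rebuild the owning domain's DNS name from the DC= components of the DN.
        $domain = (($hit.DistinguishedName -split '(?<!\\),' |
            Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'

        # Ask a DC in that domain for the full object (attributes the GC may not carry).
        Get-ADUser -Identity $hit.DistinguishedName -Server $domain `
            -Properties LastLogonDate, PasswordLastSet, MemberOf @auth |
            Select-Object @{ n = 'Domain'; e = { $domain } },
                SamAccountName, UserPrincipalName, Enabled,
                LastLogonDate, PasswordLastSet,
                @{ n = 'GroupCount'; e = { @($_.MemberOf).Count } }
    }
}

# Account name taken from the thread's example output.
Find-ADUserInForest -SamAccountName 'john.smith' | Format-Table -AutoSize
```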
    
