Requesting help in nesting LDAPFilter


      Hello everyone, total newbie here!

      I need a little help making a nested LDAPfilter work in PS. I took this script from

      Recursive list of group members in AD

      It works, but I need to modify it to find out only active user accounts. So I added a nested filter to it and have since been trying to make it work. Not being a PS guru, I am sure I am doing something totally wrong here.

      Can someone please help?

      Original script, which works:

      param([Parameter(Mandatory = $true)][String]$groupName)
      $groupsHT = @{} # This is our group cache
      $membersHT = @{} # These are our members

      function groupShouldNotBeResolved {
          param($member) # The distinguishedName to check
          $groupsToNotResolve = @( # These are CNs! Make sure that your sAMAccountNames and CNs match!
              "Domain Users" # Feel free to edit these!
          )
          foreach($group in $groupsToNotResolve) { # We iterate through our list of groups...
              if($member.StartsWith(("CN=" + $group + ","), "CurrentCultureIgnoreCase") -eq $true) { # ...and check if our member matches
                  $groupToNotResolveAD = Get-ADObject -Identity $member # If we find a match, we get it from AD
                  $groupsHT.Add($member, $groupToNotResolveAD) # And add it to our list of groups, so we know it next time
                  return $true # Let caller know this group should not be resolved
              }
          }
          return $false # This group should be resolved!
      }

      function resolve-members-recursive {
          param($members) # The input is a list of members (distinguishedNames)
          foreach($member in $members) { # We look at each member / distinguishedName
              if($membersHT.Contains($member) -eq $true) { # If the distinguishedName is already in our list of members, we skip it
              }
              elseif((groupShouldNotBeResolved $member) -eq $true) { # If the member is a group that should not be resolved....
                  $membersHT.Add($member, $groupsHT.$member) # We add it to our members list
              }
              elseif($groupsHT.Contains($member) -eq $true) { # If the distinguishedName is already in our group cache...
                  resolve-members-recursive $groupsHT.$member # Resolve its members recursively!
              }
              else { # If the distinguishedName is in neither cache, we find out what it is...
                  $memberAD = Get-ADObject -Identity $member -Properties member # ... from AD!
                  if($memberAD.objectClass -eq "group") { # If it's a group...
                      $groupsHT.Add($memberAD.distinguishedName, $memberAD.member) # We add it to our group cache
                      resolve-members-recursive $groupsHT.$member # And resolve its members recursively
                  }
                  else { # If it's not a group, it must be a user...
                      $membersHT.Add($member, $memberAD) # So we add it to our members list
                  }
              }
          }
      }

      $groupToResolve = Get-ADObject -LDAPFilter ("(&(objectClass=group)(objectCategory=group)(sAMAccountName=" + $groupName + "))") -Properties member
      if($groupToResolve -eq $null) {
          Write-Host ($groupName + " could not be found in AD!")
          return $null
      }
      else {
          resolve-members-recursive $groupToResolve.member
          return $membersHT
      }


      Then I added a nested filter to the line like this:

      $groupToResolve = Get-ADObject -LDAPFilter ("(&(objectClass=group)(objectCategory=group)(sAMAccountName=" + $groupName + ")(&(objectClass=User)(userAccountControl=514)") -Properties member


      But I keep getting errors. What am I doing wrong?

      Thanks for your help!
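The group lookup and the "enabled user" test belong in two separate queries, since one object cannot be both a group and a user: the following is an added example (not part of the original post or the script it quotes) that takes the $membersHT the script returns and keeps only the enabled user accounts. It assumes the ActiveDirectory module is loaded; the function name Get-EnabledMembers is mine.

```powershell
# Added example: reduce the recursive member list to enabled user accounts.
# userAccountControl is a bit field: 512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE,
# so 514 matches *disabled* normal accounts. "Enabled" is tested with the
# bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) negated, not with
# an equality test against a single value.
$enabledUserFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function Get-EnabledMembers {
    # $members: hashtable of distinguishedName -> ADObject, as built by the script above
    param([Parameter(Mandatory = $true)][hashtable]$members)

    $enabled = @{}
    foreach ($dn in $members.Keys) {
        # Skip groups that were cached unresolved (e.g. "Domain Users") and
        # non-user objects such as computers or contacts.
        if ($members[$dn].objectClass -ne 'user') { continue }

        # -SearchBase $dn with -SearchScope Base limits the query to this one
        # object, so the filter only needs to express the "enabled user" condition.
        $obj = Get-ADObject -LDAPFilter $enabledUserFilter `
                            -SearchBase $dn -SearchScope Base `
                            -Properties userAccountControl
        if ($null -ne $obj) { $enabled[$dn] = $obj }
    }
    return $enabled
}

# Usage, assuming the script above was saved as Get-GroupMembers.ps1:
#   $all     = .\Get-GroupMembers.ps1 -groupName 'SomeGroup'
#   $active  = Get-EnabledMembers -members $all
#   $active.Keys
```

Keeping the two conditions in separate queries also avoids the unbalanced parentheses in the combined filter, which is the direct cause of the LDAP syntax error.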



