Requesting help in nesting LDAPFilter


This topic contains 0 replies, has 1 voice, and was last updated by rajdude91 3 weeks, 5 days ago.


    Hello everyone, total newbie here!

    I need a little help making a nested LDAPFilter work in PS. I took this script from

    Recursive list of group members in AD

    It works, but I need to modify it to find out only active user accounts. So I added a nested filter to it and have since been trying to make it work. Not being a PS guru, I am sure I am doing something totally wrong here.

    Can someone please help?

    Original script, which works:

    param([Parameter(Mandatory = $true)][String]$groupName)
    $groupsHT = @{} # This is our group cache 
    $membersHT = @{} # These are our members
    function groupShouldNotBeResolved { 
        param($member) # The distinguishedName to check
        $groupsToNotResolve = @( # These are CNs! Make sure that your sAMAccountNames and CNs match! 
            "Domain Users" # Feel free to edit these! 
        )
        foreach($group in $groupsToNotResolve) { # We iterate through our list of groups... 
            if($member.StartsWith(("CN=" + $group + ","), "CurrentCultureIgnoreCase") -eq $true) { # ...and check if our member matches 
                $groupToNotResolveAD = Get-ADObject -Identity $member # If we find a match, we get it from AD 
                $groupsHT.Add($member, $groupToNotResolveAD) # And add it to our list of groups, so we know it next time 
                return $true # Let caller know this group should not be resolved 
            }
        }
        return $false # This group should be resolved! 
    }
    function resolve-members-recursive { 
        param($members) # The input is a list of members (distinguishedNames) 
        foreach($member in $members) { # We look at each member / distinguishedName 
            if($membersHT.Contains($member) -eq $true) { # If the distinguishedName is already in our list of members, we skip it 
            }
            elseif((groupShouldNotBeResolved $member) -eq $true) { # If the member is a group that should not be resolved.... 
                $membersHT.Add($member, $groupsHT.$member) # We add it to our members list 
            }
            elseif($groupsHT.Contains($member) -eq $true) { # If the distinguishedName is already in our group cache... 
                resolve-members-recursive $groupsHT.$member # Resolve its members recursively! 
            }
            else { # If the distinguishedName is in neither cache, we find out what it is... 
                $memberAD = Get-ADObject -Identity $member -Properties member # ... from AD! 
                if($memberAD.objectClass -eq "group") { # If it's a group... 
                    $groupsHT.Add($memberAD.distinguishedName, $memberAD.member) # We add it to our group cache 
                    resolve-members-recursive $groupsHT.$member # And resolve its members recursively 
                }
                else { # If it's not a group, it must be a user... 
                    $membersHT.Add($member, $memberAD) # So we add it to our members list 
                }
            }
        }
    }
    $groupToResolve = Get-ADObject -LDAPFilter ("(&(objectClass=group)(objectCategory=group)(sAMAccountName=" + $groupName + "))") -Properties member 
    if($groupToResolve -eq $null) { 
        Write-Host ($groupName + " could not be found in AD!") 
        return $null 
    }
    else { 
        resolve-members-recursive $groupToResolve.member 
        return $membersHT 
    }


    Then I added a nested filter to the line like this:

    $groupToResolve = Get-ADObject -LDAPFilter ("(&(objectClass=group)(objectCategory=group)(sAMAccountName=" + $groupName + ")(&(objectClass=User)(userAccountControl=514)") -Properties member


    But I keep getting errors. What am I doing wrong?

    Thanks for your help!
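Added example (editor's code, not the poster's script and not from the linked article). Two things in the modified filter stand in its way: the parentheses are unbalanced (seven opened, five closed), and even balanced, a single directory object is never both `objectClass=group` and `objectClass=User`, so the AND can match nothing; `userAccountControl=514` is also an exact-value match (a disabled normal account), not an "enabled" test. The usual approach is to leave the group lookup alone and apply the enabled-user test where each member is resolved, using AD's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) on the ACCOUNTDISABLE bit (value 2). Because the script splices `$groupName` straight into the filter string, the example also escapes filter values per RFC 4515 so a name containing `*`, `(`, `)` or `\` cannot change the query. The function names and the sample DN are assumptions of mine.

```powershell
# Added example, not the poster's code. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP filter (RFC 4515, section 3), so a
    # user-supplied name cannot add or remove filter terms (LDAP filter injection).
    param([Parameter(Mandatory = $true)][string]$Value)
    $map = @{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    $out = foreach ($ch in $Value.ToCharArray()) {
        $s = [string]$ch
        if ($map.ContainsKey($s)) { $map[$s] } else { $s }
    }
    return (-join $out)
}

function New-EnabledUserFilter {
    # Filter meaning "this DN is an enabled user account".
    # 1.2.840.113556.1.4.803 is AD's bitwise-AND rule; bit 2 of userAccountControl
    # is ACCOUNTDISABLE, so (!(userAccountControl:1.2.840.113556.1.4.803:=2)) = enabled.
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $dn = ConvertTo-LdapFilterValue -Value $DistinguishedName
    return "(&(distinguishedName=$dn)(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
}

function Get-EnabledUserMembers {
    # Given the member DNs collected by the recursive resolver (the keys of $membersHT),
    # return only those that are enabled user accounts. Groups from the
    # "do not resolve" list and disabled users simply do not match the filter.
    param([Parameter(Mandatory = $true)][string[]]$MemberDNs)
    foreach ($dn in $MemberDNs) {
        Get-ADObject -LDAPFilter (New-EnabledUserFilter -DistinguishedName $dn) `
            -Properties sAMAccountName, userAccountControl
    }
}

# The original group lookup, unchanged except that the name is escaped first.
function Find-GroupByName {
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $safeName = ConvertTo-LdapFilterValue -Value $GroupName
    Get-ADObject -LDAPFilter "(&(objectClass=group)(objectCategory=group)(sAMAccountName=$safeName))" -Properties member
}

# Usage (sample DN is constructed for illustration):
#   $membersHT = .\Get-GroupMembersRecursive.ps1 -groupName 'Finance'
#   Get-EnabledUserMembers -MemberDNs @($membersHT.Keys)
# Inspect the escaping without touching AD:
#   ConvertTo-LdapFilterValue -Value 'CN=Smith\, John (Sales)*,OU=Users,DC=example,DC=com'
#   New-EnabledUserFilter -DistinguishedName 'CN=jsmith,OU=Users,DC=example,DC=com'
```

Keeping the user test separate from the group lookup also means a disabled account that is nested several groups deep is still dropped, because the test runs per resolved member rather than once on the top-level group.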



