
June 3, 2015 at 9:47 pm

[blockquote]Get-ADUser -SearchScope Base -SearchBase "OU=Test,DC=TestDomain,DC=com" -filter *[/blockquote]

This returns no results at all, even though there are users in the Test OU.
Is that a bug, or designed behavior? The help file seems to intimate that this should work. OneLevel should look in the Sub-OUs of Test, SubTree digs all the way down. But Base is supposed to interrogate the top-level item. It seems broken to me. True?

June 3, 2015 at 10:18 pm

The base value for -SearchScope is used to verify if the base exists, not to report on any of the child objects, such as is done with onelevel and subtree. Try your command above two different ways: one with a valid -SearchBase value and one without. The one without will error (the base doesn't exist), and the one with a valid DN will not error, since the value for -SearchBase was accurate. I get it's odd when working with Get-ADUser, but it's there to validate the base, that's it. Honestly, I've never seen it used, while I've seen the other two values used quite often.

June 4, 2015 at 4:24 am

Okay, so let me ask a more useful question.

Is there a right way to use Get-ADUser to retrieve the list of users found in one specific OU, but not in that OU's child OUs?

June 4, 2015 at 4:54 am

The help for get-aduser shows that the searchscope parameter accepts 3 values: Base, onelevel and subtree. Therefore, to answer your question, instead of base, use onelevel for the searchscope parameter in your command to get the desired results.


Specifies the scope of an Active Directory search. Possible values for this parameter are:
Base or 0
OneLevel or 1
Subtree or 2

A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object.

June 4, 2015 at 5:06 am

Okay – the light bulb is finally going on for me.

I read "A OneLevel query searches the immediate children of that path or object." and assumed that meant it was searching only the direct Child OUs of the searchbase OU. Given a set of three OUs, with OU1 having OU2 and OU3 as direct children, I mistakenly assumed a OneLevel search was scanning one level [i]below[/i] OU1 – in other words, inventorying the contents of OU2 and OU3, but not OU1 itself.

I'm finally seeing that OneLevel means to search the [i]contents[/i] of the base, while Base means to search for the base object itself. It's weird, but it's got a beat, and I can dance to it.

Thanks for helping me see the light!

June 4, 2015 at 6:12 am

Base = Single object

Get-ADUser -SearchBase $userdn -SearchScope Base -Filter *

June 4, 2015 at 6:15 am

Alternatively: Get-ADobject -SearchBase $ou -SearchScope Base -Filter *
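
An added example, not part of the thread: a PowerShell model of the three -SearchScope values run against a constructed four-entry directory, so it needs no domain. `Select-ByScope`, the `Class` argument (standing in for Get-ADUser returning only user objects) and the sample entries under the Test OU are hypothetical.

```powershell
# Constructed sample directory (not real data).
$base = 'OU=Test,DC=TestDomain,DC=com'
$directory = @(
    [pscustomobject]@{ DN = $base;                   Class = 'organizationalUnit' }
    [pscustomobject]@{ DN = "CN=Alice,$base";        Class = 'user' }
    [pscustomobject]@{ DN = "OU=Sub,$base";          Class = 'organizationalUnit' }
    [pscustomobject]@{ DN = "CN=Bob,OU=Sub,$base";   Class = 'user' }
)

# Hypothetical helper that models how an LDAP search scope selects entries.
# Assumption: DNs contain no escaped commas, so the parent DN is everything
# after the first comma.
function Select-ByScope {
    param(
        [object[]]$Directory,
        [string]$SearchBase,
        [ValidateSet('Base', 'OneLevel', 'Subtree')][string]$SearchScope,
        [string]$Class   # empty = any object class
    )
    # A search base that does not exist is an error, whatever the scope.
    if ($Directory.DN -notcontains $SearchBase) {
        throw "Search base not found: $SearchBase"
    }
    foreach ($entry in $Directory) {
        $dn = $entry.DN
        $comma = $dn.IndexOf(',')
        $parent = if ($comma -ge 0) { $dn.Substring($comma + 1) } else { '' }
        $inScope = switch ($SearchScope) {
            'Base'     { $dn -eq $SearchBase }        # the base object itself
            'OneLevel' { $parent -eq $SearchBase }    # immediate children only
            'Subtree'  {                              # base plus all descendants
                $dn -eq $SearchBase -or
                $dn.EndsWith(",$SearchBase", [System.StringComparison]::OrdinalIgnoreCase)
            }
        }
        # Scope is applied first, then the object-class filter.
        if ($inScope -and (-not $Class -or $entry.Class -eq $Class)) { $entry.DN }
    }
}

foreach ($scope in 'Base', 'OneLevel', 'Subtree') {
    $users = Select-ByScope -Directory $directory -SearchBase $base -SearchScope $scope -Class 'user'
    '{0,-8} users: {1}' -f $scope, (@($users) -join '; ')
}
'Base, any class: ' + (Select-ByScope -Directory $directory -SearchBase $base -SearchScope Base)
```

Base against the OU yields no users because the only object in scope is the OU itself, which is not a user; the same scope with no class filter returns the OU.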