How to Specify the Base and the Scope of your Search when using Active Directory PowerShell

As you may know, under the hood all these Active Directory PowerShell cmdlets do is perform LDAP queries against Active Directory. If you're familiar with LDAP, then you know that at least two essential pieces of information are required - the Base of the query, which is the object at which the query is rooted, and the Scope of the query, which could be either the single object that is specified (base), the object and its immediate children (one level), or the entire tree of objects rooted at the specified object (tree).

In the case of these Active Directory PowerShell cmdlets, this is no different. You need to specify the base and the scope of a cmdlet query as well.

The scope of your search can be set to Base, OneLevel, or SubTree. As alluded to above, Base searches the current path/object, OneLevel searches the specified object and its immediate children, and SubTree searches the current path/object and ALL its children (i.e. including all grandchildren, all the way down to each leaf object).

As for the Base itself, it refers to the specific Active Directory object at which to target the search.

So for example, the command Get-ADUser -LDAPFilter "(name=Scotty*)" -SearchBase "OU=Executives,OU=Accounts,DC=Contoso,DC=com" -SearchScope OneLevel would enumerate all user accounts directly in the Executives OU whose name begins with Scotty.

Note that in this example, if there were an OU within Executives called say Assistants, and it too contained a user whose name started with Scotty, that user account would not be returned as a part of the search.
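The following is an added example, not part of the original post. It runs the post's filter against the same base under each scope and flags accounts that only a SubTree search returns, which is how an account review scoped to OneLevel can miss users in nested OUs. It assumes the ActiveDirectory module is installed and the caller can read the domain; the function name Compare-ADSearchScope is hypothetical.

```powershell
# Added example: assumes the RSAT ActiveDirectory module and read access to the domain.
# The base DN and filter are the ones used in the post; the function name is hypothetical.
Import-Module ActiveDirectory

function Compare-ADSearchScope {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $LDAPFilter
    )

    # Run the identical filter once per scope and remember the DNs each one returns.
    $byScope = [ordered]@{}
    foreach ($scope in 'Base', 'OneLevel', 'Subtree') {
        $byScope[$scope] = @(
            Get-ADUser -LDAPFilter $LDAPFilter -SearchBase $SearchBase -SearchScope $scope |
                Select-Object -ExpandProperty DistinguishedName
        )
    }

    # Subtree is the superset, so walk its results and mark which narrower scopes also saw each DN.
    foreach ($dn in $byScope['Subtree']) {
        [pscustomobject]@{
            DistinguishedName = $dn
            InBase            = $byScope['Base'] -contains $dn
            InOneLevel        = $byScope['OneLevel'] -contains $dn
            # True for accounts in nested OUs (e.g. Assistants under Executives).
            NestedOnly        = $byScope['OneLevel'] -notcontains $dn
        }
    }
}

Compare-ADSearchScope -SearchBase 'OU=Executives,OU=Accounts,DC=Contoso,DC=com' -LDAPFilter '(name=Scotty*)' |
    Sort-Object NestedOnly, DistinguishedName |
    Format-Table -AutoSize
```

Rows with NestedOnly set to True are the accounts a OneLevel query at this base would not have listed.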
