
AD Search Scopes

In AD we can define a scope for our search. In most of the examples we have seen, we start at the root of the domain and search every OU. This is the default, also known as a SubTree search, i.e. it searches all children of the defined container.

These examples use Get-ADUser, but we could use the Quest cmdlets or a script. The provider, however, is limited to the defined container or all child containers of the root.

# The AD cmdlets come from the ActiveDirectory module
Import-Module ActiveDirectory

$ou = "OU=BlogTests,DC=Manticore,DC=org"
$user = "cn=usera,OU=BlogTests,DC=Manticore,DC=org"

# No -SearchScope given, so the default (SubTree) applies
"Default Scope"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -Filter * |
Format-Table Name, DistinguishedName

# Base against an OU: only the OU object itself is in scope
"`nBase"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -SearchScope Base -Filter * |
Format-Table Name, DistinguishedName

"`nOneLevel"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -SearchScope OneLevel -Filter * |
Format-Table Name, DistinguishedName

"`nSubTree"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -SearchScope SubTree -Filter * |
Format-Table Name, DistinguishedName

# Base returns the search base object itself
"`nBase Examples"
"single user"
Get-ADUser -ResultSetSize 3000 -SearchBase $user -SearchScope Base -Filter * |
Format-Table Name, DistinguishedName

"single object"
Get-ADObject -ResultSetSize 3000 -SearchBase $ou -SearchScope Base -Filter * |
Format-Table Name, DistinguishedName

The scope options are:

  • Base
  • OneLevel
  • SubTree

SubTree is the defined container and all child containers, including their children, and so on.

OneLevel is the defined container only: child containers are not searched.

Base is an oddity: it returns the object that is defined! So when we ask for all users in an OU using a Base scope, we get nothing back. If we give a specific user, or we use Get-ADObject, we get that individual user or object returned!
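The three scopes modelled on a small constructed directory, as an added example (not code from the original post) that runs without a domain controller. Test-InScope, Find-SampleObject and every entry except the BlogTests OU and usera are hypothetical, and the DNs are assumed to contain no escaped commas.

```powershell
# Added example: LDAP search-scope semantics on constructed DNs, no AD required.
# Only the BlogTests OU and usera come from the post; the rest is constructed.
$directory = @(
    [pscustomobject]@{ Class = 'organizationalUnit'; DN = 'OU=BlogTests,DC=Manticore,DC=org' }
    [pscustomobject]@{ Class = 'user'; DN = 'CN=usera,OU=BlogTests,DC=Manticore,DC=org' }
    [pscustomobject]@{ Class = 'user'; DN = 'CN=userb,OU=BlogTests,DC=Manticore,DC=org' }
    [pscustomobject]@{ Class = 'organizationalUnit'; DN = 'OU=Nested,OU=BlogTests,DC=Manticore,DC=org' }
    [pscustomobject]@{ Class = 'user'; DN = 'CN=userc,OU=Nested,OU=BlogTests,DC=Manticore,DC=org' }
    [pscustomobject]@{ Class = 'user'; DN = 'CN=userd,OU=Other,DC=Manticore,DC=org' }
)

# Hypothetical helper: is $DN inside $SearchBase for the given scope?
function Test-InScope {
    param(
        [string]$DN,
        [string]$SearchBase,
        [ValidateSet('Base', 'OneLevel', 'SubTree')][string]$SearchScope = 'SubTree'
    )
    $suffix = ",$SearchBase"
    $isBelow = $DN.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)
    switch ($SearchScope) {
        # Base: only the search base object itself
        'Base'     { $DN -eq $SearchBase }
        # OneLevel: exactly one RDN sits in front of the search base
        'OneLevel' { $isBelow -and ($DN.Substring(0, $DN.Length - $suffix.Length) -notmatch ',') }
        # SubTree: the base object plus everything beneath it
        'SubTree'  { ($DN -eq $SearchBase) -or $isBelow }
    }
}

# Hypothetical stand-in for Get-ADUser / Get-ADObject with -Filter *
function Find-SampleObject {
    param([string]$SearchBase, [string]$SearchScope = 'SubTree', [string]$Class)
    $directory | Where-Object {
        (Test-InScope $_.DN $SearchBase $SearchScope) -and
        (-not $Class -or $_.Class -eq $Class)
    }
}

$ou   = 'OU=BlogTests,DC=Manticore,DC=org'
$user = 'CN=usera,OU=BlogTests,DC=Manticore,DC=org'

foreach ($scope in 'Base', 'OneLevel', 'SubTree') {
    $hits = @(Find-SampleObject -SearchBase $ou -SearchScope $scope -Class user)
    '{0,-8} users from the OU: {1} [{2}]' -f $scope, $hits.Count, ($hits.DN -join '; ')
}
'Base on a user DN: ' + (Find-SampleObject $user Base user).DN
'Base on the OU, any class: ' + (Find-SampleObject $ou Base).DN
```

When auditing which accounts a delegation or policy linked to an OU covers, comparing the OneLevel and SubTree results shows how many of them sit in nested OUs.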
