1
votes

I wanted to ask, as I'm querying all users from AD whose Home Directory is in a certain directory from PowerShell using Get-ADUser, and in most cases it retrieves a null result.

The query I run is this:

$DirectoryInfo = Get-Item \\Fileserver\Users

$strFilter = $DirectoryInfo.FullName.Replace('\','\5c')

$AdUser = Get-AdUser -Filter {homeDirectory -like $strFilter}

echo $AdUser

If I look in the AD admin center panel for a specific user, I can see that it does indeed have its Home Directory set inside the path I queried before in PowerShell.

Another thing that seems strange to me is that there are some users that appear in the query, so the previous case doesn't apply to all users.

Is it that the AD admin center panel shows the Home Directory of the Group this user belongs to, for example, or is it just that I'm running a wrong query from PowerShell?

Thanks in advance,

Juan Pablo.

2 Answers

1
votes

I think because the HomeDirectory attribute is not in the default output set from Get-ADUser, you need to add it to the required Properties as well.
This may be part of a larger script, but from the question I fail to see why you would need this:

$DirectoryInfo = Get-Item \\Fileserver\Users
$strFilter = $DirectoryInfo.FullName + '\*'

since you already have the UNC path for the users home directories.

I cannot test this right now, but you could try like this:

$strFilter = '\\Fileserver\Users\*'
# the value must be quoted inside the filter string
$AdUser = Get-AdUser -Filter "HomeDirectory -like '$strFilter'" -Properties HomeDirectory
$AdUser

or use a Where-Object to get what you want:

$strFilter = '\\Fileserver\Users\*'
$AdUser = Get-AdUser -Filter * -Properties HomeDirectory | Where-Object { $_.HomeDirectory -like $strFilter }
$AdUser


-LDAPFilter-Filterescape
*         \2A
(         \28
)         \29
\         \5C
NUL       \00

You do this by prepending a backslash \ to each of these characters and replacing the characters themselves by their ASCII code in hex. The ( becomes \28, the backslash \ becomes \5c etc.

This uses a small function to escape these characters for an LDAP search filter:

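function Escape-LdapSearchFilter([string] $Filter) {
    # Escape the backslash first, so the backslashes inserted by the
    # later replacements are not escaped a second time.
    return $Filter -creplace '\\', '\5c' `
                   -creplace '\*', '\2a' `
                   -creplace '\(', '\28' `
                   -creplace '\)', '\29' `
                   -creplace '/' , '\2f' `
                   -creplace '\x00', '\00'   # \x00 is the regex for a NUL character
}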

$strFilter = Escape-LdapSearchFilter "\\Fileserver\Users\"
# for LDAP you must use the correct attribute name, so `homeDirectory` with a lower-case `h`
$AdUser = Get-AdUser -LDAPFilter "(homeDirectory=$strFilter*)" -Properties HomeDirectory
$AdUser
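
The escaping described in this answer, generalized into a single-pass encoder that also builds the whole prefix filter. This is an added example, not code from the answer; the function names `ConvertTo-LdapFilterValue` and `New-LdapPrefixFilter` and the sample paths are assumptions made for illustration.

```powershell
# Added example: names and sample values are hypothetical / constructed.
function ConvertTo-LdapFilterValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string] $Value
    )
    process {
        # Single pass over the input: every special character (\ * ( ) NUL)
        # is replaced exactly once by a backslash plus its two-digit hex code,
        # so the order of replacements cannot cause double or missed escaping.
        [regex]::Replace($Value, '[\\*()\x00]', {
            param($m) '\{0:x2}' -f [int]$m.Value[0]
        })
    }
}

function New-LdapPrefixFilter {
    param(
        # Attribute names are restricted to letters, digits and hyphens so a
        # caller-supplied name cannot change the structure of the filter.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')]
        [string] $Attribute,

        [Parameter(Mandatory)]
        [string] $Prefix
    )
    # The only unescaped '*' in the result is the trailing wildcard added here.
    '({0}={1}*)' -f $Attribute, (ConvertTo-LdapFilterValue $Prefix)
}

# Constructed sample values: a plain share, a folder whose name starts with
# two hex digits, and a name containing parentheses and an asterisk.
$samples = '\\Fileserver\Users\', '\\Fileserver\ab\', '\\Fileserver\Users (old)\*'
foreach ($s in $samples) {
    New-LdapPrefixFilter -Attribute homeDirectory -Prefix $s
}

# With the ActiveDirectory module loaded, the result is passed on like this:
# Get-ADUser -LDAPFilter (New-LdapPrefixFilter homeDirectory '\\Fileserver\Users\') -Properties HomeDirectory
```

The second sample shows why the backslash has to be escaped unconditionally: in `\ab` the backslash is part of the path, and left unescaped the filter would treat `\ab` as an escape sequence for the byte 0xAB.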
0
votes

I don't know what \5c is doing in that code, so please forgive my ignorance.

If \\Fileserver\Users is the root directory that contains home directories, then the following code should work:

$DirectoryInfo = Get-Item \\Fileserver\Users
$strFilter = $DirectoryInfo.FullName + '\*'
$AdUser = Get-AdUser -Filter {homeDirectory -like $strFilter}
$AdUser

The -like operator needs asterisks if your string is not an exact match.