Get-ADuser -server xxyy -filter {} doesn't work in a For loop

0
votes

Been a while since I posted, but i've hit a road-block which an annoying issue

I have a need to scan all of the companies domains for user accounts based on full name, as is FIRST LAST

The same code works fine when running a get-aduser -identity -server domain.name, but using

Get-aduser -filter -server doesn't work inside a For loop, and I'm not sure why!

Here's the code:

$AllDomains = (Get-ADForest).domains

Function Check-ADUser {
    Param(
    $FullName,    
    $ADList
    )

    $ADUserArray = @()

    ForEach ($SubDomain in $ADList) {

        write-host "Checking for $FullName on $SubDomain ..."

        $UserADDomain = Get-ADUser -Server $SubDomain -Filter {(Name -eq $Fullname)} -properties *  -ErrorAction SilentlyContinue | Select @{n="DomainName"; e={($_.CanonicalName -split '/')[0]}} `
        | Select-Object DomainName -ExpandProperty DomainName        

    } #ForEach $Domain

The results return black

Here's the code that work fine:

$AllDomains = (Get-ADForest).domains

Function Check-ADUser {
    Param(
    $FullName,    
    $ADList
    )

    $ADUserArray = @()

    ForEach ($SubDomain in $ADList) {

        write-host "Checking for $FullName on $SubDomain ..."

        $UserADDomain = Get-ADUser -Server $SubDomain -Identity $userName -properties *  -ErrorAction SilentlyContinue | Select @{n="DomainName"; e={($_.CanonicalName -split '/')[0]}} `
        | Select-Object DomainName -ExpandProperty DomainName        

    } #ForEach $Domain

The function is called via a for loop against each user as such

$Users = @"
Rocky Balboa
Bruce Willis
Gene Simmons
Liz Phair
Steven Segal
"@ | ForEach {$_.Split([String[]]"`r`n",[StringSplitOPtions]::None)}

$outarray = @()

ForEach ($user in $Users) {        

    $aa = Check-ADUser -FullName $User -ADList $AllDomains

}

The only real difference in the code within the function, is the use the -filter instead of -identity on the get-aduser cmdlet

What's odd, is that if I run the code outside of the for loop, it works! I'm thinking it's a Powershell gotcha! any help appreciated :-)

Owen

1
powershellfor-loopactive-directory
While seductively convenient, it's best to avoid the use of script blocks ({ ... }) as -Filter arguments. - mklement0
Please show us what is in $FullName, because you don't use that in the second example. Trying to identify a user by the Name property is asking for trouble. Better filter on SamAccountName, EmailAddress, UserPrincipalName, DistinguishedName or even SID, because these properties are/should be unique within the domain. As aside, it is bad practice to use Properties *. This pulls out ALL properties, where in your code you don't even need any user properties at all, except the one you are filtering on plus the CanonicalName - Theo
Hi Theo I've updated my original post - Kenny

1 Answers

1
votes

Use the filter statement like this,

If you are interested in performance, limit the properties to canonicalName instead of *.

After reading the last part of the docs, I think removing the ( ) within curly braces should resolve your issue as well.

$UserADDomain = Get-ADUser -Server $SubDomain -Filter "Name -eq '$Fullname'" -properties *  -ErrorAction SilentlyContinue | Select @{n="DomainName"; e={($_.CanonicalName -split '/')[0]}}

if ($null -ne $UserADDomain) {
  return $UserADDomain
}

See Microsoft docs on Filter

Excerpt:

Note: For String parameter type, PowerShell will cast the filter query to a string while processing the command. When using a string variable as a value in the filter component, make sure that it complies with the PowerShell Quoting Rules. For example, if the filter expression is double-quoted, the variable should be enclosed using single quotation marks: Get-ADUser -Filter "Name -like '$UserName'". On the contrary, if curly braces are used to enclose the filter, the variable should not be quoted at all: Get-ADUser -Filter "Name -like '$UserName'".