PowerShell Script: Finding A Distinguished Name of a Group/User: Function Find-DN

Posted on March 8, 2010. Filed under: Powershell Tangents |

Thank you for visiting my blog. I’ve moved this article to my new book’s website at: http://masteringposh.com/powershell-script-finding-a-distinguished-name-of-a-groupuser-function-find-dn

This article explains the method by which one can search Active Directory for the distinguished name of a User or Group. This is helpful when trying to add an object to Active Directory or when adding Users to Groups.

See the full article at MasteringPOSH.com
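As an added example (not the Find-DN function from the original article, whose code now lives on the author's new site), the function below shows the same idea in working PowerShell: query Active Directory through System.DirectorySearcher for the distinguishedName of a user or group by sAMAccountName or cn. It assumes it is run on a domain-joined machine with the ADSI provider available; the function and parameter names, the default search base taken from RootDSE, and the LDAP-filter escaping helper are all this example's own choices. The escaping matters because the names typically come from a CSV or text file, and an unescaped `*`, `(` or `)` in such a value would change the meaning of the filter.

```powershell
function Find-DN {
    <#
    .SYNOPSIS
        Returns the distinguishedName of users and/or groups matching a name.
    .EXAMPLE
        Find-DN -Name 'jdoe' -ObjectClass User
    .EXAMPLE
        Get-Content .\names.txt | Find-DN
    #>
    [CmdletBinding()]
    param(
        # One or more sAMAccountName or cn values; accepts pipeline input,
        # including objects from Import-Csv that carry a "Name" column.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [ValidateNotNullOrEmpty()]
        [string[]]$Name,

        # Restrict the lookup to users, to groups, or search both.
        [ValidateSet('User', 'Group', 'Any')]
        [string]$ObjectClass = 'Any',

        # Search root (a DN). Defaults to the current domain's defaultNamingContext
        # read from RootDSE (an assumption of this example).
        [string]$SearchBase
    )

    begin {
        # Escape the characters RFC 4515 reserves in LDAP filter values, so a
        # name read from a file is always treated as a literal, never as filter
        # syntax. The backslash is escaped first so later escapes are not doubled.
        function ConvertTo-LdapFilterLiteral {
            param([string]$Value)
            $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
        }

        if (-not $SearchBase) {
            $rootDse    = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
            $SearchBase = [string]$rootDse.Properties['defaultNamingContext'].Value
        }
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")

        # objectCategory=person is required for users, otherwise computer
        # accounts (also objectClass=user) would match.
        $classFilter = switch ($ObjectClass) {
            'User'  { '(&(objectCategory=person)(objectClass=user))' }
            'Group' { '(objectClass=group)' }
            default { '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))' }
        }
    }

    process {
        foreach ($n in $Name) {
            $literal = ConvertTo-LdapFilterLiteral $n
            # Exact match on either naming attribute; no wildcards are introduced.
            $filter = "(&$classFilter(|(sAMAccountName=$literal)(cn=$literal)))"

            $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
            $searcher.PageSize = 1000
            [void]$searcher.PropertiesToLoad.Add('distinguishedName')
            [void]$searcher.PropertiesToLoad.Add('objectClass')

            $results = $searcher.FindAll()
            try {
                if ($results.Count -eq 0) {
                    # Surface the miss instead of silently returning nothing, so an
                    # import script can stop before creating a duplicate or failing later.
                    Write-Warning "No user or group named '$n' found under $SearchBase"
                    continue
                }
                if ($results.Count -gt 1) {
                    Write-Warning "'$n' matched $($results.Count) objects; returning all of them"
                }
                foreach ($r in $results) {
                    [pscustomobject]@{
                        Name              = $n
                        DistinguishedName = $r.Properties['distinguishedname'][0]
                        # The most specific class is the last entry in the objectClass list.
                        ObjectClass       = @($r.Properties['objectclass'])[-1]
                    }
                }
            }
            finally {
                $results.Dispose()
                $searcher.Dispose()
            }
        }
    }
}
```

Because the Name parameter binds from the pipeline by value and by property name, a plain text file of names (`Get-Content .\names.txt | Find-DN`) and a CSV with a Name column (`Import-Csv .\users.csv | Find-DN -ObjectClass User`) both work without any extra parsing. The warnings for zero and multiple matches are the checks an import script wants before it acts on a DN: a missing object and an ambiguous name are the two cases where blindly using the first result goes wrong.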


8 Responses to “PowerShell Script: Finding A Distinguished Name of a Group/User: Function Find-DN”


Dude, there are many Free Active Directory reporting tools that you can use to find the DN of objects.

You ought to try one of those as well. Why would you want to waste your time writing quirky PowerShell scripts?!


Thank you for your post on my blog. I respectfully disagree with your blog about Powershell not being a tool. When I first started working with Powershell, I felt the same way as well as I was more comfortable with a GUI environment for all of my transactions. This however, became quickly clear as a Systems Engineer that the GUI would not work in enterprise environments. Why?

Take a school, for example, where you have students that come and go every year. One of my largest school clients has in excess of 700 students a year. When each student gets an active directory logon and an exchange email, you will have to develop a script to import these students. While the import-csv utility maps a csv file to active directory attributes, what happens when you try to import a user with an existing username? That’s why the function described in this article is powerful, as you can check before you import and have an error.

A second example, the company I am currently consulting for is in the Top 10 of the Fortune 500 organizations. They have to create systems to distribute to a multitude of hospitals. We have to create unique forests and domains for the systems. In doing this, we have a script that populates the active directory schema with OUs, Users and Groups, imports the predefined policies, and does a validation check to ensure Active directory meets the regulatory requirements.

With VB Scripts slated to go away in the next Server release, it’s imperative that Systems Engineers learn Powershell as it is the new standard for systems. Plus being able to perform EVERYTHING that you can in a VB script with Powershell and make references to .NET assemblies (like my encryption article), it’s a tough argument to not use it.

Happy Coding!


Thanks Brenton for posting this scriptlet!
And to Marc, I can give direct feedback that not only what Brenton has explained is in fact the norm amongst Sys Admins/Engi’s, but his current post is going to help me out immensely.
Case in point: As of Exchange 2007, MS in their infinite wisdom has removed a very useful “GUI” tool. In Exchange 2003, you could install the “Exchange Tools”, as a separate optional install, on a domain controller, or better yet, a “Helpdesk” Terminal Services workstation. These 2k3 tools not only allowed you to deploy a mailbox directly from Users and Computers, but also more importantly you could create “Dynamic” groups called “Query Based” groups. They could be either (email enabled) Security Groups, or Dynamic Distribution Groups.
Well, now with 2007, they have moved completely away from managing anything Exchange related in ADUC (Active Directory Users and Computers). In this particular case, I think removing this functionality was one of the stupidest ideas MS has ever had. The GUI Tools for those two particular functions were not just nicey-nicey “features”, but immensely helpful in reducing the time to “on-boarding”. And I come from a Linux/Scripting background; so for me to say I favored a particular MS GUI option is rare…
And myopically, for a person like myself who deals directly with Identity Management issues, this left me out in the cold. When this occurred, I started getting tons of calls saying, “Hey, you know all those Dist Lists we created based on “everyone in Hong Kong”, etc? They all stopped working!” My US-ALL, UK-ALL, etc, etc, etc groups all started to fail.
There is no “Easy Button” in this case. We had to recreate them all using OPATH attributes; for instance:
((RecipientType -eq 'UserMailbox' -and Co -eq 'BE') -and -not(Name -like 'SystemMailbox{*') -and -not(Name -like 'CAS_{*'))
So to be brutally honest, you will not be able to be a continuing Exchange 2007 and further Admin without knowing your way around scripting.
I am glad to have found Brenton’s nugget of brilliance here, because I “may” be able to get out of my current predicament, in that there are none of these OPATH attributes other than those that MS has defined. For instance, we have defined our own Schema Attributes, like “CostCenter”.
So, I am stuck – either having to manually re-create these CostCenter based groups, and have Helpdesk manually update and edit them (the “yuck” factor choice)… or somehow automate this via scripting… which is what I am in the middle of trying to see if I can do.
Now that I found Brenton’s scriptlet, I hope I can hack it together with some other scriptlets I have found to basically do a nightly reading of a current group, save the user list to memory/file, then do a new query to see who has been added or left the company that fits those same criteria, then fill the group back up again.
A good Sys Admin/Engi really cannot really call themselves such, or truly worth their salt until they get to a point where they have been able to fix certain situations like this via scripting.
When interviewing candidates for our Exchange Admin position that is currently open, these were some of the first and most heavily weighted questions:
“What websites do you use when you get ‘stuck’ “ – If his/her first answer isn’t Google… or something like, “Oh well, I search TechNet first, and then I check Experts-Exchange, and then I have some blogs I rely on, etc”… then I am not really going to take them seriously.
“What percentage of your day is spent managing your environment, and how do you do that, what tools?”
By this I mean that solely relying on manually using a GUI = bad Admin, bad!
Conversely if they say… “I actually spend very little time “managing” the environment; I automate most of my “daily” tasks, so that I don’t spend a lot of hands on time” then I would immediately perk up and consider that person more closely.
If someone says, “well, I have an MCSA/MCITP, so I have the experience to figure out how to use what’s given to me as tools, out of the box, and past that, well, I’m not really sure I follow your question” they would immediately be met with a response like, “Well, thank you for your time. We’ll let you know”.
Reading MS Press books, and depending upon the GUI, without being able to back up your experiences with anecdotes of how you were able to work your way around a problem with scripting, or doing some “engineering”, would mean to me that that person would make maybe a decent Junior/2nd level Admin.

Not trying to be mean, just real.

Thanks again to you, Brenton for posting this!


I’d just like to add my name to the list of those who would rather get a script to do all the work rather than doing everything manually! I’m writing a powershell script to migrate several thousand users from one set of groups to another on a schedule – this function saved me a lot of time.


Great post, I am almost 100% in agreement with you

Great script! Would like to use it in a script listing folder permissions (including group members), however I am having trouble getting find-dn to read its input from a txt/csv file.

Any help would be great

We are a group of volunteers and opening a new
scheme in our community. Your website provided us with useful info
to work on. You’ve done an impressive activity and our entire group will be thankful to you.
