Reading Attributes of Directory Service Objects

The previous blogs described how to create an OU, a user account, and a group, and set the description attribute on each of these objects. The next common task is to read an attribute of each object.

Reading an Active Directory object’s attributes involves two simple steps:

  1. Connect to the Active Directory object you want to read.
  2. Read one or more of the object’s attributes.

The goal of the three scripts in this blog will be to read the description attribute of the HR OU, the MyerKen user account, and the Atl-Users group and display their values on the screen.

Reading an Attribute of an OU

The following script reads and displays the description attribute of the OU named HR in the na.fabrikam.com domain. To carry out this task, the script performs the following steps:

  1. Connect to the HR OU object in the na.fabrikam.com domain.
  2. Read the object’s description attribute.

Reading the description Attribute of an OU

# Step 1: connect (bind) to the HR OU.
$objOU = [ADSI]"LDAP://localhost:389/OU=HR,dc=NA,dc=fabrikam,dc=com"

# Step 2: read the description attribute.
$objOU.Get("description")

When this script runs in the na.fabrikam.com domain, it echoes the description of the HR OU to the command window, as shown:

Human Resources

Reading an Attribute of a User Account

The following script reads and displays the description attribute of the user account named MyerKen, located in the HR OU of the na.fabrikam.com domain. To carry out this task, the script performs the following steps:

  1. Connect to the MyerKen user account object in the HR OU of the na.fabrikam.com domain.
  2. Read the object’s description attribute.

Reading the description Attribute of a User Account

# Step 1: connect (bind) to the MyerKen user account.
$objUser = [ADSI]"LDAP://localhost:389/CN=MyerKen,OU=HR,dc=NA,dc=fabrikam,dc=com"

# Step 2: read the description attribute.
$objUser.Get("description")

When this script runs in the na.fabrikam.com domain, it echoes the description of the user account to the command window, as shown:

HR employee

Reading an Attribute of a Group

The following script reads and displays the description attribute of a global group named Atl-Users, located in the HR OU of the na.fabrikam.com domain. To carry out this task, the script performs the following steps:

  1. Connect to the Atl-Users group in the HR OU of the na.fabrikam.com domain.
  2. Read the object’s description attribute.

Reading the description Attribute of a Group

# Step 1: connect (bind) to the Atl-Users group.
$objGroup = [ADSI]"LDAP://localhost:389/CN=Atl-Users,OU=HR,dc=NA,dc=fabrikam,dc=com"

# Step 2: read the description attribute.
$objGroup.Get("description")

When this script runs in the na.fabrikam.com domain, it echoes the description of the group to the command window, as shown:

Atlanta users

Important observations about the scripts in this blog

  • They perform the same basic steps: They connect to an Active Directory object and read an attribute of the object.
  • They use the same method (Get) without regard to the class of object being read.

As demonstrated in this blog, the process for reading attributes is uniform from one object to the next. In fact, within a particular task, the steps you follow from one object to the next are consistent. This consistency empowers you to write scripts that can read thousands of attributes from the many objects stored in Active Directory.
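
The uniform connect-then-Get pattern, generalized into one function that reads an attribute from any list of objects and reports a failed bind or an unset attribute instead of stopping. This is an added example, not one of the blog's scripts; the function name Read-AdsiAttribute and its parameters are hypothetical, and the distinguished names are assumed to come from a trusted source.

```powershell
# Added example (not from the original blog). Read-AdsiAttribute is a hypothetical helper name.
function Read-AdsiAttribute {
    param(
        [Parameter(Mandatory)] [string[]] $DistinguishedName,
        [Parameter(Mandatory)] [string]   $Attribute,
        [string] $Server = 'localhost:389'   # same host:port the blog's scripts use
    )

    foreach ($dn in $DistinguishedName) {
        $result = [pscustomobject]@{
            DistinguishedName = $dn
            Class             = $null
            Value             = $null
            Status            = 'OK'
        }
        try {
            # Step 1: connect. The path is built by concatenation, so $dn must be
            # trusted input (assumption); the bind itself happens on first use.
            $obj = [ADSI]"LDAP://$Server/$dn"
            $result.Class = $obj.psbase.SchemaClassName

            # Step 2: read. Get is called the same way for every object class.
            # @() normalizes single- and multi-valued results to an array.
            $result.Value = @($obj.Get($Attribute)) -join '; '
        }
        catch {
            # Reached when the object cannot be bound or the attribute has no value.
            $result.Status = "Failed: $($_.Exception.Message)"
        }
        $result
    }
}

# The three objects used in this blog, read in one pass.
$dns = 'OU=HR,dc=NA,dc=fabrikam,dc=com',
       'CN=MyerKen,OU=HR,dc=NA,dc=fabrikam,dc=com',
       'CN=Atl-Users,OU=HR,dc=NA,dc=fabrikam,dc=com'

Read-AdsiAttribute -DistinguishedName $dns -Attribute 'description' |
    Format-Table -AutoSize
```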