AD Search Scopes
In AD we can define a scope for our search. In most of the examples we have seen so far we start at the root of the domain and search every OU. This is the default, also known as a SubTree search: it searches the defined container and all of its children.
These examples use Get-ADUser, but we could equally use the Quest cmdlets or a script. Whichever we use, the provider limits the search to the defined container, or to that container plus all of the child containers beneath it.
$ou = "OU=BlogTests,DC=Manticore,DC=org"
$user = "cn=usera,OU=BlogTests,DC=Manticore,DC=org"
# No -SearchScope given: the default is SubTree
"`nDefault Scope"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -Filter * |
Format-Table Name, DistinguishedName
# Base: only the object named in -SearchBase; an OU is not a user, so nothing comes back
"`nBase"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -SearchScope Base -Filter * |
Format-Table Name, DistinguishedName
# OneLevel: objects directly in the OU, not those in child OUs
"`nOneLevel"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -SearchScope OneLevel -Filter * |
Format-Table Name, DistinguishedName
# SubTree: the OU and every container beneath it
"`nSubTree"
Get-ADUser -ResultSetSize 3000 -SearchBase $ou -SearchScope SubTree -Filter * |
Format-Table Name, DistinguishedName
"`nBase Examples"
# Base scope with a user's own DN as the search base returns that single user
"single user"
Get-ADUser -ResultSetSize 3000 -SearchBase $user -SearchScope Base -Filter * |
Format-Table Name, DistinguishedName
# Base scope with Get-ADObject returns the OU object itself
"single object"
Get-ADObject -ResultSetSize 3000 -SearchBase $ou -SearchScope Base -Filter * |
Format-Table Name, DistinguishedName
The scope options are:
SubTree is the defined container and all child containers, including their children and so on.
OneLevel is the defined container only; child containers are not searched.
Base is an oddity: it returns only the object that is defined as the search base. So when we ask for all users in an OU using a Base scope we get nothing back, because the OU itself is not a user. If we give a specific user as the base, or we use Get-ADObject, we get that individual user or object returned.
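To make the three scopes concrete, here is an added example (not from the original post, and not the AD cmdlets themselves): a small Python model of the LDAP search-scope rules that -SearchScope maps onto, run over a constructed directory shaped like the post's OU=BlogTests. The user and child-OU names are constructed sample data, and DN comparison is simplified to case-insensitive string matching.

```python
# Added example (not from the original post): a model of the LDAP search-scope
# rules behind Get-ADUser -SearchScope, run over a constructed directory.
# Simplification: DN comparison is plain case-insensitive string matching.

def dn_parts(dn):
    """Split a DN into its RDNs, lower-cased, keeping escaped commas (\\,)."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped char stays in its RDN
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip())
    return [p.lower() for p in parts]

def in_scope(dn, base, scope):
    """True if dn is returned by a search rooted at base with the given scope."""
    d, b = dn_parts(dn), dn_parts(base)
    if scope == "Base":          # only the base object itself
        return d == b
    if scope == "OneLevel":      # direct children only, not the base object
        return len(d) == len(b) + 1 and d[1:] == b
    if scope == "SubTree":       # the base object plus every descendant
        return len(d) >= len(b) and d[len(d) - len(b):] == b
    raise ValueError(f"unknown scope {scope!r}")

# Constructed sample directory: (distinguishedName, objectClass).
DIRECTORY = [
    ("DC=Manticore,DC=org", "domainDNS"),
    ("OU=BlogTests,DC=Manticore,DC=org", "organizationalUnit"),
    ("CN=usera,OU=BlogTests,DC=Manticore,DC=org", "user"),
    ("CN=userb,OU=BlogTests,DC=Manticore,DC=org", "user"),
    ("OU=Child,OU=BlogTests,DC=Manticore,DC=org", "organizationalUnit"),
    ("CN=userc,OU=Child,OU=BlogTests,DC=Manticore,DC=org", "user"),
]

def search(base, scope, object_class=None):
    """DNs in scope; object_class=None is like Get-ADObject -Filter *, "user" like Get-ADUser."""
    return [dn for dn, oc in DIRECTORY
            if in_scope(dn, base, scope) and (object_class is None or oc == object_class)]
```

Calling search(ou, "Base", "user") returns an empty list, which is the oddity above: the OU is the only object in a Base scope and it is not a user, while search(ou, "Base") returns the OU itself, as Get-ADObject does.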