ADSISearcher

What is ADSISearcher?

ADSISearcher is a PowerShell shorthand for the .NET class `System.DirectoryServices.DirectorySearcher`. It lets you run LDAP queries against Active Directory to retrieve user and computer information, group memberships and other properties of AD objects. The syntax is comparatively simple, since `[adsisearcher]` is a type accelerator (short form) for that class.

How do I perform a simple query with ADSISearcher?

LDAP (Lightweight Directory Access Protocol) is the protocol used to query and modify directory services such as Active Directory. To use ADSISearcher effectively, you need to understand LDAP filter syntax: queries are expressed as filters on attributes such as `objectClass` or `objectCategory`. Example of a user query:

    ([adsisearcher]"(objectCategory=person)").FindAll()

This query searches for all user objects in the AD domain.
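The one-liner above returns raw `SearchResult` objects; the following function, added here as an example and not code from the original article, shows how to run the same query and read attributes out of each result safely (property keys are lower-case, every value is a collection, and the result collection must be disposed). It requires a domain-joined Windows host; the attribute names are standard AD schema names.

```powershell
# Added example: run a basic ADSISearcher query and read selected attributes.
function Get-AdsiPersonSummary {
    param(
        # LDAP filter; the default is the user query from the text
        [string]$Filter = '(objectCategory=person)'
    )

    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000   # ask the DC to page results; otherwise it stops at its 1000-object limit

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Keys in ResultPropertyCollection are lower-case, and every value is a collection,
            # even for single-valued attributes; an attribute the object lacks comes back empty,
            # so check Count before indexing (objectCategory=person also matches contacts, which
            # have no sAMAccountName).
            $p = $r.Properties
            [pscustomobject]@{
                SamAccountName    = if ($p['samaccountname'].Count) { $p['samaccountname'][0] } else { $null }
                DisplayName       = if ($p['displayname'].Count)    { $p['displayname'][0] }    else { $null }
                DistinguishedName = $p['distinguishedname'][0]
                Path              = $r.Path   # LDAP://... path, usable with [adsi] to bind to the object
            }
        }
    }
    finally {
        # FindAll() holds a server-side result set open until the collection is disposed
        $results.Dispose()
    }
}

Get-AdsiPersonSummary | Format-Table -AutoSize
```

`FindOne()` is the equivalent when you expect a single object; it returns a `SearchResult` directly and needs no disposal.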

How do I improve the performance of ADSISearcher queries?

One of the biggest challenges when working with ADSISearcher is optimizing queries for large AD environments. Efficient queries are based on indexed attributes, such as `sAMAccountType`, which is set to the value `805306368` for user objects. This reduces the load on the domain controller and shortens search times. An inefficient query such as `(&(objectClass=user)(objectCategory=person))` can place a load on the AD servers, since neither attribute is optimized for this search.
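To see the difference in practice, the following helper (an added example, not from the original article) times a filter against the domain while applying the other two standard performance measures: paging, and restricting the search root to an OU instead of walking the whole domain. The OU path is an assumed placeholder; replace it with one that exists in your domain or omit `-SearchBase`.

```powershell
# Added example: time an LDAP filter with paging, a scoped search root and a minimal attribute list.
function Measure-AdsiFilter {
    param(
        [Parameter(Mandatory)][string]$Filter,
        # e.g. 'LDAP://OU=Staff,DC=example,DC=com' (placeholder); empty string = whole domain
        [string]$SearchBase = ''
    )

    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = 1000
    if ($SearchBase) {
        # Scope the query to a subtree instead of the default domain root
        $searcher.SearchRoot = [adsi]$SearchBase
    }
    # Request a single attribute; returning every attribute of every object is the
    # other common cause of slow queries
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $results = $searcher.FindAll()
    $count = $results.Count      # forces the paged enumeration to complete
    $results.Dispose()
    $sw.Stop()

    [pscustomobject]@{
        Filter       = $Filter
        Objects      = $count
        Milliseconds = [int]$sw.Elapsed.TotalMilliseconds
    }
}

# Indexed attribute: sAMAccountType 805306368 (SAM_NORMAL_USER_ACCOUNT) selects user accounts directly
Measure-AdsiFilter -Filter '(sAMAccountType=805306368)'

# The form the text describes as inefficient, for comparison
Measure-AdsiFilter -Filter '(&(objectClass=user)(objectCategory=person))'
```

Run each filter more than once; the first execution includes connection setup and the DC's own caching, so only repeated runs are comparable.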

How do I find inactive users or computers?

ADSISearcher makes it possible to find inactive users or computers by querying attributes such as `lastLogon` or `lastLogonTimestamp`. These attributes indicate when a user or computer last logged on. For example, to find inactive computers that have not logged on for 90 days, the following query can be used:

    ([adsisearcher]"(&(objectCategory=computer)(lastLogonTimestamp<=$((Get-Date).AddDays(-90).ToFileTime())))").FindAll()

This helps to minimize potential security risks from unused accounts.
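The 90-day query above has two gaps that matter for an account-hygiene review: a computer that has never logged on has no `lastLogonTimestamp` at all, so a `<=` comparison never matches it, and accounts that are already disabled clutter the list. The following function, an added example rather than code from the original article, closes both gaps and converts the FILETIME value back into a date. The `userAccountControl` bit test uses the LDAP_MATCHING_RULE_BIT_AND OID `1.2.840.113556.1.4.803`, and `2` is the ACCOUNTDISABLE flag.

```powershell
# Added example: stale computer accounts, including never-logged-on ones, excluding disabled ones.
function Get-StaleComputer {
    param([int]$Days = 90)

    $cutoff = (Get-Date).AddDays(-$Days).ToFileTime()
    $filter = "(&(objectCategory=computer)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +          # not disabled
              "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"    # old, or never set

    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'lastLogonTimestamp', 'operatingSystem', 'distinguishedName'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $ts = $r.Properties['lastlogontimestamp']
            # lastLogonTimestamp is stored as a 64-bit FILETIME; absent means never logged on
            $lastSeen = if ($ts.Count -gt 0) { [DateTime]::FromFileTime([int64]$ts[0]) } else { $null }
            [pscustomobject]@{
                Name        = $r.Properties['name'][0]
                LastLogonTs = $lastSeen                                  # $null = never
                DaysStale   = if ($lastSeen) { [int]((Get-Date) - $lastSeen).TotalDays } else { $null }
                OS          = if ($r.Properties['operatingsystem'].Count) { $r.Properties['operatingsystem'][0] } else { '' }
                DN          = $r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()
    }
}

Get-StaleComputer -Days 90 | Sort-Object DaysStale -Descending | Format-Table -AutoSize
```

Keep in mind that `lastLogonTimestamp` is only updated on the DC (and then replicated) when the stored value is more than roughly 14 days old, so it is accurate to within about two weeks; `lastLogon`, by contrast, is exact but not replicated, so it must be read from every domain controller to get the true latest logon.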

Which attributes are most useful for AD queries?

ADSISearcher allows specific AD attributes to be loaded in order to limit the search results to relevant data, which improves performance. Example:

    $searcher = [adsisearcher]"(objectCategory=user)"
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'displayName', 'lastLogon'))
    $searcher.FindAll()

In this case, only the `sAMAccountName`, `displayName` and `lastLogon` attributes are returned. Specifying the attributes helps to structure the output and makes queries faster.

Query of Service Principal Names (SPN) and special accounts

ADSISearcher can also be used to find service accounts or special users by querying attributes such as `servicePrincipalName`. SPNs are essential for the authentication of services in the network. Such queries are often important in security auditing to identify vulnerabilities, such as poorly configured service accounts. With the ability to query AD specifically for security-relevant information, ADSISearcher plays a key role in the monitoring and defense of IT infrastructures.
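A typical audit query of this kind, as an added example that is not code from the original article, lists user accounts that carry an SPN (computer accounts all have SPNs and are excluded via `sAMAccountType`) and reports the settings a reviewer checks on service accounts: password age, whether the password is exempt from expiry (`userAccountControl` flag `0x10000`, DONT_EXPIRE_PASSWORD), and whether a disabled account still holds SPNs. The 365-day threshold is an assumed policy value.

```powershell
# Added example: configuration audit of user accounts that have servicePrincipalName set.
function Get-SpnAccountAudit {
    param([int]$MaxPasswordAgeDays = 365)   # assumed policy threshold

    $DONT_EXPIRE_PASSWORD = 0x10000
    $ACCOUNTDISABLE       = 0x2

    # 805306368 restricts the result to normal user accounts, so computer objects are not listed
    $searcher = [adsisearcher]'(&(sAMAccountType=805306368)(servicePrincipalName=*))'
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName', 'pwdLastSet', 'userAccountControl', 'distinguishedName'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $uac    = [int]$r.Properties['useraccountcontrol'][0]
            $pls    = [int64]$r.Properties['pwdlastset'][0]
            $pwdSet = if ($pls -gt 0) { [DateTime]::FromFileTime($pls) } else { $null }   # 0 = must change at next logon / never set
            $pwdAge = if ($pwdSet) { [int]((Get-Date) - $pwdSet).TotalDays } else { $null }

            $findings = @()
            if ($uac -band $DONT_EXPIRE_PASSWORD)                       { $findings += 'password never expires' }
            if ($null -eq $pwdAge -or $pwdAge -gt $MaxPasswordAgeDays)  { $findings += "password older than $MaxPasswordAgeDays days" }
            if ($uac -band $ACCOUNTDISABLE)                             { $findings += 'disabled but still holds SPNs' }

            [pscustomobject]@{
                SamAccountName  = $r.Properties['samaccountname'][0]
                SpnCount        = $r.Properties['serviceprincipalname'].Count
                PasswordSet     = $pwdSet
                PasswordAgeDays = $pwdAge
                Findings        = ($findings -join '; ')
                DN              = $r.Properties['distinguishedname'][0]
            }
        }
    }
    finally {
        $results.Dispose()
    }
}

# Show only accounts with at least one finding
Get-SpnAccountAudit | Where-Object Findings | Format-Table -AutoSize
```

Accounts that appear here with a long-unchanged, never-expiring password are the usual remediation candidates: move the service to a group managed service account or rotate the password and set an expiry, and remove SPNs from accounts that are disabled.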
