PS Script: search for an object in AD or LDAP fast or from a non-domain-joined PC with support for workflows – Part 1


This is the first part of a 2-part post. In this post I will be releasing 2 new functions for searching AD or LDAP databases. One has broad support for all kinds of queries from domain-joined or non-domain-joined computers. The other is built for speed, for when you need to run lots of queries. Both functions are based on the .NET “System.DirectoryServices” namespace. Because of this there is no need for the Active Directory PowerShell module. This will speed up the runtime of your PowerShell script, or of your runspaces if you use workflows. I will explain workflows in a later post. The first function, “Get-LdapObjectFast”, is built for speed instead of supportability. The second function, “Get-LdapObject”, is built for supportability in any environment, and it can query AD configuration partitions, for example to read Exchange objects.

You can find the scripts in the TechNet gallery or under the script section of this site.

Technet gallery:

So let's jump into the action:

Get-LdapObjectFast

The main reason for creating this function is to have a function that does not depend on the Active Directory module, so it can run fast inside a workflow or a parallel workflow. Secondly, the object returned should be as small as possible, and third, it must be versatile enough to query anything in AD or LDAP. When you are working in big environments and need to process lots of objects, every second per object counts. So you may wonder: is this function really faster? Let's look at a sample from my environment.

Trial run task: get all 100 security groups from AD, get their members, and retrieve the email address of those members. Every group has 3 members, so a total of 300 email addresses are to be retrieved.

First let's run it the classic way. Start PowerShell and paste the code in with the measure-object to measure time.

So that took 16.4 seconds. We already lost 8 seconds loading the Active Directory module (depending on your system speed this may vary), and then the code ran for 8.4 seconds. Not bad. The result shows the 300 objects are in the variable, so a nice job done at an average of 0.54 seconds per object.

Now let's take a look at what the .NET Framework can offer.

In a single paste we pasted the function and the code within a measure-object again. As you can see, the code uses the Get-LdapObjectFast function to retrieve the groups, get the members, and query each member for its mail address. We don’t lose any time loading modules, just a few milliseconds for loading the function. The code completes in 8.4 seconds; that’s the same speed as the native module but 8 seconds faster because the module does not have to load. You might say an 8-second delay is not much, but if you run parallel instances and have to load that module 100 times, that’s an 800-second delay.

Let's explain this function first:

There are 3 parameters that are mandatory to keep the function at full speed. These are “-DC” for a domain controller name or FQDN, “-OU” for the partition or sub-partition you want to search, and “-LDAPFilter” to define a filter for the objects to return. To see a list of common LDAP queries check out this post.

A basic query to get the first object the search encounters whose name starts with “13th-d” would look like this:

To return all objects the search finds, use the “-findall $true” parameter. If you don’t use “-findall”, or set it to “$false”, it will only return the first match. This is a nice way to test your LDAP filter without having to wait for output or break out of the run if the results seem wrong.

The next example shows that when you use the “-properties” parameter, the returned object is very small and only contains the properties you have declared plus the path where the object is located. If you leave the “-properties” parameter out of the command, all properties are returned. In this case, 39 properties.
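
The parameters described above (“-DC”, “-OU”, “-LDAPFilter”, “-findall” and “-properties”) map directly onto the .NET DirectorySearcher class. The following is an added sketch, not the author's Get-LdapObjectFast and not code from the original post; the function names, the page size, and the server and DN values are assumptions. It also escapes values placed into a filter, so input that contains filter metacharacters cannot change what the query matches.

```powershell
# Added sketch, not the author's Get-LdapObjectFast; function names are hypothetical.
function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 special characters so an untrusted value is matched literally.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function Search-LdapSketch {
    param(
        [Parameter(Mandatory)][string]$DC,
        [Parameter(Mandatory)][string]$OU,
        [Parameter(Mandatory)][string]$LDAPFilter,
        [string[]]$Properties,
        [bool]$FindAll = $false
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DC/$OU")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $LDAPFilter)
    $searcher.PageSize = 1000   # paged search, so FindAll is not cut off at the server size limit
    # Loading only the requested attributes keeps the returned objects small.
    if ($Properties) { $searcher.PropertiesToLoad.AddRange($Properties) }
    $results = $null
    try {
        if ($FindAll) { $results = $searcher.FindAll(); $hits = @($results) }
        else          { $hits = @($searcher.FindOne()) }   # first match only
        foreach ($hit in $hits) {
            if ($null -eq $hit) { continue }               # FindOne found nothing
            $o = [ordered]@{ Path = $hit.Path }
            foreach ($name in $hit.Properties.PropertyNames) {
                $o[$name] = @($hit.Properties[$name])
            }
            [pscustomobject]$o
        }
    } finally {
        # SearchResultCollection holds unmanaged resources; release them explicitly.
        if ($null -ne $results) { $results.Dispose() }
        $searcher.Dispose(); $root.Dispose()
    }
}

# Constructed values: the server name and DN are placeholders.
$prefix = ConvertTo-LdapFilterValue '13th-d'   # escape the value, then add the wildcard
Search-LdapSketch -DC 'dc01.example.test' -OU 'DC=example,DC=test' `
    -LDAPFilter "(name=$prefix*)" -Properties name, mail -FindAll $true
```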

That’s all for now. In part 2 I will explain the version of this function with broad support for all kinds of situations.
Leave a comment here, and rate the script on the TechNet gallery if you like it.


Martijn ( Scriptkiddie ) van Geffen

