Problem
You want to search for a specific group, but don’t know its DN.
Solution
To search for a security or distribution group, use the [adsi] type shortcut to bind to a container that holds the group in Active Directory, and then use the System.DirectoryServices.DirectorySearcher class from the .NET Framework to search for the group:
$domain = [adsi] "LDAP://localhost:389/dc=Fabrikam,dc=COM"
$searcher = New-Object System.DirectoryServices.DirectorySearcher $domain
$searcher.Filter = '(&(objectClass=Group)(name=Management))'
$groupResult = $searcher.FindOne()
$group = $groupResult.GetDirectoryEntry()
Discussion
When you don’t know the full DN of a group, the System.DirectoryServices.DirectorySearcher class from the .NET Framework lets you search for it.
You provide an LDAP filter (in this case, searching for groups with the name of Management), and then call the FindOne() method. The FindOne() method returns the first search result that matches the filter, so we retrieve its actual Active Directory entry. Although the solution searches on the group’s name, you can search on any field in Active Directory—the mailNickname and sAMAccountName are two other good choices.
When you do this search, always try to restrict it to the lowest level of the domain possible. If we know that the Management group is in the Sales OU, it would be better to bind to that OU instead:
$domain = [adsi] "LDAP://localhost:389/ou=Sales,dc=Fabrikam,dc=COM"
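The following function wraps the search described above into a reusable form. It is an added example, not code from the cookbook recipe: the function names Find-AdGroup and ConvertTo-LdapFilterValue are hypothetical, the Fabrikam search base is the one the recipe uses, and the list of searchable attributes is taken from the attributes the discussion mentions. It adds the two things a practitioner usually wants when the group name comes from a variable rather than a literal: the value is escaped according to RFC 4515 before it is placed in the filter (otherwise a value containing *, (, ) or \ changes the meaning of the filter instead of being matched literally), and the attribute name is restricted to a fixed set so that only the value, never the filter structure, is caller-controlled.

```powershell
# Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
# Backslash must be replaced first so the escapes introduced for the other
# characters are not escaped a second time.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)

    $Value.Replace('\', '\5c').
           Replace('*', '\2a').
           Replace('(', '\28').
           Replace(')', '\29').
           Replace("`0", '\00')
}

# Search beneath $SearchBase for a group whose $Attribute equals $Name.
# Returns the group's DirectoryEntry, or $null when no group matches.
function Find-AdGroup {
    param(
        [Parameter(Mandatory)][string]$Name,

        # Bind as low in the tree as you can, as the recipe advises, e.g.
        # "LDAP://localhost:389/ou=Sales,dc=Fabrikam,dc=COM".
        [string]$SearchBase = 'LDAP://localhost:389/dc=Fabrikam,dc=COM',

        # Only these attribute names may be interpolated into the filter.
        [ValidateSet('name', 'sAMAccountName', 'mailNickname')]
        [string]$Attribute = 'name'
    )

    $container = [adsi] $SearchBase
    $searcher = New-Object System.DirectoryServices.DirectorySearcher $container

    # Subtree is the default scope; stating it makes the intent explicit.
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree

    # The escaped value is the only caller-supplied text in the filter.
    $escaped = ConvertTo-LdapFilterValue -Value $Name
    $searcher.Filter = "(&(objectClass=Group)($Attribute=$escaped))"

    # Ask the server for just the DN; GetDirectoryEntry() fetches the rest on demand.
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $result = $searcher.FindOne()
    if ($null -eq $result) {
        return $null
    }

    $result.GetDirectoryEntry()
}

# Usage (requires connectivity to the directory):
#   $group = Find-AdGroup -Name 'Management'
#   $group = Find-AdGroup -Name 'Management' -SearchBase 'LDAP://localhost:389/ou=Sales,dc=Fabrikam,dc=COM'
#   $group = Find-AdGroup -Name 'mgmt' -Attribute sAMAccountName
#   if ($group) { $group.distinguishedName }
```

Calling ConvertTo-LdapFilterValue on its own shows the effect: 'Sales (EMEA)' becomes 'Sales \28EMEA\29', and 'Man*' becomes 'Man\2a', so the search looks for those literal names rather than treating the parentheses or asterisk as filter syntax.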
For more information about the LDAP search filter syntax, search http://msdn.microsoft.com for “Search Filter Syntax.”