Problem
You want to search for a specific user account, but don’t know the user’s distinguished name (DN).
Solution
To search for a user in Active Directory, use the [adsi] type shortcut to bind to a container that holds the user account, and then use the System.DirectoryServices.DirectorySearcher class from the .NET Framework to search for the user:
# Bind to the container that holds the account, then search beneath it
$domain = [adsi] "LDAP://localhost:389/dc=Fabrikam,dc=COM"
$searcher = New-Object System.DirectoryServices.DirectorySearcher $domain
$searcher.Filter = '(&(objectClass=User)(displayName=Ken Myer))'

# FindOne() returns the first match (or $null); GetDirectoryEntry() gives the live object
$userResult = $searcher.FindOne()
$user = $userResult.GetDirectoryEntry()
Discussion
When you don’t know the full DN of a user account, the System.DirectoryServices.DirectorySearcher class from the .NET Framework lets you search for it.
You provide an LDAP filter (in this case, searching for users with the display name of Ken Myer), and then call the FindOne() method. The FindOne() method returns the first search result that matches the filter, so we retrieve its actual Active Directory entry. Although the solution searches on the user’s display name, you can search on any field in Active Directory—the userPrincipalName and sAMAccountName are two other good choices.
When you do this search, always try to restrict it to the lowest level of the domain possible. If we know that Ken Myer is in the Sales OU, it would be better to bind to that OU instead:
$domain = [adsi] "LDAP://localhost:389/ou=Sales,dc=Fabrikam,dc=COM"
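The following is an added example, not code from the book. It wraps the recipe's steps in a function that binds to the Sales OU from the recipe, searches on sAMAccountName (one of the alternative fields named above), loads only the attribute it needs, and handles the case where FindOne() matches nothing. Because the account name is pasted into the filter string, the function first escapes the characters that the LDAP search filter syntax reserves (backslash, asterisk, parentheses and NUL, per RFC 4515), so a value like `ken*` or `a)(objectClass=*` is matched literally rather than rewriting the filter. The function name Find-AdUserDn and the account name `kmyer` are constructed for the example.

```powershell
# Added example (not from the book). Assumes the Fabrikam.COM domain and Sales OU
# from the recipe are reachable on localhost:389; 'kmyer' is a constructed account name.
function Find-AdUserDn {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $SearchBase = "LDAP://localhost:389/ou=Sales,dc=Fabrikam,dc=COM"
    )

    # Escape the characters RFC 4515 reserves inside filter values (\ * ( ) and NUL)
    # as \XX hex sequences, so the supplied value cannot change the filter's structure.
    $escaped = [regex]::Replace($SamAccountName, '[\\*()\x00]', {
        param($m)
        '\' + ('{0:x2}' -f [int][char]$m.Value)
    })

    # Bind as low in the tree as possible, then search the subtree beneath it.
    $root = [adsi] $SearchBase
    $searcher = New-Object System.DirectoryServices.DirectorySearcher $root
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$escaped))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree

    # Ask the server for only the attribute we need instead of the whole object.
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')

    $result = $searcher.FindOne()
    if ($null -eq $result) {
        Write-Warning "No user with sAMAccountName '$SamAccountName' under $SearchBase"
        return $null
    }

    # Every property in a SearchResult is a collection, even when single-valued.
    return [string] $result.Properties['distinguishedname'][0]
}

Find-AdUserDn -SamAccountName 'kmyer'
```

Once you have the DN, `[adsi] "LDAP://$dn"` binds to the account directly, which is the situation the recipe's Problem statement started from. If the search value comes from user input or another system, keep the escaping step even when you switch to a different attribute such as userPrincipalName.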
For more information about the LDAP search filter syntax, search http://msdn.microsoft.com for “Search Filter Syntax.”