How do I search Active Directory for objects by GUID? In other words, what would be a good way to find what objects belong to specified GUIDs?
6 Answers
Either on a DC or install RSAT and enable AD Tools:
Open "Active Directory Module for Windows PowerShell" (find it with the other Admin tools)
get-aduser -id {guid}
Or for any object:
get-adobject -id {guid}
Might want to pipe it through a format-list to make it readable:
get-adobject -id {guid} | fl
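As an added example (not part of the answer above, and not from the ActiveDirectory module's own documentation), here is the `Get-ADObject -Identity {guid}` form wrapped so it can take a whole list of GUIDs copied out of an audit log or an ACL, reject malformed values before they reach the directory, and report GUIDs that resolve to nothing instead of aborting the batch. It assumes RSAT / the ActiveDirectory module is installed and the session can read the domain; the sample GUID is a placeholder.

```powershell
# Added example, not the answer's code. Requires the ActiveDirectory module (RSAT or a DC).
Import-Module ActiveDirectory

function Resolve-AdObjectGuid {
    param(
        [Parameter(Mandatory)]
        [string[]] $Guid
    )

    foreach ($g in $Guid) {
        # One uniform row per input so the output is easy to filter or export.
        $row = [ordered]@{
            Input = $g; Found = $false; Name = $null
            ObjectClass = $null; DistinguishedName = $null; Reason = $null
        }

        # Reject anything that is not a well-formed GUID before querying AD.
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($g, [ref] $parsed)) {
            $row.Reason = 'not a well-formed GUID'
            [pscustomobject] $row
            continue
        }

        try {
            # -Identity accepts an objectGUID directly; no -Filter is needed.
            $obj = Get-ADObject -Identity $parsed -ErrorAction Stop
            $row.Found             = $true
            $row.Name              = $obj.Name
            $row.ObjectClass       = $obj.ObjectClass
            $row.DistinguishedName = $obj.DistinguishedName
        }
        catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
            # A GUID that resolves to nothing is a finding in itself (deleted object,
            # wrong forest, or a typo in the log) and must not stop the rest of the batch.
            $row.Reason = 'no object with this GUID'
        }
        [pscustomobject] $row
    }
}

# Constructed sample input: the first value is a placeholder GUID, not a real object.
$sample = 'd65e4578-475a-422e-ac99-123456789012', 'not-a-guid'
Resolve-AdObjectGuid -Guid $sample | Format-Table -AutoSize
```

Pipe the output to `Export-Csv` when reviewing a long list; the `Found` and `Reason` columns make unresolved GUIDs stand out, which is usually what you are after when tracing an object referenced in a log.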
Using PowerShell and the QuestAD cmdlets, the following code returns my user account based on my guid.
$Guid = "d65e4578-475a-422e-ac99-123456789012"
Get-QADUser -IncludeAllProperties|Where {$_.guid -eq $Guid}
Not the most efficient manner since it loads all objects from AD while doing the search, but it worked for me.
ADSI is installed by default on Windows.
Does not require installing any additional modules.
PowerShell example:
# define constants
$LDAPserver = "DeathStar.Empire.Galactic"
$GetItem = "GUID=d65e4578-475a-422e-ac99-123456789012"
# use this instead if you have a SID
# $GetItem = "SID=S-1-1-555-423432-437584356"
# Get the Distinguished Name by binding to the object through its GUID (or SID)
$DistinguishedName = $([ADSI]"LDAP://$($LDAPserver)/<$($GetItem)>").DistinguishedName
# Use the distinguished name to fetch the actual object
$Searcher = [ADSISearcher] ([ADSI] "LDAP://$($LDAPserver)")
$Searcher.Filter = "(&(objectCategory=Person)(DistinguishedName=$($DistinguishedName)))"
$AdsiObject = $Searcher.FindAll()
# Get the ADSI object properties
$AdsiObject.properties
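As an added example (not part of the answer above), this shows the other way to find an object by GUID with plain ADSI / System.DirectoryServices when you cannot bind with `<GUID=...>` and have to search: `objectGUID` is stored as 16 raw bytes, so an LDAP filter must carry it as an escaped octet string. The `<GUID=...>` bind from the answer is included alongside for comparison. The server name is the placeholder from the answer, the GUID is a placeholder, and no extra module is required.

```powershell
# Added example, not the answer's code. Uses only ADSI / System.DirectoryServices.
function Find-AdsiObjectByGuid {
    param(
        [Parameter(Mandatory)] [guid] $Guid,
        [string] $Server = 'DeathStar.Empire.Galactic'   # placeholder server name
    )

    # Build the LDAP filter value: one \xx escape per byte, in the byte order
    # that Guid.ToByteArray() produces, which is how AD stores objectGUID.
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

    # Search the default naming context from its root.
    $root = [ADSI]"LDAP://$Server/RootDSE"
    $base = [ADSI]"LDAP://$Server/$($root.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter      = "(objectGUID=$escaped)"
    $searcher.SearchScope = 'Subtree'
    [void] $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'objectClass', 'sAMAccountName'))

    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }   # nothing with that GUID in this partition

    [pscustomobject]@{
        DistinguishedName = $result.Properties['distinguishedname'][0]
        # objectClass lists the whole class chain; the last entry is the most specific.
        ObjectClass       = ($result.Properties['objectclass'] | Select-Object -Last 1)
        SamAccountName    = $result.Properties['samaccountname'][0]
    }
}

# The bind form from the answer, wrapped so a missing object yields $null instead of
# an error. Binding works for any object class and is not limited to one partition.
function Get-AdsiObjectByGuidBind {
    param(
        [Parameter(Mandatory)] [guid] $Guid,
        [string] $Server = 'DeathStar.Empire.Galactic'   # placeholder server name
    )
    $obj = [ADSI]"LDAP://$Server/<GUID=$Guid>"
    # Reading a property forces the bind; an object that does not exist throws here.
    try { [void] $obj.distinguishedName; $obj } catch { $null }
}

# Constructed usage with a placeholder GUID:
$g = [guid] 'd65e4578-475a-422e-ac99-123456789012'
Find-AdsiObjectByGuid -Guid $g
(Get-AdsiObjectByGuidBind -Guid $g).distinguishedName
```

The filter form is what you need when the GUID comes from somewhere that can only express a search (an LDAP query tool, a SIEM lookup, a script that must stay within one OU via a narrower search base); otherwise the `<GUID=...>` bind is simpler and one round trip.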
It's a lot easier to do than how all the other answers show. Each code-block below is a standalone method, you can do any of them (they're mostly the same).
Obviously Remote Server Administration Tools (RSAT) needs to be installed, or you need to be working on a Domain Controller (DC).
If you're using the SID, i.e. the folders within a Recycle Bin, permissions on a folder, etc. (they all begin with S-1-), you can do:
Get-ADUser -Filter { SID -eq "S-1-5-21-000-000...0001" } | select Name, GivenName, Surname, SID
or for multiple, add an OR:
Get-ADUser -Filter { SID -eq "S-1-5-21-000-000...0001" -or SID -eq "S-1-5-21-000-000...0002" } | select Name, GivenName, Surname, SID
Or if you have them all in an array, iterate over the array:
$MyArray = "S-1-5-21-000-000...0001", "S-1-5-21-000-000...0002"
$MyArray.ForEach( { Get-ADUser -Filter { SID -eq $_ } | select Name, GivenName, Surname, SID })
If you're actually searching by GUID:
Get-ADUser -Filter { ObjectGUID -eq "e257c3da-9388-0000-00...0001" } | select Name, GivenName, Surname, SID
Clearly, the above are when searching for Users. You can search any object:
Get-ADObject -Filter { ObjectGUID -eq "e257c3da-9388-0000-00...0001" } | select Name, ObjectClass, ObjectGUID
Or for objects by ObjectGUID if you have them all in an array:
$MyArray = "e257c3da-9388-0000-00...0001", "e257c3da-9388-0000-00...0002"
$MyArray.ForEach( { Get-ADObject -Filter { ObjectGUID -eq $_ } | select Name, ObjectClass, ObjectGUID })
In my opinion, the given answer doesn't always work because if you're looking for more advanced (or esoteric) AD objects, you have to look in different naming contexts. The given answer assumes the "Default Naming Context". If you wanted to search the entirety of Active Directory, you have to search all the different Naming Contexts separately. To list all of them you can do the following:
(Get-ADRootDSE).NamingContexts
Then, you can search each naming context by adding: -SearchBase <naming context> to the Get-ADObject command.
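As an added example (not part of either of the two answers above), this puts the `Get-ADObject -Filter { ObjectGUID -eq ... }` form from the previous answer together with the naming-context loop from this one: the GUID is searched in every partition the DC advertises (domain, Configuration, Schema, and application partitions such as DNS), and a partition the account cannot read is reported rather than silently skipped. It assumes the ActiveDirectory module; the GUID in the usage line is a placeholder.

```powershell
# Added example, not code from the answers. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Find-AdObjectInAllContexts {
    param(
        [Parameter(Mandatory)] [guid] $Guid,
        [string] $Server   # optional: pin the query to one DC; otherwise the module chooses
    )

    $common = @{ ErrorAction = 'Stop' }
    if ($Server) { $common.Server = $Server }

    # RootDSE lists every naming context this DC holds; the default one is only one of them.
    foreach ($nc in (Get-ADRootDSE @common).namingContexts) {
        try {
            # $Guid is resolved from this scope by the module's filter parser.
            $hits = Get-ADObject @common -SearchBase $nc -SearchScope Subtree `
                        -Filter { ObjectGUID -eq $Guid }
        }
        catch {
            # Access denied or a partition that is not replicated here: say so, keep going.
            Write-Warning "Cannot search $nc : $($_.Exception.Message)"
            continue
        }
        foreach ($h in $hits) {
            [pscustomobject]@{
                NamingContext     = $nc
                Name              = $h.Name
                ObjectClass       = $h.ObjectClass
                DistinguishedName = $h.DistinguishedName
            }
        }
    }
}

# Constructed usage with a placeholder GUID:
Find-AdObjectInAllContexts -Guid 'e257c3da-9388-0000-0000-000000000001' | Format-Table -AutoSize
```

Because a GUID is unique across the forest, at most one row should come back; seeing the same GUID reported from two contexts would itself be worth investigating. For a deleted object that is still in the Recycle Bin, add `-IncludeDeletedObjects` to the `Get-ADObject` call.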