With PowerShell, I'm trying to get an ADUser account with Get-ADUser with LdapFilter using the employeeid attribute. I'm using a GC server of the domain as the sourcing server for faster results. However, I'm not getting the matching ADUser account(s), although I'm able to retrieve results using a DirectorySearcher object. Please refer to the code snippets I tried below:
###
#1 DirectorySearcher (ADSI, serverless GC:// bind)
$empid = "123456"
$ldapcn = "GC://dc=mydomain,dc=net"
$ldapfilter = "(&(ObjectCategory=Person)(objectclass=user)(employeeid=" + $empid + "))"
$objent = new-object System.DirectoryServices.DirectoryEntry($ldapcn)
$objsearch = new-object System.DirectoryServices.DirectorySearcher
$objsearch.SearchRoot = $objent
$objsearch.SearchScope = "subtree"
$objsearch.Filter = $ldapfilter
$objsearch.pagesize = 1000   # paged results, avoids the 1000-entry server limit
$properties = "employeeid","givenname","sn","samaccountname"
$objsearch.propertiestoload.addrange($properties)
$results = $objsearch.Findall()
# Working
# $results contains matching user records
######################################################
#2 Get-ADUser (ActiveDirectory module, explicit DC host on the GC port 3268)
$empid = "123456"
$Server_AD_GC = (Get-ADDomainController -Server mydomain.net | select -exp hostname) + ":3268"
$ldapfilter = "(&(ObjectCategory=Person)(objectclass=user)(employeeid=" + $empid + "))"
$results = Get-ADUser -LdapFilter $ldapfilter -Properties employeeid, givenname, sn, samaccountname -Server $Server_AD_GC
# NOT WORKING!
# $results DOES NOT CONTAIN matching user records
What am I missing here?! Any help would be highly appreciated.
UPDATE 1
I just verified the Partial Attribute Set (PAS) with the code below and DO NOT SEE employeeid included in the list:
$Domain = "mydomain.net"
# $schemaNamingContext = "cn=Schema,cn=Configuration,dc=mydomain,dc=net"
$schemaNamingContext = (Get-ADRootDSE -Server $Domain).SchemaNamingContext
Get-ADObject -SearchBase $schemaNamingContext -LDAPFilter "(isMemberOfPartialAttributeSet=TRUE)" -Properties ldapDisplayName | Select ldapDisplayName | sort ldapDisplayName
For more background, I'm running the 'DirectorySearcher' code block to search the source mydomain.net and running it from a W2012R2 server joined to a trusted domain, say mycaller.net, which is from a different forest. Importantly, the calling trusted domain mycaller.net's PAS CONTAINS employeeid. However, as already said Get-ADUser is unable to fetch the record(s).
Below is a screenshot of results observed with different environments,
Now, if not for a solution, I'd be glad if at least someone is able to reproduce this behavior.
Query:
In my example, DirectorySearcher's $ldapcn = "GC://DC=mydomain,DC=net" vs Get-ADUser's $Server_AD_GC = (Get-ADDomainController -Server $Domain | select -exp hostname) + ":3268". I expected both to work in a similar fashion. I see that I haven't specified a host for DirectorySearcher but have given one for Get-ADUser. Is this something to be looked into?
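As an added example that is not part of the original question (and not the asker's code), the following PowerShell first checks the target forest's schema for whether the attribute is a member of the Partial Attribute Set, and only then decides between the Global Catalog port (3268) and the regular LDAP port (389) on a domain controller of that domain before running the Get-ADUser query. The domain name, attribute and employee id are placeholder values taken from the question; the function names are this example's own.

```powershell
# Added example, not code from the original question.
# Decide between a Global Catalog search (port 3268) and a full-replica
# search (port 389) based on whether the attribute is in the target forest's
# Partial Attribute Set, then run the Get-ADUser query against that endpoint.
# $TargetDomain, $Attribute and $EmployeeId are placeholder values.
param(
    [string]$TargetDomain = "mydomain.net",   # placeholder domain from the question
    [string]$Attribute    = "employeeID",
    [string]$EmployeeId   = "123456"          # placeholder value from the question
)

Import-Module ActiveDirectory -ErrorAction Stop

# True when the attribute is replicated to every GC in the target forest
# (schema object has isMemberOfPartialAttributeSet=TRUE).
function Test-InPartialAttributeSet {
    param([string]$Domain, [string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE -Server $Domain).SchemaNamingContext
    $filter   = "(&(isMemberOfPartialAttributeSet=TRUE)(lDAPDisplayName=$LdapDisplayName))"
    $hit = Get-ADObject -Server $Domain -SearchBase $schemaNC -LDAPFilter $filter -Properties lDAPDisplayName
    return [bool]$hit
}

# Escape a value for use inside an LDAP filter (RFC 4515) so that input such
# as "12*" or "x)(cn=*" cannot change the meaning of the query.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Backslash first, so the escapes added afterwards are not re-escaped.
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

$inPas = Test-InPartialAttributeSet -Domain $TargetDomain -LdapDisplayName $Attribute

# Any DC of the target domain; the port decides GC vs. full-replica search.
$dcHost = (Get-ADDomainController -Server $TargetDomain).HostName
$server = if ($inPas) { "${dcHost}:3268" } else { "${dcHost}:389" }

$safeId     = ConvertTo-LdapFilterValue -Value $EmployeeId
$ldapFilter = "(&(objectCategory=person)(objectClass=user)($Attribute=$safeId))"

$users = @(Get-ADUser -Server $server -LDAPFilter $ldapFilter -Properties $Attribute, givenName, sn, sAMAccountName)

# Summary of which endpoint was chosen and why, followed by the matches.
[pscustomobject]@{
    TargetDomain   = $TargetDomain
    AttributeInPAS = $inPas
    ServerUsed     = $server
    Matches        = $users.Count
}

$users | Select-Object sAMAccountName, givenName, sn, $Attribute
```

A Global Catalog only holds the PAS attributes of objects from other domains, so a filter on an attribute that is not in the PAS cannot match through port 3268 and the `-Properties` request for it returns nothing there either; port 389 on a DC of the domain that owns the object sees the full replica. Running this from a machine in another forest relies on the existing trust and on the credentials the AD module uses for `-Server`.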
