Microsoft Lync Server 2010 provides two cmdlets – Get-CsUser and Get-CsAdUser – that return information about user accounts. (Get-CsUser returns information only for user accounts that have been enabled for Lync Server; Get-CsAdUser returns information for all your Active Directory user accounts, regardless of whether those accounts have been enabled for Lync Server.) Because administrators often want to work with all the accounts found in an organizational unit, both of these cmdlets include a –OU parameter; when included in a command, this parameter causes the cmdlet to return all the user accounts found in the specified OU, as well as any child OUs. For example, this command returns information about all the user accounts in the Redmond OU:
Get-CsAdUser –OU "ou=Redmond,dc=litwareinc,dc=com"
So what’s wrong with that? Nothing; the cmdlet – and the –OU parameter – work great. However, there is one possible catch here. (Yes, we know. But when isn’t there at least one possible catch?) Suppose the Redmond OU has a child OU, an OU named Finance (ou=Finance,ou=Redmond,dc=litwareinc,dc=com). Let’s pretend the two OUs – and their user accounts – look like this:
Let’s further pretend that we’ve just run this command:
Get-CsAdUser –OU "ou=Redmond,dc=litwareinc,dc=com" | Select-Object DisplayName
Here are the display names that get returned when we run the command:
As you can see, we get back the names of the two users in the Redmond OU (Ken Myer and Pilar Ackerman). However, we also get back the names of the two users in the Finance OU (Jonathan Haas and Kim Abercrombie). And that’s the potential problem: what if we don’t want the users from the child OU? What if we only want the users found in the parent OU (Redmond)?
If you’re thinking, “I bet this is the place where they show us the cool little trick that causes the –OU parameter to ignore child OUs when returning data,” well, we’re afraid you might be a little disappointed: as far as we know, there isn’t any trick that can do that. To the best of our knowledge, you can’t directly use Get-CsUser or Get-CsAdUser to return information from a parent OU while ignoring any child OUs; the cmdlets just aren’t built that way. However, you can return data from a single OU by using a Windows PowerShell script similar to this one:
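# Match user objects only.
$strFilter = "(objectCategory=user)"
# The OU's distinguished name is passed as the script's argument.
$ou = "LDAP://" + $args
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($ou)
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
# OneLevel limits the search to the OU's immediate children (no child OUs).
$objSearcher.SearchScope = "OneLevel"
$colPropList = "Path"
foreach ($i in $colPropList)
    {[void] $objSearcher.PropertiesToLoad.Add($i)}
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults)
    {
     # Strip the LDAP:// prefix to leave the user's distinguished name.
     $x = $objResult.Path
     $x = $x -replace "LDAP://", ""
     Get-CsAdUser -Identity $x | Select-Object DisplayName, CsEnabled
    }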
We won’t explain this script in any great detail; suffice to say that:
You pass the script the distinguished name of an OU (e.g., ou=Redmond,dc=litwareinc,dc=com).
The script searches for all the user accounts (objectCategory=user) in that OU (and only that OU).
The script returns the value of the Path attribute for each user in the OU. For example: LDAP://cn=Ken Myer,ou=Redmond,dc=litwareinc,dc=com.
The script removes the LDAP:// prefix from each account, leaving a user ID similar to this: cn=Ken Myer,ou=Redmond,dc=litwareinc,dc=com.
The script uses Get-CsAdUser (using the newly-created user ID as the user Identity) to connect to each user account in the OU.
The script displays the display name (DisplayName) for each user, and indicates whether or not the user has been enabled for Lync Server (CsEnabled).
In other words (and assuming that you saved this script under the name C:\Scripts\Get-OU.ps1) you’d issue a command similar to this:
And, with any luck, you should get back something that looks like this:
Ken Myer True
Pilar Ackerman False
Hey, where there’s a will there’s a way, right?
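An alternative to the per-user lookup above, as an added example that is not from the original article: run the -OU search once and filter the results on the client, keeping only accounts whose parent distinguished name equals the OU. The function names are hypothetical, the sample DNs are constructed, and the commented pipeline assumes each returned object's Identity renders as a distinguished name.

```powershell
# Added example (not from the original article). Function names are hypothetical.

# Return the parent DN of a distinguished name by cutting at the first comma
# that is not backslash-escaped (e.g. "CN=Ackerman\, Pilar" stays intact).
# Old-style double-quoted RDN values are not handled.
function Get-ParentDn {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $escaped = $false
    for ($i = 0; $i -lt $DistinguishedName.Length; $i++) {
        $c = $DistinguishedName[$i]
        if ($escaped)   { $escaped = $false; continue }   # char after a backslash is literal
        if ($c -eq '\') { $escaped = $true;  continue }
        if ($c -eq ',') { return $DistinguishedName.Substring($i + 1).Trim() }
    }
    return $null   # a single-component DN has no parent
}

# True only when the object sits directly in $OU, not in one of its child OUs.
function Test-DirectChildOf {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [Parameter(Mandatory = $true)][string]$OU
    )
    $parent = Get-ParentDn -DistinguishedName $DistinguishedName
    # PowerShell's -eq is case-insensitive for strings, which suits DN matching;
    # spacing after commas must still be identical on both sides.
    return ($null -ne $parent) -and ($parent -eq $OU)
}

$ou = 'ou=Redmond,dc=litwareinc,dc=com'

# Constructed sample DNs mirroring the article's Redmond and Finance users.
$sample = @(
    'CN=Ken Myer,OU=Redmond,DC=litwareinc,DC=com',
    'CN=Ackerman\, Pilar,OU=Redmond,DC=litwareinc,DC=com',
    'CN=Jonathan Haas,OU=Finance,OU=Redmond,DC=litwareinc,DC=com',
    'CN=Kim Abercrombie,OU=Finance,OU=Redmond,DC=litwareinc,DC=com'
)

# Offline demonstration: only the two accounts directly under Redmond pass.
$sample | Where-Object { Test-DirectChildOf -DistinguishedName $_ -OU $ou }

# Against a live deployment (assumption: Identity renders as the account's DN):
# Get-CsAdUser -OU $ou |
#     Where-Object { Test-DirectChildOf -DistinguishedName "$($_.Identity)" -OU $ou } |
#     Select-Object DisplayName, CsEnabled
```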