AD: LDAP search - OctetString

Ever needed to search Active Directory for objects by an attribute that stores GUIDs? At first the task looks trivial, but as soon as you run something like Get-ADObject -LDAPFilter "(objectGuid=b0ae470c-16bc-4019-b455-8c96ec515f55)" and get nothing back, a big question mark pops up above your head.

I won't describe the exact scenario because it is tied to the environment I work with; let's just say that the attribute in question stores a GUID value. The objectGuid attribute will be used for the demonstration together with the Get-ADObject cmdlet, although you can implement your own DirectorySearcher if you prefer (the filter syntax is the same). So, this is how it started.

I ran a search with the LDAP filter "(objectGuid=b0ae470c-16bc-4019-b455-8c96ec515f55)" and got nothing. The first thing I did was look at the attribute in ADSI Edit, and at first glance everything seemed fine:

(Screenshot: objectGuid attribute listed in ADSI Edit, shown in its textual GUID form)

But when I double-clicked the property, the editor showed that the attribute value is stored in a different format than a plain string, namely Octet String (a raw byte array):

(Screenshot: objectGuid attribute editor in ADSI Edit, value type Octet String)

I ran a simple query against the attribute definition in the schema to confirm what exactly DirectorySearcher expects (the Syntax property):

([DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()).FindProperty("objectGuid")


Name                   : objectGuid
CommonName             : Object-Guid
Oid                    : 1.2.840.113556.1.4.2
Syntax                 : OctetString
Description            : 
IsSingleValued         : True
IsIndexed              : True
IsIndexedOverContainer : False
IsInAnr                : False
IsOnTombstonedObject   : True
IsTupleIndexed         : False
IsInGlobalCatalog      : True
RangeLower             : 16
RangeUpper             : 16
IsDefunct              : False
Link                   : 
LinkId                 : 
SchemaGuid             : bf9679e7-0de6-11d0-a285-00aa003049e2

From this we can see that DirectorySearcher expects the value as an OctetString, that is, as raw bytes (RangeLower and RangeUpper of 16 confirm the 16-byte GUID). In an LDAP filter, raw bytes are written as a sequence of backslash-escaped hex pairs ("\xx" per byte, the RFC 4515 escape syntax), not as the textual GUID. I dug a little further on MSDN (https://msdn.microsoft.com/en-us/library/windows/desktop/ms180873%28v=vs.80%29.aspx), which shows an example for a SID, and ended up writing something similar for GUIDs:

function Get-OctetStringFromGuid
{
    [CmdletBinding()]
    param
    (
        [System.Guid]
        $GuidToConvert
    )

    # Guid.ToByteArray() returns the 16 raw bytes in the same order AD stores them
    # (first three fields little-endian). Each byte becomes a "\xx" hex escape,
    # which is how an OctetString value is written inside an LDAP filter.
    return ("\" + ([System.String]::Join('\', ($GuidToConvert.ToByteArray() | ForEach-Object { $_.ToString('x2') }))));
}

Feed the function a GUID and pass the returned value to DirectorySearcher (or Get-ADObject -LDAPFilter). Note that the first three GUID fields come out of ToByteArray() in little-endian order, so the textual GUID b0ae470c-16bc-... does not appear byte-for-byte in the escaped string; that is expected, and it is also why simply splitting the textual GUID into hex pairs produces a filter that matches nothing:

Get-OctetStringFromGuid -GuidToConvert b0ae470c-16bc-4019-b455-8c96ec515f55
\0c\47\ae\b0\bc\16\19\40\b4\55\8c\96\ec\51\5f\55

Get-ADObject -LDAPFilter "(objectGuid=\0c\47\ae\b0\bc\16\19\40\b4\55\8c\96\ec\51\5f\55)" | fl

DistinguishedName : CN=Administrator,CN=Users,DC=int,DC=domain,DC=com
Name              : Administrator
ObjectClass       : user
ObjectGUID        : b0ae470c-16bc-4019-b455-8c96ec515f55
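The "\xx" form used above is the general RFC 4515 escape for bytes in an LDAP filter, so the same idea covers SIDs and, importantly, any attacker-controlled text you splice into a filter (LDAP filter injection). The following is an added example, not code from the original post: a general byte escaper, GUID and SID helpers built on it, a text escaper for untrusted input, a decoder that proves the byte order round-trips, and a System.DirectoryServices search that needs no ActiveDirectory module. The search root LDAP://DC=int,DC=domain,DC=com and the sample GUID/SID values are placeholders taken from the post's output, not real objects.

```powershell
# Added example (not from the original post). Assumed placeholders: the search
# root below and the sample GUID/SID; replace them with values from your forest.

function ConvertTo-LdapFilterValue {
    # Escapes arbitrary bytes as "\xx" hex pairs (RFC 4515), the form
    # DirectorySearcher expects for OctetString attributes.
    [CmdletBinding()]
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return -join ($Bytes | ForEach-Object { '\' + $_.ToString('x2') })
}

function ConvertTo-LdapFilterGuid {
    # Guid.ToByteArray() yields AD's storage order (first three fields
    # little-endian), which is exactly what the filter needs.
    [CmdletBinding()]
    param([Parameter(Mandatory)][guid]$Guid)
    return ConvertTo-LdapFilterValue -Bytes $Guid.ToByteArray()
}

function ConvertFrom-LdapFilterGuid {
    # Reverse of ConvertTo-LdapFilterGuid; useful to sanity-check a filter value.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Escaped)
    $bytes = [byte[]]($Escaped.TrimStart('\').Split('\') | ForEach-Object { [Convert]::ToByte($_, 16) })
    return New-Object System.Guid (,$bytes)
}

function ConvertTo-LdapFilterSid {
    # objectSid is also an OctetString; GetBinaryForm gives the raw SID bytes.
    [CmdletBinding()]
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    return ConvertTo-LdapFilterValue -Bytes $bytes
}

function ConvertTo-LdapFilterString {
    # Escapes text per RFC 4515 so input such as "*)(objectClass=*" cannot
    # change the meaning of a filter built by string concatenation.
    [CmdletBinding()]
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($b in [System.Text.Encoding]::UTF8.GetBytes($Value)) {
        # Printable ASCII passes through, except the specials * ( ) \ ;
        # control characters (including NUL) and non-ASCII bytes are escaped.
        if ($b -ge 0x20 -and $b -lt 0x7f -and $b -notin 0x2a, 0x28, 0x29, 0x5c) {
            [void]$sb.Append([char]$b)
        } else {
            [void]$sb.Append('\' + $b.ToString('x2'))
        }
    }
    return $sb.ToString()
}

function Find-AdObjectByGuid {
    # Search without the ActiveDirectory module; the filter value is escaped
    # bytes, so the textual GUID never goes into the filter directly.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][guid]$ObjectGuid,
        [string]$SearchRoot = 'LDAP://DC=int,DC=domain,DC=com'   # placeholder
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(objectGuid=$(ConvertTo-LdapFilterGuid -Guid $ObjectGuid))"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    return $searcher.FindOne()
}

# Usage (values are placeholders from the post, not real objects):
$g = [guid]'b0ae470c-16bc-4019-b455-8c96ec515f55'
$escaped = ConvertTo-LdapFilterGuid -Guid $g          # \0c\47\ae\b0\bc\16\19\40\b4\55\8c\96\ec\51\5f\55
ConvertFrom-LdapFilterGuid -Escaped $escaped         # round-trips to the original GUID
ConvertTo-LdapFilterSid -Sid ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544')
ConvertTo-LdapFilterString -Value 'admin*)(objectClass=*'   # admin\2a\29\28objectClass=\2a
# Find-AdObjectByGuid -ObjectGuid $g   # run against a reachable domain controller
```

The round-trip through ConvertFrom-LdapFilterGuid is the quickest way to convince yourself that the little-endian-looking output is right: if the decoded GUID equals the input, the filter value is the one AD stores. When a filter is built from user-supplied text (a username from a web form, for example), route that text through ConvertTo-LdapFilterString, or use a parameterised search API, rather than concatenating it raw.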