Hello,



I am having the worst time trying to figure out how to use Powershell to
search the entire forest for a user's universal group membership. It seems
as though many forums have this question unanswered and I hope Microsoft can
provide this directly.
Here is the code I am testing with <adapted from another post>:

$strName = "testv2"
$filter = "(&(objectcategory=user)(samAccountName=$strName))"
$ds = New-object System.DirectoryServices.DirectorySearcher([ADSI]"",$filter)
$user = ($ds.Findone()).properties.memberof
foreach ($grouppath in $user) {
$group = ([adsi]"LDAP://$($grouppath.tostring())").sAMAccountname
switch ($group) {
"BESusers" {write-host "You are a member of BESusers"}
"Domain Users" {write-host "you are a domain user"}
}
}

It runs just fine as long as the user is in the domain I running the script
in.
I believe it boils down to this question:

How do I get "New-object System.DirectoryServices.DirectorySearcher" to
search the entire forest?????

You need to specify a global catalog as the search root. You are currently
using the [adsi]'' DirectoryEntry shortcut as the search root in the
constructor which defaults to current domain.

I'm not that up to speed anymore on ADSI stuff but there is a way to specify
the global catalog when using the [adsi] shortcut.

Paul


"Ex-Microsoft Guy" wrote:

> I believe it boils down to this question:
>
> How do I get "New-object System.DirectoryServices.DirectorySearcher" to
> search the entire forest?????