Using Powershell to Read NDS Users

Adam Bertram


I work at a place where Groupwise and NDS are still used; unfortunately, I know. Prior to implementing an identity management solution, I needed to compare users in NDS against Active Directory. By utilizing the free Netcmdlets package's Get-Ldap cmdlet I was able to make that happen.

However, before I could get to that point I had to create a secure method of passing credentials to the NDS server. This can be accomplished by creating a credential and exporting it to an XML file, which keeps it on the file system for later use. To do this you need to use PowerShell's Get-Credential cmdlet. By default, this cmdlet prompts you with a GUI message box to input the username and password.

To authenticate with NDS the username needs to be in the form cn=user,o=something. Get-Credential won’t accept this because it’s looking for an Active Directory username.

To get around this, you must first set the ConsolePrompting registry value (a string) to True.

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds -Name ConsolePrompting -Value "True"

Once you do this, Get-Credential will prompt you via the console and allow non-standard usernames. Now create a credential object with the NDS username and password and export it to disk.

$cred = Get-Credential

## Step through the username and password prompts here

Export-Clixml -InputObject $cred -Path secret_user.xml

Now we've got a way to pull credentials without typing in a password every time. The next step is to read the credential back from the XML file and query the NDS server via LDAP to find all users on the server.

$nds_cred = Import-Clixml 'secret_user.xml'
# Pass the imported credential ($nds_cred), not the interactive $cred from the earlier session
Get-Ldap -server SERVERNAME -search 'objectclass=person' -DN 'o=DNNAME' -Credential $nds_cred |
    Select-Object @{Name='Username';Expression={$_.cn}},
    @{Name='Firstname';Expression={$_.givenname}},
    @{Name='Lastname';Expression={$_.sn}},
    @{Name='EmployeeNumber';Expression={$_.workforceid}},
    @{Name='LoginTime';Expression={$_.loginTime[0]}},
    @{Name='DN';Expression={$_.ResultDN}}

The heavy lifting is done by the Get-Ldap cmdlet. All I needed to do was pass the server name I want to query, the LDAP search string (in this case all person objects), the base DistinguishedName to start the search at, and the credential to access the server. Just for a pretty display I chose to use Select-Object's calculated properties.
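The whole workflow (persist the NDS credential, read it back, pull the users, and do the NDS-versus-AD comparison the post set out to do) as an added example that is not from the original post. Instead of the ConsolePrompting registry change it builds the PSCredential object directly, which accepts the cn=...,o=... username; it assumes the Netcmdlets Get-Ldap cmdlet and the ActiveDirectory module are installed, and SERVERNAME, o=DNNAME and the credential path are placeholders.

```powershell
# Added example, not the post's own code. Placeholders: SERVERNAME, o=DNNAME, $CredPath.
$CredPath = Join-Path $env:USERPROFILE 'nds_cred.xml'

function Save-NdsCredential {
    param([string]$NdsUserDn, [string]$Path)
    # Read-Host -AsSecureString only asks for the password, so the cn=...,o=... username
    # can be supplied as-is without touching the ConsolePrompting registry value.
    $password = Read-Host -Prompt "Password for $NdsUserDn" -AsSecureString
    $cred = New-Object System.Management.Automation.PSCredential($NdsUserDn, $password)
    # Export-Clixml protects the SecureString with DPAPI: only the same Windows user
    # on the same machine can Import-Clixml it back, so the file is not portable.
    $cred | Export-Clixml -Path $Path
}

function Get-NdsUser {
    param([string]$Server, [string]$BaseDn, [string]$CredentialPath)
    $cred = Import-Clixml -Path $CredentialPath
    Get-Ldap -Server $Server -Search 'objectclass=person' -DN $BaseDn -Credential $cred |
        Select-Object @{Name='Username';Expression={$_.cn}},
                      @{Name='Firstname';Expression={$_.givenname}},
                      @{Name='Lastname';Expression={$_.sn}},
                      @{Name='DN';Expression={$_.ResultDN}}
}

function Compare-NdsToAd {
    param([object[]]$NdsUsers, [object[]]$AdUsers)
    # SideIndicator '<=' means the account exists only in NDS, '=>' only in AD.
    # Compare-Object matches strings case-insensitively, so cn vs sAMAccountName case differences are ignored.
    Compare-Object -ReferenceObject $NdsUsers -DifferenceObject $AdUsers -Property Username
}

# Usage: create the credential file once, then run the comparison.
if (-not (Test-Path $CredPath)) {
    Save-NdsCredential -NdsUserDn 'cn=admin,o=DNNAME' -Path $CredPath
}
$nds = Get-NdsUser -Server 'SERVERNAME' -BaseDn 'o=DNNAME' -CredentialPath $CredPath
$ad  = Get-ADUser -Filter * |
       Select-Object @{Name='Username';Expression={$_.SamAccountName}}
Compare-NdsToAd -NdsUsers $nds -AdUsers $ad | Sort-Object SideIndicator, Username
```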
