LDP.EXE with Custom Control 1.2.840.113556.1.4.2309 (LDAP_SERVER_LINK_TTL_OID) (based on https://secureidentity.se/msds-shadowprincipal/)
Works with expanding tree or “Advanced” or “Asynchronous” searches:
```powershell
$dc = "devdc01.esmobile.metabpa.org"
$rootDN = "OU=ESMOBILE,DC=esmobile,DC=metabpa,DC=org"
$filter = "(objectClass=group)"
[string[]] $attributesToGet = @("member","name")

# Load the LDAP protocol classes
Add-Type -AssemblyName System.DirectoryServices.Protocols

[DirectoryServices.Protocols.LdapConnection] $ldapConn = New-Object DirectoryServices.Protocols.LdapConnection($dc)
$ldapConn.AuthType = [DirectoryServices.Protocols.AuthType]::Kerberos

# LDAP_SERVER_LINK_TTL_OID is sent with no control value ($null), marked critical and server-side
[System.DirectoryServices.Protocols.DirectoryControl] $jit_ctr = New-Object System.DirectoryServices.Protocols.DirectoryControl("1.2.840.113556.1.4.2309", $null, $true, $true)

[DirectoryServices.Protocols.SearchRequest] $ldapRequest = New-Object DirectoryServices.Protocols.SearchRequest($rootDN, $filter, 'SubTree', $attributesToGet)
[void] $ldapRequest.Controls.Add($jit_ctr)

[DirectoryServices.Protocols.SearchResponse] $ldapResponse = $ldapConn.SendRequest($ldapRequest)

foreach ($entry in $ldapResponse.Entries) {
    # Group DN, followed by only those members that carry a TTL prefix
    $entry.DistinguishedName
    foreach ($mship in $entry.Attributes['member']) {
        $mstring = [System.Text.Encoding]::UTF8.GetString($mship)
        if ($mstring -match "^<TTL=(\d+)>,") { $mstring }
    }
}
```
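The script above prints only the raw `<TTL=n>,DN` strings. The following added example (not part of the original page) splits each member value into its TTL and DN and computes an expiry time, so that permanent memberships stand out when reviewing a group that is expected to hold only time-bound members. The function name `ConvertFrom-TtlMember`, the sample DNs and the treatment of the TTL as seconds remaining are assumptions.

```powershell
# Added example: parse member values returned under LDAP_SERVER_LINK_TTL_OID.
# Assumption: values look like "<TTL=n>,<DN>" (the pattern matched by the script
# above) and n is the number of seconds remaining; values without the prefix
# are treated as permanent links.
function ConvertFrom-TtlMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $Value,
        [string]   $Group = '',
        [datetime] $Now   = (Get-Date)
    )
    process {
        if ($Value -match '^<TTL=(\d+)>,(.+)$') {
            $ttl = [int64] $Matches[1]
            [pscustomobject]@{
                Group      = $Group
                Member     = $Matches[2]
                TimeBound  = $true
                TtlSeconds = $ttl
                ExpiresAt  = $Now.AddSeconds($ttl)
            }
        }
        else {
            [pscustomobject]@{
                Group      = $Group
                Member     = $Value
                TimeBound  = $false
                TtlSeconds = $null
                ExpiresAt  = $null
            }
        }
    }
}

# Constructed sample values (hypothetical DNs, not taken from a real directory)
$sampleGroup   = 'CN=Server Admins,OU=Groups,DC=example,DC=test'
$sampleMembers = @(
    '<TTL=3540>,CN=Alice Admin,OU=Users,DC=example,DC=test'
    'CN=svc-backup,OU=Service Accounts,DC=example,DC=test'
    '<TTL=86400>,CN=Bob Ops,OU=Users,DC=example,DC=test'
)

$parsed = $sampleMembers | ConvertFrom-TtlMember -Group $sampleGroup

# All memberships, soonest expiry first
$parsed | Sort-Object TimeBound, ExpiresAt | Format-Table Member, TimeBound, TtlSeconds, ExpiresAt

# Permanent memberships only
$parsed | Where-Object { -not $_.TimeBound } | Select-Object Group, Member
```

To use it with the search above, pipe `$mstring` into `ConvertFrom-TtlMember -Group $entry.DistinguishedName` instead of filtering with `-match`.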