How to use where-object with a variable input - powershell

Ok so I am trying to use a variable to make up a where statement on a get-aduser command.
This is what I am trying to emulate which works:
get-aduser -filter * | where { $_.DistinguishedName -like "*Users,DC*" }
Note there are asterisks before and after the User,DC. Not showing for some reason.
So here is what I have in the script which returns nothing:
$SearchBase = (get-addomain).DistinguishedName
$DefaultUsersOU = "*OU=Users," + $SearchBase
get-aduser -Filter * -Properties lastLogonTimeStamp -Searchbase "$($SearchBase)" | where-object { $_.DistinguishedName -like $DefaultUsersOU }
Found a similar article on here Where object as variable but if I apply that thinking to the DistinguishedName field it doesn't work either.

Related

Get-AdUser Cannot convert to the type system.string

I am trying to run the get-aduser query below and I keep getting the error Get-AdUser Cannot convert to the type system.string. Any idea what might be the problem? TIA
$Base = (Get-ADOrganizationalUnit -Filter {(Name -like "Department")}).DistinguishedName
Get-ADUser -Filter * -SearchBase $Base -Properties Name
I tested this, and I can confirm that if your call to Get-ADOrganizationalUnit returns more than one OU, then the DistinguishedName property will be an array rather than a plain string. So you will need to change your call to Get-ADOrganizationalUnit so that it returns only one.
You can do that by either using the -ResultSetSize parameter to only use the first result:
$Base = (Get-ADOrganizationalUnit -Filter {(Name -like "Department")} -ResultSetSize 1).DistinguishedName
Or change the Filter so that it matches only one OU. I assume you're using -like because you're using a wildcard in your actual code, so you probably just have to be more specific.
Update: If you want users from all the matched OUs, then you can use ForEach-Object:
Get-ADOrganizationalUnit -Filter {(Name -like "Department")} |
ForEach {
Get-ADUser -Filter * -SearchBase $_.DistinguishedName -Properties Name
}

Find security and distribution groups with owners whose account is disabled

I'm looking for some guidance on creating a PowerShell script that will check security and distribution groups from specific OUs and see if the owner is a user who's disabled.
We have lots of old groups in our AD created by ex employees that need to be cleaned up.
This is what I've started with.
$managedByGroups = get-adgroup -filter 'groupCategory -eq "Distribution"' -SearchBase "OU=SydExchangeGroups,OU=SydGroups,OU=Sydney,DC=my,DC=org,DC=biz" -Properties distinguishedname, managedby | select sAMAccountName, managedby
$disabledUsers = Get-ADUser -Filter {Enabled -eq $false} -SearchBase "OU=SydDisabledUsers,OU=SydMisc,OU=Sydney,DC=my,DC=org,DC=biz" | select distinguishedname
foreach ($group in $managedByGroups){
if($managedByGroups.managedby -eq $disabledUsers.distinguishedname)
{
write-output
}
}
Thanks
There are a number of issues with your if block:
you are looping through $managedByGroups, but you are never using that variable (it should be $group.managedby)
you are trying to compare 1 element with a list of elements, in this case consider using -in operator instead of -eq.
you should treat the case when there is no value for managedby attribute, in case you do not get the desired results.
An alternative to your code is below.
I'm first getting the list of managedby users, then I'm looping through each entry, and if it is not null, we try to do a get-aduser filtering by enabled status and the distinguishedname.
$DisabledManagedBy variable will contain ADUser objects which are disabled.
$grp = get-adgroup -filter 'groupCategory -eq "Distribution"' -Properties ManagedBy,DistinguishedName
$DisabledManagedBy = foreach ($item in $grp.ManagedBy) {
if ($item) {
Get-ADUser -Filter {Enabled -eq $false -and DistinguishedName -like $item} -Properties DistinguishedName
}
}
I worked this out eventually by doing the following:
$myDisabledUsers = @()
$date = get-date -format dd-MM-yyyy
$managedSydGroups = Get-ADGroup -Filter * -Properties * -Searchbase "OU=SydExchangeGroups,OU=SydGroups,OU=Sydney,DC=my,DC=biz,DC=org" | where {$_.managedby -ne $null} | select name, managedby
$disabledSydUser = Get-ADUser -Filter * -SearchBase "OU=SydDisabledUsers,OU=SydMisc,OU=Sydney,DC=my,DC=biz,DC=org" | where {$_.enabled -eq $false} | select -ExpandProperty distinguishedname
$disabledOwners = foreach($group in $managedSydGroups)
{
$managedByString = [string]$group.managedby
if($disabledSydUser -contains $managedByString)
{$myDisabledUsers += $group}
}
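The owner check discussed in this thread, as an added example that is not code from any of the posts above. The function name and the sample objects are hypothetical and constructed so the block runs without a domain; the comments show which page cmdlets would supply the real input.

```powershell
function Find-GroupWithDisabledOwner {
    [CmdletBinding()]
    param(
        # Objects exposing Name and ManagedBy, e.g. from
        #   Get-ADGroup -Filter * -SearchBase $ou -Properties ManagedBy
        [Parameter(Mandatory)] [object[]] $Group,
        # Distinguished names of disabled users, e.g. from
        #   Get-ADUser -Filter {Enabled -eq $false} -SearchBase $ou |
        #       Select-Object -ExpandProperty DistinguishedName
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $DisabledUserDn
    )
    # DN comparison is case-insensitive; a hash set avoids rescanning
    # the disabled-user list once per group.
    $disabled = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$DisabledUserDn, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($g in $Group) {
        # Compare the current group's owner, not the whole collection.
        $owner = [string]$g.ManagedBy
        if ([string]::IsNullOrWhiteSpace($owner)) { continue }  # no owner set
        if ($disabled.Contains($owner)) {
            [pscustomobject]@{ Group = $g.Name; DisabledOwner = $owner }
        }
    }
}

# Constructed sample data standing in for Get-ADGroup / Get-ADUser output.
$base = 'OU=Sydney,DC=my,DC=org,DC=biz'
$groups = @(
    [pscustomobject]@{ Name = 'Syd-Finance'; ManagedBy = "CN=Alice Old,OU=SydDisabledUsers,OU=SydMisc,$base" }
    [pscustomobject]@{ Name = 'Syd-IT';      ManagedBy = "CN=Bob Current,OU=SydStaff,$base" }
    [pscustomobject]@{ Name = 'Syd-Orphan';  ManagedBy = $null }
)
# Different letter case on purpose: the match must still succeed.
$disabledDns = @("cn=alice old,ou=syddisabledusers,ou=sydmisc,$base")

Find-GroupWithDisabledOwner -Group $groups -DisabledUserDn $disabledDns
```

Groups with an empty ManagedBy are skipped here; listing them separately is a useful second report when cleaning up ownership.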

PowerShell- Get-ADUser Filter Issue

New to PowerShell and am having issues with Get-ADUser -Filter. I believe the issue has to do with the -Filter
$TC_TellerID_Array = @()
$TC_TellerID_Array = Import-Csv "C:\Designer.csv"
$ADUsersArray = @()
$ADUsersArray=get-aduser -filter * -Properties * | select Name, SamAccountName, extensionAttribute1, Enabled | where extensionAttribute1 -ne $null
Foreach ($User in $ADUsersArray)
{$TrimmedTeller = ($User.extensionAttribute1).Trim()
Foreach ($TC_TellerID in $TC_TellerID_Array)
{
Get-ADUser -Filter "'$TrimmedTeller' -eq '$TC_TellerID.TellerID'" -Properties * | Select Name,SamAccountName,extensionAttribute1, Enabled
}
}
Those single quotes are forcing a literal string. As @JosefZ pointed out. You would also want to pull your value of TellerID out using a SubExpression. Try changing your code to look like
Get-ADUser -Filter {$TrimmedTeller -eq $($TC_TellerID.TellerID)} -Properties * | Select Name,SamAccountName,extensionAttribute1, Enabled

Issue with passing variable to get-aduser cmdlet

Just getting started with PowerShell and I've run into a roadblock. I'm trying to iterate through AD and get a list of all OUs. From there I'm trying to get user account info for each user in each OU. To test I've been able to get the DN for all OUs and output to console but when I try and pass those values to the get-aduser cmdlet it fails.
Here's my code:
import-module activedirectory
$SearchBase = get-adorganizationalunit -filter * -searchbase "ou=users,ou=myUsers,dc=company,dc=local" -Properties CanonicalName | select-object -Property distinguishedName
foreach ($ou in $SearchBase) {
get-aduser -filter * -searchbase $ou -Properties givenName,sn,mail
}
I'm getting the following error message: "The supplied distinguishedName must belong to one of the following partitions..."
I think the issue is that when passing $ou to the get-aduser cmdlet the distinguished name must be enclosed in quotes after -searchbase, correct? If so, not sure how to go about that. Any help is appreciated.
The issue you are having is you need to expand the property you are selecting. You will notice if you run:
get-adorganizationalunit -filter * -searchbase "ou=users,ou=myUsers,dc=company,dc=local" -Properties CanonicalName | select-object -Property distinguishedName
It will show the parent property:
There are two ways to fix this:
Expand the property in your select statement:
$SearchBase = get-adorganizationalunit -filter * -searchbase "ou=users,ou=myUsers,dc=company,dc=local" -Properties CanonicalName | select-object -ExpandProperty distinguishedName
OR Call the Property in your foreach:
foreach ($ou in $SearchBase) {
get-aduser -filter * -searchbase $ou.distinguishedName -Properties givenName,sn,mail
}
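Both -SearchBase failures on this page (an array of distinguished names in the "Cannot convert to the type system.string" thread, and a Select-Object wrapper object in this one) come from passing something other than a single string. The following added example, not code from the posts, uses constructed objects in place of Get-ADOrganizationalUnit output; the helper name ConvertTo-SearchBaseList is hypothetical.

```powershell
function ConvertTo-SearchBaseList {
    # Accepts a string, a wrapper object, an OU-like object, or an array
    # of any of these, and emits one plain DN string per element.
    param([Parameter(Mandatory)] [AllowNull()] $InputObject)

    foreach ($item in @($InputObject)) {
        if ($null -eq $item) { continue }
        $dn = if ($item -is [string]) {
            $item
        } elseif ($item.PSObject.Properties['DistinguishedName']) {
            [string]$item.DistinguishedName
        } else {
            throw "No DistinguishedName on object of type $($item.GetType().Name)"
        }
        if ($dn -notmatch '^(OU|CN|DC)=') { throw "Not a distinguished name: $dn" }
        $dn
    }
}

# Constructed stand-ins for two OUs returned by one query.
$ous = @(
    [pscustomobject]@{ Name = 'Department A'; DistinguishedName = 'OU=Department A,DC=company,DC=local' }
    [pscustomobject]@{ Name = 'Department B'; DistinguishedName = 'OU=Department B,DC=company,DC=local' }
)

# -Property keeps each element as an object that wraps the value.
$wrapped  = $ous | Select-Object -Property DistinguishedName
# -ExpandProperty unwraps to plain strings.
$expanded = $ous | Select-Object -ExpandProperty DistinguishedName

# Show the runtime types that -SearchBase would have received.
'wrapped element type : ' + $wrapped[0].GetType().Name
'expanded element type: ' + $expanded[0].GetType().Name
'member enumeration   : ' + $ous.DistinguishedName.GetType().Name

# Normalising first lets the loop pass one string per call.
foreach ($base in ConvertTo-SearchBaseList $wrapped) {
    # With the ActiveDirectory module loaded this would be:
    #   Get-ADUser -Filter * -SearchBase $base -Properties givenName,sn,mail
    "SearchBase -> $base"
}
```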

Strange behavior when using Get-ADGroups and Get-ADGroupMember in powershell

I am running into a strange issue when using Get-ADGroups and Get-ADGroupMembers
This line works correctly (no issues)
$searchFilter = "OU=Projects,DC=my,DC=lab"
Get-ADGroup -Filter * -Properties * -SearchBase $distinguishedName | Get-ADGroupMember | Where-Object {$_.objectClass -eq "user"} | Get-ADUser | ft Name, SamAccountName, Enabled
However this block does not work
$groups = Get-ADGroup -Filter * -Properties * -SearchBase $distinguishedName
foreach ($g in $groups) {
Write-Host "Group:" $g.CN "(" $g.DistinguishedName ")"
Get-ADGroupMember -Identity $g.DistinguishedName -Debug -Verbose | Where-Object {$_.objectClass -eq "user"} | Get-ADUser | ft Name, SamAccountName, Enabled
}
Returns the following exception
Microsoft.ActiveDirectory.Management.ADException: An operations error occurred ---> System.ServiceModel.FaultException`1[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADGroupMemberFault]: Active Directory returned an error processing the operation.
Anyone have any thoughts on why?
Your second one works for me. Double-check your $distinguishedName value that you are passing to -SearchBase.
I noticed that you define $searchFilter, but you never actually reference it. Is that a typo?