Find all active AD users in specified period - powershell

I need some help with finding all active AD users. The task is to find all users that had been active for 8 months. So far, I managed to find all users that are active right now, but I need the specific period. Here's my PowerShell code:
PS C:\Windows\system32> Get-ADUser -Filter 'enabled -eq $true' -Properties CN |
Select-Object @{Label='ParentContainer';Expression={$_.Distinguishedname -replace "CN=$($_.cn),"}} |
Group-Object -Property ParentContainer |
Select-Object Name,Count |
Out-File -FilePath C:\Users2.txt
Thx in advance

It seems that you need to know when the user was disabled, to find its history and find out the active users within a period.
For example, if the user was disabled before last month, that means it was active last month.
This link will show that:
https://social.technet.microsoft.com/Forums/en-US/2560e797-a929-4fe0-bfcb-8e7d850d865b/ad-users-disabled-date
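
One way to approximate this from the directory itself, as an added example that is not part of the original answer: it treats the last originating write to userAccountControl as the disable time and counts a user as active in the period if the account is still enabled or was last changed after the period began. The 8-month window ending now and the use of the session's domain controller are assumptions.

```powershell
Import-Module ActiveDirectory

# Assumption: the period is the 8 months ending now.
$windowStart = (Get-Date).AddMonths(-8)

# Replication metadata has to be read from a named DC; the session's DC is used here.
$dc = (Get-ADDomainController).HostName

$active = foreach ($u in Get-ADUser -Filter * -Properties whenCreated -Server $dc) {
    if (-not $u.Enabled) {
        # Approximate the disable time by the last originating write to userAccountControl.
        # Any other change to that attribute (for example another flag) also updates it.
        $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName -Server $dc -Properties userAccountControl
        if ($meta.LastOriginatingChangeTime -lt $windowStart) { continue }   # changed before the period began
    }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        WhenCreated     = $u.whenCreated
        # Parent container: everything after the first non-escaped comma of the DN.
        ParentContainer = ($u.DistinguishedName -split '(?<!\\),', 2)[1]
    }
}

# Same per-container count as in the question, now limited to the period.
$active | Group-Object -Property ParentContainer | Select-Object Name, Count
```

Where account-management auditing is enabled, the disable events in the domain controllers' Security log give the exact time instead of this approximation.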

Related

Finding out if the same property occurs on multiple AD users

I'm pretty new on Powershell and this is by far the trickiest task I have gotten so far. I want to write a script that shows me if the same personal identity number occurs on multiple AD users.
I have managed to get a list of all AD users and their ID numbers using the Powershell Active Directory module and the following:
Get-ADUser -Filter * -SearchBase "OU=X,DC=X,DC=X,DC=X" -Properties PersonalIdentityNumber | Select-Object Name,PersonalIdentityNumber | Where-Object {$_.PersonalIdentityNumber} | Sort-Object -Property PersonalIdentityNumber
Although, I am not sure where to go from there. I suspect that I will have to use a for or foreach loop in some way, but I have tested a bit and not reached any conclusions. It will most likely be too heavy to compare every user against all other users, but I think that every user can be compared to the 20 users before or after, since matching ID numbers will probably be on users with the same name.
Any ideas on how to accomplish this?
Use the Group-Object cmdlet to group the users based on the value of the PersonalIdentityNumber property:
$usersWithPIN = Get-ADUser -Filter * -SearchBase "OU=X,DC=X,DC=X,DC=X" -Properties PersonalIdentityNumber | Select-Object Name,PersonalIdentityNumber | Where-Object {$_.PersonalIdentityNumber}
$usersWithSamePINGroups = $usersWithPIN |Group-Object PersonalIdentityNumber |Where-Object Count -gt 1
$usersWithSamePINGroups will now contain zero or more Group objects with a Count property (the number of users sharing a given PIN), and a Group property containing the user objects in question

AD inactive user with OU

I'd like to get a list of users that haven't used their account in the past 90 days. And I'd like to see in which OU/DC they are without getting the CN. Is this possible? I'm using PowerShell ISE for this.
I currently have
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90:00:00:00 -ResultPageSize 2000 -ResultSetSize $null |
?{$_.Enabled -eq $True} |
Select-Object Name, SamAccountName, DistinguishedName, LastLogonDate |
Export-CSV "C:\Temp\InActiveUsers.CSV" -NoTypeInformation
This returns the full distinguished name and I have to remove the CN in Excel afterwards, which is an annoying mess - I'd rather not deal with that repeatedly.
The solution doesn't have to be based on search-adaccount, but I do want it to be in a single code, so I don't have to get a list of users and then use that list with another bit of code to get their OU/DC.
You can grab the superior DN by splitting the string on the first non-escaped comma and discard the CN part:
# ...
| Select-Object Name,SamAccountName,@{Name='OU';Expression={($_.DistinguishedName -split '(?<!\\),',2)[1]}}, LastLogonDate
If your domain is running at least Windows 2012, you can ask for the msDS-parentdistname attribute, which will give you the DN of the parent object. It's a constructed attribute, which means it's calculated at the time you ask for it. You have to specifically ask for it, which means in this case I think you'll have to pipe the result into Get-ADUser to do so. That might slow things down quite a bit (there are faster ways to do this) but it should work.
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90:00:00:00 -ResultPageSize 2000 -ResultSetSize $null |
?{$_.Enabled -eq $True} |
Get-AdUser -Properties Name, SamAccountName, "msDS-parentdistname", LastLogonDate |
Select-Object Name, SamAccountName, "msDS-parentdistname", LastLogonDate |
Export-CSV "C:\Temp\InActiveUsers.CSV" -NoTypeInformation

Find Inactive Computer objects in Active Directory from multiple OU's

I'm struggling to make a PowerShell script and can't find a complete solution online.
Basically the script needs to have multiple functionality:
Needs to return inactive computer objects based on the LastLogon attribute for 30, 60, 90 days.
Needs to return results from multiple OU's, not just one.
Needs to exclude any OU with the word Laptop in it.
Needs to email the results in a .csv to an email address.
Please find my crappy start here which outputs 30,60,90 days but only from one OU. PowerShell Inactive Computers
Since you are getting the required result, only thing being you need to iterate.
To get all the list of all OU's from AD you can use below command.
$OUs=Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
To exclude any OU with the word Laptop in it, you can use below snippet.
$OUsWithoutLaptop=$OUs | where {$_ -notlike '*Laptop*'}
Then you can use the iteration as in the following sample.
foreach ($item in $OUsWithoutLaptop)
{
    $time = (Get-Date).Adddays(-60)
    # -Append keeps the rows from earlier OUs instead of overwriting the file on every pass
    Get-ADComputer -SearchBase $item -Filter {LastLogon -lt $time -and enabled -eq $true} -Properties LastLogon, description| ? {$_.distinguishedname -notlike '*OU=SydLaptops,OU=SydComputers,OU=Sydney,DC=domain,DC=domain,DC=domain'} |
    select-object Name,DistinguishedName, description, enabled,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.LastLogon)}} | export-csv $logfile60 -notypeinformation -Append
}
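
A single pass that covers the 30, 60 and 90 day thresholds across all non-Laptop OUs, as an added example that is not part of the original answer. It swaps LastLogon (kept separately on each domain controller) for the replicated lastLogonTimestamp, which by default can lag the real logon by roughly 9 to 14 days; the output file name is an assumption.

```powershell
Import-Module ActiveDirectory

$now = Get-Date

# Every OU whose DN does not contain "Laptop" (child OUs of a Laptop OU carry it in their DN too).
$ous = Get-ADOrganizationalUnit -Filter * |
    Select-Object -ExpandProperty DistinguishedName |
    Where-Object { $_ -notlike '*Laptop*' }

$report = foreach ($ou in $ous) {
    # OneLevel: each OU returns only its direct children, so nested OUs are not
    # reported twice and an excluded Laptop OU is not reached through its parent.
    Get-ADComputer -SearchBase $ou -SearchScope OneLevel -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, Description |
        ForEach-Object {
            $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
            $days = if ($last) { [math]::Floor(($now - $last).TotalDays) }

            # Assign the widest bucket the computer qualifies for; recently seen machines get none.
            $bucket = if (-not $last) { 'never' } elseif ($days -ge 90) { '90+' } elseif ($days -ge 60) { '60-89' } elseif ($days -ge 30) { '30-59' }

            if ($bucket) {
                [pscustomobject]@{
                    Name              = $_.Name
                    Bucket            = $bucket
                    DaysSinceLogon    = $days
                    LastLogonStamp    = $last
                    Description       = $_.Description
                    DistinguishedName = $_.DistinguishedName
                }
            }
        }
}

# One CSV for all OUs and all thresholds (file name is an assumption).
$report | Sort-Object Bucket, Name | Export-Csv -Path inactive-computers.csv -NoTypeInformation
```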

How to use AD groups to assign O365 mailbox sizes

Is there a way to do the above? I've managed to follow the below link successfully but we're looking to set different limits based on the user's role.
The aforementioned link
Where it says:
Additional filters can be applied to the Get-Mailbox cmdlet or to the Get-User cmdlet to control the users for whom the change is applied. The following is an example in which three cmdlets are used to filter the command to the sales department of an organization:
Get-User | where {$_.Department -eq "Sales"} | Get-Mailbox | Set-Mailbox -ProhibitSendQuota < Value > -ProhibitSendReceiveQuota < Value > -IssueWarningQuota < Value >
Kinda got me confused as to where it's pulling the "Sales" group from?
Probably being a muppet here but any help appreciated.
You could do this, using the Active Directory PowerShell module:
Get-ADUser -Filter * -Properties Department | Where-Object { $_.Department -eq "Sales" } | [...]
But that's just pulling everybody and looking at the Department field from Active Directory. That's the example the article gives, but it doesn't answer your question about assigning quotas based on groups.
I suspect what you'll want based on your problem is this:
Get-ADGroupMember -Identity $GroupName | Get-ADUser | Get-MailBox | Set-Mailbox -ProhibitSendQuota [...]
I don't know if you need Get-ADUser there or if the output of Get-ADGroupMember can be piped directly to Get-MailBox. I no longer administer Exchange, so I don't have access to those cmdlets anymore. $GroupName can be the group's name, distinguished name, or even the SID, IIRC.

Enabling AD account using powershell

All the new user accounts created in Active Directory are kept as disabled and the option "user must change password on next login" is ticked. These accounts will remain disabled for 7 days and on the 8th day they need to be enabled. Creating the accounts is already done by another script and I am stuck with the account enable part.
How can I achieve enabling these accounts using a PowerShell script? How can I use account properties like last logon date, account creation date, account status (disabled), and the option "user must change password on next login" to validate and find that the user is a new user which needs to be enabled?
get-aduser -f {-not ( lastlogontimestamp -like "*") -and (enabled -eq $false) -and (pwdLastSet -eq 0)} |
Select-Object name,SamAccountName |
export-csv -path data.csv
Use filters to filter according to your criteria. This snippet gets user objects for accounts that are disabled then filters out those less than a week old. It stores them in a collection of user objects. You can further filter $userlist by any user object property using the $variable | $variable where { [filter] } format. The filters can be as complex as you want. I like putting one on each line so I can easily comment out given filters. Use the filtered list for whatever you want.
$WeekAgoDate = $(Get-Date).addDays(-7)
$userlist = get-aduser -filter { enabled -eq $false } -Properties *
$userlist = $userlist | Where { $_.created -lt $WeekAgoDate }
"$(@($userlist).Count) accounts found"
$userlist | select name, samaccountname | format-table
To enable $userlist:
$userlist | Enable-ADAccount
Here is how you can do it, but you will need to write the script:
Check the whenCreated attribute. It has a date-time stamp and you can use that to see how old the account is.
If the account is older than 7 days and the account is disabled, set the userAccountControl attribute to enabled, i.e. 512, and then set your "user must change password" property to true.
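
The steps above as a script, as an added example that is not part of the original answers. It narrows the selection to accounts that look newly provisioned (disabled, never logged on, password change still pending, older than 7 days) so that other disabled accounts, such as those of people who have left, are not re-enabled; the search base DN and the CSV name are placeholders.

```powershell
Import-Module ActiveDirectory

# Assumptions: new accounts are created under this OU (placeholder DN) and are enabled on day 8.
$searchBase = 'OU=NewUsers,DC=example,DC=com'
$cutoff     = (Get-Date).AddDays(-7)

# Disabled accounts that still have "user must change password at next logon" set (pwdLastSet = 0).
$candidates = Get-ADUser -SearchBase $searchBase -Filter 'Enabled -eq $false -and pwdLastSet -eq 0' -Properties whenCreated, lastLogonTimestamp

# Keep only accounts older than 7 days that have never logged on.
$toEnable = $candidates | Where-Object {
    ($_.whenCreated -lt $cutoff) -and (-not $_.lastLogonTimestamp)
}

foreach ($u in $toEnable) {
    # -WhatIf only reports what would change; remove it once the list has been reviewed.
    Enable-ADAccount -Identity $u -WhatIf
    # Re-assert the password-change requirement in case it was cleared in the meantime.
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf
}

# Keep a record of what was (or would be) enabled.
$toEnable |
    Select-Object Name, SamAccountName, whenCreated |
    Export-Csv -Path enabled-accounts.csv -NoTypeInformation
```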