How to obtain user principal names from canonical name of objects - powershell

When I run below PowerShell command:
(Get-Mailbox -Identity SharedMailbox1).GrantSendOnBehalfTo
I get the following output:
contoso.local/NZ/Users/Internal/Test, User21
contoso.local/NZ/Users/Terminated/Test, User12
contoso.local/NZ/Users/Terminated/Test, User3
contoso.local/NZ/Users/Internal/Test, User6
contoso.local/NZ/Users/Internal/Test, User10
I would like to obtain UPN from this output in an array. Is there a way?

This is actually straightforward. The GrantSendOnBehalfTo property contains objects of type [Microsoft.Exchange.Data.Directory.ADObjectId], which are suitable to be piped to other cmdlets in the Exchange Management Shell.
(Get-Mailbox SharedMailbox1).GrantSendOnBehalfTo |
Get-Mailbox |
Select-Object -ExpandProperty UserPrincipalName
A shorter but less readable version:
((Get-Mailbox SharedMailbox1).GrantSendOnBehalfTo | Get-Mailbox).UserPrincipalName
You can also use it in conjunction with the ActiveDirectory module. You just have to ensure you're piping a string down the pipeline that the AD cmdlets will accept for their -Identity parameter. Of course, you can't go wrong using the DistinguishedName:
((Get-Mailbox SharedMailbox1).GrantSendOnBehalfTo.DistinguishedName |
Get-ADObject -Properties UserPrincipalName).UserPrincipalName
I should point out that, while rare, it's possible to have a group in the GrantSendOnBehalfTo property. Groups do not have a UserPrincipalName attribute. You can get around that using Get-Recipient and filtering on RecipientType:
(Get-Mailbox SharedMailbox1).GrantSendOnBehalfTo |
Get-Recipient |
Where-Object{$_.RecipientType -eq "UserMailbox"} |
Get-Mailbox |
Select-Object -ExpandProperty UserPrincipalName
Or the AD version:
(Get-Mailbox SharedMailbox1).GrantSendOnBehalfTo.DistinguishedName |
Get-ADObject -Properties UserPrincipalName |
Where-Object{$_.objectClass -eq "user"} |
Select-Object -ExpandProperty UserPrincipalName
There may be other object types too, but so long as you're filtering for user mailboxes you should be able to output correct data. Of course, these techniques can be expanded to report better if non-user/mailboxes are encountered etc...
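
The reporting idea from the end of the answer above, as an added example that is not part of the original answer: every delegate stays in the output with its object class, UPN and disabled state, so groups, unresolved entries and disabled accounts (such as the ones under the Terminated OU in the question) are visible instead of silently filtered out. It assumes the Exchange Management Shell and the ActiveDirectory module are loaded; Get-SendOnBehalfReport is a hypothetical name.

```powershell
# Added example; Get-SendOnBehalfReport is a hypothetical helper name.
# Assumes the Exchange Management Shell and the ActiveDirectory module.
function Get-SendOnBehalfReport {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Mailbox)
    process {
        $delegates = (Get-Mailbox -Identity $Mailbox -ErrorAction Stop).GrantSendOnBehalfTo
        foreach ($delegate in $delegates) {
            $row = [ordered]@{
                Mailbox           = $Mailbox
                Delegate          = "$delegate"   # canonical name, as in the question's output
                ObjectClass       = 'unresolved'
                UserPrincipalName = $null
                Disabled          = $null
            }
            try {
                $ad = Get-ADObject -Identity $delegate.DistinguishedName -Properties userPrincipalName, userAccountControl -ErrorAction Stop
                $row.ObjectClass = $ad.ObjectClass
                if ($ad.ObjectClass -eq 'user') {
                    $row.UserPrincipalName = $ad.userPrincipalName
                    # Bit 0x2 of userAccountControl is ACCOUNTDISABLE.
                    $row.Disabled = [bool]($ad.userAccountControl -band 2)
                }
            }
            catch {
                # The delegate entry no longer resolves in AD; keep it in the report.
                Write-Warning "Could not resolve '$delegate': $($_.Exception.Message)"
            }
            [pscustomobject]$row
        }
    }
}

$report = Get-SendOnBehalfReport -Mailbox SharedMailbox1

# The UPN array the question asked for (user delegates only).
$upns = @($report | Where-Object ObjectClass -eq 'user' |
    Select-Object -ExpandProperty UserPrincipalName)

# Delegations to review: groups, unresolved entries and disabled accounts.
$report | Where-Object { $_.ObjectClass -ne 'user' -or $_.Disabled }
```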

Related

exporting AD users displayName for selected groups only - powershell

I am new to powershell so please excuse me if the answer is quite simple. I am trying to get user list sorted by selected AD groups and export that to table or csv at least. Due to the fact that:
Get-ADGroupMember -Identity "TestGroupName"
... gives me only user IDs for my AD, I used below:
Get-ADGroupMember -Identity "TestGroupName" | Get-ADObject -Properties displayName
This works perfectly but I do not want to type manually each group there so I decided to first export groups that I need which are beginning with "Test":
Get-ADGroup -Filter "name -like 'Test*'" |Select-Object Name | Export-csv -path .\Groups.csv
Now I want to use information from Groups.csv to list all user displayName for groups listed in Groups.csv so I tried something like that:
Import-Csv -Path .\Groups.csv | Get-ADGroupMember ForEach($Name in $Groups) | Get-ADObject -Properties displayName | Export-csv -path \UsersByGroups.csv
Unfortunately it does not work properly, maybe because I still do not get exactly how to use ForEach.
Can someone with more experience have a look and help?
Thanks!
Maciej
Just pipe the groups output by Get-ADGroup -Filter ... directly to Get-ADGroupMember:
Get-ADGroup -Filter "name -like 'Test*'" |Get-ADGroupMember |Get-ADObject -Properties displayName

Powershell - Populate list of AD users in large security group that are in a particular OU

I'm trying to get an AD Security Group down to a manageable size, but due to display limits in Powershell, this is proving difficult for me. The group is down to 47,720 now after removing all disabled AD accounts. Now I'm trying to filter it down to Enabled users that live in this particular OU. Below is what I've used with success in the console.
Get-ADGroup "very_large_secgroup" -properties Member | Select-Object -expandproperty member | get-aduser -Filter * -SearchBase "OU=PurgeStudents,OU=DisabledAccounts,DC=contoso,DC=com" | Select-Object SamAccountName,DistinguishedName
When I try to count this, or pipe it via Out-File though, I get:
get-aduser : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that
take pipeline input.
At line:1 char:92
+ ... ty member | get-aduser -Filter * -SearchBase "OU=PurgeStudents,OU=Dis ...
Any assistance would be greatly appreciated, as I am a novice in Powershell magic.
Instead of using -Filter *, you could filter for all previously retrieved users. And there is a cmdlet to get the members of a group:
Get-ADGroupMember -Identity "very_large_secgroup" -Recursive | Foreach-Object {Get-ADUser -Filter "Name -like '$($_.Name)'" -SearchBase "OU=PurgeStudents,OU=DisabledAccounts,DC=contoso,DC=com" | Select-Object -Property SamAccountName, DistinguishedName}

Get a specific AD Group membership then export to csv

I have a list of computers that I need to find a specific AD Group Membership and output to csv.
How can I do this from PS ?
Get-ADPrincipalGroupMembership (Get-ADComputer ComputerName) | select-object name
Thank you
You are not trying to find groups of users, but computers. Using Get-ADPrincipalGroupMembership is useless.
Get-Content .\ListOfComputer.txt | Get-ADComputer -properties Memberof |
Where-Object {$_.MemberOf -like "*Specific Word*"} | export-csv SpecificADGroupMembership.csv -Append

How to retrieve only enabled users from the Active Directory

I'm trying to retrieve only enabled users in the AD. When I run this code line it returns the error. I tried using a filter as well to filter only enabled users for the requested info but it returns ALL users from every domain instead of just the single id.
Get-ADUser : A positional parameter cannot be found that accepts argument 'enabled -eq 'true''.
This is my code that is throwing the error.
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter '*' | Get-ADUser Where "enabled -eq 'true'" | Get-ADUser -Properties ('Mail')
This one returns ALL users from every domain
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter "enabled -eq'true'" | Get-ADUser -Properties ('Mail')
Is my syntax wrong on both of them? If I just want to return values from say "Animal shop A" and then "Animal Shop B"
.. or a little bit shorter this way:
Get-ADUser -Filter 'enabled -eq $true' -Properties mail |
Select-Object -Property Name,samaccountname,mail
Besides this I would recommend to use a -SearchBase. That's less stressful for the AD. ;-)
Get-ADUser -Filter * -Properties mail | Where { $_.Enabled -eq $True} | Select Name,samaccountname,mail
That will get all enabled users in your target domain that are enabled and display the name, username, and mail properties
Important to know for both commands:
You must work with an elevated powershell process.
Otherwise the result may not be complete.
get-aduser -filter 'enabled -eq "true"' -ResultSetSize $Null
Simply try the commands below in PowerShell with administrator permission.
As a guide, the first part will filter users, second part filtered enabled users and last part will give you export of results.
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like "true"} | Export-Csv -Path C:\eport.csv -Encoding ascii -NoTypeInformation
Hope this is useful for you.
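
For both the large-group-in-one-OU question and the enabled-members-of-a-group question above, an added example (not from any of the original answers) that does the whole selection in one server-side LDAP query: group membership, enabled state and, optionally, the OU. It assumes the ActiveDirectory module; Get-EnabledGroupMember is a hypothetical name.

```powershell
# Added example; Get-EnabledGroupMember is a hypothetical helper name.
# One LDAP query replaces Get-ADGroupMember plus a Get-ADUser call per member,
# which matters for very large groups.
function Get-EnabledGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Group,
        [string]$SearchBase,                 # optional OU to scope the search
        [switch]$Recursive,                  # include members of nested groups
        [string[]]$Properties = @('mail')
    )
    $groupDn = (Get-ADGroup -Identity $Group -ErrorAction Stop).DistinguishedName

    # Escape characters that are special inside an LDAP filter value (RFC 4515).
    # A DN such as "CN=Test\, Group,..." already contains a backslash.
    $escaped = $groupDn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (nested membership).
    $memberOf = if ($Recursive) { "(memberOf:1.2.840.113556.1.4.1941:=$escaped)" }
                else            { "(memberOf=$escaped)" }

    # 1.2.840.113556.1.4.803 = bitwise AND; bit 2 of userAccountControl is
    # ACCOUNTDISABLE, so the negated clause keeps enabled accounts only.
    # memberOf does not list a user's primary group, so users who have this
    # group as their primary group are not returned.
    $filter = '(&(objectCategory=person)(objectClass=user){0}(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' -f $memberOf

    $params = @{ LDAPFilter = $filter; Properties = $Properties }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    Get-ADUser @params
}

# Enabled members of the large group that live in one OU:
Get-EnabledGroupMember -Group 'very_large_secgroup' -SearchBase 'OU=PurgeStudents,OU=DisabledAccounts,DC=contoso,DC=com' |
    Select-Object SamAccountName, DistinguishedName

# Enabled members of several named groups, with their mail attribute:
'Animal Shop A', 'Animal Shop B' |
    ForEach-Object { Get-EnabledGroupMember -Group $_ } |
    Select-Object Name, SamAccountName, mail
```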

Domain Admin Cleanup with Foreach-Object

I'm in the process of cleaning up my inherited Domain Admins group and remove service accounts that are no longer needed. I'm trying to pull the group membership of the Domain Admins group and feed it into a Get-ADUser, with little success.
$name = Get-ADGroupMember "domain admins" | select -ExpandProperty Name
Foreach-Object {
Get-ADUser -Filter { Name -Like "$name"} -Properties * | FT Name, LastLogonDate
}
If I run the Get-ADGroupMember by itself it works. If I run the Get-ADUser with a name from the list (instead of the $name variable) it works. But when I attempt to tie them together it does not work.
I am glad you were able to make it work but I would like to offer some advice. First don't use -Properties * when all you really needed was LastLogonDate. You are pulling more data than you need to. Also you don't even need the ForEach loop since Get-Aduser will accept the pipeline input very nicely.
Get-ADGroupMember "domain admins" | Get-ADUser -Properties LastLogonDate |
Select Name,LastLogonDate
or if you really want console output, as opposed to standard output
Get-ADGroupMember "domain admins" | Get-ADUser -Properties LastLogonDate |
Format-Table Name,LastLogonDate -AutoSize
Thanks #EBGreen, your comment pointed me in the right direction. I am able to get what I need with the following:
Get-ADGroupMember "domain admins" | select -ExpandProperty SamAccountName | % {
$name=$_
Get-ADUser $_ -Properties *
} | FT Name, LastLogonDate -AutoSize
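
A review report for the cleanup discussed in this thread, as an added example that is not part of the original posts: it flattens nested membership, keeps user objects only, and adds the fields that help decide whether an account is still needed. It assumes the ActiveDirectory module; Get-PrivilegedGroupReview and the 90-day threshold are illustrative choices.

```powershell
# Added example; Get-PrivilegedGroupReview and the 90-day default are
# illustrative, not from the original thread.
function Get-PrivilegedGroupReview {
    [CmdletBinding()]
    param(
        [string]$Group = 'Domain Admins',
        [int]$StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # -Recursive returns the leaf members of nested groups. Keep user objects
    # only, because Get-ADUser cannot bind computer accounts.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, ServicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                # LastLogonDate comes from lastLogonTimestamp, which replicates
                # lazily (about two weeks by default), so treat it as approximate.
                LastLogonDate   = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet
                # An SPN on the account usually means a service runs as it.
                HasSpn          = $_.ServicePrincipalName.Count -gt 0
                # An account that has never logged on ($null) also counts as stale.
                Stale           = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
            }
        }
}

Get-PrivilegedGroupReview | Sort-Object LastLogonDate | Format-Table -AutoSize
```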