Sometimes Get-ADPrincipalGroupMembership does not produce results - powershell

$UserInfo = Get-ADUser -Filter { mail -eq $email } -properties mail, title, manager, SamAccountName, distinguishedName | Select-Object SamAccountName, distinguishedName, title, manager
$UserSam = $UserInfo.SamAccountName
$ADGroups = Get-ADPrincipalGroupMembership -Identity $UserSam | Select-Object distinguishedName, name | Where-Object { ($_.distinguishedName -ne 'CN=Domain Users,CN=Users,DC=Corp,DC=Domain,DC=com') -and ($_.distinguishedName -ne 'CN=Google-Users,OU=Security Groups,OU=Groups,DC=Domain,DC=com') }
I visually confirm the user has AD groups besides the two and the samaccountname is right. There is no error except that $ADGroups is empty. The odd thing is sometimes it works and sometimes not.
Thoughts?

Turns out the domain is not syncing correctly. The command I am running is correct as far as I can tell.
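Since the thread traces the intermittent result to domain replication, the check below (added here, not part of the original thread) asks every domain controller for the same user's memberships with -Server and warns when they disagree. 'jdoe' is a placeholder account name.

```powershell
Import-Module ActiveDirectory

function Compare-GroupMembershipAcrossDCs {
    param([Parameter(Mandatory)][string] $SamAccountName)

    # Every DC in the current domain; each one is asked separately.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    $results = foreach ($dc in $dcs) {
        try {
            # -Server pins the lookup to one DC, so a single run cannot mix the answer of a DC
            # that has replicated the membership with that of one that has not.
            $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName -Server $dc |
                      Select-Object -ExpandProperty DistinguishedName |
                      Sort-Object
            [pscustomobject]@{
                DC     = $dc
                Count  = @($groups).Count
                Groups = (@($groups) -join ';')
                Error  = $null
            }
        }
        catch {
            [pscustomobject]@{ DC = $dc; Count = -1; Groups = $null; Error = $_.Exception.Message }
        }
    }

    # One distinct membership list means all DCs agree; more than one means the DCs are out of
    # sync, which matches a query that returns groups on one run and nothing on the next.
    $distinct = @($results | Where-Object { -not $_.Error } | Select-Object -ExpandProperty Groups | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "Domain controllers disagree about the groups of '$SamAccountName'; check replication (e.g. repadmin /showrepl)."
    }
    $results
}

# Placeholder account; replace with the SamAccountName that came back without groups.
Compare-GroupMembershipAcrossDCs -SamAccountName 'jdoe' | Format-Table DC, Count, Error -AutoSize
```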

Looking up a particular user in a particular group in AD using Powershell

I've been looking online for ways of doing this and I'm at a loss here. I'm looking for a way to look up a particular user within a particular group in AD through powershell. Here's what I've tried.
(Get-ADUser userName -Properties MemberOf).MemberOf
I get a bunch of groups
(Get-ADGroupMember "groupname").name
I get a bunch of usernames
I tried this command but it's taking forever to get results.
(Get-ADGroupMember 'groupname' | Get-ADUser -Property DisplayName | Where-Object { $_.Name -eq 'username'})
Is there a way I can get a command that is both fast and efficient? I'm also looking for their email address and surname and last name.
Thanks in advance
As commented, it is best not to use the Name property; if you have it, use the SamAccountName or DistinguishedName of the user you seek, to rule out ambiguous names.
$user = Get-ADGroupMember -Identity 'GroupName' |
        Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq 'userSamAccountName' } |
        Get-ADUser -Properties DisplayName, EmailAddress, GivenName, Surname # add more properties if you need them
# display the user object on screen
$user
Or do this way:
$user = $null
$member = Get-ADGroupMember -Identity 'TheGroupName' |
          Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq 'TheuserSamAccountName' }
if ($member) {
    # add more properties if you need them
    $user = Get-ADUser -Identity $member.DistinguishedName -Properties DisplayName, EmailAddress, GivenName, Surname
}
else {
    Write-Host "User 'TheuserSamAccountName' is not a member of group 'TheGroupName'"
}
# display the user object on screen
$user
The resulting $user object will also contain these properties:
DistinguishedName, Enabled, Name, ObjectClass, ObjectGUID, SamAccountName, SID, UserPrincipalName
If you don't need all of these properties simply filter them out using
$user | Select-Object DisplayName, EmailAddress, GivenName, Surname

Piping AD-User Information to CSV

I've got some logic/formatting brain block here.
I have a CSV with GivenName and Surname Property to use
I need to pipe that info against the AD user estate and return the information on the users in the list with a few properties, including their name, Office, SamAccountName and email address. I've got as far as this:
$employees = import-csv 'c:\employees\employeelist.csv'
$UserInfo = ForEach ($user in $employees) {
    Get-ADUser -Filter * |
        Where-Object { $_.GivenName -like $employee.GivenName -and $_.Surname -like $employee.Surname }
}
The information is returned but not in a table form, and I can't believe I can't seem to figure out how to pipe it to a CSV. It's not working out; it is returned like this:
Reference : 201111
Surname : Smith
GivenName : Name
Effective from : 24-Sep-13
Business Area : Client Ops
Department : ATE
Organisation Unit : ATE Ops
Any ideas why, when I | export-csv, I don't get the correct format?
As commented, you are using the wrong variable name in your foreach loop.
($employee should be $user) since that is the variable you define in the loop.
Something like this:
$employees = Import-Csv 'c:\employees\employeelist.csv'
$UserInfo = foreach ($user in $employees) {
    Get-ADUser -Filter * -Properties GivenName, Surname, Office, SamAccountName, EmailAddress |
        Where-Object { $user.GivenName -eq $_.GivenName -and $user.Surname -eq $_.Surname } |
        Select-Object GivenName, Surname, Office, SamAccountName, EmailAddress
}
$UserInfo | Export-Csv -Path 'c:\employees\employees.csv' -NoTypeInformation
As you can see, I'm also naming the properties you want returned, because Get-ADUser by default returns a subset of properties and without it you won't get the Office and EmailAddress properties.
Also, I have changed the -like operator into -eq to fetch exact matches.
P.S. Instead of using the Where-Object construction, the code would be more optimized if you use the -Filter like:
$UserInfo = foreach ($user in $employees) {
    Get-ADUser -Filter "GivenName -eq '$($user.GivenName)' -and Surname -eq '$($user.Surname)'" -Properties GivenName, Surname, Office, SamAccountName, EmailAddress |
        Select-Object GivenName, Surname, Office, SamAccountName, EmailAddress
}
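The -Filter string above interpolates CSV values straight into the query, so a surname such as O'Brien produces a parse error and a stray `*` acts as a wildcard. The variant below (added here, not the answer's code) keeps the server-side filtering but uses -LDAPFilter with RFC 4515 escaping; the sample rows are constructed in place of the CSV.

```powershell
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string] $Value)
    # RFC 4515 escaping for a value placed inside an LDAP filter: backslash first,
    # then the characters that would otherwise act as filter syntax or a wildcard.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Find-EmployeeRows {
    param([Parameter(Mandatory)][object[]] $Rows)
    foreach ($row in $Rows) {
        if ([string]::IsNullOrWhiteSpace($row.GivenName) -or [string]::IsNullOrWhiteSpace($row.Surname)) {
            Write-Warning "Skipping row with a blank GivenName or Surname: $($row | ConvertTo-Json -Compress)"
            continue
        }
        $given = ConvertTo-LdapFilterValue $row.GivenName
        $sn    = ConvertTo-LdapFilterValue $row.Surname
        # The filter is evaluated on the domain controller, so only matching users come back,
        # and the escaped values cannot alter the filter the way an apostrophe breaks a quoted
        # -Filter string.
        Get-ADUser -LDAPFilter "(&(givenName=$given)(sn=$sn))" -Properties Office, EmailAddress |
            Select-Object GivenName, Surname, Office, SamAccountName, EmailAddress
    }
}

# Constructed sample rows standing in for Import-Csv 'c:\employees\employeelist.csv':
$employees = @(
    [pscustomobject]@{ GivenName = 'Siobhan'; Surname = "O'Brien" }  # apostrophe: breaks -Filter "... 'O'Brien'"
    [pscustomobject]@{ GivenName = 'Jane';    Surname = 'Sm*' }      # '*' is matched literally, not as a wildcard
)
Find-EmployeeRows -Rows $employees | Export-Csv -Path 'c:\employees\employees.csv' -NoTypeInformation
```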

Find security and distribution groups with owners whose account is disabled

I'm looking for some guidance on creating a PowerShell script that will check security and distribution groups from specific OUs and see if the owner is a user who is disabled.
We have lots of old groups in our AD created by ex employees that need to be cleaned up.
This is what I've started with.
$managedByGroups = get-adgroup -filter 'groupCategory -eq "Distribution"' -SearchBase "OU=SydExchangeGroups,OU=SydGroups,OU=Sydney,DC=my,DC=org,DC=biz" -Properties distinguishedname, managedby | select sAMAccountName, managedby
$disabledUsers = Get-ADUser -Filter {Enabled -eq $false} -SearchBase "OU=SydDisabledUsers,OU=SydMisc,OU=Sydney,DC=my,DC=org,DC=biz" | select distinguishedname
foreach ($group in $managedByGroups){
    if($managedByGroups.managedby -eq $disabledUsers.distinguishedname)
    {
        write-output
    }
}
Thanks
There are a number of issues with your if block:
you are looping through $managedByGroups, but you are never using that variable (it should be $group.managedby)
you are trying to compare 1 element with a list of elements; in this case consider using the -in operator instead of -eq.
you should treat the case when there is no value for the managedby attribute, in case you do not get the desired results.
An alternative to your code is below.
I'm first getting the list of managedby users, then I'm looping through each entry, and if it is not null, we try to do a get-aduser filtering by enabled status and the distinguishedname.
The $DisabledManagedBy variable will contain ADUser objects which are disabled.
$grp = get-adgroup -filter 'groupCategory -eq "Distribution"' -Properties ManagedBy,DistinguishedName
$DisabledManagedBy = foreach ($item in $grp.ManagedBy) {
    if ($item) {
        Get-ADUser -Filter {Enabled -eq $false -and DistinguishedName -like $item} -Properties DistinguishedName
    }
}
I worked this out eventually by doing the following:
$myDisabledUsers = @()   # empty array to collect the groups with a disabled owner
$date = get-date -format dd-MM-yyyy
$managedSydGroups = Get-ADGroup -Filter * -Properties * -Searchbase "OU=SydExchangeGroups,OU=SydGroups,OU=Sydney,DC=my,DC=biz,DC=org" | where {$_.managedby -ne $null} | select name, managedby
$disabledSydUser = Get-ADUser -Filter * -SearchBase "OU=SydDisabledUsers,OU=SydMisc,OU=Sydney,DC=my,DC=biz,DC=org" | where {$_.enabled -eq $false} | select -ExpandProperty distinguishedname
$disabledOwners = foreach($group in $managedSydGroups)
{
    $managedByString = [string]$group.managedby
    if($disabledSydUser -contains $managedByString)
    {$myDisabledUsers += $group}
}
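Both solutions above assume managedBy points at a user. The report below (added here, not the poster's code) resolves each owner with Get-ADObject so that owners which are groups or contacts, DNs that no longer resolve, and disabled user accounts are each labelled, which is the cleanup list the question is after. The OU path is the one from the question.

```powershell
Import-Module ActiveDirectory

function Get-GroupOwnerStatus {
    param([Parameter(Mandatory)][string] $SearchBase)

    $groups = Get-ADGroup -Filter * -SearchBase $SearchBase -Properties ManagedBy
    foreach ($g in $groups) {
        $status   = 'NoOwner'
        $ownerSam = $null
        if ($g.ManagedBy) {
            try {
                # Get-ADObject accepts any object class, so an owner that is a group or a
                # contact is reported instead of making Get-ADUser throw.
                $owner    = Get-ADObject -Identity $g.ManagedBy -Properties sAMAccountName, userAccountControl
                $ownerSam = $owner.sAMAccountName
                if ($owner.ObjectClass -ne 'user') {
                    $status = "OwnerIs_$($owner.ObjectClass)"
                }
                elseif ($owner.userAccountControl -band 0x2) {
                    # 0x2 is ACCOUNTDISABLE in userAccountControl, the bit Get-ADUser shows as Enabled -eq $false.
                    $status = 'OwnerDisabled'
                }
                else {
                    $status = 'OwnerEnabled'
                }
            }
            catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                # The managedBy DN cannot be resolved on this DC.
                $status = 'OwnerNotFound'
            }
        }
        [pscustomobject]@{
            Group         = $g.Name
            GroupCategory = $g.GroupCategory
            Owner         = $ownerSam
            Status        = $status
        }
    }
}

# Report everything that is not a live user owner; sorting by Status groups the cleanup candidates.
Get-GroupOwnerStatus -SearchBase 'OU=SydExchangeGroups,OU=SydGroups,OU=Sydney,DC=my,DC=org,DC=biz' |
    Where-Object { $_.Status -ne 'OwnerEnabled' } |
    Sort-Object Status, Group |
    Format-Table -AutoSize
```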

How to run Get-ADPrincipalGroupMembership as a synchronous command?

I'm trying to run a script that gets a user's info from AD. After the employee ID is provided, the script gets all the user's groups and prints them as a list. After that it gets more attributes such as SamAccountName, LockedOut etc. Then it checks if the user is a member of an "eTips" group.
My problem is that for some reason the output of the script does not appear in the order in which the script is written.
This is the code:
$EmpID = Read-Host "Enter Employee ID"
$ShowMemberOf = Read-Host "Want to see all the groups he members of (takes time...)? (y/n)"
if ($ShowMemberOf -eq "y" -or $ShowMemberOf -eq "yes") {
    $User = get-aduser -Filter {EmployeeID -like $EmpID} | Select-Object -ExpandProperty SamAccountName
    Write-Host "Group list:"
    Get-ADPrincipalGroupMembership $User | select name
    Write-Host "The rest of the user's info:"
    get-aduser -Filter {EmployeeID -like $EmpID} -Properties * | Select-Object SamAccountName, PasswordExpired,
        PasswordLastSet, OfficePhone, LockedOut, Enabled, CN
    $MemberOfEtips = get-aduser -Filter {EmployeeID -like $EmpID} -Properties MemberOf | Select-Object -ExpandProperty MemberOf | Select-String -Pattern "etips"
    if ($?) {
        write-host "Member of an eTips group"
    }
    else {
        write-host "NOT member of eTips group"
    }
}
else {
    Write-Host "The rest of the user's info:"
    get-aduser -Filter {EmployeeID -like $EmpID} -Properties * | Select-Object SamAccountName, PasswordExpired,
        PasswordLastSet, OfficePhone, LockedOut, Enabled, CN
    $MemberOfEtips = get-aduser -Filter {EmployeeID -like $EmpID} -Properties MemberOf | Select-Object -ExpandProperty MemberOf | Select-String -Pattern "etips"
    if ($?) {
        "Member of an eTips group"
    }
    else {
        "NOT member of eTips group"
    }
}
This is the output:
Enter Employee ID: 4449871
Want to see all the groups he members of (takes time...)? (y/n): y
Group list:
The rest of the user's info:
name
----
Domain Users
SMS_USERS
dg_computingl
ManagerUsers
eTips
Member of an eTips group
As you can see, the script continues to run even though the "Get-ADPrincipalGroupMembership" cmdlet hasn't completed yet. So the result is that I'm getting the group list under 'The rest of the user's info:' instead of under 'Group list:'.
The second weird thing is that, because of that, it doesn't even run this part:
get-aduser -Filter {EmployeeID -like $EmpID} -Properties * | Select-Object SamAccountName, PasswordExpired,
PasswordLastSet, OfficePhone, LockedOut, Enabled, CN
It just skips to the part where it checks if the user is part of the eTips group.
Please explain what I'm doing wrong here.
Remove Write-Host everywhere you used it; the other commands you use behave like Write-Output, which is why the order looks weird. Just put the strings you want to output on a line of their own, to have the same behavior and appropriate display.
The second Get-ADUser command does run, but I guess it simply does not produce any output, you should check it separately.
I'd rather run the if against $MemberOfEtips than $?, but that may only be a pattern unknown to me.
By default, a majority of PowerShell cmdlets are synchronous (there are specific exceptions, like jobs).
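A version of the script that follows the advice above (added here, not the poster's or the answerer's code): labels and tables all go to the output stream as strings, so they appear in script order, and the eTips test is made on the MemberOf values rather than on $?, which Select-String leaves $true even when nothing matched. Employee IDs are assumed numeric, as in the question.

```powershell
Import-Module ActiveDirectory

function Show-UserReport {
    param(
        # Digits only: the value is placed inside the -Filter string, so anything else is rejected.
        [Parameter(Mandatory)][ValidatePattern('^[0-9]+$')][string] $EmployeeID,
        [switch] $ShowGroups
    )
    # One directory lookup instead of three; -eq because EmployeeID is an exact identifier.
    $user = Get-ADUser -Filter "EmployeeID -eq '$EmployeeID'" `
                       -Properties MemberOf, PasswordExpired, PasswordLastSet, OfficePhone, LockedOut, CN
    if (-not $user) {
        Write-Warning "No user with EmployeeID '$EmployeeID'"
        return
    }
    if ($ShowGroups) {
        'Group list:'
        # Out-String renders the table into a string right here, so it is emitted in sequence
        # instead of being held back by the formatter while later text is written.
        Get-ADPrincipalGroupMembership $user | Select-Object Name | Format-Table | Out-String
    }
    "The rest of the user's info:"
    $user | Select-Object SamAccountName, PasswordExpired, PasswordLastSet, OfficePhone, LockedOut, Enabled, CN |
        Format-List | Out-String
    # MemberOf holds group DNs; match the CN component so 'etips' elsewhere in a DN does not count.
    $etips = @($user.MemberOf | Where-Object { $_ -match '^CN=[^,]*etips' })
    if ($etips.Count -gt 0) {
        "Member of eTips group(s): $($etips -join '; ')"
    }
    else {
        'NOT member of eTips group'
    }
}

$id   = Read-Host 'Enter Employee ID'
$show = (Read-Host 'Want to see all the groups he is a member of (takes time...)? (y/n)') -match '^y'
Show-UserReport -EmployeeID $id -ShowGroups:$show
```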

Powershell: Filtering Properties Against properties

I have limited, self-taught experience with PowerShell so this is probably something basic but I can't seem to get it right.
I'm in Active Directory and I need to pull a list of users whose email address doesn't start with their SamAccountName.
(So if your login is jdoe but your email is johndoe#mycompany.com then your profile would be returned.)
I've got most of what I need, but I can't figure out how to compare the two properties against each other.
Right now I have
Get-ADUser -Filter 'enabled -eq $true' -Properties *|
Where {$_.PasswordNeverExpires -eq $false} |
Select Name, SamAccountName, EmailAddress, PasswordNeverExpires
I've tried a few different things to filter what I need, the following command shows exactly what I want (but of course this syntax doesn't work)
Get-ADUser -Filter 'enabled -eq $true' -Properties *|
Where {$_.PasswordNeverExpires -eq $false} |
Where-Object EmailAddress -Contains SamAccountName |
Select Name, SamAccountName, EmailAddress, PasswordNeverExpires
Thanks!
Use a scriptblock for the Where-Object filter like in your second pipeline element:
Where-Object { $_.EmailAddress -notlike "$($_.SamAccountName)*" }
You can even combine it with the first filter, using the -and operator:
Where-Object { $_.PasswordNeverExpires -eq $false -and $_.EmailAddress -notlike "$($_.SamAccountName)*" }
Finally, specify only the properties you need rather than -Properties * (no need to wait for the Domain Controller to return data you won't need):
$Properties = 'Name','SamAccountName','EmailAddress','PasswordNeverExpires'
Get-ADUser -Filter 'enabled -eq $true' -Properties $Properties |
    Where-Object {
        $_.PasswordNeverExpires -eq $false -and
        $_.EmailAddress -notlike "$($_.SamAccountName)*"
    } |
    Select-Object $Properties