Powershell deleting user in ADSI from outside LDAP domain - powershell

Our application allows the customer to authenticate to their own domain via Ldap but we keep a cached copy of those logons and accounts in "myserver" ADSI. Due to limitations with another part of our application I have a need to delete several thousand of those cached accounts from myserver ADSI
Keep in mind that this is NOT FOR MY DOMAIN but for the customer's domain. And no, I'm not trying to delete accounts in THEIR domain, just our cached copies in ADSI.
The following line of code does NOT throw an error but it also does NOT delete the acct (neither does piping it to "remove-aduser"
Get-ADObject -Server "myserver:3890" -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory" -filter {name -eq "testuser"} | remove-adobject
Side note: I can query this tree of the default naming context just fine
Get-ADObject -Server "myserver:3890" -filter 'objectclass -like "*"' -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory"
or I can use -ldapfilter switch to get pertinent info about a specific account.
It's a weird situation since I'm NOT dealing with accounts in my own domain. Many other variations on this theme throw errors referencing my own domain, partitions, etc. I've worked through all of those I think. The above examples SHOULD work in my opinion.
Final note: I CAN delete the user in the ADSIEDIT gui but as mentioned, they have given me a list of thousands of accts that need removing. There's gotta be a way?!

I figured it out (I’m feeding it a list of $users)
Get-ADObject -Server “myserver:3890” -SearchBase “CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentdirectoryDirectory” -Filter * | Where-Object {$_.name -eq “$user”} | Remove-ADObject -confirm:$false

Related

powershell - Remove all "ForeignSecurityPrincipals" from AD Groups selected by SID

Following situation: You have ForeignSecurityPrincipals in your AD Groups. But Remove-ADGroupMember cannot remove them, since it does not support removing "ForeignSecurityPrincipal". Using the DOMAIN\SamAccountName Method is not available as well, since that old domain does not exist any more. On top you are not allowed to use external modules since that company does not want external modules.
I needed this functionality today for a mass-cleanup job, as written without needing extra modules, and without having the old AD available since it was already killed. Found nothing, so I developed this solution and share it.
You have to get the DOMAINSID first, which should be simple. My example uses -Server since the "adminforest" is not the same as the forest of the groups to be modified. It searches all groups from the given OU, selects all groups with members matching the DOMAINSID, and then removes each member matching the DOMAINSID from those groups.
Don't forget to set $WhatIf=$false, else it runs in "we test only" mode.
$Groups = Get-ADGroup -Server other.domain.local -Filter * -SearchBase "OU=Groups,OU=SubOU,OU=Subsidary,DC=OTHER,DC=DOMAIN,DC=LOCAL" -Properties *
$GroupsWithForeignMembers = #($Groups.Where({$_.member -like "*S-1-5-21-2631234548-991234592-3812345124*"}))
$WhatIf=$true
foreach ($Group in $GroupsWithForeignMembers) {
$MemberForeign= #((Get-ADGroup -Server bk.bwl.net -Identity $Group.SamAccountName -Properties member).member.Where({$_ -like "*S-1-5-21-2631234548-991234592-3812345124*"}))
foreach ($Member in $MemberForeign) {
"Removing $Member from $($Group.SamAccountName)" | Tee-Object -Append "GROUPS-cleanup.log"
Set-ADObject -Server other.domain.local -Identity $Group -Remove #{member=$Member} -Verbose -WhatIf:$WhatIf
}
}

How To search for user across all domains?

I am writing a Powershell script to get password expiry for specific set of users. These users belongs to different domains (across the world) in our org.
I use Get-Aduser to get the do this. The script works only for users where the script is run from. So if the script is run from let's say US, the Get-AdUser finds only users from US.
How can I search across all domains?
I tried this
Get-AdUser -Server <GlobalCatalog> [...]
This does have the same result without -Server
Have you tried using the following:
Get-ADUser -Filter {(yourFilterCondition)} -SearchBase "" -Server X.Y.Z.W:3268 -Properties desiredProperties | select-object...
Setting SearchBase to "" is the key thing here. And, also try to perform the query on 3268 port for reading values from all domains.

Powershell filter computers with no LAPS password set

I have recently deployed LAPS (Local admin password service) on our domain, and would now like to create a script I can run to find machines that have not yet communicated with AD to install the group policy extension and update their local admin password.
I can see that if I run:
Get-AdComputer -Identity Computer_Name -Properties *
I am presented with a computer that has updated its password, and shows the two properties:
ms-Mcs-AdmPwd
ms-Mcs-AdmPwdExpirationTime
My powershell is not great, so I may have the syntax wrong, but when trying to run:
Get-AdComputer -Filter {ms-Mcs-AdmPwd -ne ''}
I get an error that says:
The search filter cannot be recognised
Can anyone advise how I can filter on these two properties? Do I have to pipe into a Where-Object or perhaps even use LDAP filters?
The most appropriate way to do this is with an LDAP filter rather than a PowerShell filter. LDAP filters can test for existence, rather than comparing to a value that could be there (even if it's only remotely possible).
To get a list of computers WITH a password:
Get-ADComputer -LDAPFilter "(ms-mcs-AdmPwd=*)"
And to find computers without one:
Get-ADComputer -LDAPFilter "(!(ms-mcs-AdmPwd=*))"
You can combine that with other parameters to Get-ADComputer if you want to search a specific OU etc.
Ok so I think my issue was to do with me looking for attributes that had not yet been set.
I suspect there may be an ever so slightly more elegant way to filter, but the below works just fine for me:
Get-ADComputer -Filter {ms-Mcs-AdmPwd -notlike "*"}
If I run the command
Get-ADComputer -Filter {ms-Mcs-AdmPwd -notlike '<not set>'}
on my 2016 DC I get a list with all the computers with a password set.

PowerShell - Remove-ADGroupMember - Locking my admin account

I have the following line of code in a PowerShell file, intended to remove a user from all Active Directory groups beginning with an # symbol;
Get-ADGroup -Filter 'name -like "#*"' | Remove-ADGroupMember -Members $UserID
It actually works fine, and successfully removes them from the correct groups, however the script locks my admin account every time it's run. Weird!
From trawling the internet for a while, I suspect it's something to do with it 'using up' my Kerberos authentication tokens (it uses too many, as it runs for every single AD group beginning with #), or it thinks I'm trying to do something malicious because I'm sending such a large amount of commands in a short time?
Is there a way for me to amend this line of code, so that instead of running Remove-ADGroupMember for every single # group in the Active Directory, it only runs for the groups that the user is a member of? Or any other ideas?
Thank you.
Try this:
$groups = Get-ADPrincipalGroupMembership $user | where {$_.name -like "#*"} | select -expandproperty name
foreach($group in $groups){
Remove-ADGroupMember -identity $group -Members $user
}
It will only looking for the groups that the $user is a member in so you should be fine token wise.
Don't forget to change $user with user name or fill the variable beforehand.
Hmm, I don't have an AD infrastructure at home, but it looks like your example has nothing defining $UserID.

Processing ForeignSecurityPrincipal

DomainA and DomainB trust each other. Some DomainB users are members of DomainA local domain groups. How can I get ForeignSecurityPrincipal in PowerShell and get list of its groups?
That was surprisingly simple:
Get-ADObject -Filter {ObjectClass -eq "foreignSecurityPrincipal"} -Properties msds-principalname,memberof
where "msds-principalname" is sAMAccountName, so I can search now through FSPs by sAMAccountName and get its groups.
You can get the list of foreign security principals in a domain by running Get-ADObject cmdlet with SearchBase set to CN=ForeignSecurityPrincipals,DC=domain,DC=com and LDAPFilter to something acceptable, like (|(objectCategory=user)(objectCategory=group)). Then, you can use this script to get its domain\username. Then you query that domain for DCs via Get-ADDomain and Get-ADDomainController, get the user object from there and run Get-ADPrincipalGroupMembership in your current domain against the retrieved user. An example (untested, as I have no env with many domains):
$ldf='(|(objectCategory=user)(objectCategory=group))'
$fspc=(get-addomain).ForeignSecurityPrincipalsContainer
$fsps = get-adobject -ldapfilter $ldf -searchbase $fspc
# got principals here
foreach ($fsp in $fsps) {
$fspsid=New-Object System.Security.Principal.SecurityIdentifier($fsp.cn)
($fspdomain, $fspsam) = ($securityPrincipalObject.Translate([System.Security.Principal.NTAccount]).value).Split("\")
# ^ this can throw exceptions if there's no remote user, take care
$fspdc=(get-addomaincontroller -domainname $fspdomain -discover)[0] # taking first one
$fspuser=get-aduser $fspsam -server $fspdc.hostname # use crossdomain DNS to resolve the DC
$fspgroups=get-adprincipalgroupmembership $fspuser # local query
$fspgroups # now do whatever you need with them and the $fspuser
}