I have a script that is supposed to search for computers in different OUs with the same name in AD.
eg.
Get-ADComputer -filter * -Searchbase "OU=domain,DC=home,DC=com" -properties * |
Where-Object {$_.DistinguishedName -like "*XXX09*"} |
Select name, DistinguishedName
Everything works fine, but it is terribly slow, is there any way to speed it up, or build the script differently ?
Not only can you speed-up this by using a filter, but also, using -Properties * is asking for ALL properties. That is useless and time consuming in this case because you only want to retrieve the Name and DistinguishedName.
Get-ADCumputer by default already returns these properties:
DistinguishedName, DNSHostName, Enabled, Name, ObjectClass, ObjectGUID, SamAccountName, SID, UserPrincipalName.
Try
Get-ADComputer -Filter "DistinguishedName -like '*XXX09*'" | Select-Object Name, DistinguishedName
Use the filter during the search instead of after will reduce the query time quite a bit.
Get-ADComputer -filter 'DistinguishedName -like "*XXX09*"' -Searchbase "OU=domain,DC=home,DC=com" -properties * | select name, DistinguishedName
You might need to tune the query slighty, but i tested it with 'name' instead of 'DistinguishedName' and that works just fine (and quite a bit quicker ;))
Related
New to using Powershell, so I apologize for any noobness that I show.
I'm trying to extract user names, active status, Expiration Dates and Titles from Active Directory.
My Powershell command is:
Get-ADUser -Filter * -SearchBase "DC=XXX,DC=XXXX" |
Select-Object Name, GivenName, Surname, SamAccountName, DistinguishedName, enabled, Title, AccountExpirationDate |
Export-Csv -Path c:\users\myname\ADUsersWithExpirationDate.csv
The query runs successfully, but does not ever show a Title or Expiration Date even though some user accounts have either or both values in AD. Also status (Enabled) does not always populate: the returned values are True, False, or null. All of the Nulls (that I've checked) are active user accounts, but appear to be in non-standard OU's (Admins for example).
Any insight or recommendations are very welcome.
Thanks in advance.
By default the AD cmdlets don't return all the attributes. You need to use the -Properties parameter to add the AccountExpirationDate and Title attributes to the query. Your command should look something like:
Get-ADUser -Filter * -SearchBase "DC=XXX,DC=XXXX" -Properties 'Title','AccountExpirationDate' |
Select-Object Name, GivenName, Surname, SamAccountName, DistinguishedName, enabled, Title, AccountExpirationDate |
Export-Csv -Path c:\users\myname\ADUsersWithExpirationDate.csv
Still learning Powershell for AD and i have one question that is bothering me. Have to change AD properties for multiple users in AD within specific location, for example we have in same OU people from Berlin and from Washington, and cities are set in each profile, but im wondering if i need to get also properties before changing address for one of those locations like this
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' -Properties StreetAddress, PostalCode | % {Set-ADUser $_ -Replace #{StreetAddress="New street 11";PostalCode="221202XX"}}
or if it would work also without doing -Properties and just pipe filter City results to Set-ADUser
Thank you.
You do not need to specify -Properties unless you want to see them in the output. You also don't need the foreach, simply piping to Set-ADUser is sufficient.
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' |
Set-ADUser $_ -Replace #{StreetAddress="New street 11";PostalCode="221202XX"}
This will update those values just fine. The same is true for filtering. The following command will filter on the postalcode but it will not be included in the output unless you add -Properties postalcode
Get-ADUser -Filter "PostalCode -eq '221202XX'"
Thank you for answer, i have left out -Properties and that seems fine, also tried but this won't work without foreach as i guess Set-ADUser does not know which of those users that are filtered out needs to be updated. So i had to use
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' | % {Set-ADUser $_ -Replace #{StreetAddress="New street 11";PostalCode="221202XX"}}
while if i use without foreach
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' | Set-ADUser $_ -Replace #{StreetAddress="New street 11";PostalCode="221202XX"}
i get error
Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the
argument, and then try running the command again.
but anyway, seems to be OK without -Properties which was my main concern
I'd like to get a list of users that haven't used their account in the past 90 days. And I'd like to see in which OU/DC they are without getting the CN. is this possible? I'm using PowerShell ISE for this
I currently have
Search-ADAccount -UsersOnly –AccountInActive –TimeSpan 90:00:00:00
–ResultPageSize 2000 –ResultSetSize $null
| ?{$_.Enabled –eq $True}
| Select-Object Name, SamAccountName, DistinguishedName, LastLogonDate
| Export-CSV “C:\Temp\InActiveUsers.CSV” –NoTypeInformation
This returns the full distinguished name and I have to remove the CN in Excel afterwards, which is an annoying mess - I'd rather not deal with that repeatedly.
The solution doesn't have to be based on search-adaccount, but I do want it to be in a single code, so I don't have to get a list of users and then use that list with another bit of code to get their OU/DC.
You can grab the superior DN by splitting the string on the first non-escaped comma and discard the CN part:
# ...
| Select-Object Name,SamAccountName,#{Name='OU';Expression={($_.DistinguishedName -split '(?<!\\),',2)[1]}}, LastLogonDate
If your domain is running at least Windows 2012, you can ask for the msDS-parentdistname attribute, which will give you the DN of the parent object. It's a constructed attribute, which means it's calculated at the time you ask for it. You have to specifically ask for it, which means in this case I think you'll have to pipe the result into Get-ADUser to do so. That might slow things down quite a bit (there are faster ways to do this) but it should work.
Search-ADAccount -UsersOnly –AccountInActive –TimeSpan 90:00:00:00
–ResultPageSize 2000 –ResultSetSize $null
| ?{$_.Enabled –eq $True}
| Get-AdUser -Properties Name, SamAccountName, "msDS-parentdistname", LastLogonDate
| Select-Object Name, SamAccountName, "msDS-parentdistname", LastLogonDate
| Export-CSV "C:\Temp\InActiveUsers.CSV" –NoTypeInformation
I need to retrieve a list of Distribution groups with their x400 and x500 addresses. I have determined the attributes are proxyaddresses and TextEncodedORAddress. We are running Exchange 2013. When I look at a high level searchbase like "OU=Exchange,OU=company,DC=company,DC=com" and use Get-ADUser it returns the user accounts, however I need Distribution Groups.
Using the following returns the users with the attributes I need, but I need distribution groups, not users.
Get-ADUser -SearchBase "OU=Exchange,OU=company,DC=company,DC=com" `
-Filter * -Properties * | Select * |
FT CN,distinguishedName,proxyaddresses,textEncodedORAddress
I tried Get-Mailbox, Get-DistributionGroup, but I get an error saying it's not a cmdlet. I also tried using the attribute groupType to filter, but it didn't work. I'm not sure if I'm able to use Get-ADObject as I'm not quite sure how I'd use that cmdlet. Any help would be appreciated.
Because there are multiple values in that proxyaddresses, I was receiving Microsoft.ActiveDirectory.Management.ADPropertyValueCollection, therefore I had to use the following.
Get-ADGroup -SearchBase "OU=Exchange,OU=Company,DC=company,DC=com" `
-Filter * -Properties proxyAddresses | Select CN,distinguishedName,textEncodedORAddress,`
#{L=’ProxyAddress_1′; E={$_.proxyaddresses[0]}},
#{L=’ProxyAddress_2′; E={$_.ProxyAddresses[1]}},
#{L=’ProxyAddress_3′; E={$_.proxyaddresses[2]}},
#{L=’ProxyAddress_4′; E={$_.proxyaddresses[3]}},
#{L=’ProxyAddress_5′; E={$_.proxyaddresses[4]}}|
Export-CSV C:\temp\x500_Export.csv
The only thing I can't figure out for the output, is why I see the various proxyaddresses and the distinguishedname, however it won't show CN, or displayname. Those are blank.
get-adgroup -filter "GroupCategory -eq 'Distribution'"
I am very new to Powershell and am having an issue when using the Get-ADUser and GetADComputer cmdlets.
I am trying to use the Get-ADComputer and Get-ADUser to retrieve the memberOf from Active-Directory of all the users and computers. It only appears to be retrieving information from users and computers that are in 2 or more groups. Any users/computers that are only in 1 group display nothing.
For example: If UserA is in group Administrators I get no output when I use MemberOf. But if User2 is in both Administrators and Domains Administrators I get some output. However it will only output one of those groups.
Get-ADGroup does the same thing.
Is this normal? I can't imagine it is.
Here is my code:
Get-ADUser -Filter * -Properties * | Select-Object -Property Name,MemberOf | Sort-Object -Property Name
Thanks
Your trouble comes from the fact that the primary group is not part of the memberOf attribute.
So try this :
Get-ADUser -Filter * -Properties * | Select-Object -Property Name,MemberOf,PrimaryGroup | Sort-Object -Property Name
You'll find a deeper explanation in this answer.