Add AD user to group when creating the user? - powershell

I've seen multiple examples on adding a user to a group after creation, but not at the time of creation. Is that possible? Currently, I have something like this: (most attributes removed for simplicity)
$user = New-ADUser -Name "person" -Path "OU=test,OU=myorg" -Office "home" -SamAccountName "snuffy.john" -PassThru
if ($user) {
    Add-ADGroupMember -Identity mygroup -Members $user.SamAccountName
}
This causes two calls to the ldap server for each user added and I'm trying to prevent that as I have many thousands of users and the script takes a long time to run. I've checked MS docs but didn't see anything. If it's not possible, it is what it is. Thought I'd try asking at least. I also just started using powershell last week.

You may turn your thinking around. With thousands of users I would do it like this.
First create all users.
Then get them with Get-ADUser -Filter * -SearchBase "OU=test,OU=myorg" (or maybe filter on the CreatedDate attribute to get all new users).
After getting the users, filter them for the groups you want to put them into and use the Add-ADGroupMember cmdlet, which accepts an array of ADPrincipals for the -Members parameter.
This will speed up your code.
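The batching approach described above, as an added example (not code from the question or answer). It keeps the objects that -PassThru already returns in the question's code, so the re-query step is not needed, and then issues one Add-ADGroupMember per group instead of one per user. The OU path, group names and the sample rows are assumed.

```powershell
Import-Module ActiveDirectory

# Constructed sample input standing in for the rows of the real data file.
$newUsers = @(
    [pscustomobject]@{ Name = 'John Snuffy'; SamAccountName = 'snuffy.john'; TargetGroup = 'mygroup' }
    [pscustomobject]@{ Name = 'Jane Snuffy'; SamAccountName = 'snuffy.jane'; TargetGroup = 'mygroup' }
    [pscustomobject]@{ Name = 'Jane Doe';    SamAccountName = 'doe.jane';    TargetGroup = 'othergroup' }
)
$ouPath = 'OU=test,OU=myorg,DC=example,DC=com'   # assumed full DN of the target OU

# Step 1: create every user. Each New-ADUser is one LDAP add, which cannot be avoided,
# but -PassThru hands back the ADUser object so no Get-ADUser round trip is needed.
$created = foreach ($u in $newUsers) {
    try {
        $adUser = New-ADUser -Name $u.Name -SamAccountName $u.SamAccountName -Path $ouPath -PassThru -ErrorAction Stop
        [pscustomobject]@{ User = $adUser; TargetGroup = $u.TargetGroup }
    } catch {
        # e.g. the account already exists; record it and keep going with the rest of the batch
        Write-Warning "Skipping $($u.SamAccountName): $($_.Exception.Message)"
    }
}

# Step 2: one Add-ADGroupMember call per group. -Members takes an array of principals,
# so 1,000 users going into one group cost one modify operation instead of 1,000.
$created | Group-Object -Property TargetGroup | ForEach-Object {
    Add-ADGroupMember -Identity $_.Name -Members $_.Group.User
}
```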

Related

Get description field for AD users in PS

I found this MS script to extract admin users from AD. It gets the roles with $AzureADRoles = @(Get-AzureADDirectoryRole -ErrorAction Stop), iterates over them, and gets the users using $RoleMembers = @(Get-AzureADDirectoryRoleMember -ObjectId $AzureADRole.ObjectId).
It works great, only I need to access the description field on these users. Unfortunately, the $RoleMembers don't have a description attribute, even though the $AzureADRoles do!
Is there some way I can get the description field for the users, perhaps with a similar command? I see some commands that would do the trick if I wanted to traverse group members, but I'm looking for something role-based.
Thanks!!!
I found the answer here. I just had to add $Admin = Get-ADUser -Identity $RoleMember.DisplayName -Properties Description before constructing $ObjectProperties in a try/catch block, then get the description from $Admin and grab everything else just like before.

How to extract a list of users with rights to create domain users in the Active Directory?

I was tasked with creating PowerShell scripts that we will use to review the Active Directory of our clients. I'd like to add that my knowledge of PowerShell is very basic, but I've found A LOT online (including many Stack Overflow topics!) to help me with this task. My script is pretty much in place, but there is one functionality that I would like to add to my script. I do not know if (and how) this is even possible. I've looked at many sites to help me with this issue, but I did not find any solutions. So I decided to ask the community itself. Here is a description of my issue.
What I want is to have a list of users that have the rights to create Domain Users and have the rights to install Updates / Hot-Fixes on Domain Controllers. In order to be able to create a Domain User, the user must have a membership (or equivalent) in Domain Administrators (found here: https://technet.microsoft.com/en-us/library/dd894463(v=ws.10).aspx). It's easy to get the Domain Administrators and Enterprise Administrators (the latter obviously also having the ability to create Domain Users). I have a script that retrieves all the Domain Users and the groups that they have membership in, so that is covered.
What I want to achieve is to get Domain Users that are not a member of the Domain Administrators (or equivalent) groups but that have rights to create Domain Users (or within certain OUs, like explained in this topic: https://serverfault.com/questions/83686/how-to-create-a-limited-domain-admin-that-does-not-have-access-to-domain-contr).
There is no attribute that defines what I am looking for. I had some ideas of using the 'adminCount' property like this: Get-ADUser -Server $ADServer -Filter {admincount -gt 0}. This returns all the AD users that are within the default protected groups within the Active Directory. But what I want is to be able to get users that are not contained in these groups.
Is there a way to get this information?
Sorry, I began fully coding this, but without seeing your script and not having a full test AD environment in front of me at the moment, I will give you the pseudo-code. It seems like you've done enough that you can probably take this code and run with it and pretty easily have a fully working script, since most of the primary commands/filters needed are included below:
Get a list of all OUs:
$OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName)
$OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=container)' | Select-Object -ExpandProperty DistinguishedName
Get a filtered list of all non-admin users using:
Get-ADUser -Server $ADServer -Filter { admincount -eq 0 }
Loop through each of the OUs and retrieve their permissions:
foreach ($OU in $OUs) {
    # the AD: drive is provided by the ActiveDirectory module
    (Get-Acl -Path "AD:\$OU").Access | Where-Object { $_.AccessControlType -eq 'Allow' }
}
Inner loop your filtered non-admin user array with each access permission needed to perform the pseudo-admin duties using:
foreach ($objUser in $(Get-ADUser -Server $ADServer -Filter { admincount -eq 0 })) {
    (Get-Acl -Path "AD:\$OU").Access | Where-Object { $_.IdentityReference -eq <TRIMMED INNER LOOP USER OBJECT NAME FROM $objUser> }
}
If matched, add to new array, otherwise do nothing
Dump array to report
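The pseudo-code above carried through as an added, runnable audit script (not the answerer's or asker's code). It walks the same container list, keeps only Allow ACEs that carry CreateChild for the user object class (or for any class), and matches the trustee against non-admin users; note that adminCount is usually absent rather than 0, so the filter covers both. It only matches ACEs granted directly to a user, as the pseudo-code does; rights delegated to a group need group-membership expansion on top. The output file name is assumed.

```powershell
Import-Module ActiveDirectory

# Schema GUID of the "user" object class. An Allow ACE carrying CreateChild with this
# ObjectType (or an empty ObjectType, meaning any class) lets the trustee create users there.
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$createChild   = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild

$domain      = Get-ADDomain
$containers  = @($domain.DistinguishedName)
$containers += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName
$containers += Get-ADObject -SearchBase $domain.DistinguishedName -SearchScope OneLevel `
    -LDAPFilter '(objectClass=container)' | Select-Object -ExpandProperty DistinguishedName

# Non-admin users keyed as DOMAIN\sam, the form IdentityReference uses. adminCount is
# absent (not 0) on most accounts, so "-notlike '*'" is needed alongside "-eq 0".
$nonAdmins = @{}
Get-ADUser -Filter 'adminCount -notlike "*" -or adminCount -eq 0' | ForEach-Object {
    $nonAdmins["$($domain.NetBIOSName)\$($_.SamAccountName)"] = $_
}

$findings = foreach ($dn in $containers) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll already includes the CreateChild bit, so it is caught here too
        if (([int]$ace.ActiveDirectoryRights -band $createChild) -eq 0) { continue }
        if ($ace.ObjectType -ne [Guid]::Empty -and $ace.ObjectType -ne $userClassGuid) { continue }
        $who = $ace.IdentityReference.Value
        if ($nonAdmins.ContainsKey($who)) {
            [pscustomobject]@{
                Container = $dn
                User      = $who
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
$findings | Export-Csv -Path .\delegated-user-creators.csv -NoTypeInformation
```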

Active Directory Querying with PowerShell

I am building a report on our active directory groups and am having a hard time when it comes to different forests.
We have groups from forestA with users inside from forestB. I was able to pull those groups using Quest AD:
$GroupUsers = Get-QADGroupMember $GroupName -Type 'user' -Indirect
The only problem is that even though the users inside are from forest B, they come up showing they are from forestA. They do exist in both forests, don't know if that's a problem.
Any clue on why this happens?
Thanks in advance.
There is a -Server parameter on the Get-ADGroupMember cmdlet where you may specify a domain controller from another domain/forest. Something like:
Get-ADGroupMember -Identity $GroupName -Server DC.AnotherDomain.com
You can query the forest for domains or all global catalogs: Get-ADForest (properties GlobalCatalogs, Domains). I often did something like this:
I pulled the list of all SIDs in the group then checked which one belongs to my domain/forest, the rest was searched in external forest.
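The SID-based split described in the answer, as an added example (not the answerer's code). Members from another forest are stored in forest A as foreignSecurityPrincipal objects, which is why they appear local; the SID is the real identity and is resolved against a server in the other forest. Direct members only; the group name and the foreign server name are assumed, and the query to forest B relies on an existing trust.

```powershell
Import-Module ActiveDirectory

$groupName     = 'MyGroup'                 # group in the local forest (forest A)
$foreignServer = 'dc01.forestb.example'    # assumed DC/GC of forest B, reachable over the trust

# SIDs of every domain in the local forest (Get-ADForest .Domains, as suggested in the answer)
$localDomainSids = foreach ($d in (Get-ADForest).Domains) { (Get-ADDomain -Identity $d).DomainSID.Value }

$report = foreach ($dn in (Get-ADGroup -Identity $groupName -Properties member).member) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid, objectClass, sAMAccountName
    if (-not $obj.objectSid) { continue }                     # e.g. contacts carry no SID
    $sid        = $obj.objectSid.Value
    $domainPart = $sid.Substring(0, $sid.LastIndexOf('-'))    # strip the RID

    if ($localDomainSids -contains $domainPart) {
        [pscustomobject]@{ Name = $obj.sAMAccountName; Class = $obj.objectClass; Sid = $sid; Forest = 'local' }
        continue
    }
    # The DN lives under CN=ForeignSecurityPrincipals in forest A, so the member looks local.
    # Resolve the SID where the account actually exists.
    $resolved = Get-ADObject -Server $foreignServer -Filter "objectSid -eq '$sid'" -Properties sAMAccountName, objectClass
    [pscustomobject]@{
        Name   = $(if ($resolved) { $resolved.sAMAccountName } else { '<unresolved>' })
        Class  = $(if ($resolved) { $resolved.objectClass }    else { $obj.objectClass })
        Sid    = $sid
        Forest = $(if ($resolved) { $foreignServer } else { 'unknown' })
    }
}
$report | Format-Table -AutoSize
```

An unresolved foreign SID (deleted account in forest B, or a broken trust) shows up as '<unresolved>' rather than being silently dropped from the report.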

Find and replace custom attribute values in AD using Powershell

So I have an interesting script I am trying to figure out. Basically I need to change a custom attribute value to a new one. The problem is it's for both users and computers and not specific to groups. So for instance the value might be Billing1 for several users in an OU and this needs to be Billing2. So I need to find any instance of the value Billing1 and change it to Billing2 without knowing the user or computer object. I can successfully change one at a time if I know who the user is by using Set-ADUser, Set-ADComputer and even Set-ADObject, but I need to figure out a find-and-replace function.
I have searched for this and I have found examples where I can use CSV for users and computers, but again I don't know who has what, since the value in the attribute can vary and also changes if a reorg happens.
Got the correct script...
Get-ADComputer -Properties enterattributename -Filter { enterattributename -like "value to search" } | Set-ADComputer -Replace @{ enterattributename = "value to change" }
This can also be applied to Get-ADUser and Get-ADObject.

Detect null object in powershell:

I am working on implementing some user creation in Active Directory using the built-in PowerShell cmdlets, and recently I came across this issue. When attempting to read in a data file of users where $_.UID is one of the fields in the file, I do a Get-ADUser with the UID to check if the user already exists in LDAP. If I get a null object, then I would like to create the user because this id is not already in LDAP; otherwise I would like to skip the entry in the data file. My script as is creates the users the first time through. If I run it a second time on the same data file (users should no longer be null for the UID field) the if condition is still true and the script attempts to create users a second time. I am new to PowerShell scripting so I must be misunderstanding something. What am I doing wrong? Your help is appreciated!
function createUsers {
    Import-Csv "~\Desktop\inData.csv" | ForEach-Object {
        # $($_.UID) is needed: "$_.UID" in a string expands only $_ and leaves ".UID" literal
        $USER = Get-ADUser -LDAPFilter "(uid=$($_.UID))"
        if ($USER -eq $null) { # BROKEN, DOESN'T DO ANYTHING
            # (!$USER) doesn't work either
            Write-Host "Making next user."
            # ... (user creation elided in the original post)
        } else {
            Write-Host "Skipping, user exists!!"
        }
    }
}
I think that your problem is in your Get-ADUser query. There is no property called "uid" in Active Directory. This will make $USER always null, and cause it to always want to create a new user.
Try using sAMAccountName instead:
$User = Get-ADUser -LDAPFilter "(sAMAccountName=$($_.UID))"
To get a full list of all the properties available to you, I like to execute the following:
Get-ADUser MyUserName -Properties *
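The existence check from the answer, as an added example (not the answerer's code), with the two details the one-liner leaves implicit: the value from the data file must be subexpression-expanded, and because it is interpolated into an LDAP filter it is escaped per RFC 4515 first, so a UID containing "*", "(" or ")" cannot widen the search and match a different account. Function names and the file path are assumed.

```powershell
Import-Module ActiveDirectory

# Escape a value before interpolating it into an LDAP filter (RFC 4515).
# Backslash must be handled first so the escapes it produces are not re-escaped.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-ADUserExists {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $escaped = ConvertTo-LdapFilterValue $SamAccountName
    $found = Get-ADUser -LDAPFilter "(sAMAccountName=$escaped)" -ErrorAction Stop
    # $null on the left: with several results, "$found -eq $null" would filter the array instead of comparing
    return ($null -ne $found)
}

Import-Csv "~\Desktop\inData.csv" | ForEach-Object {
    # "$_.UID" inside a double-quoted string expands only $_; read the field into a variable first
    $uid = $_.UID
    if (Test-ADUserExists -SamAccountName $uid) {
        Write-Host "Skipping $uid, user exists"
    } else {
        Write-Host "Making next user: $uid"
        # New-ADUser -Name $uid -SamAccountName $uid ... (creation attributes as in the original script)
    }
}
```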