Disable/Enable AD user account from CSV - powershell

How can I enable or disable an AD user account from a csv based on an entry. If the status for both say Active, only one account gets enabled instead of both. Same for the disabled status
CSV file:
Samaccountname,Status
john.doe,Active
jane.doe,Disabled
What I have so far:
Import-CSV -Path c:\folder\adaccounts.csv
ForEach ($User in $Users)
{
IF ($User.Status -contains "Disabled")
{
Get-ADUser -Identity $user.samaccountname | Disable-ADAccount
}
elseif ($User.Status -contains "Active")
{
Get-ADUser -Identity $user.samaccountname | Enable-ADAccount
}


At the top of your script you are importing the CSV but it doesn't look like you have assigned it to a variable for your foreach loop
if you assign it to the $Users variable like below, the rest of the script should then go through your CSV as expected.
$Users = Import-Csv -Path c:\folder\adaccounts.csv


-Contains is an operator to test if something can be found in an array of things, not for testing if a string is equal or not to another string.
I would revise your code like this:
Import-CSV -Path 'c:\folder\adaccounts.csv' | ForEach-Object {
# test if a user with that SamAccountName can be found
$user = Get-ADUser -Filter "SamAccountName -eq '$($_.Samaccountname)'" -ErrorAction SilentlyContinue
if ($user) {
# set Enabled if Status is not 'Disabled'
$user | Set-ADUser -Enabled ($_.Status -ne 'Disabled')
}
else {
Write-Warning "User $($_.Samaccountname) does not exist"
}
}

Related

Replace AD attribute value with csv file header values

I want to replace AD attribute "userPrincipalName" value according to CSV file header value
here is what csv file(group.csv) contains
sAMAccountName
--------------
test.user1
test.user2
below the script
$data = Import-Csv -Path .\group.csv -Header 'sAMAccountName'
foreach($user in $data){
Get-ADUser -Filter {sAMAccountName -eq "$($user.sAMAccountName)"} | Set-ADUser -Replace #{userPrincipalName="$($user.sAMAccountName)#RES.GROUP"}
}
here I want to replace AD attribute "userPrincipalName" with the value of sAMAccountName from csv file, something like sAMAccountName#RES.GROUP
this script does not work, can anyone please correct it?

Ok, since your comment shows the CSV file indeed does not have a header, I would suggest changing the code to:
$data = Import-Csv -Path .\group.csv -Header 'sAMAccountName'
foreach($user in $data) {
$adUser = Get-ADUser -Filter "SamAccountName -eq '$($user.sAMAccountName)'" -ErrorAction SilentlyContinue
if ($adUser) {
$newUPN = '{0}#res.group' -f $user.sAMAccountName
$adUser | Set-ADUser -UserPrincipalName $newUPN
}
else {
Write-Warning "No user with SamAccountName '$($user.sAMAccountName)' could be found.."
}
}
This way, any mistakes in the file will not make the code quit when a user with that samaccountname cannot be found. Instead, in that case you will see a warning about it and the code will continue with the rest of the data.
It might be worth mentioning that you can use parameter -Server on both the Get-ADUser and Set-ADUser cmdlets to make sure you use the same domain server (DC) to set the new UPN. Otherwise, you can set it on one DC, but are looking at another which doesn't show the change immediately because the servers need time to synchronize..
Now that we have cleared up the question about the CSV and to answer your comment:
If you want to do this as a two-script solution, here's how you can do that
step 1: get all users in the search OU that have a UserPrincipalName ending in '*#test.group'
$searchBase = "OU=Teams,OU=Prod,DC=RES,DC=TEST,DC=GROUP"
Get-ADUser -SearchBase $searchBase -Filter "UserPrincipalName -like '*#test.group'" |
# select ony the SamAccountName and write to CSV with column header
Select-Object SamAccountName | Export-Csv -Path .\group.csv -NoTypeInformation
step 2: read the csv created above and
$searchBase = "OU=Teams,OU=Prod,DC=RES,DC=TEST,DC=GROUP"
$data = Import-Csv -Path .\group.csv
$result = foreach($user in $data) {
$adUser = Get-ADUser -SearchBase $searchBase -Filter "SamAccountName -eq '$($user.sAMAccountName)'" -ErrorAction SilentlyContinue
# if we have a user object AND its UserPrincipalName is not as desired go ahead and change that
if ($adUser) {
if ($adUser.UserPrincipalName -notlike '*#res.test.group') {
$newUPN = '{0}#res.test.group' -f $user.sAMAccountName
$adUser | Set-ADUser -UserPrincipalName $newUPN
# output this user object to be collected in variable $result
$adUser
}
else {
Write-Host "User $($user.sAMAccountName) already has UPN '$($adUser.UserPrincipalName)'"
}
}
else {
Write-Warning "User with SamAccountName '$($user.sAMAccountName)' not found.."
}
}
# now that we have changed some users, create a second csv with all users that were actually changed
if (#($result).Count) {
$result | Select-Object SamAccountName | Export-Csv -Path .\Updatedgroup.csv -NoTypeInformation
}
else {
Write-Host 'No users needed updating'
}
It seems a waste writing only the users SamAccountName property to the csv files.. Especially since Get-ADUser by default already returns these properties: DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname, UserPrincipalName

If no user found in Get-ADUser script, output a message to my CSV of users found

I've got a simple script that works, takes in a list of user Ids and outputs a CSV with their Id, Enabled True / False, and their name. I'm trying to figure out how I can wrap into it a test where if a user is not found based on the Id in the input file, my output will include a "User [Id] is purged." or something similar.
I've been playing around but I'm not sure if I'm going to have to change my output plan to incorporate something like that. Here's what I have working, minus the check for if nothing found, write a message.
Get-Content $ENV:USERPROFILE\desktop\testusers.txt | ForEach {
Get-ADUser -Filter "SamAccountName -eq '$_'" -Properties SamAccountName,Enabled,Name |
Select SamAccountName,Enabled,Name
} | Export-CSV -path $ENV:USERPROFILE\desktop\output.csv -NoTypeInformation

If I understand correctly, you want to store users Get-ADUser cannot find as error in the output csv too.
In that case, simply try to get the user but swallow error messages and use an if{..} else {..} construct where in both cases you output objects with the same properties:
Get-Content "$env:USERPROFILE\desktop\testusers.txt" | Where-Object { $_ -match '\S' } | ForEach-Object {
$user = Get-ADUser -Filter "SamAccountName -eq '$_'" -ErrorAction SilentlyContinue
if ($user) {
# output the properties you need in the csv
$user | Select-Object SamAccountName, Enabled, Name
}
else {
# user does not exist; output a similar object with the error
[PsCustomObject]#{
SamAccountName = "User '$_' does not exist"
Enabled = $null
Name = $null
}
}
} | Export-CSV -path "$env:USERPROFILE\desktop\output.csv" -NoTypeInformation

This will display a warning for those users that could not be found.
Note, -Properties SamAccountName,Enabled,Name is not needed in this case, the 3 properties are default properties of the cmdlet.
$dom = (Get-ADRootDSE).defaultNamingContext
Get-Content $ENV:USERPROFILE\desktop\testusers.txt | ForEach-Object {
if([string]::IsNullOrWhiteSpace($_)){
continue # go to next iteration if this element is just white space
}
$usr = Get-ADUser -Filter "SamAccountName -eq '$_'" | Select SamAccountName,Enabled,Name
if(-not $usr){
Write-Warning "$_ could not be found on $dom"
continue
}
$usr
} | Export-CSV -path $ENV:USERPROFILE\desktop\output.csv -NoTypeInformation

Removing users from AD group given e-mail address in a CSV file

I have a CSV file of e-mail addresses. The CSV file has one column with the header name. I want to remove the Active Directory users associated with these addresses from a specific group.
Here's my attempt, but it seems like $user is not getting populated.
$data = import-csv -Path C:\Users\39415\Desktop\remove1.csv
ForEach ($name in $data)
{
$user = Get-ADUser -Filter {mail -eq "$_"} | Select SamAccountName
Remove-ADGroupMember -Identity "group name" -Members $user.SamAccountName -Confirm:$false
}
Please let me know what i'm doing wrong.

The biggest issue I see right away is you are using a named variable in your foreach loop but then trying to reference automatic variable $_
To use the named variable, change to
$data = import-csv -Path C:\Users\39415\Desktop\remove1.csv
ForEach ($name in $data.name)
{
$user = Get-ADUser -Filter "mail -eq '$name'" | Select SamAccountName
Remove-ADGroupMember -Identity "group name" -Members $user.SamAccountName -WhatIf
}
To use the automatic variable, change to Foreach-Object (still can be shortened to foreach but the former is known as the "foreach statement"
$data = import-csv -Path C:\Users\39415\Desktop\remove1.csv
$data.name | foreach {
$user = Get-ADUser -Filter "mail -eq '$_'" | Select SamAccountName
Remove-ADGroupMember -Identity "group name" -Members $user.SamAccountName -WhatIf
}
Also as I've shown you actually need to reference the name property of the $data variable.

Power Shell CSV to AD

Maybe someone can to help?
I have a script it take parameters from scv and put them to AD, script work without mistakes but I`m does not have results from some reasone.
Please help!
Import-CSV -Path "$home\desktop\Scripts\test4.scv" | ForEach-Object -process {Write-Host $_ }
{Set-ADuser|]= -Identity $_.DisplayName -extensionattribute5 $_.extensionattribute5}
example scv

According to the docs, the -Identity parameter on Set-ADUser must be one of
A distinguished name
A GUID (objectGUID)
A security identifier (objectSid)
A SAM account name (sAMAccountName)
This means that you cannot use the DisplayName property from the CSV for this parameter.
Try:
Import-CSV -Path "$home\desktop\Scripts\test4.scv" | ForEach-Object {
$user = Get-ADUser -Filter "DisplayName -eq '$($_.DisplayName)'" -Properties DisplayName -ErrorAction SilentlyContinue
if ($user) {
Write-Host "Setting extensionattribute5 property for user $($_.DisplayName)"
$user | Set-ADuser -Add #{extensionattribute5=$_.extensionattribute5}
}
else {
Write-Warning "User $($_.DisplayName) could not be found"
}
}
Instead of -Add #{extensionattribute5=$_.extensionattribute5}, you may rather want -Replace #{extensionattribute5=$_.extensionattribute5}. This isn't clear in the question

Try this:
Import-CSV -Path "$home\desktop\Scripts\test4.scv" | ForEach {
Write-Host $_
Set-ADuser -Identity $_.DisplayName -Add #{extensionattribute5=$_.extensionattribute5}
}
Your code was broken. Bracing was incorrect. Also Extended attributes are added with a hash table using -Add parameter.

Powershell Import-Csv then Get-Aduser results in all users in ad being displayed when a Blank Line appears

I am writing a powershell script to disable users due to the fact that we get a list of them everyday and it is monotonous. I paste the list from the ticket into a csv formatted as Lastname, Firstname then run my script with imports the list, serches ad and ask if you want to disable if it finds them. Here is the code...
# Set variables
$Import = "C:\Scripts\Support Files\Users_To_Disable.csv"
$Export = "C:\Scripts\Support Files\Disabled_Users_Output.txt"
# Import user list
$Users = Import-CSV $Import
foreach ($User in $Users)
{
# Set user variables
$LastName = $User.("Surname")
$FirstName = $User.("GivenName")
# Use user variables from list to search ad
$UserName = (Get-ADUser -Filter "GivenName -like '$FirstName*' -and Surname -like '$LastName*'").SamAccountName
# What to do if it finds nothing
If ($UserName -eq $Null)
{
Write-Host $LastName, $FirstName NA -ForegroundColor Yellow
Write-Output "$LastName, $FirstName NA" | Out-File $Export -Append
}
# What to do if it finds a user
Else
{
# Ask for user input
Write-Host $LastName, $FirstName Found -ForegroundColor Green
Write-Host UserName = $UserName -ForegroundColor Green
DO {
$Disable = Read-Host "Do you want to disable user? (Y/N)"
If($Disable -eq "Y")
{
# Disable the user
Disable-ADAccount -Identity $UserName
# Move the user
Get-ADUser $UserName | Move-ADObject -TargetPath "OU=Disabled - Retention,DC=intranet,DC=sw"
# Add Disabled Users group
Add-ADGroupMember "Disabled Users" -Members "$UserName"
# Set Disable Users as primary group
$Group = Get-ADGroup "Disabled Users" -Properties #("PrimaryGroupToken")
Get-ADUser "$UserName" | Set-ADUser -Replace #{PrimaryGroupID=$Group.PrimaryGroupToken}
# Remove all other groups
$User = Get-ADUser "$UserName" -Properties MemberOf
$Groups = $User.MemberOf |ForEach-Object { Get-ADGroup $_ }
$Groups | ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $User -Confirm:$false }
# Output
Write-Host $LastName, $FirstName Disabled -ForegroundColor Red
Write-Output "$LastName, $FirstName Disabled" | Out-File $Export -Append
Break
}
}
Until ($Disable -eq "N")
}
}
Invoke-Item $Export
All of that works, what is scary is that if there are blank cells above a user then it returns all of the users in ad and asks if you want to disable all of them. In other words if the csv looks like this...
Surname GivenName
User Test
Everything works fine, but if it looks like this...
Surname GivenName
User Test
Pandemonium, well not really but it does ask if you want to initiate a resume generating event, which I don't so how can I build in some safety that would stop it from returning all of ad when there are blanks in the csv before users?

You can eliminate the blank lines by filtering out Null values on your import, which should resolve the problem.
$Users = Import-CSV $Import | Where-Object {$_.Surname}