Find AD security groups on network folders - powershell

I am not a programmer, I must have taken a wrong turn! So that's out of the way, how on earth is there not an easy way to take a set of network folders and pipe out a list of AD security groups that are applied to it? I have googled my butt off but there are a million similar questions and I have tested a few scripts but can't get exactly what I want or get a lot of errors. We have a top level directory of about 7 folders and security is about 3 levels deep. We want to clean up unused or orphaned security groups out of AD TOOLS, and try to get a feel of what is used and what is not. Attempting a "Network drive cleanup" at my organization.
What is the best way to accomplish this? I tried this in PS:
Get-ChildItem "\\wfs.company.ca\adv\workgroups\adv services" -recurse | ForEach-Object {Get-Acl $_.FullName} | Export-CSV C:\"adv services".csv
It worked but gave me too much info and not specific group names.
I also tried something like this, which just produced errors:
# Scope options are Universal, DomainLocal,Global
# Get-GroupMember -Scope DomainLocal
Function Get-GroupMember{
    Param(
        [parameter(Mandatory=$true)]
        [string]
        $scope
    )
    $Groups = Get-ADGroup -Filter {GroupScope -eq $scope -and Members -ne "NULL"} -Properties Name |
        Select-Object Name, @{Name="GroupMembers";Expression={(Get-ADGroupMember -Identity "$_" |
        Select-Object -ExpandProperty SamAccountName) -join "`n"}}
}
$Groups | Format-Table -AutoSize -Wrap
$Groups | Out-GridView
$Groups | Export-Csv C:\groups.csv -NoTypeInformation
I don't mind putting in the work and research, I just don't know where to start.
Any pointers much appreciated.
Thanks!

You could use this to get a unique list of applied identities (groups and users):
(Get-ChildItem "\\wfs.company.ca\adv\workgroups\adv services" -Recurse | Get-Acl).Access.IdentityReference | select -Unique
Furthermore, you could use Get-ADGroup or other ways to check if it's a group or user.
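
The approach from the answer above, extended as an added example (not code from the original posts): it reads only explicit ACEs on the root and two levels below it, labels each identity as an AD group or an unresolved SID (an ACE whose account no longer resolves, typically because it was deleted), and writes one row per folder and identity. The output path and the $Depth value are assumptions; it needs the ActiveDirectory module and PowerShell 5.0 or later for -Depth.

```powershell
# Added example. Assumed: RSAT ActiveDirectory module, PowerShell 5.0+ (-Depth),
# and the placeholder output path C:\temp\folder-groups.csv.
Import-Module ActiveDirectory

$Root  = '\\wfs.company.ca\adv\workgroups\adv services'   # share from the question
$Depth = 2                                                # root + 2 levels = 3 deep

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

$aces = foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    # Explicit ACEs only; inherited entries just repeat the parent's identities
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        [pscustomobject]@{
            Folder   = $folder.FullName
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            Type     = $ace.AccessControlType
        }
    }
}

# Classify each distinct identity once, not once per ACE
$kind = @{}
foreach ($name in ($aces.Identity | Sort-Object -Unique)) {
    # A raw SID means Windows could not translate it to a name
    if ($name -match '^S-1-') { $kind[$name] = 'UnresolvedSid'; continue }
    try {
        $sid = ([System.Security.Principal.NTAccount]$name).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        # Only domain-style SIDs are looked up; BUILTIN and NT AUTHORITY are skipped
        if ($sid -notlike 'S-1-5-21-*') { $kind[$name] = 'WellKnown'; continue }
        $null = Get-ADGroup -Identity $sid -ErrorAction Stop
        $kind[$name] = 'Group'
    } catch { $kind[$name] = 'NotAGroup' }   # user, computer, or not in this domain
}

$aces |
    Select-Object Folder, Identity, @{ n = 'Kind'; e = { $kind[$_.Identity] } }, Rights, Type |
    Where-Object { $_.Kind -in 'Group', 'UnresolvedSid' } |
    Sort-Object Identity, Folder |
    Export-Csv -Path 'C:\temp\folder-groups.csv' -NoTypeInformation
```

Groups that exist in AD but never appear in the Identity column for any share are the candidates to review for removal; rows marked UnresolvedSid are stale ACEs to clean off the folders themselves.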

Related

List out enabled users who are members of certain security groups

I'm trying to get a list of all enabled users in a particular security group. Seems simple but I cannot manage to get the correct output.
Thanks
If you are using Active Directory:
Get-ADGroupMember "PUT_HERE_ADGROUP_NAME" -Recursive | Get-ADUser | Where-Object {$_.Enabled -eq $True} | Select-Object -ExpandProperty Name
If you want to see local users, use Get-LocalGroupMember and Get-LocalUser with the same filter.

How to get the get-ADPrincipalGroupMembership for all users in a txt or csv file and put into a txt file for each user?

I am trying to get a file with the group memberships for every user that is specified in a txt/csv file.
So this is what I had before:
Get-ADPrincipalGroupMembership -Identity $user -Server $DC | Select name | Where-Object name -like GUSR_* | Out-File "C:\temp\$user.txt"
This works fine for getting the groups from 1 single user, but now I have to do this for 100+ users.
And instead of doing it one by one I am looking for a way to automate it.
So I got myself a .csv export of all the users I want this done for
and started trying.
What I came up with so far:
$users = Get-Content "C:\temp\test.csv" |ForEach-Object {Get-ADPrincipalGroupMembership -Identity $users -Server $DC | Select name | Where-Object name -like GUSR_* | Out-File "\\ads.net\ADS\SDL\Temp\_ROLAND\RSD\test2\$users.txt"}
This clearly doesn't work.
I have tried a couple of other things with the foreach command but nothing did the trick.
I have the feeling I am not on the right path to get my result.
Maybe somebody has done this before and can help me get on the right path.
I'm not new to PowerShell but I'm far from an expert; most of the time I use it for basic single commands or to edit some great scripts I find.
Sadly for this I haven't found any yet.
With kind regards
Roland
Don't assign back to a variable
Import the CSV
No filter after select
Prettify your -like
Use $_ as pipeline variable
Use subexpression operator for string+variable concatenation
Import-Csv "C:\temp\test.csv" |ForEach-Object {Get-ADPrincipalGroupMembership -Identity $_.users -Server $_.DC | Where-Object {$_.name -like 'GUSR_*'} | Select -Expand Name | Out-String | Out-File "\\ads.net\ADS\SDL\Temp\_ROLAND\RSD\test2\$($_.users).txt"}

PowerShell to find all empty AD Security Groups with no Members OR Computer Objects

I am currently running this script:
Get-ADGroup -Filter {GroupCategory -eq 'Security'} | ?{@(Get-ADGroupMember $_).Length -eq 0} | Export-Csv -Path "C:\Users\177626\EmptySG.csv"
It technically is working by pulling all of the Security Groups without members but it is still pulling groups that have Computer Objects in the Members list. Is there any way to modify this to filter out those groups that have those Computer Objects in them?
Thanks!
You can tell Get-ADGroup to provide more than just the default attributes. One of them is "Members". You can use the property .count to determine if the group is empty or not.
Get-ADGroup -Filter "GroupCategory -eq 'Security'" -Properties Members |
Where-Object {$_.Members.count -eq 0}

Powershell command, to get users with expiring passwords in the next month or 30 days?

I'm having the hardest time getting the following output from powershell. The console just stops at the blinking cursor like the command is running, but I wait 20 min or so, and I still have no output, both in the powershell console, as well as when I try to export as a csv. I'm using the following command:
Search-ADAccount -AccountExpiring -DateTime "01/29/2017" | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A | Export-Csv C:\temp
Could someone help? I've scoured the internet to no avail.
You are using format-table inappropriately. Don't use any Format-* cmdlets if you need to process the data after that point - formatting makes that impossible. Always save formatting for the very end, and only for user presentation.
Also, you're going to end up with a file in your C:\ root directory named temp that's not entirely usable as a CSV file, at least from Excel and other readers, because additional information is going to be inserted by Export-CSV. This will be eliminated by the -notypeinformation switch.
Additionally, you can speed this up by specifying the -UsersOnly switch for Search-ADAccount and skipping the where-object loop - the pipeline is really useful, but constructs like this can slow it down. Filter your data as far to the left as possible, and if you can do it inside a cmdlet that offers a filter, do it there.
Corrected script which should work as you expect:
Search-ADAccount -AccountExpiring -DateTime "01/29/2017" -UsersOnly | select-object -Property Name,ObjectClass | Export-Csv C:\temp\expiring.csv -NoTypeInformation;
Forgive me if this isn't perfect code, but this script will get you accounts expiring within the next 7 days. You can change the $DaysAhead variable to alter the time frame.
$maxPwdAge=(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days;
$daysAhead = 7;
$dateMin=(get-date).AddDays(-$maxPwdAge);
$dateMax=$DateMin.AddDays($daysAhead);
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -gt 0} -Properties * | where {($_.PasswordLastSet) -ge $dateMin} |where {($_.PasswordLastSet) -le $dateMax} | select CN,EmailAddress,passwordLastSet | Format-Table;

office 365 Powershell

The HR department has 5000 unlicensed users. I want to remove them all.
I'm confused between two powershell commands and want to use the fastest one:
## 1
Get-MsolUser -UnlicensedUsersOnly | Remove-MsolUser -force
## 2
Get-MsolUser -All | where {$_.department -eq "HR"} | Remove-MsolUser -force
Although I don't think that there would be a huge difference in processing time since you're just using two different ways of retrieving a list of data, it seems like it would be a little faster to just pull the unlicensed users, as opposed to pulling all users and then filtering them based on department. However, are you sure that there aren't any unlicensed users in other departments that you may not want to delete?
Regarding which command is faster, have you tried using the Measure-Object command to see how long each one will take? You could just measure the Get-MsolUser command to confirm the difference.
Measure-Object {Get-MsolUser -UnlicensedUsersOnly}
Measure-Object {Get-MsolUser -All | where {$_.department -eq "HR"}}
Remove-MsolUser -force should take the same amount of time for both options. Also, I think you'll need to put the Remove-MsolUser command in a foreach loop:
foreach($user in Get-MsolUser -UnlicensedUsersOnly | where {$_.department -eq "HR"})
{Remove-MsolUser -ObjectId $user.ObjectId.guid -force}
https://technet.microsoft.com/en-us/library/ee176899.aspx