Search data from AD in multiple domains - PowerShell

I have an existing script which will search data from different domains separately. Please help me to search data from different domains in one shot.
Script I'm using:
Get-ADUser -Server "domainA" -Filter {samaccountname -like "xyaxsdf"} -Properties samaccountname, EmailAddress

You can use something as simple as this.
Just set your domains in $Domains, then a Foreach loop will do the query for each domain. As you can see, the result is stored in the $Output variable, which will contain the results of all your queries.
$Domains = @('DomainA', 'DomainB')
$Output = Foreach ($Dom in $Domains) {
    Get-ADUser -Server $Dom -Filter { samaccountname -like "xyaxsdf" } -Properties samaccountname, EmailAddress
}
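The same multi-domain sweep as an added example (not the answer's own code), which tags each result with the domain it came from and keeps going when one domain is unreachable; the domain names are assumed placeholders.

```powershell
$Domains        = @('DomainA', 'DomainB')   # assumed domain names or DC host names
$SamAccountName = 'xyaxsdf'                  # value from the question

$Output = foreach ($Dom in $Domains) {
    try {
        # -Filter is a string; the inner single quotes keep the value literal
        Get-ADUser -Server $Dom -Filter "SamAccountName -like '$SamAccountName'" `
                   -Properties SamAccountName, EmailAddress -ErrorAction Stop |
            Select-Object @{ Name = 'Domain'; Expression = { $Dom } },
                          SamAccountName, EmailAddress, Enabled
    }
    catch {
        # one unreachable domain should not abort the whole sweep
        Write-Warning "Query against $Dom failed: $($_.Exception.Message)"
    }
}

$Output | Format-Table -AutoSize
```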

Related

Find users who don't belong to multiple groups

My company uses Microsoft Intune. We've got 4 groups in an on-premise AD that control the conditional access. We'll just call them AllowGroup1, AllowGroup2, BlockGroup1, and BlockGroup2. What I now want to find is all users that are not in all of the groups. The result I'm wanting to find is any User object that is not in the mentioned groups. That way I can provide proof that our entire system is compliant. See below for the PowerShell code I've borrowed from this post: List AD Users who do not belong to one of several groups
I'm running these tests on my home domain controller. The problem I'm having is that the script isn't looking in the entire domain for users. Specifically, there is an OU in my personal DC called Home (I created the OU), and there are 2 user objects in a child OU called Users that this script isn't pulling from. I am running this script with a user that is in the Enterprise Admins group, so I know it has sufficient privileges. It's supposed to search AD via PowerShell for users not in multiple groups and place those users in a group called NotInGroup.
To further elaborate, some users will be in AllowGroup1 and in BlockGroup2. Some users will be in BlockGroup1 and BlockGroup2. I want to find all users that are not in any of the groups listed above.
Import-Module ActiveDirectory
$groupname = "NotInGroup"
# empty the target group before re-populating it
$members = Get-ADGroupMember -Identity $groupname
foreach ($member in $members)
{
    Remove-ADGroupMember -Identity $groupname -Members $member.samaccountname
}
$users = Get-ADUser -Filter {
    ((memberof -notlike "CN=AllowGroup1,OU=Intune,OU=Groups,DC=domain,DC=local")
    -AND (memberof -notlike "CN=AllowGroup2,OU=Intune,OU=Groups,DC=domain,DC=local")
    -AND (memberof -notlike "CN=BlockGroup1,OU=Intune,OU=Groups,DC=domain,DC=local")
    -AND (memberof -notlike "CN=BlockGroup2,OU=Intune,OU=Groups,DC=domain,DC=local"))
} -SearchBase "dc=domain,dc=local" -SearchScope Subtree
foreach ($user in $users)
{
    Add-ADGroupMember -Identity $groupname -Members $user.samaccountname -ErrorAction SilentlyContinue
}
I don't think a complex filter like that would work and I would opt for using a regex.
Perhaps something like
# get users not in groups 'AllowGroup1', 'AllowGroup2', 'BlockGroup1', 'BlockGroup2'
$regex = 'CN=(AllowGroup[12]|BlockGroup[12])'
$users = Get-ADUser -Filter * -Properties MemberOf | Where-Object { ($_.MemberOf -join ';') -notmatch $regex }
Or you could try using the LDAPFilter parameter:
# concatenated so the filter string contains no line breaks
$filter = '(!(|(memberof=CN=AllowGroup1,OU=Intune,OU=Groups,DC=domain,DC=local)' +
          '(memberof=CN=AllowGroup2,OU=Intune,OU=Groups,DC=domain,DC=local)' +
          '(memberof=CN=BlockGroup1,OU=Intune,OU=Groups,DC=domain,DC=local)' +
          '(memberof=CN=BlockGroup2,OU=Intune,OU=Groups,DC=domain,DC=local)))'
$users = Get-ADUser -LDAPFilter $filter
Both parameters Filter and LDAPFilter are expecting a string, not a scriptblock.
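An added example (not the answerer's code) that builds the LDAP filter from a list of group DNs instead of typing it by hand, escapes the values, and uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule so that users who belong to one of the groups only through a nested group are not reported as compliant; the group DNs and search base are the question's placeholders.

```powershell
# RFC 4515: escape characters that would otherwise change the meaning of the filter
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$GroupDNs = @(
    'CN=AllowGroup1,OU=Intune,OU=Groups,DC=domain,DC=local'
    'CN=AllowGroup2,OU=Intune,OU=Groups,DC=domain,DC=local'
    'CN=BlockGroup1,OU=Intune,OU=Groups,DC=domain,DC=local'
    'CN=BlockGroup2,OU=Intune,OU=Groups,DC=domain,DC=local'
)
$SearchBase = 'DC=domain,DC=local'

# memberOf on its own only sees direct membership. The matching-rule OID below makes the
# DC walk nested groups, so a user who is in a group only via a sub-group still counts.
$matchRule = ':1.2.840.113556.1.4.1941:'
$clauses   = $GroupDNs | ForEach-Object { "(memberOf$matchRule=$(ConvertTo-LdapFilterValue $_))" }

# NOT ( in group 1 OR in group 2 OR ... )
$filter = '(!(|' + ($clauses -join '') + '))'

$notInAnyGroup = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree |
                 Sort-Object DistinguishedName

$notInAnyGroup | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```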

Deleting bulk users with First name and last name

I want to make a script that deletes bulk users, instead of using SAMACCOUNTNAME I want to use the first and last name, is that possible?
Import-Module ActiveDirectory
$ADusers = Import-Csv C:\TEST\Delete.CSV
Foreach ($user in $ADusers) {
    # Confirming the identity
    $users = Get-ADUser -Identity $user.samAccountName -Properties GivenName, Surname | Select-Object GivenName, Surname
    # Removing the user
    Remove-ADUser -Identity $user.samAccountName -Confirm:$false
}
I like Ambiguous Name Resolution when searching for users in AD:
Get-ADUser -LDAPFilter "(anr=Jim Smith)"
This will search for all objects where any of the naming attributes (see link above for the list) start with the string "jim smith", plus all objects where (givenName=jim*) and (sn=smith*), plus objects where (givenName=smith*) and (sn=jim*).
This is useful when Jim's account uses his full name of 'Jimmy'; this would be returned by ANR but not by a direct givenName/sn filter.
You can have multiple users with the same first/last name, so you will need to deal with the situation of multiple users being returned.
SamAccountName, however, is unique to a single account.
EDIT:
If you've got a CSV with the two columns GivenName & Surname:
$ADusers = Import-Csv C:\TEST\Delete.CSV
foreach ($user in $ADusers) {
    $firstname = $user.GivenName
    $lastname = $user.Surname
    Get-ADUser -LDAPFilter "(anr=$firstname $lastname)"
}
The above just lists the users returned from Get-ADUser; to remove them, just pipe to Remove-ADUser. I'm using -WhatIf to test; remove it to actually delete the users:
Get-ADUser -LDAPFilter "(anr=$firstname $lastname)" | Remove-ADUser -WhatIf
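Because a first/last name pair is not unique, a deletion run should refuse to act on anything but an exact single match. The following is an added example (not the answerer's code): each CSV row is resolved with an exact GivenName/Surname filter, rows with zero or several matches are reported and skipped, and -WhatIf stays on until the report has been reviewed. The CSV path and column names are assumed.

```powershell
$rows = Import-Csv -Path 'C:\TEST\Delete.CSV'   # assumed columns: GivenName, Surname

foreach ($row in $rows) {
    # double any apostrophe so a name like O'Brien cannot break the quoted filter value
    $first = $row.GivenName.Trim() -replace "'", "''"
    $last  = $row.Surname.Trim()   -replace "'", "''"

    # exact match on both naming attributes; -Filter takes a string with quoted values
    $found = @(Get-ADUser -Filter "GivenName -eq '$first' -and Surname -eq '$last'" `
                          -Properties DisplayName)

    switch ($found.Count) {
        0 { Write-Warning "No account found for '$first $last' - skipped" }
        1 {
            Write-Host "Would remove $($found[0].SamAccountName) ($($found[0].DisplayName))"
            # -WhatIf stays until the report has been reviewed
            $found[0] | Remove-ADUser -WhatIf
        }
        default {
            Write-Warning "'$first $last' matches $($found.Count) accounts - review manually:"
            $found | ForEach-Object { Write-Warning "  $($_.SamAccountName)  $($_.DistinguishedName)" }
        }
    }
}
```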
Yes it is.
Get-ADUser -Filter {GivenName -eq "Max" -and sn -eq "Muller"} | Remove-ADUser
You need to alter your script accordingly.

Get-ADuser : A referral was returned from the server

I'm getting the following error when I run my script:
Get-ADUser : A referral was returned from the server At line:25 char:70
+ ... -Identity $G.name -Recursive | Get-ADUser -Server $dom -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (CN=User...,DC=org:ADUser) [Get-ADUser], ADReferral Exception
+ FullyQualifiedErrorId : ActiveDirectoryServer:****,Microsoft.ActiveDirectory.Management.Commands.GetADUser
This is my script:
$Domains = (Get-ADForest).Domains.ForEach{ (Get-ADDomain $_).PDCEmulator }
$Users  = @()
$Groups = @()
$list = Get-Content C:\temp\ADGroups.txt
ForEach ($dom in $Domains) {
    Foreach ($o in $list) {
        $ObjectClass = (Get-ADObject -Server $dom -Filter {SamAccountName -eq $o}).ObjectClass
        If ($ObjectClass -eq "User") {
            $U = Get-ADUser -Properties * -Identity $o -Server $dom
            $User = "" | Select FullUserName, LoginID, Description
            $User.FullUserName = $U.DisplayName
            $User.LoginID = $U.SamAccountName
            $User.Description = $U.description
            $Users += $User
        } Else {
            If ($ObjectClass -eq "Group") {
                $G = Get-ADGroup -Properties * -Identity $o -Server $dom
                $GM = Get-ADGroupMember -Server $dom -Identity $G.name -Recursive | Get-ADUser -Server $dom -Properties *
                Foreach ($gmember in $GM) {
                    $Group = "" | Select GroupName, GroupDescription, GroupMemberName, GroupMemberLoginID, GroupMemberDesc
                    $Group.GroupName = $G.Name
                    $Group.GroupDescription = $G.Description
                    $Group.GroupMemberName = $gmember.Name
                    $Group.GroupMemberLoginID = $gmember.SamAccountName
                    $Group.GroupMemberDesc = $gmember.Description
                    $Groups += $Group
                }
            }
        }
    }
}
$Users | Export-Csv C:\temp\Users.csv -NoTypeInformation
$Groups | Export-Csv C:\temp\Groups.csv -NoTypeInformation
The purpose of my script is to pull users that belong in a group and export to a .csv file. It works for the most part, but it gives me an error for certain users. I think it could be because those users in the group belong in a different domain.
See the answers in this question. Answers there indicate you can retrieve the referral location in the exception and retry the Get-ADUser against the other server.
You might reconsider how you search for all these groups and users. Users are replicated throughout the forest. Global and Universal groups are too. So you could search the Global Catalog instead of iterating through one DC in every domain. Get-DomainController -GlobalCatalog and run your Get-AD* commands against that server's global catalog port, i.e. Get-ADUser -server $GCServerName:3268
However, bear in mind that the GC doesn't contain complete user and group properties, and the properties it does return are subject to replication delays.
Whether this is helpful depends on your domain architecture. In my own workplace, querying remote domain controllers is very expensive. Our site domain controller is a global catalog, though, so searching it for forest information is very fast.
I think that you can simply drop the -Server from Get-ADUser. Since Get-ADGroupMember returns a ADPrincipal[] type, every user contains a fully qualified DistinguishedName, which implies the domain ("server") that the results come from.
Yes, you are right in thinking that essentially (pseudocode):
"contoso.com\user" | Get-ADUser -Server "DC01.theOtherContoso.com"
Will not work. And when piping from Get-ADGroupMember, you get the error:
Get-ADUser : A referral was returned from the server
If you run the same query, but omitting the -Server portion from the Get-ADUser portion, it will use the distinguished name to figure out where to pull the information:
$GM = Get-ADGroupMember -Server $dom -Identity $G.name -Recursive | Get-ADUser -Properties *
It should return you the user objects that you need.
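As an added example (not from the answers above) of the same idea made explicit: the member's home domain is read out of its DistinguishedName and the lookup is sent to that domain, so no referral is produced for members from other domains in the forest. The group name and output path are assumed.

```powershell
function Get-DomainFromDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # "CN=Jane,OU=Staff,DC=corp,DC=example,DC=com" -> "corp.example.com"
    # split on commas that are not escaped with a backslash
    $dcParts = $DistinguishedName -split '(?<!\\),' |
               Where-Object { $_ -like 'DC=*' } |
               ForEach-Object { $_.Substring(3) }
    return ($dcParts -join '.')
}

$dom   = (Get-ADDomain).DNSRoot   # the domain that holds the group
$group = 'SomeGroup'              # assumed group name

$members = Get-ADGroupMember -Server $dom -Identity $group -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $memberDomain = Get-DomainFromDN -DistinguishedName $m.DistinguishedName
    try {
        # query the member's own domain, so the DC never has to refer us elsewhere
        Get-ADUser -Identity $m.DistinguishedName -Server $memberDomain `
                   -Properties Description -ErrorAction Stop |
            Select-Object @{ Name = 'Domain'; Expression = { $memberDomain } },
                          Name, SamAccountName, Description
    }
    catch {
        Write-Warning "Could not resolve $($m.DistinguishedName) in ${memberDomain}: $($_.Exception.Message)"
    }
}

$report | Export-Csv -Path 'C:\temp\Groups.csv' -NoTypeInformation
```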

Get sAMAccountNames from CSV of Proxy Address powershell

I have got the value in the file under the SMTPproxyaddresses header. So, I'm trying something along these lines.
foreach ($user in $userID)
{
    $ADuser = Get-ADUser -Filter "ProxyAddress -eq $($user.SMTPproxyaddresses)" -Properties whenCreated, Enabled, SAMAccountName
}
CSV file :
SMTPproxyaddresses
userproxy@contoso.com
testproxy@contoso.com
user2proxy@contoso.com
user3proxy@contoso.com
I couldn't get it working with a variable inside the Filter parameter, but it worked typed outright. However, the alternative is using an LDAPFilter, and this worked for me.
Get-ADUser -LDAPFilter "(ProxyAddresses=*$($user.SMTPproxyaddresses))" -Properties whenCreated, Enabled, SamAccountName
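An added example (not the answerer's code) showing the value-quoting that the -Filter string form needs, with the exact LDAP form beside it. Matching the full "smtp:address" entry with no leading wildcard avoids the suffix matches a "*address" pattern can produce. The CSV path is assumed; the header is the one from the question.

```powershell
$rows = Import-Csv -Path 'C:\temp\proxy.csv'   # assumed path; header: SMTPproxyaddresses

$result = foreach ($row in $rows) {
    $addr = $row.SMTPproxyaddresses.Trim()

    # proxyAddresses is multi-valued; -eq matches when any element equals the value. AD compares
    # it case-insensitively, so 'smtp:' also hits the primary 'SMTP:' entry.
    $users = @(Get-ADUser -Filter "proxyAddresses -eq 'smtp:$addr'" -Properties whenCreated)
    # equivalent LDAP form; no leading wildcard, so 'smtp:bob@x' cannot match 'smtp:jbob@x':
    # $users = @(Get-ADUser -LDAPFilter "(proxyAddresses=smtp:$addr)" -Properties whenCreated)

    if ($users.Count -eq 0) {
        [pscustomobject]@{ Address = $addr; SamAccountName = $null; Enabled = $null; WhenCreated = $null; Note = 'not found' }
    }
    else {
        $note = if ($users.Count -gt 1) { 'duplicate address' } else { '' }
        foreach ($u in $users) {
            [pscustomobject]@{
                Address        = $addr
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                WhenCreated    = $u.whenCreated
                Note           = $note
            }
        }
    }
}

$result | Export-Csv -Path 'C:\temp\proxy-to-sam.csv' -NoTypeInformation
```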

Get-ADUser in a foreach loop with appended characters in PowerShell

I'm trying to get a (one line) answer to get a list of users (based on a filter of get-aduser) then use that list to do a search matching on an extended version of their name - e.g. I have:
UserA
UserB
UserAAdmin
UserBAdmin
and want to find (when UserA is disabled) the UserAAdmin. This seemed like it would be simple, but I can't seem to use the SAMACCOUNTNAME with a like or equals statement no matter what I try, i.e.
Get-ADUser -Filter {Enabled -eq $false} -Properties sAMAccountName |
ForEach {Get-AdUser -Filter {samaccountname -like ($_.samaccountname + "Admin")}}
(as for the why, well, because the client I'm working with has a structure such that all their user accounts have ADMIN added to the end of their admin accounts and we want to find any disabled USER accounts and find (and then disable) the associated admin account).
Thanks
Avshalom's answer is correct, but it is inefficient and useless to query your AD twice...
Once you have all your disabled users, then you can just filter:
$Users = Get-ADUser -Filter {Enabled -eq $false}
Foreach ($User in $Users)
{
    $Match = "ADM-" + $User.SamAccountName
    $Users | ? { $_.samaccountname -like $match }
}
If I understand you right, you can try this...
$DisabledUsers = Get-ADUser -Filter {Enabled -eq $false}
Foreach ($User in $DisabledUsers)
{
    $Match = $User.SamAccountName + '*'
    $MatchedUsers = Get-ADUser -Filter {samaccountname -like $match}
    foreach ($MatchUser in $MatchedUsers)
    {
        "You can do here what you want"
    }
}
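An added example (not from either answer) that fetches the users once, indexes them by SamAccountName, and pairs every disabled account with its "<name>Admin" counterpart, reporting only the admin accounts that are still enabled; the "Admin" suffix is the one the question describes, and the disable step is left under -WhatIf.

```powershell
$suffix = 'Admin'   # naming convention from the question
$all    = Get-ADUser -Filter * -Properties Enabled, LastLogonDate

# index once: SamAccountName -> ADUser (logon names are case-insensitive)
$byName = [System.Collections.Generic.Dictionary[string, object]]::new(
    [System.StringComparer]::OrdinalIgnoreCase)
foreach ($u in $all) { $byName[$u.SamAccountName] = $u }

$orphanedAdmins = foreach ($u in $all) {
    if ($u.Enabled) { continue }             # only disabled primary accounts
    $adminName = $u.SamAccountName + $suffix
    if ($byName.ContainsKey($adminName) -and $byName[$adminName].Enabled) {
        $a = $byName[$adminName]
        [pscustomobject]@{
            DisabledUser   = $u.SamAccountName
            AdminAccount   = $a.SamAccountName
            AdminLastLogon = $a.LastLogonDate
            AdminDN        = $a.DistinguishedName
        }
    }
}

$orphanedAdmins | Format-Table -AutoSize

# after the report has been reviewed, act on it:
$orphanedAdmins | ForEach-Object { Disable-ADAccount -Identity $_.AdminDN -WhatIf }
```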