I've been working on an identity management project involving Active Directory and hit a case I can't figure out the PowerShell for. Essentially we are looking at the employeeID attribute: we want to find all users that have the same value in that attribute across the whole domain. Users shouldn't have the same employeeID, so if there are two or more with the same employeeID, they need to be cleaned up.
I know PowerShell could do this for me but I'm not sure what commands I would need. I've been looking at Get-ADUser but nothing is jumping out at me to even get started. I essentially just want a report of all users that have the same employeeID as another user so that they can be cleaned up.
You could:
Enumerate all accounts with an employeeID value
Compare and group them based on the value using Group-Object
# Fetch all user accounts with an employeeID
$employeeAccounts = Get-ADUser -Filter 'employeeID -like "*"' -Properties employeeID
# Group them by value of employeeID attribute, keep any group with more than 1 account
$accountsByEmployeeID = $employeeAccounts | Group-Object employeeID | Where-Object Count -gt 1
foreach ($ID in $accountsByEmployeeID) {
    # $accounts will contain a list of accounts with the same employeeID
    # you could send an email, file a ticket, or disable one or more of the accounts here
    $accounts = $ID.Group
}
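As an added example (not part of the answer above), here is the same grouping taken one step further into the per-account report the question asks for: one row per account that shares its employeeID with another, with the details needed to decide which one to keep. It assumes the ActiveDirectory module and a domain-joined session; the output path is an assumption.

```powershell
# Added example (not from the answer above): one row per account that shares its
# employeeID with at least one other account, ready for Export-Csv.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-DuplicateEmployeeIDReport {
    param(
        # Optional: restrict the search to an OU; the default is the whole domain
        [string]$SearchBase
    )

    $query = @{
        Filter     = 'employeeID -like "*"'
        Properties = 'employeeID', 'whenCreated', 'LastLogonDate'
    }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    $users = Get-ADUser @query

    # Group on a trimmed key so " 1234" and "1234" are caught as the same ID.
    # Group-Object compares case-insensitively by default, so "ab12" and "AB12" collide too.
    $dupes = $users |
        Group-Object -Property { $_.employeeID.Trim() } |
        Where-Object Count -gt 1

    foreach ($g in $dupes) {
        # Oldest account first, so the likely "original" sits at the top of each group
        foreach ($u in ($g.Group | Sort-Object whenCreated)) {
            [PSCustomObject]@{
                EmployeeID        = $g.Name
                DuplicateCount    = $g.Count
                SamAccountName    = $u.SamAccountName
                DistinguishedName = $u.DistinguishedName
                Enabled           = $u.Enabled
                WhenCreated       = $u.whenCreated
                LastLogonDate     = $u.LastLogonDate
            }
        }
    }
}

# Usage; the output path is an assumption
Get-DuplicateEmployeeIDReport |
    Sort-Object EmployeeID, WhenCreated |
    Export-Csv -Path .\duplicate-employeeids.csv -NoTypeInformation
```

The report deliberately stops at reporting: disabling or deleting one of a pair is a decision for whoever owns the identity data, and the Enabled and LastLogonDate columns are what they will want to see before making it.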
I am trying to get a table of permissions out of some groups that I have in AD. I'm pretty new to PowerShell and I'm not sure what I want is even possible.
So far I've been able to select the groups that I want by using
Get-ADUser -Identity groupname
And I can see the info pulled up in the response from PowerShell, but from there I've hit a huge dead-end with piping the result into anything that would let me see the permissions for that group.
I'm assuming you want the permissions to the group itself (for example, who is allowed to modify the group).
You can use Get-Acl (ACL stands for Access-Control List), which is used for getting permissions from files as well. To direct it to AD, you use the AD: drive, along with the distinguished name of the AD object. For example:
(Get-Acl "AD:CN=SomeGroup,OU=Groups,DC=example,DC=com").Access
If you don't know the distinguished name, you can get that from your call to Get-ADGroup (I assume you meant to use Get-ADGroup, not Get-ADUser like you put in your question).
$group = Get-ADGroup groupname
(Get-Acl "AD:$($group.distinguishedName)").Access
More reading here: Understanding Get-ACL and AD Drive Output
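Raw Access entries are verbose, so as an added example (not from the answer above) here is a function that reads a group's ACL through the AD: drive, as the answer describes, and keeps only the ACEs that matter from a security point of view: the ones that let a principal edit the member attribute, or rewrite the ACL or the whole object. It assumes the ActiveDirectory module (which provides the AD: drive) and a domain-joined session; "SomeGroup" is a placeholder.

```powershell
# Added example (not from the answer above): read a group's ACL from the AD: drive
# and keep only the ACEs that let someone change its membership or take the group
# over. Assumes the ActiveDirectory module (it provides the AD: drive) and a
# domain-joined session; "SomeGroup" is a placeholder.
Import-Module ActiveDirectory

function Get-GroupWriteAccess {
    param([Parameter(Mandatory)][string]$GroupName)

    $ADR   = [System.DirectoryServices.ActiveDirectoryRights]
    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path "AD:$($group.DistinguishedName)"

    # Property-specific ACEs carry the attribute's schemaIDGUID in ObjectType.
    # Resolve the GUID for "member" from the schema rather than hard-coding it.
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $memberAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
    $memberGuid = [guid]$memberAttr.schemaIDGUID

    foreach ($ace in $acl.Access) {
        # Deny ACEs are listed too; this report is only about what is granted
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        # An all-zero ObjectType means the right applies to every property
        $onMember  = $ace.ObjectType -eq $memberGuid
        $onAllProp = $ace.ObjectType -eq [guid]::Empty
        $editsMembership = $rights.HasFlag($ADR::WriteProperty) -and ($onMember -or $onAllProp)

        # HasFlag(GenericAll) is true only when every bit of GenericAll is present
        $takesOver = $rights.HasFlag($ADR::GenericAll) -or
                     $rights.HasFlag($ADR::WriteDacl)  -or
                     $rights.HasFlag($ADR::WriteOwner)

        if (-not ($editsMembership -or $takesOver)) { continue }

        if ($takesOver) { $why = 'can rewrite the ACL or the whole object' }
        else            { $why = 'can edit the member attribute' }
        if ($onMember)      { $scope = 'member' }
        elseif ($onAllProp) { $scope = 'all properties' }
        else                { $scope = $ace.ObjectType.ToString() }

        [PSCustomObject]@{
            Group       = $group.SamAccountName
            Identity    = $ace.IdentityReference.Value
            Rights      = $rights.ToString()
            Scope       = $scope
            IsInherited = $ace.IsInherited
            Finding     = $why
        }
    }
}

Get-GroupWriteAccess -GroupName 'SomeGroup' | Format-Table -AutoSize
```

This looks at one object's DACL only: it does not expand nested groups behind each IdentityReference, does not consider the object's owner, and ignores Deny entries, so treat the output as a starting list of principals to check rather than a complete effective-permissions answer.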
This seems so simple, but I have spent hours digging and could not find a solution. I try to manipulate others' scripts to meet my needs but I keep jacking it up somehow. I am not great with PowerShell.
I have the following command that seems to work great. It successfully pulls the name/MobilePhone and imports it into AD.
Import-Csv -Path .\test123.csv | ForEach {Set-ADUser $_.name -mobilePhone $_.MobilePhone}
The problem is that the default "ADUser" value in AD is very inconsistent. Over the years people have created ADUser accounts in many different ways: some using the employee's ID, some being FirstnameLastInitial, some being the full name. So I am wanting to mass update the mobilePhone value using users' EmployeeID value instead, as everyone should have an accurate EmployeeID value...
Does anyone know the command I can use to meet this requirement?
The test123.csv has two columns. One "name" column and one "MobilePhone" column.
Looking up a user by employeeId can be done, but be aware that the documentation shows that it is not indexed. So to find a user by employeeId, it has to look at every user account until it's found. That can make for a slow query, depending on how many users you have on your domain.
But here's how you would do it, and you can decide if it's too slow, or if your AD admins will yell at you for making a bunch of these queries.
Use Get-ADUser to find the user, then pipe that into Set-ADUser:
Import-Csv -Path .\test123.csv | ForEach {
    Get-ADUser -LDAPFilter "(employeeId=$($_.name))" | Set-ADUser -MobilePhone $_.MobilePhone
}
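Two things the one-liner above leaves to chance are worth handling when the input is a spreadsheet someone else maintains: a CSV cell is pasted straight into an LDAP filter, so a value containing ( ) * or \ can change the query, and if two accounts share an employeeID (the situation in the first question on this page) both get the same phone number. As an added example (not the answer's code) here is the same update with the value escaped and the write refused unless exactly one account matches. It assumes the ActiveDirectory module; the "name" and "MobilePhone" columns are the ones the question describes.

```powershell
# Added example (not the answer's code): the same CSV-driven update, with the CSV
# value escaped before it goes into the LDAP filter and the update refused unless
# exactly one account matches. Assumes the ActiveDirectory module; the "name" and
# "MobilePhone" columns are the ones described in the question.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping: backslash first, then the other reserved characters.
    # Without this a cell like "1234)(objectClass=*" would rewrite the query.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Set-MobilePhoneByEmployeeID {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$CsvPath)

    foreach ($row in Import-Csv -Path $CsvPath) {
        $id = ([string]$row.name).Trim()
        if (-not $id) {
            Write-Warning "Row with an empty employee ID skipped"
            continue
        }

        # employeeID is not indexed, so each row is a full scan; acceptable for a one-off batch
        $filter = "(employeeID=$(ConvertTo-LdapFilterValue $id))"
        $found  = @(Get-ADUser -LDAPFilter $filter -Properties employeeID)

        $status = switch ($found.Count) {
            0 { 'NotFound' }
            1 {
                # -WhatIf / -Confirm given to this function flow through to Set-ADUser
                Set-ADUser -Identity $found[0] -MobilePhone $row.MobilePhone
                'Updated'
            }
            default { 'Ambiguous' }   # several accounts share the ID; leave them alone
        }

        # One log row per CSV row, so the run can be reviewed afterwards
        [PSCustomObject]@{
            EmployeeID     = $id
            MatchCount     = $found.Count
            SamAccountName = ($found.SamAccountName -join ';')
            Status         = $status
        }
    }
}

# Dry run first, then the real run with a log of what happened to each row
Set-MobilePhoneByEmployeeID -CsvPath .\test123.csv -WhatIf
Set-MobilePhoneByEmployeeID -CsvPath .\test123.csv |
    Export-Csv -Path .\mobile-update-log.csv -NoTypeInformation
```

Rows that come back Ambiguous are exactly the duplicates the first question on this page wants cleaned up; fix those in the directory first and re-run the batch rather than updating both accounts.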
As the title says, I need to get a specific part of a group name for a group of users.
Yup, Get-ADPrincipalGroupMembership allows you to get a user's groups. But it returns all of the user's groups (while I would like to get an exact one) and, as I understood, only for an exact user.
So I have three OUs. Each OU has users. Each user is a member of a few groups, but I need to get the group(s) with a standard name per user. And the standard name is department - X, where the X part is specific for each user. So as a result I want to get a table with Name, SamAccountName and the X part of the group(s).
Hence, I need:
Get a list of users and their groups from an exact OU;
From the list of all users and their groups I need to get the group that has the standard name per user. The standard name is department - X, where the X part is specific for each user, and one user could have more than one group with the standard name;
Per user I need to get the X part from the group(s) with the standard name.
I would try something like that:
Get-ADUser -Filter * -SearchBase "OU=OU1,OU=OU2,OU=OU3,DC=domain,DC=local" -Properties memberOf | ForEach-Object {
    [PSCustomObject]@{
        Name           = $_.Name
        SamAccountName = $_.SamAccountName
        Groups         = ($_.MemberOf | Where-Object { $_ -match "department" } |
            ForEach-Object { $_.Split(',')[0].Split('=')[1].Replace("department - ", "") }) -join ","
    }
}
This gets all the users from a given OU together with their membership. The value of a memberOf property is a DN of the group as a string, so something like CN=group,OU=OU1,DC=domain,DC=local. Out of those it selects only entries that match department and splits the DN by comma and equal sign to get the CN part (which should match the group's name).
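Splitting a DN on commas works until a group is called something like "department - R&D, EMEA": the comma inside the CN is escaped as "\," in the DN and the split cuts the name short. The unanchored -match "department" also fires on any DN that merely contains that word, for instance a group sitting in an OU named department. As an added example (not from the answer above) here is a small RDN parser that honours the escaping and anchors the pattern on the CN, run over constructed sample objects so it can be tried without a domain; the sample names and DNs are made up.

```powershell
# Added example (not from the answer above): extract the "X" of "department - X"
# from group DNs without breaking on escaped commas. The sample users below are
# constructed for the demonstration and are not from the page.

function Get-FirstRdnValue {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # The first RDN value runs up to the first comma that is not preceded by a backslash.
    if ($DistinguishedName -match '^(?<type>[^=]+)=(?<value>(?:\\.|[^,\\])*)') {
        # Undo RFC 4514 escaping ("\," -> ",", "\\" -> "\", and so on)
        return $Matches['value'] -replace '\\(.)', '$1'
    }
    return $null
}

function Get-DepartmentSuffix {
    # Returns the X part of every "department - X" group in the list
    param([string[]]$MemberOf = @())
    foreach ($dn in $MemberOf) {
        $cn = Get-FirstRdnValue -DistinguishedName $dn
        if ($cn -and $cn -match '^department - (?<x>.+)$') { $Matches['x'] }
    }
}

# Constructed sample data standing in for Get-ADUser ... -Properties memberOf
$sampleUsers = @(
    [PSCustomObject]@{ Name = 'Alice'; SamAccountName = 'alice'
                       MemberOf = @('CN=department - Finance,OU=Groups,DC=domain,DC=local',
                                    'CN=VPN Users,OU=Groups,DC=domain,DC=local') }
    [PSCustomObject]@{ Name = 'Bob';   SamAccountName = 'bob'
                       MemberOf = @('CN=department - R&D\, EMEA,OU=Groups,DC=domain,DC=local',
                                    'CN=department - Sales,OU=Groups,DC=domain,DC=local') }
    [PSCustomObject]@{ Name = 'Carol'; SamAccountName = 'carol'
                       MemberOf = @('CN=Printer Admins,OU=department,DC=domain,DC=local') }
)

$sampleUsers | ForEach-Object {
    [PSCustomObject]@{
        Name           = $_.Name
        SamAccountName = $_.SamAccountName
        # "; " rather than "," so a department containing a comma stays readable
        Departments    = (Get-DepartmentSuffix -MemberOf $_.MemberOf) -join '; '
    }
} | Format-Table -AutoSize
```

Against a real OU, replace $sampleUsers with the Get-ADUser call from the answer (-Properties memberOf) and the rest stays the same; Bob comes out as "R&D, EMEA; Sales", and Carol gets an empty Departments column because the word department only appears in her group's OU, not in its CN.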
I'm trying to retrieve a list of all AD users matching a filter, pipe that into Get-ADPrincipalGroupMembership and then export the result to an easy to read CSV.
*NB I can't use MemberOf as it returns blank for every single AD user, and most successful scripts I've found are using MemberOf.
Here's what I've tried, which gives me a list of groups but no association as to who goes where. I tried Export-Csv as well but it complains of an empty pipe?
import-module activedirectory
foreach ($user in (Get-AdUser -Filter {(Name -Like "*(s)") } | select samaccountName)) {
    Get-ADPrincipalGroupMembership $user.samaccountName | select samaccountname,name
}
This will include the user's sAMAccountName in the group results:
Import-Module ActiveDirectory
ForEach ($user in (Get-AdUser -Filter {(Name -Like "*(s)") } | select sAMAccountName)) {
    Get-ADPrincipalGroupMembership $user.sAMAccountName | select @{Expression={$user.sAMAccountName};Label="User"},sAMAccountName,name
}
That weird notation is for creating a custom table. You can read more about it here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ee692794(v=technet.10)
Not seeing anything in memberOf may be normal. If you check in Users and Computers, do you see a value in memberOf?
The memberOf attribute will only show groups with a Universal scope in the same AD forest, Global groups on the same domain, or Domain Local groups on the same domain of the server you're reading from (which may not be the same domain as the user). So it has its limitations.
Users can also be "a member" of a group by the primaryGroupId attribute, which stores the RID (the last section of the SID) of the user's primary group. This is usually only used for the Domain Users group.
Get-ADPrincipalGroupMembership takes care of all of that for you. It will include the primary group and search every domain in your forest for Global and Domain Local groups that have the user as a member.
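As an added example (not from either answer) here is the user-to-group report as a function whose output pipes straight into Export-Csv, which also shows the primaryGroupId mechanism the second answer describes: the RID is joined to the domain SID to resolve the primary group, and each row is labelled with whether it came from the primary group or from ordinary membership. It assumes the ActiveDirectory module and a domain-joined session; the "*(s)" name filter is the one in the question, and the output path is an assumption.

```powershell
# Added example (not from either answer): one row per user/group pair, with the
# primary group labelled. Assumes the ActiveDirectory module and a domain-joined
# session; the "*(s)" name filter comes from the question, the output path is an
# assumption.
Import-Module ActiveDirectory

function Get-UserGroupRows {
    param([Parameter(Mandatory)][string]$Filter)

    $domainSid = (Get-ADDomain).DomainSID.Value

    foreach ($user in Get-ADUser -Filter $Filter -Properties primaryGroupID) {
        # primaryGroupID holds only the RID; domain SID + "-" + RID is the group's full
        # SID, which Get-ADGroup accepts as an identity
        $primary = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"

        # Get-ADPrincipalGroupMembership returns the primary group as well as the
        # forest-wide memberships that memberOf on a single DC may not list
        foreach ($group in Get-ADPrincipalGroupMembership -Identity $user) {
            if ($group.DistinguishedName -eq $primary.DistinguishedName) { $source = 'primaryGroupID' }
            else                                                         { $source = 'member' }

            [PSCustomObject]@{
                User       = $user.SamAccountName
                Group      = $group.SamAccountName
                GroupScope = $group.GroupScope
                GroupDN    = $group.DistinguishedName
                Source     = $source
            }
        }
    }
}

Get-UserGroupRows -Filter 'Name -like "*(s)"' |
    Sort-Object User, Group |
    Export-Csv -Path .\user-groups.csv -NoTypeInformation
```

Because every row carries the user's sAMAccountName, the CSV answers the "who goes where" question directly, and the Source column makes it visible when someone's primary group has been changed from Domain Users, which is worth a second look in an access review.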
I use a simple Get-ADGroup on the top level of our network's Active Directory and I get back the error "get-adgroup : cannot find an object with identity 'GroupName' under: Domain".
I have tried to query the group using "Find" in Active Directory Users and Computers and it can only be found if set to search for Organizational Units; however, if I try Get-ADOrganizationalUnit with the name of the OU nothing will populate.
Most of the time, the group name you see from your front-end is not actually what the group name is in Active Directory.
I suggest you install Active Directory Users and Computers
Query the group based on the current group name you think it is.
Open the properties and see what the actual group name is.
The fact that Get-AdGroup returned that error means you have the wrong group name.
For Get-ADGroup you have to use the object's GUID or the DistinguishedName. What I typically do with this is something like this:
Get-DistributionGroup -identity "GroupName" | select -Expand DistinguishedName | Get-ADGroup
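Both answers come down to the same point: the name shown in a front-end is not necessarily the identity a cmdlet expects. Get-ADGroup -Identity accepts a sAMAccountName, SID, GUID or distinguished name, while Get-ADOrganizationalUnit -Identity accepts only a distinguished name or GUID, so searching an OU by its name has to go through -Filter or -LDAPFilter. As an added example (not from either answer) here is a lookup that searches several name attributes across all object classes first, reports what the object actually is, and then calls the matching cmdlet by DN. It assumes the ActiveDirectory module; "GroupName" is a placeholder.

```powershell
# Added example (not from either answer): look the name up across object classes
# first, then call the cmdlet that fits what came back. Assumes the ActiveDirectory
# module and a domain-joined session; "GroupName" is a placeholder.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a name containing ( ) * or \ cannot break the filter
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-ADObjectByName {
    param([Parameter(Mandatory)][string]$Name)

    $v = ConvertTo-LdapFilterValue $Name
    # name/cn/ou cover what the console shows, sAMAccountName is what Get-ADGroup
    # -Identity resolves, displayName is what many front-ends display instead
    $filter = "(|(name=$v)(cn=$v)(ou=$v)(sAMAccountName=$v)(displayName=$v))"

    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, displayName |
        Select-Object Name, ObjectClass, sAMAccountName, displayName, DistinguishedName
}

$hits = Find-ADObjectByName -Name 'GroupName'
$hits | Format-Table -AutoSize

foreach ($hit in $hits) {
    switch ($hit.ObjectClass) {
        # The DN is an identity every Get-AD* cmdlet understands
        'group' {
            Get-ADGroup -Identity $hit.DistinguishedName -Properties mail, groupType
        }
        # Get-ADOrganizationalUnit -Identity takes a DN or GUID, never the plain name
        'organizationalUnit' {
            Get-ADOrganizationalUnit -Identity $hit.DistinguishedName
        }
        default {
            Write-Warning "$($hit.DistinguishedName) is a $($hit.ObjectClass), not a group or OU"
        }
    }
}
```

If the only hit is an organizationalUnit, as the question's Find results suggest, then there is no group by that name to retrieve, and the table makes that clear before any more time goes into Get-ADGroup.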