I am trying to get some information for an audit. Here's the code that I used, but the output is empty except for the name. Can anyone point me in the right direction?
Thanks in advance!
$ou = Get-ADGroup -Identity Administrators -Properties member
$user = Get-ADGroupmember -Identity $ou
foreach ($user in $ou){
Get-ADGroupmember -Identity Administrators | Select-Object name, lastlogondate,passwordlastset
}
Try this
$members = Get-ADGroupMember -Identity Administrators -recursive | select samaccountname
foreach ($user in $members){
Get-ADUser -Identity $user.samaccountname -Properties name, lastlogondate,passwordlastset| Select-Object name, lastlogondate,passwordlastset
}
By default, the properties lastlogondate and passwordlastset are not returned; you have to specify those (or all, by using a *) using the -Properties argument.
# Get-ADGroupMember has no -Properties parameter; -Recursive returns the nested accounts and Get-ADUser requests the extra properties
Get-ADGroupMember -Identity Administrators -Recursive | Get-ADUser -Properties name,lastlogondate,passwordlastset | Select-Object name, lastlogondate,passwordlastset
or
Get-ADGroupMember -Identity Administrators -Recursive | Get-ADUser -Properties * | Select-Object name, lastlogondate,passwordlastset
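For the audit use case in this question, the following added example (not part of the original posts) turns the two retrieved properties into findings per account. The function name Get-StaleAdminFinding, the 90/180-day thresholds and the sample accounts are assumptions made for illustration.

```powershell
# Added example; function name, thresholds and sample accounts are assumptions.
function Get-StaleAdminFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MaxPasswordAgeDays = 90,
        [int] $MaxInactiveDays = 180,
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        # PasswordLastSet is empty when no password was set or a change is forced at next logon
        if ($null -eq $User.PasswordLastSet) {
            $findings += 'PasswordLastSetEmpty'
        } elseif (($Now - $User.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
            $findings += 'PasswordOld'
        }
        # LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
        # which with default settings can lag the real last logon by up to about 14 days
        if ($null -eq $User.LastLogonDate) {
            $findings += 'NoLogonRecorded'
        } elseif (($Now - $User.LastLogonDate).TotalDays -gt $MaxInactiveDays) {
            $findings += 'Inactive'
        }
        [pscustomobject]@{
            Name            = $User.Name
            Enabled         = $User.Enabled
            PasswordLastSet = $User.PasswordLastSet
            LastLogonDate   = $User.LastLogonDate
            Findings        = $findings -join ','
        }
    }
}

# Constructed sample objects shaped like Get-ADUser output, so the logic runs without a domain
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'adm-alice'; Enabled = $true; PasswordLastSet = [datetime]'2024-05-01'; LastLogonDate = [datetime]'2024-05-28' }
    [pscustomobject]@{ Name = 'adm-bob'; Enabled = $true; PasswordLastSet = [datetime]'2019-03-14'; LastLogonDate = [datetime]'2023-01-10' }
    [pscustomobject]@{ Name = 'svc-backup'; Enabled = $true; PasswordLastSet = [datetime]'2016-08-02'; LastLogonDate = $null }
)
$sample | Get-StaleAdminFinding -Now $now | Format-Table -AutoSize

# Against a domain (requires the ActiveDirectory module):
# Get-ADGroupMember -Identity Administrators -Recursive |
#     Where-Object objectClass -eq 'user' |
#     Get-ADUser -Properties LastLogonDate, PasswordLastSet |
#     Get-StaleAdminFinding
```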
I'm trying to run this PowerShell script that I found, but it's not working for me and I'm getting an error. Could someone else check it and tell me if there is an issue here?
$CopyFromUser = Get-ADUser userName -Server domainName -Properties MemberOf
$CopyToUser = Get-ADUser userName -Server domainName -Properties MemberOf
$CopyFromUser.MemberOf | Where{$CopyToUser.MemberOf -notcontains $_} | Add-ADGroupMember -Members $CopyToUser
pause
This is the error that I'm getting.
| A positional parameter cannot be found that accepts argument
| 'Microsoft.ActiveDirectory.Management.ADPropertyValueCollection'.
Add the group memberships one at a time, explicitly passing the target DN to the -Identity parameter:
$CopyFromUser = Get-ADUser userName -Server domainName -Properties MemberOf
$CopyToUser = Get-ADUser userName -Server domainName -Properties MemberOf
$CopyFromUser.MemberOf |Where-Object {$CopyToUser.MemberOf -notcontains $_} |ForEach-Object {
Add-ADGroupMember -Identity $_ -Members $CopyToUser
}
$Users = Get-ADGroupMember -Identity " Colorado Students" | Get-ADUser -properties SamAccountName
$OU = Get-ADUser -SearchBase ‘OU=Colorado,OU=Middle,OU=Student,OU=Colorado-Users,DC=Colorado,DC=9,DC=CO,DC=US’ -Filter * -Properties SamAccountName
$OU = $OU | Where SamAccountName -notlike $Users
Foreach ($user in $OU) {
Add-ADGroupMember -Identity ‘Colorado Students' -Members $_
}
I am using PowerShell 5.0. I am struggling with finishing this one. I want to compare my users to all users in the OU, and if users are in the OU, add them.
I believe what you're looking for is to add all users on the Colorado OU that are currently not members of the Colorado Students group. If that's the case, the code below should work:
$groupName = 'Colorado Students'
$adGroup = Get-ADGroup $groupName
$OU = 'OU=someOU,OU=Of,OU=Some,DC=Domain,DC=xyz'
# Look for all users on the OU 'someOU' that are NOT
# MemberOf 'Colorado Students'
$hash = @{
SearchBase = $OU
LDAPFilter = "(!memberOf={0})" -f $adGroup.DistinguishedName
}
$users = Get-ADUser @hash
Add-ADGroupMember -Identity $adGroup -Members $users
I'm trying to use PowerShell to get a list of global groups in an OU and output the global group name, the members, and the domain local groups the global group is a member of. So far I have the output below, but how do I get the output for the "member of" details?
$OU = 'OU=Role Groups,OU=USG,OU=Groups,OU=xxx,OU=xxxxxx,DC=xxxxxxx,DC=xxx'
$Groups = Get-ADGroup -Filter * -SearchBase $OU
$Data = foreach ($Group in $Groups) {
Get-ADGroupMember -Identity $Group -Recursive | Select-Object @{Name='Group';Expression={$Group.Name}}, @{Name='Member';Expression={$_.Name}}
}
$Data | Export-Csv -Path "C:\Temp\FolderPermissions.csv"
Why not take a more direct approach as defined in the help files?
Get-ADGroup
Get-ADGroupMember
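# Get-ADGroup needs a -Filter (or -Identity), and the script block must reference the current object with $_
Get-ADGroup -Filter * |
Where-Object {$_.GroupScope -eq 'Global'} |
Get-ADGroupMember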
Or
$OU = 'OU=Role Groups,OU=USG,OU=Groups,OU=xxx,OU=xxxxxx,DC=xxxxxxx,DC=xxx'
Get-ADGroup -Filter "GroupScope -eq 'Global'" -SearchBase $OU |
Get-ADGroupMember | Select-Object -Property SamAccountName
I have an issue with the following script:
get-aduser -filter * -searchbase "dc=domain,dc=global" -ResultSetSize $null | where-object {((get-aduser $_.samaccountname -properties memberof).memberof -ne "Mimecast Remote Access Exceptions")} | ForEach {add-adgroupmember -identity "Mimecast Internal Access" -member $_.samaccountname}
It is still adding all users but not filtering out users who are members of the remote access exceptions group. Any idea what I am doing wrong?
First of all, you don't need to perform Get-ADUser twice.
Then, the MemberOf user property is a collection, not a single string, so you need to use -notcontains instead of -ne.
Try:
# get the DistinguishedName property of the group
$groupDN = (Get-ADGroup -Identity "Mimecast Remote Access Exceptions").DistinguishedName
Get-ADUser -Filter * -SearchBase "dc=domain,dc=global" -Properties MemberOf |
Where-Object {$_.MemberOf -notcontains $groupDN} |
ForEach-Object { Add-ADGroupMember -Identity "Mimecast Internal Access" -Members $_ }
Building on @Theo's answer
.memberOf will return distinguished name strings. -notcontains won't work unless you change the left hand side to the DN. That might look something like:
$DN = 'CN=Mimecast Remote Access Exceptions,OU=SomeOU,DC=domain,DC=global'
Get-ADUser -Filter * -SearchBase "dc=domain,dc=global" -Properties MemberOf |
Where-Object {$_.MemberOf -notcontains $DN } |
ForEach-Object { Add-ADGroupMember -Identity "Mimecast Internal Access" -Members $_ }
Obviously correct $DN for your environment etc...
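The difference between the comparisons discussed in this question and its two answers can be seen without a domain. This is an added example, not code from the original posts; the distinguished names, account names and the helper Test-ExceptionFilter are constructed for illustration.

```powershell
# Added example with constructed data; DNs, account names and the helper name are made up.
$exceptionName = 'Mimecast Remote Access Exceptions'
$exceptionDN   = 'CN=Mimecast Remote Access Exceptions,OU=Groups,DC=domain,DC=global'
$staffDN       = 'CN=Staff,OU=Groups,DC=domain,DC=global'

# MemberOf holds distinguished names, as it does on objects returned by Get-ADUser
$users = @(
    [pscustomobject]@{ SamAccountName = 'in-exceptions';     MemberOf = @($exceptionDN, $staffDN) }
    [pscustomobject]@{ SamAccountName = 'not-in-exceptions'; MemberOf = @($staffDN) }
    [pscustomobject]@{ SamAccountName = 'no-groups';         MemberOf = @() }
)

function Test-ExceptionFilter {
    param($User)
    [pscustomobject]@{
        SamAccountName  = $User.SamAccountName
        # -ne on a collection returns every element that differs from the right-hand side;
        # Where-Object treats any non-empty result as true
        NeName          = [bool]($User.MemberOf -ne $exceptionName)
        # -notcontains tests membership, but a group name never equals a DN
        NotContainsName = $User.MemberOf -notcontains $exceptionName
        # only the DN comparison is false for a user who is in the exceptions group
        NotContainsDN   = $User.MemberOf -notcontains $exceptionDN
    }
}

# Each column shows whether Where-Object would let the user through to Add-ADGroupMember
$users | ForEach-Object { Test-ExceptionFilter $_ } | Format-Table -AutoSize
```

MemberOf does not list a user's primary group, so this filter cannot be used to exclude members of a group that is assigned as the primary group.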
I've been looking online for ways of doing this and I'm at a loss here. I'm looking for a way to look up a particular user within a particular group in AD through powershell. Here's what I've tried.
(Get-ADUser userName -Properties MemberOf).MemberOf
I get a bunch of groups
(Get-ADGroupMember "groupname").name
I get a bunch of usernames
I tried this command but it's taking forever to get results.
(Get-ADGroupMember 'groupname' | Get-ADUser -Property DisplayName | Where-Object { $_.Name -eq 'username'})
Is there a way I can get a command that is both fast and efficient? I'm also looking for their email address and surname and last name.
Thanks in advance
As commented, it is best not to use the Name property, but if you have it, use the SamAccountName or DistinguishedName of the user you seek, to rule out ambiguous names.
$user = Get-ADGroupMember -Identity 'GroupName' |
Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq 'userSamAccountName' } |
Get-ADUser -Properties DisplayName, EmailAddress, GivenName, Surname # add more properties if you need them
# display the user object on screen
$user
Or do it this way:
$user = $null
$member = Get-ADGroupMember -Identity 'TheGroupName' |
Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq 'TheuserSamAccountName' }
if ($member) {
# add more properties if you need them
$user = Get-ADUser -Identity $member.DistinguishedName -Properties DisplayName, EmailAddress, GivenName, Surname
}
else {
Write-Host "User 'TheuserSamAccountName' is not a member of group 'TheGroupName'"
}
# display the user object on screen
$user
The resulting $user object will also contain these properties:
DistinguishedName, Enabled, Name, ObjectClass, ObjectGUID, SamAccountName, SID, UserPrincipalName
If you don't need all of these properties simply filter them out using
$user | Select-Object DisplayName, EmailAddress, GivenName, Surname