get enabled user from OU - powershell

How would I add a filter to this to query only enabled users?
(Get-ADUser -Filter * -SearchBase "ou=Users,dc=qq,dc=com").count

Just tell it to look at the Enabled property in the -Filter parameter:
(Get-ADUser -Filter "Enabled -eq $true" -SearchBase "ou=Users,dc=qq,dc=com").Count
Note that there is no Enabled attribute in AD itself. But PowerShell exposes an Enabled property that maps to the value in AD (the userAccountControl attribute). The actual LDAP query this gets translated to looks something like this:
(Get-ADUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -SearchBase "ou=Users,dc=qq,dc=com").Count
So PowerShell simplifies it a bit for you.

Related

Combining PowerShell Commands

I've written two scripts that give me the independent output that I need, but am not sure how to put them together to give me the combined output.
Returns the count of all of the active users in a particular OU
(Get-ADUser -searchbase "OU=OU, DC=domain, DC=com" -filter * |Where {$_.enabled -eq "True"}).count
Returns the OUs underneath the above OU that have "string" in the description property.
Get-ADOrganizationalUnit -searchbase "OU=OU, DC=domain, DC=com" -filter * -Properties description | where {$_.description -eq "string"}
What I'm trying to accomplish is for the script to give me a count of all of the active users underneath the OU's that have "string" in the description property.
I think this is the easiest way to achieve your goal:
$OUs = Get-ADOrganizationalUnit -searchbase "OU=OU, DC=domain, DC=com" -filter * -Properties description | where {$_.description -eq "string"}
ForEach ($OU in $OUs) {
    $count = (Get-ADUser -searchbase $OU -filter * | Where {$_.enabled -eq "True"}).count
    Write-Host "OU $OU has $count users"
}
The result will be:
OU OU=foo,DC=domain,DC=com has 6 users
OU OU=Computers,OU=foo,DC=domain,DC=com has 0 users
OU OU=Users,OU=foo,DC=domain,DC=com has 6 users
OU OU=Groups,OU=foo,DC=domain,DC=com has 0 users
Sergio Tanaka's helpful answer works well; let me complement it with a performance improvement:
You can greatly speed up your command by filtering at the source, by passing the filter criterion as a -Filter argument instead of retrieving all objects first and then filtering them with a separate Where-Object call:
Get-ADOrganizationalUnit -SearchBase 'OU=OU, DC=domain, DC=com' `
    -Filter 'Description -eq "string"' -Properties description |
    ForEach-Object {
        $count = (Get-ADUser -SearchBase $_ -Filter 'Enabled -eq $true').Count
        "OU $_ has $count users"   # emit one line per OU, as in the answer above
    }
Note that the -Filter-string syntax of the AD cmdlets resembles PowerShell code, but it differs in many important ways - see Get-Help about_ActiveDirectory_Filter.
The general advantages of using -Filter:
A -Filter string is applied at the data source, which means that PowerShell only receives the result of the filtering.
Since providers are implemented in compiled code (and they have access to lower-level internals), this generally makes for much better performance; additionally, in remoting scenarios performance improves by simply having to transfer less data over the network.
Note that -Filter parameters are always strings with provider-specific syntax, so you must consult the relevant provider/cmdlet documentation.
On a general note, the same performance improvement can be had with cmdlets for other PowerShell data providers, such as the one for the filesystem (e.g., Get-ChildItem), if they support a -Filter parameter.

Get-ADUser -Properties not returning PasswordNeverExpires for all users

I am trying to list all users that have the PasswordNeverExpires flag set.
If I use
Get-ADUser
I get a list of all users in my domain, along with a load of default properties.
If I use
Get-ADUser -Filter * -Properties Name | Format-Table -Property Name -AutoSize
I also get a list of all usernames in my domain, as a table.
When I use
Get-ADUser -Filter * -Properties Name,PasswordNeverExpires | Format-Table -Property Name,PasswordNeverExpire
I get a table that contains a full list of usernames, but ONLY the following accounts have either True or False in the PasswordNeverExpires column
Guest
krbtgt
Administrator
SBSMonAcct
Network Administrator
<MyDomainAdminAccount>
SPSearch
<AnAdministratorAccountForOneOfOurSoftwareVendors>
<AnAccountThatWasCopiedFromTheDomainAdministratorAccount>
<AnotherAccountCopiedFromTheDomainAdministratorAccount>
All the other items/usernames in the table have empty/blank/non-existent values.
I have also tried
Get-ADUser -LDAPFilter "(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
but that only returns
<MyDomainAdminAccount>
SPSearch
Why is the PasswordNeverExpires flag not being picked up for all users? Thanks.
PasswordNeverExpires is calculated from the userAccountControl attribute.
Probably the fastest way to search for users that have that flag set is as follows:
Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=65536)" -Properties PasswordNeverExpires
See the documentation for more information on searching using a bitwise filter. 65536 (0x10000) corresponds to the ADS_UF_DONT_EXPIRE_PASSWD bit position, so this LDAP search filter searches only for accounts that have that flag set.
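As an added example (not code from the answers above), the following decodes the userAccountControl bits that PowerShell's Enabled and PasswordNeverExpires properties are derived from, and builds the matching bitwise LDAP filter for any combination of flags. The function names, the flag table (values from the ADS_USER_FLAG enumeration) and the sample value 66048 are my own choices; the final query assumes the ActiveDirectory module is loaded.

```powershell
# Bit positions from the ADS_USER_FLAG enumeration; these are the values the LDAP
# bitwise-AND matching rule 1.2.840.113556.1.4.803 tests against.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE     = 0x00000002
    LOCKOUT            = 0x00000010
    PASSWD_NOTREQD     = 0x00000020
    NORMAL_ACCOUNT     = 0x00000200
    DONT_EXPIRE_PASSWD = 0x00010000
    SMARTCARD_REQUIRED = 0x00040000
    DONT_REQ_PREAUTH   = 0x00400000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $set = foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) { $name }
    }
    [pscustomobject]@{
        Value                = $Value
        Enabled              = -not ($Value -band $UacFlags.ACCOUNTDISABLE)   # what Get-ADUser reports as Enabled
        PasswordNeverExpires = [bool]($Value -band $UacFlags.DONT_EXPIRE_PASSWD)
        Flags                = $set
    }
}

# Build an LDAP filter that requires the -Set flags to be on and the -Clear flags to be off.
function New-UacLdapFilter {
    param([string[]]$Set = @(), [string[]]$Clear = @())
    $terms = [System.Collections.Generic.List[string]]::new()
    foreach ($f in $Set + $Clear) { if (-not $UacFlags.Contains($f)) { throw "Unknown flag: $f" } }
    foreach ($f in $Set)   { $terms.Add("(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$f]))") }
    foreach ($f in $Clear) { $terms.Add("(!(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$f])))") }
    "(&(objectCategory=person)(objectClass=user)$(-join $terms))"
}

# Constructed sample: 66048 = 0x10200 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD
ConvertFrom-UserAccountControl -Value 66048

# Enabled users whose password never expires, evaluated on the domain controller:
$filter = New-UacLdapFilter -Set DONT_EXPIRE_PASSWD -Clear ACCOUNTDISABLE
Get-ADUser -LDAPFilter $filter -Properties userAccountControl |
    Select-Object SamAccountName, @{ n = 'UAC'; e = { (ConvertFrom-UserAccountControl $_.userAccountControl).Flags -join ',' } }
```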
Hmm, your third line pulls the property "PasswordNeverExpires" but selects "PasswordNeverExpire". If this was just a typo in your question, then disregard this. If not, then there is your answer. :-)

get-adgroup -filter "SID -like '*-512'"

I have been wanting to figure out how to use -filter to get what I want. What I am trying to do is find the Domain Admins group by a -like statement of *-512 against the SID property using the following:
get-adgroup -filter "SID -like '*-512'"
It works if I put the actual SID
get-adgroup -filter "SID -eq 'S-1-5-21domain-512'"
I know doing it this way will work
get-adgroup -filter * | ? {$_.SID -like '*-512'}
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
As BenH comments, you cannot partially filter on SIDs in LDAP queries, because of the way SID values are stored in the directory. The SID string you see is an SDDL representation of an underlying byte array.
I assume your motivation for attempting wildcard matching against a well-known RID is that you don't know the domain SID in advance. You can easily obtain that with the Get-ADDomain cmdlet:
$DomainSID = (Get-ADDomain).DomainSID
$DomainAdminsSid = New-Object System.Security.Principal.SecurityIdentifier ([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid,$DomainSID)
Get-ADGroup -Filter {SID -eq $DomainAdminsSid}
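Building on the answer above, here is an added example (not the answer's own code) that generalizes it to any well-known RID: since the SID attribute cannot be wildcard-matched, the exact SID is assembled from the domain SID and the RID and queried with -eq. The RID table comes from the Microsoft well-known SID list linked in the question; the function name and the MemberCount column are my additions, and the ActiveDirectory module is assumed to be loaded.

```powershell
# Well-known domain-relative RIDs (subset of the list Microsoft publishes).
$WellKnownDomainRids = @{
    512 = 'Domain Admins'
    513 = 'Domain Users'
    515 = 'Domain Computers'
    516 = 'Domain Controllers'
    518 = 'Schema Admins'       # exists in the forest root domain only
    519 = 'Enterprise Admins'   # exists in the forest root domain only
    520 = 'Group Policy Creator Owners'
}

function Get-ADGroupByRid {
    param([Parameter(Mandatory)][int]$Rid)
    $domainSid = (Get-ADDomain).DomainSID   # SecurityIdentifier of the current domain
    # Exact SID string: "<domain SID>-<RID>", e.g. S-1-5-21-...-512 for Domain Admins.
    $sid = [System.Security.Principal.SecurityIdentifier]"$($domainSid.Value)-$Rid"
    # Equality on SID is an exact lookup; a -like pattern would not be translated to LDAP.
    $group = Get-ADGroup -Filter "SID -eq '$($sid.Value)'"
    if (-not $group) { throw "No group with RID $Rid in domain $($domainSid.Value)" }
    [pscustomobject]@{
        Rid               = $Rid
        ExpectedName      = $WellKnownDomainRids[$Rid]   # $null for RIDs not in the table
        Name              = $group.Name                  # differs from ExpectedName if the group was renamed
        SamAccountName    = $group.SamAccountName
        SID               = $group.SID.Value
        DistinguishedName = $group.DistinguishedName
        MemberCount       = @(Get-ADGroupMember -Identity $group -Recursive).Count
    }
}

# Privileged groups are located by RID, so a renamed Domain Admins group is still found.
512, 519 | ForEach-Object { Get-ADGroupByRid -Rid $_ } | Format-Table Rid, ExpectedName, Name, MemberCount -AutoSize
```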

How to display "Description" attribute in any user's account?

I want to use the Get-ADUser cmdlet to determine whose accounts are disabled.
The "Description" attribute in any user's account is not showing up.
Is it only the attributes that you get when you do Get-ADUser [username], as listed here:
DistinguishedName
Enabled
GivenName
Name
ObjectClass
ObjectGUID
SamAccountName
SID
Surname
UserPrincipalName
We list the employeeID number in the description of the user account and that's helpful when we have duplicate names and need to figure out who's who. The command I'm using is:
Get-ADUser -SearchBase "OU=ou,OU=ou,OU=ou,DC=dc,DC=dc,DC=dc" -Filter {Enabled -eq $false} | FT SamAccountName,Name,Description
and the results for one person would look like this:
SamAccountName  Name      Description
--------------  ----      -----------
john.doe        John Doe
Just a blank spot, not even <> like if you listed something that doesn't exist.
That tells me the Powershell command acknowledges the attribute exists, just won't grab it from the AD Account's info.
Sounds like it is not one of the default properties that get-aduser displays. Hence in order to get this information you have to explicitly tell it to display the description property. Hence:
Get-ADUser -Properties description -SearchBase "OU=ou,OU=ou,OU=ou,DC=dc,DC=dc,DC=dc" -Filter {Enabled -eq $false} | FT SamAccountName,Name,Description

Finding all members in OUs of the same name

My organization has a different OU for each site we have. Within each site is a nested OU called OU=USERS.
I want to find all members in every site's nested USERS OU.
Simply using the following command does not work:
Get-ADUser -Filter * -SearchBase "OU=USERS,DC=*****,DC=*****"
Obviously, this does not return anything. I must specify a site:
Get-ADUser -Filter * -SearchBase "OU=USERS,OU=MySite,DC=*****,DC=*****"
Is it possible to search through every site OU looking for the sub USERS OU?
You could use another cmdlet to get the OUs you are looking for.
$ous = Get-ADOrganizationalUnit -Filter "Name -eq 'Users'"
$ous | ForEach-Object {
    Get-ADUser -Filter * -SearchBase $_.DistinguishedName
}
Get-ADOrganizationalUnit will get all the USERS OUs for you; then you can run Get-ADUser against each of those.
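The answer above and the earlier "Combining PowerShell Commands" answer use the same two-step pattern (find OUs, then query users per OU). As an added example that is not code from either answer, the function below does both with server-side -Filter strings, selects OUs by name or by description, and optionally restricts the user search to the OU's direct children so users in sub-OUs are not counted twice. The function name, parameter names and the sample search bases are my own; filter values are assumed not to contain quote characters, and the ActiveDirectory module is assumed to be loaded.

```powershell
function Get-OUUserCount {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [string]$OUName,              # e.g. 'Users' (exact match on Name)
        [string]$DescriptionMatch,    # e.g. 'string' (exact match on Description)
        [switch]$EnabledOnly,
        [switch]$DirectChildrenOnly   # OneLevel instead of the default Subtree scope
    )
    # Assemble the OU filter from the criteria given; '*' when none were given.
    $clauses = @()
    if ($OUName)           { $clauses += "Name -eq '$OUName'" }
    if ($DescriptionMatch) { $clauses += "Description -eq '$DescriptionMatch'" }
    $ouFilter = if ($clauses) { $clauses -join ' -and ' } else { '*' }

    # Both filters are evaluated on the domain controller, not by Where-Object on the client.
    $userFilter = if ($EnabledOnly) { 'Enabled -eq $true' } else { '*' }
    $scope      = if ($DirectChildrenOnly) { 'OneLevel' } else { 'Subtree' }

    Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter $ouFilter -Properties Description |
        ForEach-Object {
            # @() forces an array so .Count is 0 or 1 rather than $null when few users match.
            $users = @(Get-ADUser -SearchBase $_.DistinguishedName -SearchScope $scope -Filter $userFilter)
            [pscustomobject]@{
                OU          = $_.DistinguishedName
                Description = $_.Description
                Scope       = $scope
                UserCount   = $users.Count
            }
        }
}

# Enabled users directly inside every OU named "Users", one row per site OU (constructed sample base):
Get-OUUserCount -SearchBase 'DC=domain,DC=com' -OUName 'Users' -EnabledOnly -DirectChildrenOnly

# The earlier question's goal: enabled users under OUs whose description is "string":
Get-OUUserCount -SearchBase 'OU=OU,DC=domain,DC=com' -DescriptionMatch 'string' -EnabledOnly |
    Format-Table OU, UserCount -AutoSize
```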