Purging deleted external user from AzureAD / Office 365 fails with UserNotFoundException - powershell

I am trying to purge a deleted user from Office 365 / AzureAD. The way to do this seems to be Remove-MsolUser with the -RemoveFromRecycleBin flag.
I can retrieve the user with
Get-MsolUser -All -ReturnDeletedUsers | ? {$_.userPrincipalName -eq $USERNAME}
When I try to remove it with
Remove-MsolUser -UserPrincipalName $USERNAME -RemoveFromRecycleBin
I get
Remove-MsolUser : User Not Found in the Microsoft Online directory Deleted Users container. User:
xxxxxx#EXT##yyyyyyyyy.
In Zeile:1 Zeichen:1
+ Remove-MsolUser -UserPrincipalName $USERNAME -RemoveFromRecycleBin
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Remove-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UserNotFoundException,Microsoft.Online.Admini
stration.Automation.RemoveUser
https://support.microsoft.com/en-us/help/3019157/remove-msoluser-user-not-found-error-when-you-try-to-remove-a-user-fro states
This problem occurs if the user who is performing the action is not a global admin.
However my using is global admin.

In this case it would be better to pipe the output of Get-MsolUser -All -ReturnDeletedUsers | ? {$_.userPrincipalName -eq $USERNAME} directly to the Remove-MsolUser.
That way, the ObjectID property is used instead of the UserPrincipalName which looks to have been changed (#EXT#) once added to the Recycle bin.
The ObjectID (a guid) however is not changed and uniquely identifies the user object.
Try:
Get-MsolUser -All -ReturnDeletedUsers | ? {$_.userPrincipalName -eq $USERNAME} |
Remove-MsolUser -RemoveFromRecycleBin
Or:
$exUser = Get-MsolUser -All -ReturnDeletedUsers | ? {$_.userPrincipalName -eq $USERNAME}
Remove-MsolUser -ObjectId $exUser.ObjectID -RemoveFromRecycleBin

If you have to use the older MSOnline V1 PowerShell module for Azure Active Directory, you need to delete the guest user from the recycle bin with setting the username as the real email address of the guest user.
For example, if the guest user is aaa#outlook.com. It will be listed as aaa_outlook.com#EXT##***.onmicrosoft.com with Get-MsolUser. But you need set $USERNAME = "aaa#outlook.com" instead of "aaa_outlook.com#EXT##***.onmicrosoft.com".
Then you will be able to delete it from the recycle bin.

Related

Get-ADUser -Identity

Unable to pass a variable to the Identity parameter in Powershell.
$username = "John.Doe"
Get-ADUser -Identity "$username"
Get-ADUser : Cannot find an object with identity: 'John.Doe' under: 'DC=contoso,DC=com'.
At line:1 char:1
+ Get-ADUser -Identity "$username"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (John.Doe:ADUser) [Get-ADUser], ADIdentityNotFoundException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,M
icrosoft.ActiveDirectory.Management.Commands.GetADUser
If I just put Get-ADUser -Identity "John.Doe" the results come back just fine.
The -Identity parameter accepts the following:
A distinguished name
A GUID (objectGUID)
A security identifier (objectSid)
A SAM account name (sAMAccountName)
If you want to search based on another attribute, then you need to use the -Filter switch. For example, to find user based on UserPrincipalName, you can do the following:
Get-ADUser -Filter "UserPrincipalName -eq 'John.Doe#contoso.com'"
See Get-ADUser for more details.
I know it is old question but It might be the answer. It might help some one down the line.
I came across the same issue and it stumped me 1 hour. Finally I used $username = $username.trim() . So obviously the variable has space which need to be trimmed.

Powershell setting Mailnickname attribute

I have a bit of powershell code that after a user has been created the code assigns the account loads of attributes using Quest/AD. All the attributes assign except Mailnickname. Is there a reason for this / how can I fix it. Below is my code:
get-qaduser $xy | Add-QADProxyAddress -Address ("SMTP:"+$x) -verbose
get-qaduser $xy | Add-QADProxyAddress -Address ("SMTP:"+$xy+"#domainexample.mail.onmicrosoft.com") -verbose
get-qaduser $xy | Set-QADUser -ObjectAttributes #{msExchVersion="44210883383015"} -verbose
Set-QADUser -identity $xy -ObjectAttributes #{mailnickname = $xy}
Would anyone have any suggestions of what to / how to go about setting this.
Thanks in advance.
Steve
Do you have to use Quest? This works in PS v3 natively:
Get-ADUser $xy | Set-ADUser -Add #{mailNickname=$xy}
Or:
Get-ADUser $xy | Set-ADUser -Replace #{mailNickname=$xy}
Responding to your question below:
I assume you mean PowerShell v1. I haven't used PS v1. Are you starting your script with Import-Module ActiveDirectory? If not, you should post that at the top of your line. For Quest around here the script always starts with Import-Module ActiveDirectory and the next line is Add-PSSnapIn Quest.ActiveRoles.ADManagement. This would work in PS v2:
Import-Module ActiveDirectory
Add-PSSnapIn Quest.ActiveRoles.ADManagement
#This line lets you just type the user you want to modify
$XY = Read-Host "Input User ID"
#This is your code you said works
get-qaduser $xy | Add-QADProxyAddress -Address ("SMTP:"+$x) -verbose
get-qaduser $xy | Add-QADProxyAddress -Address ("SMTP:"+$xy+"#domainexample.mail.onmicrosoft.com") -verbose
get-qaduser $xy | Set-QADUser -ObjectAttributes #{msExchVersion="44210883383015"} -verbose
#This should add the mailNickname property through standard PS
Get-ADUser $XY | Set-ADUser -Add #{mailNickname = $XY}
See if that does what you need and get back to me. Remember: in this example you're declaring the variable $XY to be whatever the user inputs when running the script.
The likely reason you're seeing this is because of the ARS 'Built-in Policy - Default E-mail Alias' Policy. You can verify that this is the case by checking the change history for the user object(s) you're trying to create/modify.
You'll see Property 'Alias (mailNickName)' is removed from the operation request as no Exchange tasks were requested.
Try setting the targetAddress attribute at the same time to avoid being dropped by this policy.

Errors when using Set-ADUser and Add-ADGroupMember in child domains (across forest)

I've built a script that is supposed to query for users across the forest and do a few things:
Set ExtensionAttribute2
Add the user to a domain-specific group in their own domain
Add the user to a group in the root domain
When I run this against a GC in the root domain of the forest, users in the root domain are processed just fine. Users in child domains process step #3 just file, but steps #1 and #2 cause errors.
Edit for clarification: These commands are being run against a 2012 domain controller in the root forest that is also a global catalog server. I'm running these commands as an Enterprise Admin with access to all child domains. Using these same credentials and the same server I can make all of these edits manually using Active Directory Users and Computers.
Here is the script that I've created:
$csvpath = ".\users.csv"
$groupcbr = Get-ADGroup "CN=test group,OU=Test OU,DC=contoso,DC=com"
Import-CSV -Path $csvpath | Foreach-Object {
$userprincipalname = $_.userprincipalname
$activationkey = $_.activationkey
Get-ADUser -Filter {userprincipalname -like $userprincipalname} -SearchBase "DC=contoso,DC=com" -Server "ROOTGC.contoso.com:3268" | Foreach-Object {
$dn = $_.DistinguishedName
#Set default as root domain
$domain = "contoso"
$domainserver = "ROOTGC.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Test Group Users"
If ($dn -like "*DC=childdomain1*") {
$domain = "childdomain1"
$domainserver = "childgc1.childdomain1.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Test Group Users" -Server "ROOTGC.contoso.com:3268"
}
If ($dn -like "*DC=childdomain2*") {
$domain = "childdomain2"
$domainserver = "childgc2.childdomain2.contoso.com"
$groupscript = Get-ADGroup -Identity "$domain Office 365 Users" -Server "ROOTGC.contoso.com:3268"
}
Write-Host "$domain | $userprincipalname [$($_.SamAccountName)] will get $activationkey added, and put into groups: $groupscript | [$dn]"
#Set ExtensionAttribute2
SET-ADUSER -Identity $dn -replace #{ExtensionAttribute2="$activationkey"}
#Add the user to their own domain-based group
Add-ADGroupMember -Identity $groupscript -Members $_
#Add the user to the root domain's universal group
Add-ADGroupMember -Identity $groupcbr -Members $_
}
}
Again, the users in the root domain process just fine. The users in the child domains hit errors on #1 (set the extensionattribute2) and #2 (add the their local domain group).
Here are the errors:
Setting ExtensionAttribute2:
SET-ADUSER : A referral was returned from the server
At C:\***\Untitled1.ps1:52 char:3
+ SET-ADUSER -Identity $dn -replace #{ExtensionAttribute2="$activationkey"}
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (CN=User1...contoso,DC=com:ADUser) [Set-ADUser], ADReferralException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8235,Microsoft.ActiveDirectory.Management.Commands.SetADUser
Adding to the local domain group:
Add-ADGroupMember : The server is unwilling to process the request
At C:\***\Untitled1.ps1:53 char:3
+ Add-ADGroupMember -Identity $groupscript -Members $_
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=ChildDomain1 Tes...contoso,DC=com:ADGroup) [Add-ADGroupMember], ADInvalidOperationException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8245,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
I've searched all over the place but haven't found any way to figure this out yet. I've tried the following (and more):
Added -Server "ROOTGC.contoso.com:3268" to each command to see if that helped, but all it did was break those commands for everyone (including the root users who were working already).
Tried to add the individual domain servers for each domain to the end of the command (as per the variable that I populated: $domainserver), but all of the child domain DC's are Windows 2003; the servers don't accept the connection.
Moved pieces of code around to various places (making it less efficient, but what the heck - I'm trying anything).
What am I missing? Help me please!! I had to go through my CSV file manually and set what needed to be set because it had to get done tonight, but I'm going to be processing thousands of users in the next 2 weeks.
The server you run this against must have a copy of the global catalog, otherwise it won't be able to resolve the referrals. Or you must run the command against a DC of the target domain. Also, your user must have Enterprise Admin privileges in order to be able to create/modify/delete objects in other domains of the forest (or appropriate delegations must be made in the target domains).
Another problem is that the shiny AD cmdlets won't work without the Active Directory Web Service, which isn't available prior to Windows Server 2008 R2, running on all involved DCs. You can work around that by handling the foreign security principals and directory objects yourself, though:
$fsp = New-Object Security.Principal.NTAccount('DOM1', 'username')
$sid = $fsp.Translate([Security.Principal.SecurityIdentifier]).Value
$dn = Get-ADGroup -Identity 'groupname' | select -Expand distinguishedName
$group = New-Object DirectoryServices.DirectoryEntry("LDAP://$dn")
[void]$group.member.Add("<SID=$sid>")
$group.CommitChanges()
$group.Close()
With that said: you do realize that Windows Server 2003 will reach end-of-life the day after tomorrow, don't you? Why are your DCs still running that antique version?

Display groups a user belongs to by searching their email address - Quest Powershell Active Roles Management Shell

This is the command I'm using currently:
$user = Get-QADUser -email user#domain.com -enabled ; $user.memberOf |
Get-QADGroup | findstr Green
"Green" is just an identifying marker on group names.
Sometimes this command works just fine. It displays to me, based on the email address input, all groups that match "Green" that the user belongs to.
Sometimes, however, it does not... and I get this:
Get-QADGroup : Cannot validate argument on parameter 'Identity'. The
argument is null or empty. Supply an argument that is not null or
empty and then try the command again. At line:1 char:97
+ $user = Get-QADUser -email user#domain.com -enabled ; $user.memberOf | Get-QADGroup <<<< | findstr Green
+ CategoryInfo : InvalidData: (:) [Get-QADGroup], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Quest.ActiveRoles.ArsPowerShellSnapIn.Powershell.Cmdlet
s.GetGroupCmdlet
I've been googling and trying modifications of and variations on this for weeks on and off, and no luck. I'm hoping someone can explain the inconsistent behavior and provide a better or just more consistently working command.
Give this a try:
Get-QADMemberOf -Identity user#domain.com -Name Green

Exchange Powershell - Check if a user is in a specific mailbox database

I am trying to writing a script to move a user to a new database and then export their mailbox to pst, but I need to verify if the user is in the correct database to begin with from a user input.
I am trying a command like:Get-Mailbox -Database "Archive Mailbox Database" -Identity Fbloggs
Then I would error trap if the user is not found. This line does not work however with error:
Parameter set cannot be resolved using the specified named parameters.
+ CategoryInfo : InvalidArgument: (:) [Get-Mailbox], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Get-Mailbox
Many thanks for any help.
NA
Try with the Filter parameter (you can also use Name instead of Alias):
Get-Mailbox -Database "Archive Mailbox Database" -Filter {Alias -eq 'Fbloggs'}
Or the other way around:
(Get-Mailbox -Identity Fbloggs).Database.Name
Or
Get-Mailbox -Database "Archive Mailbox Database" | Where-Object {$_.Name -eq 'Fbloggs'}