I want to delete users from a group in Active Directory - powershell

I have created a custom PowerShell activity to delete users from a group in A.D.
In the execution command I have given the code like,
Remove-ADGroupMember -Identity "Cab-Approval" -Members Williams,James.Anderson,Jaffer.Hamzad
So, when I clicked on Test Inputs it is giving an error like,
(screenshot of the error message, not reproduced)
So what is this error, and how to overcome this? Can someone help me here?
Regards,
Vijay

Welcome to Stack Overflow! Be sure to read the FAQs on how to format your questions. Posting an image is discouraged as we're not able to easily digest it as opposed to pre-formatted code blocks. A link to the FAQ for asking is here
That said, it looks like from your error message that you're either running the script remotely or running it from a non-interactive shell. The reason you're receiving this error is because Remove-ADGroupMember prompts you for an Are you sure? response.
You can do the following to mitigate this:
Remove-ADGroupMember -Identity "Cab-Approval" -Members Williams,James.Anderson,Jaffer.Hamzad -Force
The -Force switch will ignore the prompts.
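An unattended removal for the group in the question, as an added example that is not part of the original answer. It suppresses the confirmation prompt with `-Confirm:$false` (the common ShouldProcess switch), checks that each name is a direct member first, and returns one result object per member; the function name is hypothetical and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Remove-GroupMembersUnattended {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string[]] $Members
    )

    # Direct members keyed by sAMAccountName (PowerShell hashtables are case-insensitive).
    $current = @{}
    Get-ADGroupMember -Identity $Group -ErrorAction Stop |
        ForEach-Object { $current[$_.SamAccountName] = $_ }

    foreach ($name in $Members) {
        if (-not $current.ContainsKey($name)) {
            Write-Warning "$name is not a direct member of $Group; skipped."
            continue
        }
        # Honors -WhatIf so the change can be previewed before it is made.
        if ($PSCmdlet.ShouldProcess($Group, "Remove member $name")) {
            try {
                # -Confirm:$false answers the "Are you sure?" prompt that a
                # non-interactive host cannot display.
                Remove-ADGroupMember -Identity $Group -Members $current[$name] `
                    -Confirm:$false -ErrorAction Stop
                [pscustomobject]@{ Group = $Group; Member = $name; Removed = $true;  Error = $null }
            } catch {
                [pscustomobject]@{ Group = $Group; Member = $name; Removed = $false; Error = $_.Exception.Message }
            }
        }
    }
}

# Preview first, then run again without -WhatIf.
Remove-GroupMembersUnattended -Group 'Cab-Approval' `
    -Members 'Williams', 'James.Anderson', 'Jaffer.Hamzad' -WhatIf
```

The returned objects can be written to a log so every group change made by the automation is recorded.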

Related

Setting a mail forward in Exchange Powershell

I want to be able to set an email forward in Exchange Powershell O365
I'm trying
Set-Mailbox -Identity emailaddress -DeliverToMailboxAndForward $true -ForwardingSMTPAddress forwardingaddress
but getting
A parameter cannot be found that matches parameter name
'DeliverToMailboxAndForward'.
Do I need to load a snap-in? I can't find any help about this.
You forgot your $'s my friend
Set-Mailbox -Identity $emailaddress -DeliverToMailboxAndForward $true -ForwardingSMTPAddress $forwardingaddress
Also, something to look out for when using an Exchange Online PSSession (and maybe a regular Exchange PSSession) is that it uses the JEA functionality of PowerShell. JEA is Just Enough Administration; it actually looks at what roles the account used to connect to the PowerShell session has, and it ONLY gives you the commands that account has the roles to do. I'm not sure if it goes to the level of removing parameters from functions you only have partial access to do. For the missing cmdlet part, though, I ran into this while beating my head against the wall writing a batch migration utility; come to find out, SysAdmin never gave me the permission to do batch migration. As soon as they gave me the permission and I imported the PSSession again, BAM, the cmdlet was there.
Hope that helps.
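A way to see what the imported session actually exposes before calling Set-Mailbox, as an added example that is not part of the original answer. The helper name `Test-SessionParameter` is hypothetical, both addresses are constructed placeholders, and an Exchange or Exchange Online session is assumed to be imported already.

```powershell
# Added example, not from the original post. Assumes an Exchange remote
# session has already been imported into the current PowerShell session.
function Test-SessionParameter {
    param(
        [Parameter(Mandatory)] [string] $Cmdlet,
        [Parameter(Mandatory)] [string] $Parameter
    )
    # The imported session only contains the commands the account may run.
    $cmd = Get-Command -Name $Cmdlet -ErrorAction SilentlyContinue |
        Select-Object -First 1
    [pscustomobject]@{
        Cmdlet           = $Cmdlet
        Parameter        = $Parameter
        CmdletPresent    = [bool]$cmd
        ParameterPresent = [bool]($cmd -and $cmd.Parameters.ContainsKey($Parameter))
    }
}

$mailbox   = 'user@example.com'      # constructed placeholder
$forwardTo = 'forward@example.com'   # constructed placeholder

$needed  = 'DeliverToMailboxAndForward', 'ForwardingSmtpAddress'
$checks  = foreach ($p in $needed) {
    Test-SessionParameter -Cmdlet 'Set-Mailbox' -Parameter $p
}
$missing = $checks | Where-Object { -not $_.ParameterPresent }

if ($missing) {
    $missing | Format-Table -AutoSize
    Write-Warning ('Set-Mailbox in this session lacks the parameters listed above. ' +
        'Check the roles assigned to the connecting account, then re-import the session.')
} else {
    Set-Mailbox -Identity $mailbox -DeliverToMailboxAndForward $true `
        -ForwardingSmtpAddress $forwardTo
    # Read the setting back so the change is confirmed.
    Get-Mailbox -Identity $mailbox |
        Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
}
```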

Powershell: Unable to use the -Recursive switch for AD group membership

I have (what I think is) an odd problem.
I have two domain admin accounts and one domain controller (for the purpose of this question). Here is the scenario:
Admin1 RDPs to dc01 and runs the Powershell command (see command below), and it succeeds
Admin2 RDPs to dc01 and runs the Powershell command (see command below), and it fails (see error below).
In both cases, we are entering the credentials of admin1 when prompted by Get-Credential
Command:
Get-ADGroupMember administrators -Credential (Get-Credential) -Server dc01 -Recursive
Error:
Get-ADGroupMember : There is no such object on the server
If I remove the -Recursive parameter, then the command works for both admins (again, using the credentials of admin1). If I open ADUC as admin1, then look at the members of Administrators, I can see all members, opening sub-groups without issue.
What in the world is going on? Thanks.
Well, looks like it was a permissions issue. I added the service account to Enterprise Admins and the failure stopped. I have no idea which object is causing the failure.
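To find which object a recursive lookup cannot read, the nesting can be walked one member at a time, recording any member that fails to resolve. This is an added example, not part of the original post; the function name `Get-GroupMemberTree` is hypothetical, and the group and server names are the ones used in the question.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-GroupMemberTree {
    param(
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $Server,
        [pscredential] $Credential
    )
    $common = @{ Server = $Server; ErrorAction = 'Stop' }
    if ($Credential) { $common.Credential = $Credential }

    $visited = @{}                          # group DNs already expanded
    $queue   = New-Object System.Collections.Queue
    $queue.Enqueue((Get-ADGroup -Identity $Group @common).DistinguishedName)

    while ($queue.Count -gt 0) {
        $groupDn = $queue.Dequeue()
        if ($visited.ContainsKey($groupDn)) { continue }   # guards against nesting loops
        $visited[$groupDn] = $true

        # The 'member' attribute lists direct members only (not primary-group members).
        $members = (Get-ADGroup -Identity $groupDn -Properties member @common).member
        foreach ($dn in $members) {
            try {
                $obj = Get-ADObject -Identity $dn @common
                if ($obj.ObjectClass -eq 'group') { $queue.Enqueue($dn) }
                [pscustomobject]@{ Parent = $groupDn; Member = $dn; Class = $obj.ObjectClass; Error = $null }
            } catch {
                # A member that cannot be read with these credentials on this
                # server is reported instead of aborting the whole enumeration.
                [pscustomobject]@{ Parent = $groupDn; Member = $dn; Class = $null; Error = $_.Exception.Message }
            }
        }
    }
}

# Show only the members that could not be resolved.
Get-GroupMemberTree -Group 'Administrators' -Server 'dc01' -Credential (Get-Credential) |
    Where-Object { $_.Error } |
    Format-List Parent, Member, Error
```

Knowing the exact object lets read access be granted on that object alone rather than by adding the account to a broad group.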

Using Read-Host to output information from a script

I am trying to run a script against Exchange to bring back all of the mailboxes a certain user has access to. I want to be able to input the user's username using Read-Host. I currently have this:
$username = Read-Host("Please enter users username")
#Enable Exchange cmdlets
add-pssnapin *exchange* -erroraction SilentlyContinue
Get-MailBox | Get-MailboxPermission -User $username | FL > C:\MailboxPermissions.txt
However, when I run this via PowerShell, it asks for the username, looks like it is starting to run the script, then PowerShell just exits and there is no data outputted.
Any help would be greatly appreciated
Thanks for all the help
I finally figured it out and there were a couple of issues. It was to do with the result size. I added -resultsize unlimited:
$username = Read-Host("Please enter users username")
add-pssnapin *exchange* -erroraction SilentlyContinue
Get-MailBox -resultsize unlimited | Get-MailboxPermission -User $username | FL > C:\MailboxPermissions.txt
It would also not work by running the .ps1 file as this was not run by admin, and it needs admin permissions to output to the location I want. Once I created a shortcut for it to run via the powershell.exe with admin credentials it is now working as expected.
The problem is that you are only outputting to the screen.
This means that when you run your script it will carry out the required action, print to screen and close the window immediately. In turn, this means you can't see the output.
As @DarkLite1 mentioned, you could output to a file.
Or, you could simply allow the console to wait before closing. This is done like this at the end of your code:
Write-Host "Press any key to continue ..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")
You may also need a Write-Host on the last action in your code snippet, I'm not entirely sure as I am not familiar with how Get-Mailbox works, but try it without first.
To summarize, you must keep the window open or print the results to file to actually see anything. The code you have currently will complete so fast you will never see any output.

Windows Server 2012 - Set-ADUser TsProfilePath not found / How to set?

I would like to set the TsProfilePath and the TsHomeDrive.
How can I do that with PowerShell?
In the attribute editor of Active Directory there is no attribute for that.
With Google I found out that I have to use Set-QAdUser.... But command not found!
Thanks in advance for ideas!
Get-ADUser MyTestUser | Set-ADUser -TsProfilePath "\\srv\profiles$\<username>"
That's my example but it's not working :(
I also tried Get-QADUser and Set-QADUser but the commands are unknown.
I mean the remote desktop attributes! Not the normal ProfilePath. That's too easy :D
The QAD cmdlets can be found on Quest's website
If you need a pure generic PowerShell answer, I found the following article that explains the process but it doesn't seem too easy: How Can I Edit Terminal Server Profiles for Users in Active Directory?
EDIT: Okay, I got curious so I gave it a try myself and it wasn't that hard actually:
Get-ADUser MyTestUser | ForEach-Object {
$User = [ADSI]"LDAP://$($_.DistinguishedName)"
$User.psbase.invokeset("TerminalServicesProfilePath","\\Server\Share\HomeDir\Profile")
$User.psbase.invokeset("TerminalServicesHomeDrive","H:")
$User.psbase.invokeset("TerminalServicesHomeDirectory","\\Server\Share\HomeDir")
$User.setinfo
}
Quick edit. The last statement $User.setinfo should be $User.setinfo(). Otherwise, you get the OverloadDefinitions statement.

Set-MailboxFolderPermission does not do what it should do

I'm currently working on a script to change some Mailboxfolderpermissions in Exchange 2010.
The basic functions work, I can read out the current permission-status and I can set permissions, but the cmdlet Set-Mailboxfolderpermission does not correctly set the permissions.
For example:
Set-MailboxFolderPermission -Identity Owner:\Calendar -User TargetUser -AccessRights Contributor
This results in a custom named setting, where nothing changed in relation to the previous setting.
Same thing when I substitute Contributor with the explicit permissions FolderVisible, CreateItems.
Update:
I just tried to use the cmdlet from the shell and there it works.
To test whether the internal output is right, I printed the permissions on the shell and everything was fine.
Right now I'm wondering even more.
What is the point here? Is it a bug, or am I too frustrated to see the right way out of my problem?
I use the below - just be certain to use the UPN & Set permission - Set doesn't always work - You could just first remove the current & then add a different permission:
Remove-MailboxFolderPermission -identity "Owner@something.com:\calendar" -User targetUser@something.com
Add-MailboxFolderPermission -identity "Owner@something.com:\calendar" -User targetUser@something.com -AccessRights owner