Good Afternoon
I am trying to create a PS script which pulls all users not in a certain Security group. I have managed to get this to work fine. However i require it to omit certain OU's as i don't want certain accounts included in this process like terminated users and support accounts for examples.
So i created the below to do this but it seems to fail. Its where i have tried to add some filtering. Can someone help put this in the right direction?
import-Module activedirectory
$results = #()
$users = Get-ADUser -Properties memberof -Filter {enabled -eq $true} | ? {$_.DistinguishedName -notlike "*,OU=Exchange,OU=Support Accounts,OU=Terminated Users and Computers do not use,OU=TerminatedEmployeesContractors,OU=TestAccounts*"} *
$ExportPath = 'c:\app\users_in_ou1.csv'
foreach ($user in $users) {
$groups = $user.memberof -join ';'
$results += New-Object psObject -Property #{'User'=$user.name;'Groups'= $groups}
}
$results | Where-Object { $_.groups -notmatch 'SG_XXXXXXXXXXX' } | Select-Object user | export-csv $ExportPath
Thanks
I would build a regex from all OUs that should be excluded from the search by joining the strings with the regex 'OR' character (|) and use the -notmatch operator.
Because there may be characters in these strings that have special meaning in regex, use [Regex]::Escape() on each before joining them.
Something like below:
Import-Module ActiveDirectory
# create a regex from an array of OUs to exclude by 'OR-ing' them with the pipe character
$excludeOUs = ('OU=Exchange','OU=Support Accounts','OU=Terminated Users and Computers do not use',
'OU=TerminatedEmployeesContractors','OU=TestAccounts' | ForEach-Object {[Regex]::Escape($_)}) -join '|'
$ExportPath = 'c:\app\users_in_ou1.csv'
# get a list of objects not having any of the excluded OUs in their DistinguishedName
# and at the same time output objects with properties 'User' and 'Groups'
$users = Get-ADUser -Properties Name, MemberOf -Filter 'Enabled -eq $true' |
Where-Object {$_.DistinguishedName -notmatch $excludeOUs} |
Select-Object #{Name = 'User'; Expression = {$_.Name}},
#{Name = 'Groups'; Expression = {($_.MemberOf -join ';')}}
# next filter this out further by excluding a certain group and export to Csv
$users | Where-Object { $_.Groups -notmatch 'SG_XXXXXXXXXXX' } | Export-Csv $ExportPath -NoTypeInformation
Related
I am trying to grab the host file entries of servers in mulptiple OUs here to show the host file entries and server names
$OUpath =
'OU=Sales,OU=Servers,OU=_Production,OU=Upgraded,DC=fabrikam,DC=local'
'OU=DCHR,OU=Servers,OU=_Production,OU=Upgraded,DC=fabrikam,DC=local'
'OU=Finance,OU=Servers,OU=Test,OU=Upgraded,DC=fabrikam,DC=local'
$ExportPath = 'c:\servers.csv'
$OUpath | Foreach {
Get-ADComputer -Filter * -SearchBase $OUpath} | Select-object DistinguishedName,DNSHostName,Name,Description | Export-Csv -NoType $ExportPath
Part A up ran fine...How can i get the entries of the results. I am tending towards content but hope to have it all in one script. Any help would be nice.
An alternative to #FoxDeploy's helpful answer, here is how you can do the same using the pipelines with ForEach-Object.
Note that Description is not a default property for Get-ADComputer you will need to add -Properties Description to see it's value.
Another point to consider, by default, if you don't specify the -SearchScope, Get-ADComputer will perform a SubTree search, meaning that it will bring all computers of the specified OU and all computers on all the OUs contained in the Base OU. If you just want to bring the computers in the OU without going down in recursion, you should add -SearchScope OneLevel.
#(
'OU=Sales,OU=Servers,OU=_Production,OU=Upgraded,DC=fabrikam,DC=local'
'OU=DCHR,OU=Servers,OU=_Production,OU=Upgraded,DC=fabrikam,DC=local'
'OU=Finance,OU=Servers,OU=Test,OU=Upgraded,DC=fabrikam,DC=local'
) | ForEach-Object {
Get-ADComputer -Filter * -SearchBase $_ -Properties Description
} | Select-Object DistinguishedName,DNSHostName,Name,Description |
Export-Csv 'c:\servers.csv' -NoTypeInformation
I think the primary issues were the array getting declared incorrectly, and incorrect syntax for the ForEach-Object cmdlet
$OUpath = #(
'OU=Sales,OU=Servers,OU=_Production,OU=Upgraded,DC=fabrikam,DC=local'
'OU=DCHR,OU=Servers,OU=_Production,OU=Upgraded,DC=fabrikam,DC=local'
'OU=Finance,OU=Servers,OU=Test,OU=Upgraded,DC=fabrikam,DC=local'
)
$ExportPath = 'c:\servers.csv'
$OUpath |
ForEach-Object {
Get-ADComputer -Filter * -SearchBase $_ -Properties Description
} |
Select-Object DistinguishedName, DNSHostName, Name, Description |
Export-Csv $ExportPath -NoTypeInformation
You have to use $_ in this context where you were using $OUpath previously. Select-Object can take the the piped output from the ForEach-Object loop rather than being in the loop, which should be more efficient. Likewise for Export-Csv.
As implied by FoxDeply's very good answer that might signal an attempt to use A ForEach(...) loop construct instead of ForEach-Object. But if we are going that route I think it's slightly better to let PowerShell populate the array for us.
$OUpath = #(
'OU=Sales,OU=Servers,OU=_Production,OU=Upgraded,DC=fabrikam,DC=local'
'OU=DCHR,OU=Servers,OU=_Production,OU=Upgraded,DC=fabrikam,DC=local'
'OU=Finance,OU=Servers,OU=Test,OU=Upgraded,DC=fabrikam,DC=local'
)
$Servers =
ForEach( $Path in $OUpath )
{
Get-ADComputer -Filter * -SearchBase $path -Properties Description |
Select-Object DistinguishedName, DNSHostName, Name, Description
}
$Servers | Export-Csv $ExportPath -NoTypeInformation
Alternatively you could skip the Select-Object inside the loop and add $Servers = $Servers | Select-Object ... right after the loop. Although the difference is probably negligible.
With some minor restructuring, this should get you past your issue
$OUpath = (
'OU=Sales,OU=Servers,OU=_Production,OU=Upgraded,DC=fabrikam,DC=local',
'OU=DCHR,OU=Servers,OU=_Production,OU=Upgraded,DC=fabrikam,DC=local',
'OU=Finance,OU=Servers,OU=Test,OU=Upgraded,DC=fabrikam,DC=local')
$ExportPath = 'c:\servers.csv'
$servers = new-object System.Collections.ArrayList
ForEach($path in $OUpath){
$ouServers = Get-ADComputer -Filter * -SearchBase $path | Select-object DistinguishedName,DNSHostName,Name,Description
$servers.AddRange($ouServers) | Out-Null
}
"found $($servers.Count) servers!"
$servers | export-csv $exportPath
I made the list of OU Paths a PowerShell array, then iterate through them using the standalone ForEach loop. Then commit the items to a variable that will persist ($servers) and output the CSV.
How could I get a List of Members on multible AD Groups with more than 5000 Users
Example:
Group1 = includes 6000 Members and Group2
Group2 = includes 7000 Members
the result of the get-adgroupmember of Group1 should 13000
how can I do that? Here I have the Problem, that it will not look in sub groups recursive will not work with get-adgroup
$group = "group1"
$ADInfo = Get-ADGroup -Identity $Group -Properties Members
$outputfile = $group
$ADInfo.Members | get-aduser | Select name, enabled, UserPrincipalName, SamAccountName
#$ADInfo.Members | get-aduser | Select name, enabled, UserPrincipalName, SamAccountName | Export-Csv c:\temp\$outputfile-member.csv -Delimiter "," -NoTypeInformation
# to show output
$members = #()
$members = $ADInfo.members
$members.count
With groups that large, it will be slow, but this should do what you want:
$groups = 'group1', 'group2' # array of group names
foreach ($group in $groups) {
Write-Host "Working on group '$group'"
$result = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
Get-ADUser -Identity $_.distinguishedName | Select-Object Name, Enabled, UserPrincipalName, SamAccountName
}
# show result on screen
$result | Format-Table -AutoSize
# write to export file
$result | Export-Csv -Path "c:\temp\$group-members.csv" -NoTypeInformation
}
Hope that helps
The easiest solution would be to adjust the MaxGroupOrMemberEntries parameter in ADWS on the DC you are targeting. You can see information on ADWS defaults here.
You could do something like the following, which is potentially convoluted:
function Get-ADGroupMembers
{
param ($groupname)
Get-ADGroupMember $groupname | where ObjectClass -eq 'Group' | ForEach-Object {
$_.Name
Get-ADGroupMembers $_.Name
}
}
$maingroup = 'group1'
$subgroups = Get-ADGroupMembers $maingroup
$allGroups = #($maingroup)+#($subgroups)
$regexEscapes = $allGroups |% { [regex]::Escape($_) }
$filter = "CN=({0})" -f ($regexEscapes -join "|")
$output = foreach ($group in $allGroups) {
Get-AdGroup $group -Properties Members | Select #{n='Members';e={$_.Members -notmatch $filter}}
}
$output.Members
Explanation:
The function will list the Name property value for each recursively discovered member group.
Since the -notmatch regex operator is used in filtering, a regex match string needs to be constructed. There could be multiple groups so the | (regex OR) character needs to be used.
The [regex]::Escape method escapes all backslashes and other special regex characters that may appear in the name strings.
$output is an array of PSCustomObjects that contain the Members property. The Members property contains the DN of all members that are users.
Non-PowerShell commands may be better suited for this particular case if the ADWS default limits are not modified.
I am able to export to users that are not members of particular groups such as IT_Group like below. But, this script gives me all membership of users within memberof column in csv output. If they are members of any groups that matches "IT" they should be displayed within memberof column in csv output like below.
Also , If user is not member to any group that is beginning with IT_ then it will write "any IT group is not member" keyword within memberof column in csv output.
There are 3 security groups such as IT_Group,IT_Group1,IT_Group2
I have tried so far :
Get-ADUser -Filter {(emailaddress -like "*#contoso.com" -and Enabled -eq $false -and sAMAccountName -like "TEST*") -or (emailaddress -like "*#contoso.com" -and Enabled -eq $false -and sAMAccountName -like "PROD*")} -SearchBase "OU=USERS,DC=contoso,DC=com" -SearchScope Subtree -Properties * | Where { [string]$_.memberof -notmatch 'IT_Group'} | Select-Object name , samaccountname ,#{Name="MemberOf";Expression={($_.MemberOf | %{(Get-ADGroup $_).sAMAccountName}) -Join ";"}} |Export-CSV -Path "C:\tmp\output.csv" -NoTypeInformation -Encoding UTF8
My Desired output :
name,samaccountname,memberof
User01,TEST1,IT_Test
User02,PROD1,IT_Prod
User03,TEST4,any IT group is not member
The -Filter should not be written as script block ({..}), but as a normal string.
This should do what you are after:
$filter = "(Enabled -eq 'False' -and EmailAddress -like '*#contoso.com') -and (SamAccountName -like 'TEST*' -or SamAccountName -like 'PROD*')"
Get-ADUser -Filter $filter -SearchBase "OU=USERS,DC=contoso,DC=com" -SearchScope Subtree -Properties EmailAddress, MemberOf | ForEach-Object {
if ($_.MemberOf -match 'CN=IT_(Test|Prod)') {
# the user is a member of any IT_Group, get the names of all groups for this user
$groups = foreach ($grp in $_.MemberOf) { (Get-ADGroup -Identity $grp).Name }
$_ | Select-Object Name, SamAccountName, #{Name = 'MemberOf'; Expression = {$groups -join ', '}}
}
else {
# the user is not a member of any IT_Group
$_ | Select-Object Name, SamAccountName, #{Name = 'MemberOf'; Expression = {'Not a member of any IT_Group'}}
}
} | Export-CSV -Path "C:\tmp\output.csv" -NoTypeInformation -Encoding UTF8
Parsing the name of an object from the DistinghuishedName is tricky, because there can be special characters in there. That is why this code uses the Get-ADGroup cmdlet to get the group names.
If the SamAccountNames do not matter and you want to get ALL users in OU OU=USERS,DC=contoso,DC=com that are not Enabled AND have an EmailAddress ending in #contoso.com, than simply change the $filter variable to
$filter = "Enabled -eq 'False' -and EmailAddress -like '*#contoso.com'"
As per your latest comment, you would only want to list the groups IT_Test and/or IT_Prod for users that are member of any of these two groups, the code below should do that:
$filter = "(Enabled -eq 'False' -and EmailAddress -like '*#contoso.com') -and (SamAccountName -like 'TEST*' -or SamAccountName -like 'PROD*')"
Get-ADUser -Filter $filter -SearchBase "OU=USERS,DC=contoso,DC=com" -SearchScope Subtree -Properties EmailAddress, MemberOf | ForEach-Object {
$testgroups = $_.MemberOf | Where-Object { $_ -match 'CN=IT_(Test|Prod)'}
if ($testgroups) {
# the user is a member of group IT_Test and/or IT_Prod, get the names of these groups for this user
$groups = foreach ($grp in $testgroups) { (Get-ADGroup -Identity $grp).Name }
$_ | Select-Object Name, SamAccountName, #{Name = 'MemberOf'; Expression = {$groups -join ', '}}
}
else {
# the user is not a member of any IT_Group
$_ | Select-Object Name, SamAccountName, #{Name = 'MemberOf'; Expression = {'Not a member of any IT_Group'}}
}
} | Export-CSV -Path "C:\tmp\output.csv" -NoTypeInformation -Encoding UTF8
Hope that helps
This code get all users that have groups begining with "IT_" it's provided by $_.memberof -like 'CN=IT_*'.Then for each user getting his name,login and groups what beggins from"CN=IT_",format it with -replace and add it to csv file without rewrite.
$users=Get-ADUser -Filter {filter options} -Properties MemberOf| Where-Object { $_.memberof -like '*CN=IT_*'}
foreach ($user in $users){
$user|Select-Object name , samaccountname ,#{Name="MemberOf";Expression={((($_.MemberOf | Select-String -Pattern 'CN=IT_*')-replace "CN=")-replace ",.+$") -Join ";"}} |Export-CSV -Delimiter ';' -Path "D:\testdir\uss.csv" -NoTypeInformation -Encoding UTF8 -Append
}
Not sure if anyone can assist. I have a script which pulls from AD all users not part of a Security group. This script uses $excludeOUs to exclude OU's with accounts which don't need to be in this group. However when i run this it seems to generate a few accounts mainly Healthmailbox but the OU they sit in it seems to show them in the report. Is there some form of command that needs to be added to exclude these.
# create a regex from an array of OUs to exclude by 'OR-ing' them with the pipe character
$excludeOUs = ('OU=Exchange','OU=Support Accounts','OU=Terminated Users and Computers do not use',
'OU=TerminatedEmployeesContractors','OU=TestAccounts','OU=Contractors and Consultants',
'OU=MIS Users and Groups','OU=Service Accounts','OU=Security Groups','OU=Users',
'OU=Testing','OU=Microsoft Exchange System Objects','OU=Microsoft Exchange Security Groups',
'OU=CorpServiceAccounts','OU=Elevated','OU=***','OU=*** Assets','OU=Monitoring Mailboxes','OU=Users','OU=Q_Users','OU=Microsoft Exchange System Objects' | ForEach-Object {[Regex]::Escape($_)}) -join '|'
$ExportPath = 'c:\app\UsersNotinSG.csv'
# get a list of objects not having any of the excluded OUs in their DistinguishedName
# and at the same time output objects with properties 'User' and 'Groups'
$grp=(Get-ADGroup 'SG_********').DistinguishedName
Get-ADUser -Filter { -not (memberof -eq $grp) -and (enabled -eq $true) } -Properties MemberOf |
Where-Object {$_.DistinguishedName -notmatch $excludeOUs} |
Select-Object #{Name = 'User'; Expression = {$_.Name}},
#{name = "OU";expression={$_.DistinguishedName.split(',')[1].split('=')[1]}}|
Export-Csv $ExportPath -NoTypeInformation
Thanks
HealthMailboxes* are in CN=Monitoring Mailboxes rather than OU= – AdminOfThings
I've been trying to find analogs to this in the forums, but it's the logic that's tying me up - putting it all together.
I have an AD and I have a CSV of users that should be in a particular OU. I want to compare the users in the OU to the CSV, and users NOT in the CSV, I want to disable them and move them to a different OU.
I'm new to Powershell and having a bit of a rough time with this. What's getting me is the comparison and IF-Then logic...I just can't get the syntax right. I've tried a few options...this is what I have right now
Import-Module ActiveDirectory
$path = "f:\aDMGMT\"
$logpath = "f:\admgmt\logs\diable_ad_users.log"
$userfile = $path + "\files\ad_currentemployees.csv"
$location = "OU=Faculty,OU=People,DC=mydomain,DC=com"
$disabledou = "OU=disabledemployees,OU=Disabled,DC=mydomain,DC=com"
$AD_users = Get-ADUser -Filter * -SearchBase "OU=Faculty,OU=People,DC=mydomain,DC=com" | select -ExpandProperty SamAccountName
$sams = $userfile | Select-Object -ExpandProperty NameUnique #the
Compare-Object $AD_users $sams | Out-File $logpath
But the tags available are things like includeequal and excludedifferent...but not includedifferent...and how would I do it for only one side?
Help!
What you could do is pipe the results into a where clause using the SideIndicator to filter on.
Compare-Object $AD_users $sams |
Where-Object{$_.SideIndicator -eq "<="} |
Select-Object -expandproperty inputobject
Using the direction that you need, either "<=" or "=>", you would then pipe into a Select-Object to restore the input object that you were filtering on. That last part would be more important if your object was multidimensional.
I am going to try this with real data as this has only breifly tested but should work.
I re-thought my logic and came up with this. It works perfectly.
Import-Module ActiveDirectory -ErrorAction Stop
$path = "f:\aDMGMT\"
$date = Get-Date
$logdate = Get-Date -UFormat "%y%m%d"
$log = $path+"\logs\diable_ad_users_"+$logdate+".log"
$userfile = $path + "\files\ad_currentemployees.csv"
$location = "OU=employees,OU=People,DC=myorg,DC=com"
$disabledou = "OU=disabledemployees,OU=Disabled,DC=myorg,DC=com"
$AD_users = Get-ADUser -Filter * -SearchBase "OU=employees,OU=People,DC=myorg,DC=com" | select -ExpandProperty SamAccountName
$sams = Import-csv $userfile | select nameunique
ForEach ($user in $AD_users)
{
$exists = $sams.nameunique -contains $user # clean output for array w/ header vs. array without header demands .namunique
If(!$exists)
{
Get-ADUser -Identity $user | Move-ADObject -targetpath $disabledou
Disable-ADAccount -Identity $user
}
}