The company I am working at has an audit. I just need the code to see the group Company Administrators in PowerShell, and check and validate if they are enforced with MFA authentication, or rather make their status enforced. I searched online and came up with bits and pieces of the code. I am pretty new to PowerShell coding, so it is much appreciated if you guys can help with the code. I am working in IT Security and PowerShell coding is not a part of it.
Connect-MsolService
#I think this will get company admins
$role = Get-MsolRole -rolename "Company Administrator"
$rm = Get-MsolRoleMember -roleObjectId $role.ObjectId
#not sure what this code is for
foreach ($c in $rm)
{
Get-MsolUser -UserPrincipalName $c.EmailAddress | Select displayname
}
Output will be Displayname containing the name
UserPrincipalName will be the email addresses of Company Admins
and MFA status output will be Enforced
this is the other code
$role = Get-MsolRole -rolename "Company Administrator"
Get-MsolRoleMember -RoleOBjectId $role.ObjectId
Output will display Rolemember type email address Displayname in Ad
and if user is Licensed = true or false
thanks if someone will reply to this
I cannot test this myself, so first try it out on a group of test users:
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Import-Module ActiveDirectory
Connect-MsolService -Credential $cred
# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State = "Enforced"
# get the members of the group (users only)
Get-ADGroupMember -Identity 'Company Administrators' | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
# get the UserPrincipalName for this user
$upn = Get-ADUser $_.SamAccountName | Select-Object -ExpandProperty UserPrincipalName
$mfa = Get-MsolUser -UserPrincipalName $upn | Select-Object -ExpandProperty StrongAuthenticationRequirements
if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
Write-Host "Enforcing MFA for user $upn"
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
}
else {
Write-Host "MFA is already enforced for user $upn"
}
}
Alternative code using Get-MsolRole and Get-MsolRoleMember
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $cred
# set up a StrongAuthenticationRequirement object with the state you want the users in
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RememberDevicesNotIssuedBefore = (Get-Date)
$requirement.RelyingParty = "*"
$requirement.State = "Enforced"
# get a list of administrator roles (possibly only one role object is returned)
$roles = Get-MsolRole -RoleName "Company Administrator"
foreach ($role in $roles) {
# get the list of members for this role and loop through
Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
$mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
if ($mfa.Count -eq 0 -or $mfa[0].State -ne 'Enforced') {
Write-Host "Enforcing MFA for user $($_.DisplayName)"
Set-MsolUser -ObjectId $_.ObjectId -StrongAuthenticationRequirements @($requirement)
}
else {
Write-Host "MFA is already enforced for user $($_.DisplayName)"
}
}
}
Update
If all you really need is a report of who is in the "Company Administrators" group and their MFA status, the code can be much simpler:
# first, get the credentials for a user that is allowed to do this
$cred = Get-Credential
Import-Module MSOnline
Connect-MsolService -Credential $cred
# get a list of administrator roles (possibly only one role object is returned)
$roles = Get-MsolRole -RoleName "Company Administrator"
$result = foreach ($role in $roles) {
# get the list of members for this role and loop through
Get-MsolRoleMember -RoleObjectId $role.ObjectId | ForEach-Object {
$mfa = Get-MsolUser -ObjectId $_.ObjectId | Select-Object -ExpandProperty StrongAuthenticationRequirements
if ($mfa.Count -eq 0) { $status = 'Disabled' } else { $status = $mfa[0].State }
# output an object to be collected in variable $result
[PsCustomObject]@{
'UserName' = $_.DisplayName
'EmailAddress' = $_.EmailAddress
'MFA_Status' = $status
}
}
}
# display on screen
$result | Format-Table -AutoSize
#output to a CSV file
$result | Export-Csv -Path 'X:\CompanyAdministrators.csv' -NoTypeInformation -Force
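For the audit itself, an added example (not part of the answer above) that also handles role members that are not user accounts and marks each row as compliant or not. `Get-MfaState`, `New-AdminMfaReport`, the `-GetUser` hook and the sample objects are hypothetical names constructed here; the `RoleMemberType` value `'User'` is an assumption about what `Get-MsolRoleMember` returns.

```powershell
# Added example: audit rows for the members of an admin role.
function Get-MfaState {
    param($Requirements)
    # Drop $null so an unset property counts as "no requirement".
    $reqs = @($Requirements | Where-Object { $_ })
    if ($reqs.Count -eq 0) { return 'Disabled' }
    return [string]$reqs[0].State
}

function New-AdminMfaReport {
    param(
        [Parameter(Mandatory)] [object[]]    $RoleMember,
        # Hypothetical hook: given an ObjectId, returns the user object.
        [Parameter(Mandatory)] [scriptblock] $GetUser
    )
    foreach ($member in $RoleMember) {
        $row = [ordered]@{
            DisplayName  = $member.DisplayName
            EmailAddress = $member.EmailAddress
            MemberType   = $member.RoleMemberType
            MFA_Status   = 'N/A'
            Compliant    = $null
        }
        # Assumption: user accounts carry RoleMemberType 'User'. Other member
        # types (for example service principals) have no per-user MFA state,
        # so they are listed but not looked up.
        if ("$($member.RoleMemberType)" -eq 'User') {
            $user = & $GetUser $member.ObjectId
            $row.MFA_Status = Get-MfaState $user.StrongAuthenticationRequirements
            $row.Compliant  = ($row.MFA_Status -eq 'Enforced')
        }
        [PSCustomObject]$row
    }
}

# Constructed sample data so the logic can be checked without a tenant.
$sampleMembers = @(
    [PSCustomObject]@{ ObjectId = '1'; DisplayName = 'Alice Admin'; EmailAddress = 'alice@example.com'; RoleMemberType = 'User' }
    [PSCustomObject]@{ ObjectId = '2'; DisplayName = 'Bob Admin';   EmailAddress = 'bob@example.com';   RoleMemberType = 'User' }
    [PSCustomObject]@{ ObjectId = '3'; DisplayName = 'Carol Admin'; EmailAddress = 'carol@example.com'; RoleMemberType = 'User' }
    [PSCustomObject]@{ ObjectId = '4'; DisplayName = 'Sync App';    EmailAddress = $null;               RoleMemberType = 'ServicePrincipal' }
)
$sampleUsers = @{
    '1' = [PSCustomObject]@{ StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enforced' }) }
    '2' = [PSCustomObject]@{ StrongAuthenticationRequirements = @([PSCustomObject]@{ State = 'Enabled' }) }
    '3' = [PSCustomObject]@{ StrongAuthenticationRequirements = @() }
}

$report = New-AdminMfaReport -RoleMember $sampleMembers -GetUser { param($id) $sampleUsers[$id] }
$report | Format-Table -AutoSize

# Audit finding: user accounts in the role whose state is not 'Enforced'
# (Bob and Carol in the sample; the service principal row is not flagged).
$report | Where-Object { $_.Compliant -eq $false } | Format-Table -AutoSize

# Against a connected MSOnline session the same function would be called as:
#   $role = Get-MsolRole -RoleName 'Company Administrator'
#   New-AdminMfaReport -RoleMember (Get-MsolRoleMember -RoleObjectId $role.ObjectId) `
#                      -GetUser { param($id) Get-MsolUser -ObjectId $id }
```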
Related
I'm trying to create kind of a solution to create thousands of accounts in AD add them to specific group or for service accounts add them to specific OU. Keep a log of what was done and what the errors are.
The script ingest a csv file with the following headers.
SamAccountName,name,password,ou,domain,isAdded
$Domain = [system.directoryservices.activedirectory.domain]::GetCurrentDomain().Name
$NewUserADGroup = 'Print Operators'
$NewUsersList = Import-Csv .\bulk_user1.csv | Where-Object{$_.domain -like "$Domain"}
$NewUsersList | ForEach-Object{
$NewUserAttributes = @{
SamAccountName = $_.SamAccountName
name = $_.name
#path = $_.parentou
#UserPrincipalName = $_."samAccountName" + "@lovely.Local"
AccountPassword = (convertto-securestring "$NewUsersList.password" -AsPlainText -Force)
Enabled = $true
#Server = $dcname
#isAdded = $Issue
}
try{
#Create new User and add to specific group
New-ADUser $NewUserAttributes
Add-ADGroupMember -Identity $NewUserADGroup -Members $_.SamAccountName
#Delete Specific User
#Remove-ADUser -Identity $_.SamAccountName
}catch{
Write-Warning $_
$Issue = $_.ToString()
}
$count = $count + 1
Write-Host $_.SamAccountName " " $_.Name " " $_.SamAccountName.Enabled " Total:" $NewUsersList.Count + "Processed:" $count
$NewUserAttributes| Select-Object -Property SamAccountName,name,AccountPassword,Enabled,isAdded | Export-Csv ".\$Domain.NewAccountsCreatedStatus.csv"
}
I'm getting the following error:
WARNING: The name provided is not a properly formed account name
When I look at the variable
$NewUserAttributes
I do see the name and the value:
Name Value
---- -----
Enabled True
name bfmbsngfilexfer2
AccountPassword System.Security.SecureString
SamAccountName bfmbsngfilexfer2
As promised, below a rewrite of your code.
I have inserted comments to hopefully explain what the code does:
$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$NewUserADGroup = 'Print Operators'
$successCount = 0
$NewUsersList = Import-Csv .\bulk_user1.csv | Where-Object { $_.domain -eq $Domain } | ForEach-Object {
# capture the human readable password for output use
$password = $_.password
$userParams = @{
SamAccountName = $_.SamAccountName
Name = $_.name
Path = $_.parentou
UserPrincipalName = '{0}@lovely.Local' -f $_.SamAccountName
AccountPassword = ConvertTo-SecureString $_.password -AsPlainText -Force
Enabled = $true
#Server = $dcname
}
try{
# Create new User and add to specific group
$user = New-ADUser @userParams -PassThru -ErrorAction Stop
Add-ADGroupMember -Identity $NewUserADGroup -Members $user -ErrorAction Stop
# add the 'isAdded' element to the $userParams hashtable
$userParams['isAdded'] = $true
$successCount++
}
catch{
Write-Warning $_.Exception.Message
$userParams['isAdded'] = $false
}
# output a PsCustomObject with values taken from the Hashtable
# AccountPassword is a SecureString, which will be of no use to you..
# Output the human readable password instead so you can inform the new users.
[PsCustomObject]$userParams | Select-Object SamAccountName, Name,
@{Name = 'Password'; Expression = {$password}},
Enabled, isAdded
}
# output
# use '@($NewUsersList)' to force it as array, so the Count property is accurate
if (@($NewUsersList).Count) {
Write-Host ('Processed: {0} Succeeded: {1}' -f $NewUsersList.Count, $successCount) -ForegroundColor Green
$NewUsersList | Export-Csv ".\$Domain.NewAccountsCreatedStatus.csv" -NoTypeInformation
}
else {
Write-Host 'No users successfully processed!' -ForegroundColor Red
}
I don't know how to add expressions in property declaration.
I created a script to get local admin members on servers and it works fine.
Now I want to add another property which should check if the user specified in the "Administrators" property is enabled or not, so I added a property, "User Enabled", but it doesn't show anything.
Foreach ($server in $servers){
Try{
$admins = Gwmi win32_groupuser -computer $server -Erroraction Stop
$admins = $admins |? {$_.groupcomponent -like '*"Administrators"'}
$admins = $admins |% { $_.partcomponent -match ".+Domain\=(.+)\,Name\=(.+)$" > $nul
$matches[1].trim('"') + "\" + $matches[2].trim('"') | Where-Object {$_ -like "$domain*" -and $_ -notlike "*Domain Admins*"}}
foreach ($admin in $admins){
# remove domain name
$username = $admin.Split('\')[1]
# Create properties
$administratorProperties = @{
"Administrators" = $admin
"Local Admin type" = "Domain users"
"Machine name" = $server
# check if local admin is enabled or not in AD
Label ="User Enabled" ; expression = {(Get-AdUser -Filter "SamAccountName -eq '$userName'").Enabled}
}
$adm += New-Object psobject -Property $administratorProperties
}
$adm | Select "Machine Name", "Administrators", "Local Admin type", "User Enabled" | Export-CSV "C:\Temp\LOcalAdmins.CSV" -NoTypeInformation
}
catch [Exception]
{
if ($_.Exception.GetType().Name -like "*COMException*") {
Write-Verbose -Message ('{0} is unreachable' -f $server) -Verbose
}
else{
Write-Warning $Error[0]
}
}
}
Machine name : MACHINE
Administrators : DOMAIN\User1
Label : User Enabled
Local Admin type : Domain users
expression : (Get-AdUser -Filter "SamAccountName -eq '$userName'").Enabled
Is it possible to check if user in $username variable is enabled or not.
Property expressions are for calculating a property value dynamically - you don't need that since you're constructing the object with all its property values known up front, so all you need to do is assign the property value to the relevant key in the hashtable as-is:
$administratorProperties = @{
"Administrators" = $admin
"Local Admin type" = "Domain users"
"Machine name" = $server
# check if local admin is enabled or not in AD
"User Enabled" = (Get-AdUser -Filter "SamAccountName -eq '$userName'").Enabled
}
$adm += New-Object psobject -Property $administratorProperties
I am trying to add an AD group into user profiles based on an OU
I had a similar script working, so tried to modify it and failed. I am guessing it's the " -Identity $_" it maybe, but I am not good enough to debug.
#Create a new class to hold the info for our CSV entry
Class CSVEntry{
[String]$UserName
[String]$GroupName
[String]$TimeStamp
}
#Creating a list to hold the CSV entries
$Results = New-Object 'System.Collections.Generic.List[PSObject]'
#Defined the name of the group here
$GroupName = 'GROUPS NAME'
$ou = 'ou=XX,ou=XX,ou=XX,dc=XX,dc=local'
Get-ADUser -Filter * -SearchBase $ou | ForEach-Object{
#Add the user to the group here
Add-ADPrincipalGroupMembership -MemberOf $GroupName Identity $_
#Write-Host $_.Name - $groupName
#Build a custom CSVEntry object and add it to the list
$newRecord = [CSVEntry]::new()
$newRecord.UserName = $_.Name
$newRecord.GroupName = $groupName
$newRecord.TimeStamp = Get-Date
#Add the new record to the list
$Results.Add($newRecord)
}
#Export the list of CSV entries
$Results | Export-Csv C:\PS\AddADGroupToUsers.csv
errors:
Add-ADPrincipalGroupMembership : A positional parameter cannot be found that accepts argument 'CN=NAME,OU=XX,OU=XX,OU=XX,OU=XX,DC=XX,DC=LOCAL'.
At line:18 char:5
+ Add-ADPrincipalGroupMembership -MemberOf $GroupName Identity $_
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Add-ADPrincipalGroupMembership], ParameterBindingException
+ FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.ActiveDirectory.Management.Commands.AddADPrincipal
GroupMembership
EDIT:
So, the script doesn't actually do any changes, the group doesn't get added to the users. the output on screen is:
WARNING: User is already a member of group XYZ
WARNING: User is already a member of group XYZ
WARNING: User is already a member of group XYZ
UserName GroupName TimeStamp
-------- --------- ---------
shows ok XYZ 14/10/2019 14:50:23
shows ok XYZ 14/10/2019 14:50:23
shows ok XYZ 14/10/2019 14:50:23
All I have changed is the group name to XYZ and username shows ok in the second half. But, shows blank in the top, and I assure you that a) the user isn't already in the group and b) the script isn't adding them
Current tweaked code, warts and all but sanitised:
$groupName = 'GROUP'
$ou = 'setcorrectly'
$cred = Get-Credential -credential dom\usr
$results = Get-ADUser -Filter * -SearchBase $ou -Credential $cred | ForEach-Object {
#Add the user to the group here
try {
Add-ADGroupMember -Identity $groupName -Members $_.DistinguishedName -Credential $cred -ErrorAction Stop
}
catch {
Write-Warning "User $($_.Name) is already a member of group $groupName"
}
# output a PsCustomObject that gets collected in the $results variable
[PsCustomObject]@{
'UserName' = $_.Name
'GroupName' = $groupName
'TimeStamp' = Get-Date
}
}
# output on console
$results | Format-Table -AutoSize
# Export to CSV file
$results | Export-Csv C:\PS\AddADGroupToUsers.csv -NoTypeInformation
Read-Host -Prompt "Press Enter to exit"
CSV output shows the second half of the screen output only, and doesn't say anything is already a member
Below uses Add-ADGroupMember to add user(s) to 1 group instead of Add-ADPrincipalGroupMembership which is used to add 1 user to multiple groups.
It also uses [PsCustomObject]s to output the results, so you don't need to use the Class CSVEntry.
# Define the name of the group here.
# can be either:
# A distinguished name
# A GUID (objectGUID)
# A security identifier (objectSid)
# A Security Account Manager account name (sAMAccountName)
$groupName = '<NAME OF THE GROUP>'
$ou = 'ou=XX,ou=XX,ou=XX,dc=XX,dc=local'
$results = Get-ADUser -Filter * -SearchBase $ou | ForEach-Object {
#Add the user to the group here
$userName = $_.Name
try {
Add-ADGroupMember -Identity $groupName -Members $_.DistinguishedName -ErrorAction Stop
# output a PsCustomObject that gets collected in the $results variable
[PsCustomObject]@{
'UserName' = $_.Name
'GroupName' = $groupName
'TimeStamp' = Get-Date
}
}
catch {
Write-Warning "User $userName is already a member of group $groupName"
}
}
# output on console
$results | Format-Table -AutoSize
# Export to CSV file
$results | Export-Csv C:\PS\AddADGroupToUsers.csv -NoTypeInformation
Edit
If you want the $results variable to ALSO contain users that are already a member of the group, you could simply move the creation of the [PsCustomObject] below the catch{..} block:
$results = Get-ADUser -Filter * -SearchBase $ou | ForEach-Object {
#Add the user to the group here
$userName = $_.Name
try {
Add-ADGroupMember -Identity $groupName -Members $_.DistinguishedName -ErrorAction Stop
$status = "User added successfully"
}
catch {
Write-Warning "User $userName is already a member of group $groupName"
$status = "User is already a member"
}
# output a PsCustomObject that gets collected in the $results variable
[PsCustomObject]@{
'UserName' = $userName
'GroupName' = $groupName
'TimeStamp' = Get-Date
'Status' = $status
}
}
Hope that helps
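Added example, not part of the answer above: the catch block there labels every failure "already a member", so a permissions error or an empty member value reads the same in the output. The function below records `Added`, `AlreadyMember` and `Failed` (with the real exception text) separately; `Add-GroupMembersWithStatus`, its `-AddAction` hook and the sample objects are hypothetical names constructed here.

```powershell
# Added example: keep "already a member" apart from real failures.
function Add-GroupMembersWithStatus {
    param(
        # Objects with Name and DistinguishedName (e.g. Get-ADUser output).
        [Parameter(Mandatory)] [object[]]    $User,
        # DistinguishedNames currently in the group's 'member' attribute.
        [string[]] $ExistingMemberDn = @(),
        # Hypothetical hook that performs the add for one DN and throws on error.
        [Parameter(Mandatory)] [scriptblock] $AddAction
    )
    # DNs are compared case-insensitively.
    $current = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    foreach ($dn in $ExistingMemberDn) { [void]$current.Add($dn) }

    foreach ($u in $User) {
        $status = 'Added'
        $detail = ''
        if ([string]::IsNullOrEmpty($u.DistinguishedName)) {
            # A misspelled or missing property ends up here instead of
            # being reported as an existing membership.
            $status = 'Failed'
            $detail = 'Input object has no DistinguishedName'
        }
        elseif ($current.Contains($u.DistinguishedName)) {
            $status = 'AlreadyMember'
        }
        else {
            try   { & $AddAction $u.DistinguishedName | Out-Null }
            catch { $status = 'Failed'; $detail = $_.Exception.Message }
        }
        [PSCustomObject]@{
            UserName  = $u.Name
            Status    = $status
            Detail    = $detail
            TimeStamp = Get-Date
        }
    }
}

# Constructed sample data so the outcomes can be checked without a domain.
$sampleUsers = @(
    [PSCustomObject]@{ Name = 'User One';   DistinguishedName = 'CN=User One,OU=XX,DC=XX,DC=local' }
    [PSCustomObject]@{ Name = 'User Two';   DistinguishedName = 'CN=User Two,OU=XX,DC=XX,DC=local' }
    [PSCustomObject]@{ Name = 'User Three'; DistinguishedName = 'CN=User Three,OU=XX,DC=XX,DC=local' }
    [PSCustomObject]@{ Name = 'User Four';  DistinguishedName = $null }
)
$existing = @('cn=user two,ou=XX,dc=XX,dc=local')
# Stand-in for the directory call: fails for one user to simulate a denied write.
$fakeAdd  = { param($dn) if ($dn -like 'CN=User Three*') { throw 'Insufficient access rights (constructed error)' } }

$results = Add-GroupMembersWithStatus -User $sampleUsers -ExistingMemberDn $existing -AddAction $fakeAdd
$results | Format-Table -AutoSize
# Expected statuses: Added, AlreadyMember, Failed, Failed

# Against a live domain the same function would be called as:
#   $existing = (Get-ADGroup -Identity $groupName -Properties Member).Member
#   Add-GroupMembersWithStatus -User (Get-ADUser -Filter * -SearchBase $ou) `
#       -ExistingMemberDn $existing `
#       -AddAction { param($dn) Add-ADGroupMember -Identity $groupName -Members $dn -ErrorAction Stop }
```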
I have been given the task of creating a school's worth of users (UK Secondary). The PS to create the users from a CSV, what I need to do is add the newly created users to various groups at the same time.
The code I am using is as follows
$DCName = '<DC FQDN>'
Import-Csv -Path "D:\Import.csv" |
ForEach-Object {
$Displayname = $_.'FirstName' + " " + $_.'LastName'
$UPN = $_.'UPN'
$GroupName = $_.'GroupName'
$Prop = @{
Name = $Displayname
DisplayName = $_.'FirstName' + " " + $_.'LastName'
GivenName = $_.'FirstName'
Surname = $_.'LastName'
UserPrincipalName = $UPN
EmailAddress = $UPN
SamAccountName = $_.'SAM'
AccountPassword = (ConvertTo-SecureString $_.'Password' -AsPlainText -Force)
Enabled = $true
Path = $_.'OU'
ChangePasswordAtLogon = $false
Title = $_.'JobTitle'
StreetAddress = $_.'Street'
City = $_.'Town'
State = $_.'County'
PostalCode = $_.'PostCode'
OfficePhone = $_.'Telephone'
Company = $_.'Company'
Department = $_.'Department'
HomeDrive = $_.'HomeDrive'
HomeDirectory = $_.'Home-Directory'
OtherAttributes = @{
'extensionAttribute1'= $_.'ExtendedAttribute1';
'extensionAttribute2'= $_.'ExtendedAttribute2';
'extensionAttribute14'= $_.'ExtendedAttribute14';
'extensionAttribute15'= $_.'ExtendedAttribute15';
'proxyAddresses' = "SMTP:" + $UPN;}
Server = $DCName
}
New-ADUser @prop
Add-ADGroupMember -Identity $GroupName -Members $_.'SAM'
}
The user gets created with all properties correctly set. It fails with the following error
Add-ADGroupMember : Cannot find an object with identity: 'Test.User' under: 'DC=AD,DC=example,DC=uk'.
At C:\Scripts\NewUserFromCSV2.ps1:47 char:10
+ Add-ADGroupMember -Identity $GroupName -Members $_.'SAM'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Test.USer:ADPrincipal) [Add-ADGroupMember], ADIdentityNotFoundException
+ FullyQualifiedErrorId : SetADGroupMember.ValidateMembersParameter,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
It looks like the Add-ADGroupMember command can't find the user that has just been created, however, if that is the case I don't understand why.
Also at the moment, my CSV has only one group in the 'GroupName', what would be the best way to add the user to multiple groups? e.g. School-All-Staff, Teaching-Staff, Science-Teachers etc.
Thanks in advance for any help received.
As it's a bulk operation, I would just split the user creation from the group membership.
Create all the users first, then add them to the groups:
$DCName = '<DC FQDN>'
$Users = Import-Csv -Path "D:\Import.csv"
$Users | ForEach-Object {
$Displayname = $_.'FirstName' + " " + $_.'LastName'
$UPN = $_.'UPN'
$Prop = @{
## properties as per original code ##
}
New-ADUser @prop
}
$Users | ForEach-Object {
$GroupName = $_.'GroupName'
Add-ADGroupMember -Identity $GroupName -Members $_.'SAM'
}
Then to add the users to multiple groups:
If you've got a semicolon separated list of the groups in GroupName eg
School-All-Staff;Teaching-Staff;Science-Teachers
Split will convert this to an array then you can loop through them:
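$Users | ForEach-Object {
# keep the CSV row, because $_ is the group name inside the inner loop
$user = $_
$user.'GroupName' -split ';' | ForEach-Object {
Add-ADGroupMember -Identity $_ -Members $user.'SAM'
} }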
(edit: updated to semicolon as you have a csv source)
I got it working as a combined script in the end and added in error checking for pre-existing users, existing staff often move to the new school that is being added to the Trust prior to its addition to our AD and get included in the list of users to create.
Also added log file creation to record newly created users and list those whose SAMAccount name already exists so we can check to see if the user does need creating or if they need moving from another School OU.
This is my final code:
#Get default variables to tidy up created variables at the end
$ExistingVariables = Get-Variable | Select-Object -ExpandProperty Name
#New User Code Starts Here>
#Variables not set by CSV
#Set DC name to update - prevents errors due to replication delay
$DCName = '<DC FQDN>'
#Create log files
"Users Exist in AD" | Out-File -FilePath "D:\Logs\ExistingUsers-$(get-date -f yyyyMMdd).txt" -Append
"New Users Created" | Out-File -FilePath "D:\Logs\NewUsers-$(get-date -f yyyyMMdd).txt" -Append
#Specify path and file to import
Import-Csv -Path "D:\Import.csv" |
#Iterate through each row in the CSV
ForEach-Object {
#Set per object variables from fields in the CSV
$DisplayName = $_.'FirstName' + " " + $_.'LastName'
$UPN = $_.'UPN'
$GroupName1 = $_.'GroupName1'
$GroupName2 = $_.'GroupName2'
$GroupName3 = $_.'GroupName3'
$GroupName4 = $_.'GroupName4'
$SAM = $_.'SAM'
$Password = $_.'Password'
$SAMTest = Get-ADUser -Filter {(sAMAccountName -eq $SAM)} -Server $DCName
#Splatting Hash Table holds all user attribute properties set in the CSV
$Prop = @{
Name = $DisplayName
DisplayName = $DisplayName
GivenName = $_.'FirstName'
Surname = $_.'LastName'
UserPrincipalName = $UPN
EmailAddress = $UPN
SamAccountName = $_.'SAM'
AccountPassword = (ConvertTo-SecureString $_.'Password' -AsPlainText -Force)
Enabled = $true
Path = $_.'OU'
ChangePasswordAtLogon = $false
Title = $_.'JobTitle'
StreetAddress = $_.'Street'
City = $_.'Town'
State = $_.'County'
PostalCode = $_.'PostCode'
OfficePhone = $_.'Telephone'
Company = $_.'Company'
Department = $_.'Department'
OtherAttributes = @{
'extensionAttribute1'= $_.'ExtendedAttribute1';
'extensionAttribute2'= $_.'ExtendedAttribute2';
'extensionAttribute14'= $_.'ExtendedAttribute14';
'extensionAttribute15'= $_.'ExtendedAttribute15';
'proxyAddresses' = "SMTP:" + $UPN;}
Server = $DCName
}
#Check if SAMAccount name exists in AD and skip existing users
if ($SAMTest -ne $Null)
{
#Get UPN property of the pre-existing user
$Exist = Get-ADUser -Filter {(sAMAccountName -eq $SAM)} -Properties 'userprincipalname'
#write UPN value to variable
$ExistUPN = $Exist.userprincipalname
#Update log of pre-existing users
"$DisplayName exists with email $ExistUPN" | Out-File -FilePath "D:\Logs\ExistingUsers-$(get-date -f yyyyMMdd).txt" -Append
#Write to screen
Write-Host "$DisplayName already exists in AD" -ForegroundColor Red
}
else
{
#Create new user with the attribute properties collected above
New-ADUser @prop
#Check if group fields in CSV were populated, if true add user to group, if false skip
if ($_.'GroupName1'){Add-ADGroupMember -Identity $_.'GroupName1' -Members $_.'SAM' -Server $DCName}
if ($_.'GroupName2'){Add-ADGroupMember -Identity $_.'GroupName2' -Members $_.'SAM' -Server $DCName}
if ($_.'GroupName3'){Add-ADGroupMember -Identity $_.'GroupName3' -Members $_.'SAM' -Server $DCName}
if ($_.'GroupName4'){Add-ADGroupMember -Identity $_.'GroupName4' -Members $_.'SAM' -Server $DCName}
#Update New user log
"$UPN" | Out-File -FilePath "D:\Logs\NewUsers-$(get-date -f yyyyMMdd).txt" -Append
#Write to screen
Write-Host "User $SAM created at $((Get-Date).ToString('hh:mm'))" -ForegroundColor Green
}
}
#End Of New User Code
#Remove variables set by script - keeps PS memory space tidy
$NewVariables = Get-Variable | Select-Object -ExpandProperty Name | Where-Object {$ExistingVariables -notcontains $_ -and $_ -ne "ExistingVariables"}
if ($NewVariables)
{
Write-Host "Removing the following variables:`n`n$NewVariables"
Remove-Variable $NewVariables
}
else
{
Write-Host "No new variables to remove!"
}
I used the bit about clearing up variables because the values seemed to persist if the PowerShell session remained open and it was causing odd things to happen. I also removed the home drive attributes because the file server specified hasn't been implemented yet but management still wants the users in AD now.
For reference my import.csv looks like this
FirstName,LastName,UPN,SAM,Password,OU,JobTitle,Street,Town,County,PostCode,Telephone,Company,Department,ExtendedAttribute1,ExtendedAttribute2,ExtendedAttribute14,ExtendedAttribute15,GroupName1,GroupName2,GroupName3,GroupName4
Test,User,Test.Users@domain.uk,Test.User,,"OU=Admin Staff,OU=User Resources,OU=School,OU=Trust Schools,DC=AD,DC=Trust,DC=org",,Street Name,TownName,County,AA11 1AA,116123,Name Of School,Name Of Trust,,Staff,,,AllStaffGroup,AdminStaffGroup,SpecialPermissionsGroup,Group4
I need to Export User Disclaimer From Exchange 2010 With Exchange Management Shell. Is that possible? Example of Disclaimer:
Kathleen Mayer
Sales Department
Contoso
www.contoso.com
kathleen@contoso.com
cell: 111-222-1234
I tried this script, but its result didn't contain the disclaimer:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
try {
Import-Module ActiveDirectory -ErrorAction Stop
}
catch {
Write-Host "Unable to load Active Directory module, is RSAT installed?"
Exit
}
$Results = foreach ($User in (Get-ADUser -Filter * -Properties Department, Mail)) {
$Mailbox = Get-Mailbox $User.Name -ErrorAction SilentlyContinue
if ($Mailbox) {
$Mail = $Mailbox | Get-MailboxStatistics -ErrorAction SilentlyContinue
if ($Mail.TotalItemSize.Value -eq $null) {
$TotalSize = 0
} else {
$TotalSize = $Mail.TotalItemSize.Value.ToBytes()
}
New-Object PSObject -Property @{
Name = $User.Name
SamAccountName = $User.SamAccountName
Email = $User.Mail
Department = $User.Department
MailboxSize = $TotalSize
IssueWarningQuota = $Mailbox.IssueWarningQuota
ProhibitSendQuota = $Mailbox.ProhibitSendQuota
ProhibitSendReceiveQuota = $Mailbox.ProhibitSendReceiveQuota
}
}
}
$Results |
Select Name, SamAccountName, Email, `
Department, MailboxSize, IssueWarningQuota, `
ProhibitSendQuota, ProhibitSendReceiveQuota |
Export-Csv c:\MailboxSizeByDepartment.csv -NoTypeInformation
Please see this link : https://technet.microsoft.com/en-us/library/dn600437%28v=exchg.150%29.aspx