Users in ADGroup with direct reports - powershell

I want a list of users in ATL Users that have direct reports.
Part 1: Group Membership
I can get the users in a group.
Get-ADGroupMember "ATL Users" | Where objectClass -eq "user"
Part 2: Filter for Direct Reports
I can get a list of users with direct reports, but very slowly (scans entire tree).
Get-ADUser -Filter "DirectReports -like '*'"
Question
How can I get the list of users in ATL Users then -Filter those users by if they have direct reports?

This is readily done with an LDAP filter using memberOf. If this is a one-off query and you know the group's distinguished name (cn=ATL Users,ou=groups,dc=domain,dc=gTLD in this example), you can use:
get-aduser -LDAPFilter "(&(memberOf=cn=ATL Users,ou=groups,dc=domain,dc=gTLD)(directReports=*)(objectClass=user))"
If you will be running this query repeatedly, it would be best to get the group object from a search so directory restructuring won't break your query.
PS> $groupFQDN = (get-adgroup -identity "ATL Users").distinguishedName
PS> $groupFQDN
CN=ATL Users,OU=NewGroupsOU,DC=company,DC=gTLD
PS> get-aduser -LDAPFilter "(&(memberOf=$groupFQDN)(directReports=*)(objectClass=user))"
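
An added example, not part of the original answer, that goes a step beyond it: it escapes the group DN for use inside an LDAP filter (RFC 4515) and can optionally match nested group membership with Active Directory's LDAP_MATCHING_RULE_IN_CHAIN. The function names ConvertTo-LdapFilterValue and Get-GroupManagers are hypothetical, and the sample DN in the last line is constructed.

```powershell
# Added example; function and parameter names are hypothetical.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping. The backslash must be replaced first, otherwise the
    # backslashes introduced by the later replacements would be escaped again.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-GroupManagers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [switch]$IncludeNested
    )
    # Resolve the DN at run time so moving the group to another OU does not break the query.
    $dn = ConvertTo-LdapFilterValue (Get-ADGroup -Identity $GroupName).DistinguishedName

    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the domain controller
    # walks nested groups itself instead of the script recursing client-side.
    $memberOf = if ($IncludeNested) { "memberOf:1.2.840.113556.1.4.1941:=$dn" } else { "memberOf=$dn" }

    $filter = "(&(objectCategory=person)(objectClass=user)($memberOf)(directReports=*))"
    Get-ADUser -LDAPFilter $filter -Properties directReports |
        Select-Object Name, SamAccountName, @{ n = 'ReportCount'; e = { $_.directReports.Count } }
}

# The escaping helper needs no directory connection; constructed DN with parentheses:
ConvertTo-LdapFilterValue 'CN=ATL Users (East),OU=groups,DC=domain,DC=gTLD'
```

Users whose primary group is the queried group are not listed in memberOf, so neither form of the filter returns them.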

You can just pipe a foreach into Get-ADUser -filter after Get-ADGroupMember
Example:
Get-ADGroupMember "ATL Users" | Where-Object {$_.ObjectClass -eq "user"} | foreach {Get-ADUser $_.samaccountname -properties Name, DirectReports | Where-Object {$_.DirectReports -like "*"} |Select Name, DirectReports}

Related

Get all groups of AD users with filter - Powershell

I'm trying to get all groups that start with the following string from a user "DIR-*". With the following command I get all the groups of the user.
Get-ADUser -Identity $username -Properties memberof | Select-Object -ExpandProperty memberof
I then tried to filter with this, but that doesn't work because the list remains empty.
Get-ADUser -Identity $username -Properties memberof | Select-Object -ExpandProperty memberof | Where-Object {$_.CN -like "DIR-*"}
Unfortunately, I am still a complete beginner when it comes to Powershell, but I need the command promptly.
I thank you for any help.

exporting AD users displayName for selected groups only - powershell

I am new to powershell so please excuse me if the answer is quite simple. I am trying to get user list sorted by selected AD groups and export that to table or csv at least. Due to the fact that:
Get-ADGroupMember -Identity "TestGroupName"
... gives me only user IDs for my AD, I used below:
Get-ADGroupMember -Identity "TestGroupName" | Get-ADObject -Properties displayName
This works perfectly but I do not want to type manually each group there so I decided to first export groups that I need which are beginning with "Test":
Get-ADGroup -Filter "name -like 'Test*'" |Select-Object Name | Export-csv -path .\Groups.csv
Now I want to use information from Groups.csv to list all user displayName for groups listed in Groups.csv so I tried something like that:
Import-Csv -Path .\Groups.csv | Get-ADGroupMember ForEach($Name in $Groups) | Get-ADObject -Properties displayName | Export-csv -path \UsersByGroups.csv
unfortunately it does not work properly maybe because I still do not get exactly how to use ForEach
Can someone with more experience have a look and help?
Thanks!
Maciej

Just pipe the groups output by Get-ADGroup -Filter ... directly to Get-ADGroupMember:
Get-ADGroup -Filter "name -like 'Test*'" |Get-ADGroupMember |Get-ADObject -Properties displayName

Powershell - Populate list of AD users in large security group that are in a particular OU

I'm trying to get an AD Security Group down to a manageable size, but due to display limits in Powershell, this is proving difficult for me. The group is down to 47,720 now after removing all disabled AD accounts. Now I'm trying to filter it down to Enabled users that live in this particular OU. Below is what I've used with success in the console.
Get-ADGroup "very_large_secgroup" -properties Member | Select-Object -expandproperty member | get-aduser -Filter * -SearchBase "OU=PurgeStudents,OU=DisabledAccounts,DC=contoso,DC=com" | Select-Object SamAccountName,DistinguishedName
When I try to count this, or pipe it via Out-File though, I get:
get-aduser : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that
take pipeline input.
At line:1 char:92
+ ... ty member | get-aduser -Filter * -SearchBase "OU=PurgeStudents,OU=Dis ...
Any assistance would be greatly appreciated, as I am a novice in Powershell magic.

Instead of using -Filter *, you could filter for all previously retrieved users. And there is a cmdlet to get the members of a group:
Get-ADGroupMember -Identity "very_large_secgroup" -Recursive | Foreach-Object {Get-ADUser -Filter "Name -like '$($_.Name)'" -SearchBase "OU=PurgeStudents,OU=DisabledAccounts,DC=contoso,DC=com" | Select-Object -Property SamAccountName, DistinguishedName}

Joining user to groups based on template user strange behaviour

I'm writing a script in PowerShell that creates users. This script adds the user to groups based on a template user with the department name. When used in my script like so:
Get-ADUser -Filter {name -eq "Temp$($Department.LookupValue)"} -Properties memberof |
Select-Object -ExpandProperty memberof |
Add-ADGroupMember -Members $sAMAccountName
this unfortunately doesn't work, nor does it give any errors.
However, when I run just the line of code it works just fine
Get-ADUser -Filter {name -eq "TempICT"} -Properties memberof |
Select-Object -ExpandProperty memberof |
Add-ADGroupMember -Members usern

As noted in the comments, you can cycle through the group names with foreach-object using Add-ADGroupMember, but this is going to result in a call to AD for every group the user needs to be added to. It may be more efficient to use the Add-ADPrincipalGroupMembership cmdlet, which will add the user to multiple groups in a single operation:
$Groups = Get-ADUser -Filter {name -eq "TempICT"} -Properties memberof |
Select-Object -ExpandProperty memberof
Add-ADPrincipalGroupMembership -Identity $sAMAccountname -MemberOf $Groups

The following line of code does work; I guess the problem was with the filter not being able to process the dot notation.
Get-ADUser "Temp$departmentsn" -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members $gebruiker
It's not 100% how I wanted it since I now search for the netbiosname instead of the name property but it works. Because of the 20 character limitation for netbiosnames I had to make a substring to make it work for all my departments.
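
An added example, not code from any of the posts above, showing the template-to-user group copy with the filter built as a string (so the department value is expanded before the query is sent), a dry-run switch, and a guard that skips protected groups (adminCount = 1) so a template account cannot pass on administrative membership unnoticed. The function name Copy-TemplateGroupMembership, its parameters and the allow-list pattern are hypothetical.

```powershell
# Added example; function and parameter names are hypothetical.
function Copy-TemplateGroupMembership {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TemplateName,   # e.g. "Temp" + department value
        [Parameter(Mandatory)][string]$TargetSam
    )
    # The name is placed inside a quoted filter string, so restrict it to
    # characters that cannot terminate the quote (assumed naming convention).
    if ($TemplateName -notmatch '^[\w .-]+$') { throw "Unexpected characters in template name." }

    # String filter: PowerShell expands $TemplateName here, unlike inside { }.
    $template = @(Get-ADUser -Filter "Name -eq '$TemplateName'" -Properties memberOf)
    if ($template.Count -ne 1) {
        throw "Expected exactly one template named '$TemplateName', found $($template.Count)."
    }

    $target  = Get-ADUser -Identity $TargetSam -Properties memberOf
    $missing = @($template[0].memberOf | Where-Object { $_ -notin $target.memberOf })

    # Resolve each group once and leave out protected ones.
    $toAdd = @(foreach ($dn in $missing) {
        $g = Get-ADGroup -Identity $dn -Properties adminCount
        if ($g.adminCount -eq 1) { Write-Warning "Skipping protected group: $($g.Name)" }
        else { $g }
    })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($TargetSam, "Add to $($toAdd.Count) group(s)")) {
        # One call for all groups, as in the answer above.
        Add-ADPrincipalGroupMembership -Identity $target -MemberOf $toAdd
    }
    $toAdd | Select-Object Name, DistinguishedName
}

# Dry run first; 'TempICT' and 'usern' are the sample values used in the question:
# Copy-TemplateGroupMembership -TemplateName 'TempICT' -TargetSam 'usern' -WhatIf
```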

Make all users within the domain a member of a security group

Using either Powershell or VBS, how can I make all of the users within my domain who have an email address a member of a specific security group?

Import-Module ActiveDirectory
$Group = Get-ADGroup -filter {Name -eq "GroupName"}
Get-ADUser -filter {EmailAddress -like "*"} | % {Add-ADGroupMember $Group $_}