I want to make a script that deletes bulk users, instead of using SAMACCOUNTNAME I want to use the first and last name, is that possible?
Import-Module ActiveDirectory
$ADusers = Import-csv C:\TEST\Delete.CSV
Foreach ($user in $ADusers) {
#Confirming the identity
$users = Get-ADUser -Identity $user -Properties | Select-Object Givenname, Surename
#Removing the user
Remove-ADUser -Identity $user.samAccountName -Confirm:$false
}
I like Ambiguous Name Resolution when searching for users in AD:
Get-ADUser -LDAPFilter "(anr=Jim Smith)"
This will search for all objects where any of the naming attributes (see link above for list) start with the string "jim smith", plus all objects where (givenName=jim*) and (sn=smith*), plus objects where (givenName=smith*) and (sn=jim*).
This is useful when 'Jims' account uses his fully name of 'Jimmy', this would be returned by ANR but not by a direct givenName/sn filter.
You can have multiple users with the same First/Last name, so you will need to deal with the situation of multiple users being returned.
SAMAccoutName, however is unique to a single account
EDIT:
If you've got a csv with the two columns GivenName & Surname:
foreach ($user in $ADusers) {
$firstname = $user.GivenName
$lastname = $user.Surname
Get-ADUser -LDAPFilter "(anr=$firstname $lastname)"
}
The above just lists the users returned from Get-ADUser, to remove them just pipe to Remove-ADUser. I'm using WhatIf to test, remove to actually delete the users:
Get-ADUser -LDAPFilter "(anr=$firstname $lastname)" | Remove-ADUser -WhatIf
Yes it is.
Get-ADUser -Filter {GivenName -eq "Max" -and sn -eq "Muller"} | Remove-ADUser
You need to alter your script accordingly.
Related
Recently completed an Azure AD provisioning integration between SuccessFactors and On-Prem AD.
In order for some of our existing users to get 'scoped in' to the Update provisioning, they first need to match on employee id (we currently do not use the Create functionality).
There are about 400 users that we've identified need to be matched, and our HR team has provided us with a csv with the following attributes (Full Name, EmployeeID). I need to somehow compare this file with all users in AD who have no employee id, and if not, update EmployeeId with the contents from the HR provided file.
I'm a bit stuck on how to attack this. Need a Big Brain :)
#import HR file with required attributes "Formal Name, EmployeeId"
#returns ~6500 entries
$SFUsers = Import-Csv Z:\ExportsFromProd\Global_ActiveHeadcountReport_08292022.csv
#returns ~1400 entries
#some accounts never get an employee id
$users = Get-ADUser -Filter "*" -Properties EmployeeID | Where-Object {$_.employeeID -eq $null}
foreach ($account in $users) {
$accountName = $account.name
get-aduser -Filter {Name -eq $accountName} -Properties * | Select-Object samaccountname, displayName
#this is where i need help:
<#
try {
Lookup $SFUser.'Formal Name' in $SFUsers array???
Get $SFUser.'EmployeeID' | set-aduser $account -employeeId $SFUser.'EmployeeId'
}
catch {
}
finally {
}
#>
}
'''
You can use the faster -Filter or LDAPFilter parameters of Get-ADUser to find only users where the EmployeeID property is unset.
Also, your code could be done by using Get-ADUser only once:
#import HR file with required attributes "Formal Name, EmployeeId"
#returns ~6500 entries
$SFUsers = Import-Csv -Path 'Z:\ExportsFromProd\Global_ActiveHeadcountReport_08292022.csv'
#returns ~1400 entries
#some accounts never get an employee id
$users = Get-ADUser -Filter "employeeid -notlike '*'" -Properties DisplayName, EmployeeID
# or use LDAPFilter
# $users = Get-ADUser -LDAPFilter "(!employeeID=*)" -Properties DisplayName, EmployeeID
foreach ($account in $users) {
# try and find this user in the csv file either by .Name or .DisplayName property
$HRUser = $SFUsers | Where-Object { $_.'Formal Name' -eq $account.Name -or
$_.'Formal Name' -eq $account.DisplayName}
if ($HRUser) {
$account | Set-ADUser -EmployeeID $HRUser.EmployeeId
}
else {
Write-Warning "AD user $($account.Name) not found in the CSV file.."
}
}
I am trying to get only AD Objects of type user and then iterate over all them and change AD user object name. So I have done below:
$Users = Get-ADObject -Filter {(ObjectClass -eq "user")} # OR Get-ADObject -Filter 'ObjectClass -eq "user"'
$Users | foreach
{
# Here code to create name based on conditions ($newUserObjectName)
Rename-ADObject -Identity $_ -NewName $newUserObjectName
}
The problem is that Get-ADObject is returning not only users but also computer objects.... I only want user object classes. Also I am not sure If below line of code is correct by setting identity to $_ in order to update the current user in the iteration:
Rename-ADObject -Identity $_ -NewName $newUserObjectName
Why not use Get-ADUser instead of Get-ADObject and just return the DistinguishedName? Obviously, DON'T just run this code :)
$users = (Get-ADUser -Filter *).DistinguishedName #This gets all the users in AD
Foreach($user in $users){
Rename-ADObject -Identity $user -NewName $newUserObjectName
}
The Computer objectClass is derived from the User objectClass. Hence, queries for user class will return both Computers and Users. If you want to filter for Users only, you have to specify ObjectCategory as Person
$Users = Get-ADObject -Filter {(Objectclass -eq "user") -and (objectCategory -eq "Person")}
Use that or you can use the goodole Get-ADuser
Use Get-ADUser and Set-ADUser:
$Users = Get-ADUser -Filter *
$Users | foreach {
# Naming code
Set-ADUser -Identity $_.SamAccountName -SamAccountName $newName
}
This replaces all user's identities to $newName.
Note you can replace -SamAccountName with any other property of an ADUser. for example if you want to replace the display name instead, you would use -Name $newName
If I have a list of users where the samAccountName for all the users are all numerical Example, 745744, 745746, etc…. I was looking for a powershell script that could accomplish the following:
Put an “XX” without quotes in front of the users first name/givenname
Have the script import the list of users from the csv file if I have a list of all the users samAccountName.
Is having only one column in excel with the samAccountName sufficient for the csv, or do i need to also have all of the users givenName as well inside of the csv?? Example column A samAccountName, column B Firstname??
Example givenName is, JOAQUIN, I would need the first name to be XXJOAQUIN. I have about 500 users that I would have to do this for, and we are doing it manually right now, So the only thing that I need changed is adding the “XX” before the users givenNames….
Thanks everyone in advance.
If you have a CSV with samAccountName as the first column, you can do something like this.
$Users = Import-CSV "Users.csv"
Foreach($User in $Users){
$ADUser = Get-ADUser $User.samAccountName
$ADUser.GivenName = "XX$($ADUser.GivenName)"
Set-ADUser -Instance $ADUser
}
If you are searching for numerical users, you can look up in the documentation to use Get-ADUser to get all your users, and use a foreach loop to evaluate if it is numerical, and set the account.
If your CSV file just contains a header with the samAccountName followed by the samAccountNames like this:
samAccountName
745744
745746
Then you can use the following piece of code, change the path to the path of the csv file with your users.
This could be made shorter and use the pipeline better to make it less code, but this will work just fine.
$users = Import-Csv -Path .\users.csv
foreach($user in $users) {
$obj = Get-ADUser -Identity $user.samAccountName
Set-ADUser -Identity $user.samAccountName -GivenName ("xx" + $obj.GivenName)
}
You can also pipe the output directly from Get-ADUser to Set-ADUser like this:
$users = Import-Csv -Path .\users.csv
foreach($user in $users) {
Get-ADUser -Identity $user.SamAccountName | % {Set-ADUser -Identity $_.SamAccountName -GivenName ("xx" + $_.GivenName)}
}
Another way would be:
$users = Import-Csv -Path .\users.csv
foreach($user in $users) {
Set-ADUser -Identity $user.SamAccountName -GivenName ("xx" + $(Get-ADuser -Identity $user.SamAccountName).GivenName)
}
I am trying to update users AD attributes through their EmployeeID, not their SAMAccountName. I've tried using Set-ADUser, but it did not work because the list I am given does not contain the accounts sAMAccountName as it comes from HR who do not have access to this information.
Is there a way to update the AD users attributes through their unique employeeID?
My source data .csv file contains this:
EmployeeID;company;department;title;country;postalCode;city;streetAddress;manager
2828;TEST1;TEST2;TestXENUser;DE;12345;MUE;Miller Street 6;chrtest
My script looks like this:
$Users = Import-CSV C:\05042017\data.csv
$Users | ForEach-Object {
$EmpID = $_.EmployeeID
Get-ADUser -Filter "*" -Property EmployeeID | Where {$_.EmployeeID -eq $EmpID} | Set-ADUser -company $EmployeeID.company -department $EmployeeID.department –title $EmployeeID.title –country $EmployeeID.country –postalCode $EmployeeID.postalCode –city $EmployeeID.city –streetAddress $EmployeeID.streetAddress –manager $EmployeeID.manager -WhatIf
}
I dont think that I have made the connection to the attributes after the Set-ADUser command properly. I tested things out a bit on my own, but I cannot seem to get it working.
How do i tell the Set-ADUser command to take the attributes from the .csv file ?
I got this working in the past, but it was like this: ForEach $user in $Users and not: ForEach-Object.
You just need to get an object that represents the user in AD by using get-aduser and filtering the results based on EmployeeID and then pipe this to set-aduser. For example:
Get-ADUser -Filter "employeeid -eq '$EmpID'" | Set-ADUser <-Attribute> <Value> -WhatIf
You obviously need to identify the attributes and values and remove the -whatif switch when you're happy it's doing what you expect it to.
Based on your CSV file containing:
EmployeeID; company; department; title; country; postalCode; city; streetAddress; manager
you could do something like this:
$Users = Import-CSV C:\05042017\data.csv -Delimiter ';'
ForEach ($User in $Users) {
Get-ADUser -Filter "employeeid -eq '$($User.EmployeeID)'" | Set-ADUser -company $User.company -department $User.department –title $User.title –country $User.country –postalCode $User.postalCode –city $User.city –streetAddress $User.streetAddress –manager $User.manager -WhatIf
}
In the above example we use a ForEach loop which processes each line in the CSV file (which we've loaded in to $Users) and creates an object of the values as $User. We can then refer to the properties of $User (with the . notation) for the values of the attributes we need in Set-ADUser.
We are looking to create a Powershell script that will automatically sort our user base by Country Code into two AD groups, one for English speakers, and one for French speakers. We are having challenges in getting this to work.
Each account should only be on one list, based on their country. The original source list of members for our list is Staff All, and we are looking into having two groups, one called Staff All EN, and the other called Staff All FR. It should also be able to exclude those in a Disabled OU for accounts that are no longer valid. (see below)
This is what we have so far:
$frenchCC = Get-Content .\CCFrench.txt
$staffAll = "CN=Staff-ALL,OU=Internal,OU=DistributionLists,OU=SFCG,DC=sfcg,DC=org"
$staffAllEn = "CN=Staff ALL EN,OU=Internal,OU=DistributionLists,OU=SFCG,DC=sfcg,DC=org"
$staffAllFr = "CN=Staff ALL FR,OU=Internal,OU=DistributionLists,OU=SFCG,DC=sfcg,DC=org"
$Target = Get-ADGroupMember -Identity $staffAll
We have tried several different approaches. The idea is to populate the French list from the AD based on the country code list. Populate the Staff-EN by copying the Staff-ALL list and then removing everyone in the French list.
And somewhere in the process, Remove everyone who is in HR-Disabled.
foreach ($Person in $Target) {
Add-ADGroupMember -Identity $staffAllEn -Members $Person.distinguishedname -confirm:$false
}
foreach ($Country in $frenchCC) {
Add-ADGroupMember -Identity $staffAllFr -Members (Get-ADUser -Filter '"$country"' -eq '") -confirm:$false
}
foreach ($Country in $frenchCC) {
Remove-ADGroupMember "Staff-ALL-EN" -Members (Get-ADUser -Filter $Country) -confirm:$false
}
$searchOU = Specify the OU where your groups are here (OU=Groups,DC=domain,DC=local)
Get-ADGroupMember Staff-ALL-EN -Properties Disabled | Remove-ADGroupMember Staff-ALL-EN
Get-ADGroupMember Staff-ALL-FR -Properties Disabled | Remove-ADGroupMember Staff-ALL-FR
In the source file for the country code, we have put the country codes in single quotes, double quotes and no quotes. with no difference.
This has really caught us in a pickle. Any suggestions would be appreciated.
I was able to work on the following for Brad, but I am not being able to make it run for each line in the text files (ex: multiple country codes). Anyone know what to change?
$frenchCC = Get-Content .\Countries.txt
$OUs = Get-Content .\OUs.txt
$userListFR = Get-ADUser -Filter {country -eq $frenchCC} -SearchBase $OUs -SearchScope OneLevel
$userListEN = Get-ADUser -Filter {country -ne $frenchCC} -SearchBase $OUs -SearchScope OneLevel
foreach($user in $userListFR) {add-adgroupmember "Staff-ALL-FR" -Members $user}
foreach($user in $userListEN) {add-adgroupmember "Staff-ALL-EN" -Members $user}