Set UPN of AD users from result of Get-AdUser - powershell

I have some users in AD that have the UPN address set like User@this.org. I want to change those users so their UPN looks like User@that.com.
I have written a PS line to find me such users:
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(userPrincipalName=*@this.org))" -SearchBase "OU=this,DC=that" | Select SamAccountName
But how do I update those users? I know about the Set-ADUser command, but I can't figure out how to feed the result of Get-ADUser into it.

Just pipe it to Set-ADUser:
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(userPrincipalName=*@this.org))" -SearchBase "OU=this,DC=that" | % {Set-ADUser $_ -UserPrincipalName "that"}
Just a heads up, use -WhatIf during testing before you crash your whole AD.
Explanation:
% - Alias for foreach
$_ - Equals each object of the foreach (each User found in the Get-ADuser)
-UserPrincipalName "that" - Set the UPN of the given User to that
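
An added example, not part of the original answer: the answer's pipeline writes one literal string to every account, while the question asks to keep each user's name and swap only the suffix. The sketch below computes the new UPN per user, saves the old values for rollback and previews with -WhatIf. The suffixes and search base come from the question; the backup file name is an assumption.

```powershell
Import-Module ActiveDirectory

# Values from the question; adjust to your directory.
$oldSuffix  = '@this.org'
$newSuffix  = '@that.com'
$searchBase = 'OU=this,DC=that'
$backupCsv  = '.\upn-before-change.csv'   # hypothetical rollback file

# Enabled users whose UPN ends in the old suffix (same filter as the question).
$ldap  = "(&(objectCategory=person)(objectClass=user)" +
         "(!userAccountControl:1.2.840.113556.1.4.803:=2)" +
         "(userPrincipalName=*$oldSuffix))"
$users = @(Get-ADUser -LDAPFilter $ldap -SearchBase $searchBase)

# Record the current values first so the change can be reversed.
$users | Select-Object ObjectGUID, SamAccountName, UserPrincipalName |
    Export-Csv -Path $backupCsv -NoTypeInformation

foreach ($u in $users) {
    # Replace only the trailing suffix; the part before '@' is kept.
    $pattern = [regex]::Escape($oldSuffix) + '$'
    $newUpn  = $u.UserPrincipalName -replace $pattern, $newSuffix

    # Remove -WhatIf once the previewed changes look right.
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```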

Related

Remove user from all AD Group Except domain users

Get-Aduser -identity $User -Properties Memberof -filter {Memberof Name -Notlike "Domain Users" | ForEach-Object { $_.Memberof | Remove-ADGroupMember -Members $User -Confirm:$false}}
Hey Yall,
I'm trying to remove folks from their AD Groups except for the Domain Users Group in AD (our company is holding on to AD accounts, idk why, but they want to remove their general accesses).
When I use the above code to remove them it says: "Get-ADUser : Parameter set cannot be resolved using the specified named parameters."
I'm not sure what way is a better way to do this.

Powershell change multiple users AD properties

Still learning PowerShell for AD and I have one question that is bothering me. I have to change AD properties for multiple users in AD within a specific location. For example, we have people from Berlin and from Washington in the same OU, and cities are set in each profile, but I'm wondering if I also need to get the properties before changing the address for one of those locations, like this
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' -Properties StreetAddress, PostalCode | % {Set-ADUser $_ -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}}
or if it would work also without doing -Properties and just pipe filter City results to Set-ADUser
Thank you.
You do not need to specify -Properties unless you want to see them in the output. You also don't need the foreach, simply piping to Set-ADUser is sufficient.
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' |
Set-ADUser $_ -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}
This will update those values just fine. The same is true for filtering. The following command will filter on the postalcode but it will not be included in the output unless you add -Properties postalcode
Get-ADUser -Filter "PostalCode -eq '221202XX'"
Thank you for the answer, I have left out -Properties and that seems fine. I also tried, but this won't work without foreach, as I guess Set-ADUser does not know which of those users that are filtered out needs to be updated. So I had to use
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' | % {Set-ADUser $_ -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}}
while if I use it without foreach
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' | Set-ADUser $_ -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}
I get the error
Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the
argument, and then try running the command again.
but anyway, seems to be OK without -Properties which was my main concern
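
An added example, not from the original thread, showing why the command without foreach fails and the form that does work: the stray `$_` is empty outside a script block and gets bound to -Identity. The filter, search base and attribute values are the ones used in the thread; -WhatIf is added so the commands only preview.

```powershell
$berlin = Get-ADUser -Filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com'
$change = @{ StreetAddress = 'New street 11'; PostalCode = '221202XX' }

# Fails: outside a script block $_ is not the pipeline object, so it is empty
# and is bound positionally to -Identity ("The argument is null").
# $berlin | Set-ADUser $_ -Replace $change

# Works: Set-ADUser takes -Identity from the pipeline, one user at a time.
$berlin | Set-ADUser -Replace $change -WhatIf

# Equivalent explicit loop; $_ is defined here because it is inside the script block.
$berlin | ForEach-Object { Set-ADUser -Identity $_ -Replace $change -WhatIf }

# After removing -WhatIf, read the attributes back to confirm the write.
$berlin | Get-ADUser -Properties StreetAddress, PostalCode |
    Select-Object SamAccountName, StreetAddress, PostalCode
```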

How to display "Description" attribute in any user's account?

I want to use the Get-ADUser cmdlet to determine whose accounts are disabled.
The "Description" attribute in any user's account is not showing up.
Is it only the attributes that you get when you do Get-ADUser [username], as listed here:
DistinguishedName
Enabled
GivenName
Name
ObjectClass
ObjectGUID
SamAccountName
SID
Surname
UserPrincipalName
We list the employeeID number in the description of the user account and that's helpful when we have duplicate names and need to figure out who's who. The command I'm using is:
Get-ADUser -SearchBase "OU=ou,OU=ou,OU=ou,DC=dc,DC=dc,DC=dc" -Filter {Enabled -eq $false} | FT SamAccountName,Name,Description
and the results for one person would look like this:
SamAccountName    Name        Description
--------------    ----        -----------
john.doe          John Doe
Just a blank spot, not even <> like if you listed something that doesn't exist.
That tells me the Powershell command acknowledges the attribute exists, just won't grab it from the AD Account's info.
Sounds like it is not one of the default properties that get-aduser displays. Hence in order to get this information you have to explicitly tell it to display the description property. Hence:
Get-ADUser -Properties description -SearchBase "OU=ou,OU=ou,OU=ou,DC=dc,DC=dc,DC=dc" -Filter {Enabled -eq $false} | FT SamAccountName,Name,Description

Get email address from Samaccountname

I am a beginner to PowerShell. I need to write a command for getting the email addresses from samaccountname from Active Directory. I have stored all the samaccountnames in a Users.txt file.
$users=Get-content .\desktop\users.txt
get-aduser -filter{samaccountname -eq $users} -properties mail | Select -expandproperty mail
Kindly suggest how I should go forward with this. What am I doing wrong here?
After reading it in from the file, $Users becomes a collection of users. You can't pass that entire collection in to the filter, you need to handle it one user at a time. You can do this with a ForEach loop:
$users = Get-Content .\desktop\users.txt
ForEach ($User in $Users) {
    Get-ADUser -Identity $user -properties mail | Select -expandproperty mail
}
This will output each user's email address to the screen.
Per the comments, it's also unnecessary to use a -filter for this; per the above you can just send the samaccountname directly to the -Identity parameter instead.
If you want to send the output on to another command (such as export-csv) you could use ForEach-Object instead:
$users = Get-Content .\desktop\users.txt
$users | ForEach-Object {
    Get-ADUser -Identity $_ -properties mail | Select samaccountname,mail
} | Export-CSV user-emails.txt
In this example we use $_ to represent the current item in the pipeline (e.g. the user) and then we pipe the output of the command on to Export-CSV. I thought you might also want this kind of output to have both samaccountname and mail so that you could cross-reference.

How can I compare CSV to AD users and disable users not in CSV?

As a process to disable users, I have a CSV where users are identified by employeeID and not username. I need to loop through and compare the CSV to AD users, and any AD user not in the CSV needs to be disabled. This is what I have so far, but it's not working. I'll admit I'm still fairly new to powershell scripting, so any help would be much appreciated.
Import-Module ActiveDirectory
Import-Csv -Path c:\ADTerm.csv | foreach {Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Identity $_.employeeID} | Where {$_ -ne $null} | Disable-ADAccount -Identity $_.employeeID
I can't really fit this all in a comment without it looking horrible, so let's start with this.
You are combining -Filter and -Identity, which most likely won't net the results you are looking for. Use Identity to get one specific user or filter to get one to many. Looking at TechNet for Get-ADUser you will see Identity only matches values to:
DistinguishedName
objectGUID
objectSid
sAMAccountName
In that regard I see you have a column for EmployeeID. I'm guessing that those are not SamAccountName which is one of the values that -Identity supports. I feel that you could do with the following changes.
$IDs = Import-Csv -Path c:\ADTerm.csv | Select-object -ExpandProperty EmployeeID
Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Properties EmployeeID |
Where-Object{$_.EmployeeID -and ($IDs -notcontains $_.EmployeeID)} | Disable-ADAccount
Update the Get-ADUser to get all users in that OU. Get-ADUser does not return the EmployeeID by default, so we use -Properties to specify it. Filter all those users that have an employeeID but not one in the list. Disable-ADAccount will take the output of Get-ADUser nicely, so there is no need to specify the account again.
Depending on your setup, you might be storing this value as EmployeeNumber in AD. This is also dependent on your having a CSV file with a column for EmployeeNumber.
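
An added example, not from the original answer: the same comparison with guards a bulk disable job should have, since an empty or wrongly headed CSV would make every account with an EmployeeID a match. The CSV path and OU come from the question; the safety limit and the report file name are assumptions.

```powershell
Import-Module ActiveDirectory

$csvPath    = 'C:\ADTerm.csv'                        # path from the question
$searchBase = 'ou=Test,ou=Logins,dc=domain,dc=com'   # OU from the question
$maxDisable = 25                                     # assumed safety limit
$reportCsv  = '.\to-disable.csv'                     # hypothetical report file

# Load the IDs into a case-insensitive set; trim stray whitespace from the export.
$ids = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Import-Csv -Path $csvPath | ForEach-Object {
    if ($_.EmployeeID) { [void]$ids.Add($_.EmployeeID.Trim()) }
}

# An empty or mis-headed CSV would otherwise mark every account for disabling.
if ($ids.Count -eq 0) {
    throw "No EmployeeID values read from $csvPath; nothing was changed."
}

# Only enabled accounts that carry an EmployeeID and are missing from the CSV.
$targets = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties EmployeeID |
    Where-Object { $_.EmployeeID -and -not $ids.Contains($_.EmployeeID.Trim()) })

# Stop if the batch is larger than expected instead of disabling in bulk.
if ($targets.Count -gt $maxDisable) {
    throw "$($targets.Count) accounts would be disabled (limit $maxDisable); review the CSV first."
}

# Keep a record of what is about to change, then preview.
$targets | Select-Object SamAccountName, EmployeeID, DistinguishedName |
    Export-Csv -Path $reportCsv -NoTypeInformation
$targets | Disable-ADAccount -WhatIf    # remove -WhatIf to apply
```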