I found this MS script to extract admin users from AD. It gets the roles with $AzureADRoles = #(Get-AzureADDirectoryRole -ErrorAction Stop), iterates over them, and gets the users using $RoleMembers = #(Get-AzureADDirectoryRoleMember -ObjectId $AzureADRole.ObjectId).
It works great, only I need to access the description field on these users. Unfortunately, the $RoleMembers don't have a description attribute, even though the $AzureADRoles do!
Is there some way I can get the description field for the users, perhaps with a similar command? I see some commands that would do the trick if I wanted to traverse group members, but I'm looking for something role-based.
Thanks!!!
I found the answer here. I just had to add $Admin = Get-ADUser -Identity $RoleMember.DisplayName -Properties Description before constructing $ObjectProperties in a try/catch block, then get the description from $Admin and grab everything else just like before.
Related
We have a few groups that we are playing with. We'll call it Group1 Group2 Group3. We then have a custom AD Attribute called "team". We need to take all the users of Group1 and change their AD Attribute to "Group1" etc etc. I've looked at a few ways to do this but am drawing up a blank. Any suggestion is greatly appreciated.
There are a few functions to work with here, and this will require that you have the AD module installed for PowerShell.
First, you'll need to get all of the members of the group, and you likely want to do it recursively. So that's:
Get-ADGroupMember -Identity "Group A" -Recursive
Running that on its own should give you all the members. But now you want to do something with what you got back from that function, so you want to loop over them
Get-ADGroupMember | ForEach-Object {
# You'll do something with each member here.
}
And what you want to do it set the AD attribute, which you can do with Set-ADUser. While most attributes can be set easily as they're all properties of the function, yours appears to be custom so you need to use -replace. That looks like this:
Get-ADGroupMember | ForEach-Object {
Set-ADUser -Identity $_ -Replace #{"Team"="Group A"} -WhatIf
}
The -WhatIf on the end makes the function tell you what it would do, but it doesn't actually do it. I've left it there so you don't accidentally run the code without testing it out first. When you want this to actually do something, remove that text.
You should try this on a small group with one or two people to make sure it works the way you want, and then when you're ready, hit the larger group
I've seen multiple examples on adding a user to a group after creation, but not at the time of creation. Is that possible? Currently, I have something like this: (most attributes removed for simplicity)
$user = New-ADUser -Name "person" -Path "OU=test,OU=myorg" -Office "home" -samAccountName "snuffy.john" -PassThru
if ($user){
Add-ADGroupMember -Identity mygroup -Members $user.samAccountName
}
This causes two calls to the ldap server for each user added and I'm trying to prevent that as I have many thousands of users and the script takes a long time to run. I've checked MS docs but didn't see anything. If it's not possible, it is what it is. Thought I'd try asking at least. I also just started using powershell last week.
You may turn your thinking. with thousands of users I would do it like this.
First create all users.
Then get them by Get-ADUser -Filter * -SearchBase "OU=test,OU=myorg" (or maybe Filter the CreatedDate Attribute to get all new users)
After getting the users try to filter them for the groups you want to put them into and use the Add-ADGroupMember cmdlet, which accepts an array of ADPrincipals for parameter "-members".
This will speed up your code.
It might look silly but I'm struggling with finding user with Powershell by providing his full name and his manager full name. Purpose of script is to get SamAccountName and Email Address by using mentioned values which are provided by other team (these are the only unique values I get - getting user by Full Name is not any kind of problem, but it's possible that it'll return multiple results, and that's why Manager Full Name would determine appropriate result).
First I was using simple command
Get-ADUser -server $gc -Filter { (CN -eq $uFullName) -and (extensionAttribute4 -eq $mFullName) }
It worked great, but unfortunately I noticed that not all accounts use extensionAttribute4 to hold manager full name. I thought of using Filter on manager property but when I tried to use (Manager -like "*value*") it returned that like operator isn't supported by this attribute.
I'm still trying to find solution for this but maybe someone will have some solution to this situation.
Thank you in advance.
I am a beginner in PowerShell, so I have been tinkering around it to learn more about its uses. Currently I have a task that requires me to remove a list of chosen groups from a user.
The user is in a different domain, hence I have used LDAP.
I am able to find that user and bind it to an object using the command below:
[ADSI]$user = "LDAP://CN=xxx,OU=xxx,DC=xxx"*
so I am able to display whatever information required from $user e.g. $user.sAMAccountName, $user.DisplayName it works. Except for the users groups...
I try the command to remove the groups listed in the user based on sAMAccountName; as all the users in that domain is identified easier by sAMAccountName, it doesnt work.
this command was used just to see if I can remove one group first; if $user can be found and read by the command; it doesnt work
remove-adgroupmember "GroupName" $user.sAMAccountName
or when I tried to display the groups instead to see if $user can be read, it also doesnt work,
Get-ADPrincipalGroupMembership [ADSI]$user = "LDAP://CN=xxx,OU=xxx,DC=xxx" |
select name
I have tried to search regarding this issue, but almost all the tips does not involve different domains or used ldap for other domains, it uses the primary domain instead, and I am not sure on how to edit that part.
If anyone can advice me I would be very grateful, thank you =)
So I have an interesting script I am trying to figure out, basically I need to change a custom attribute value to a new one. The problem is its for both users and computers and not specific to the groups. So for instance the value might be Billing1 for several users in an OU and this need to be Billing2. So I need to find any instance of the Value of Billing1 and change it to Billing2 not knowing the user or computer object. I can successfully change one at a time if I know who the user is by using Set-ADUser, Set-ADComputer and even with Set-AdObject but I need to figure out a Find and replace function.
I have searched for this and I have found examples of where I can use CSV for users and computers but again I don't know who has what since the value in the attribute can vary and also changes if a reorg happens.
got the correct script...
Get-ADComputer -Properties enterattributename -Filter {enterattributename -like "value to search" } |Set-ADComputer –replace #{ enterattributename =”value to change”}
this also can be applied to Get-ADUser and Get-ADObject