How to retrieve only enabled users from the Active Directory - powershell

I'm trying to retrieve only enabled users in the AD. When I run this code line it returns the error. I tried using a filter as well to filter only enabled users for the requested info but it returns ALL users from every domain instead of just the single id.
Get-ADUser : A positional parameter cannot be found that accepts argument 'enabled -eq 'true''.
This is my code that is throwing the error.
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter '*' | Get-ADUser Where "enabled -eq 'true'" | Get-ADUser -Properties ('Mail')
This one returns ALL users from every domain
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter "enabled -eq'true'" | Get-ADUser -Properties ('Mail')
Is my syntax wrong on both of them? If I just want to return values from say "Animal shop A" and then "Animal Shop B"

.. or a little bit shorter this way:
Get-ADUser -Filter 'enabled -eq $true' -Properties mail |
Select-Object -Property Name,samaccountname,mail
Besides this I would recommend to use a -SearchBase. That's less stressful for the AD. ;-)

Get-ADUser -Filter * -Properties mail | Where { $_.Enabled -eq $True} | Select Name,samaccountname,mail
That will get all enabled users in your target domain that are enabled and display the name, username, and mail properties

Important to know for both commands:
You must work with an elevated powershell process.
Otherwise the result may not be complete.

get-aduser -filter 'enabled -eq "true"' -ResultSetSize $Null

Simply try the commands below in PowerShell with administrator permissions.
As a guide, the first part will filter users, the second part filters enabled users, and the last part will give you an export of the results.
Get-ADUser -Filter * -Properties Enabled | Where-Object {$_.Enabled -eq $true} | Export-Csv -Path C:\eport.csv -Encoding ascii -NoTypeInformation
Hope this is useful for you.

Related

Get all groups of AD users with filter - Powershell

I'm trying to get all groups that start with the following string from a user "DIR-*". With the following command I get all the groups of the user.
Get-ADUser -Identity $username -Properties memberof | Select-Object -ExpandProperty memberof
I then tried to filter with this, but that doesn't work because the list remains empty.
Get-ADUser -Identity $username -Properties memberof | Select-Object -ExpandProperty memberof | Where-Object {$_.CN -like "DIR-*"}
Unfortunately, I am still a complete beginner when it comes to Powershell, but I need the command promptly.
I thank you for any help.

Powershell: finding by mail all accounts that are managed by one person

Can you help me with this oneliner? I've tried a different syntax, but to no avail. I want to find all user accounts that have one specific manager and the manager needs to be specified by mail.
Get-ADUser -Filter {manager -eq ((Get-ADUser -Filter {mail -eq "name@company.com"}).DistinguishedName)} -Properties AccountExpirationDate | select samaccountname, AccountExpirationDate
Adam.
There might be more elegant ways of solving this but the following should work.
Edit after you added more info.
I assume you want all the "service accounts" under that manager and not that the manager itself is assumed to be a service account?
Get-ADUser -Filter "manager -eq '$($(Get-ADUser -Filter 'mail -eq "name@company.com"').DistinguishedName)' -and extensionAttribute8 -eq 'service account'" -Properties AccountExpirationDate | select SamAccountName, AccountExpirationDate
Furthermore - mklement0 has an excellent answer with quite extensive information on the Filter-parameter and how it ought to be used, despite the ActiveDirectory module allowing for a different approach.
This one should work :
Get-ADUser -Filter "manager -eq `"$((Get-ADUser -Filter `"mail -eq 'name@company.com'`").DistinguishedName)`"" -Properties AccountExpirationDate | select samaccountname, AccountExpirationDate
I prefer double quotes for the Filter parameter. The equality test needs to be passed as a string. So, you need to escape the double quotes inside the main filter.
Both answers work. I am sorry, but I need to change the desired command:
As I changed your commands, they look like
Get-ADUser -Filter "manager -eq `"$((Get-ADUser -Filter `"mail -eq 'name@company.com'` -and extensionattribut8 -eq "service account"").DistinguishedName)`"" -Properties AccountExpirationDate | select samaccountname, AccountExpirationDate
Get-ADUser -Filter "manager -eq '$($(Get-ADUser -Filter 'mail -eq "name@company.com" -and extensionattribut8 -eq "service account"").DistinguishedName')" -Properties AccountExpirationDate | select SamAccountName, AccountExpirationDate
and it doesn't work. Can I get more of your help? Changed: 2 conditions in the filter.

Powershell - Populate list of AD users in large security group that are in a particular OU

I'm trying to get an AD Security Group down to a manageable size, but due to display limits in Powershell, this is proving difficult for me. The group is down to 47,720 now after removing all disabled AD accounts. Now I'm trying to filter it down to Enabled users that live in this particular OU. Below is what I've used with success in the console.
Get-ADGroup "very_large_secgroup" -properties Member | Select-Object -expandproperty member | get-aduser -Filter * -SearchBase "OU=PurgeStudents,OU=DisabledAccounts,DC=contoso,DC=com" | Select-Object SamAccountName,DistinguishedName
When I try to count this, or pipe it via Out-File though, I get:
get-aduser : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its properties do not match any of the parameters that
take pipeline input.
At line:1 char:92
+ ... ty member | get-aduser -Filter * -SearchBase "OU=PurgeStudents,OU=Dis ...
Any assistance would be greatly appreciated, as I am a novice in Powershell magic.
Instead of using -Filter *, you could filter for all previously retrieved users. And there is a cmdlet to get the members of a group:
Get-ADGroupMember -Identity "very_large_secgroup" -Recursive | Foreach-Object {Get-ADUser -Filter "Name -like '$($_.Name)'" -SearchBase "OU=PurgeStudents,OU=DisabledAccounts,DC=contoso,DC=com" | Select-Object -Property SamAccountName, DistinguishedName}
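
Added example, not part of any post above: in both the 'Animal Shop A' / 'Animal Shop B' question and the large-group question, the piped group members do not scope a -Filter query, because -Filter and -Identity belong to different parameter sets of Get-ADUser. This sketch asks the directory for the enabled members of each group with one server-side LDAP filter instead; the function name Get-EnabledGroupUser is hypothetical, and the group and OU names are the ones quoted on this page.

```powershell
# Added example. Get-EnabledGroupUser is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-EnabledGroupUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $GroupName,
        [string] $SearchBase,   # optional: only return users located under this OU
        [switch] $Recursive     # also return members of nested groups
    )
    foreach ($name in $GroupName) {
        $group = Get-ADGroup -Identity $name

        # Escape LDAP filter metacharacters in the DN (RFC 4515). Backslash first.
        $dn = $group.DistinguishedName -replace '\\', '\5c' -replace '\*', '\2a' `
                                       -replace '\(', '\28' -replace '\)', '\29'

        # 1.2.840.113556.1.4.1941 = in-chain matching rule (walks nested groups).
        $memberOf = if ($Recursive) { "memberOf:1.2.840.113556.1.4.1941:=$dn" }
                    else            { "memberOf=$dn" }

        # 1.2.840.113556.1.4.803 = bitwise AND; userAccountControl bit 2 = disabled.
        $ldap = "(&(objectCategory=person)(objectClass=user)($memberOf)" +
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

        $query = @{ LDAPFilter = $ldap; Properties = 'mail' }
        if ($SearchBase) { $query.SearchBase = $SearchBase }

        # Note: memberOf does not list a user's primary group (e.g. Domain Users).
        Get-ADUser @query |
            Select-Object @{ n = 'Group'; e = { $group.Name } }, Name, SamAccountName, mail
    }
}

# Enabled members of two groups, one result set per group
Get-EnabledGroupUser -GroupName 'Animal Shop A', 'Animal Shop B'

# Enabled members of a large group that live in one OU, counted
Get-EnabledGroupUser -GroupName 'very_large_secgroup' `
    -SearchBase 'OU=PurgeStudents,OU=DisabledAccounts,DC=contoso,DC=com' |
    Measure-Object
```

Because the membership test runs on the domain controller, the group's member list is never pulled to the client, so the output can be counted or piped to Out-File like any other Get-ADUser result.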

Joining user to groups based on template user strange behaviour

I'm writing a script in PowerShell that creates users. This script adds the user to groups based on a template user with the department name. When used in my script like so:
Get-ADUser -Filter {name -eq "Temp$($Department.LookupValue)"} -Properties memberof |
Select-Object -ExpandProperty memberof |
Add-ADGroupMember -Members $sAMAccountName
this unfortunately doesn't work, nor does it give any errors.
However, when I run just the line of code it works just fine
Get-ADUser -Filter {name -eq "TempICT"} -Properties memberof |
Select-Object -ExpandProperty memberof |
Add-ADGroupMember -Members usern
As noted in the comments, you can cycle through the group names with foreach-object using Add-ADGroupMember, but this is going to result in a call to AD for every group the user needs to be added to. It may be more efficient to use the Add-ADPrincipalGroupMembership cmdlet, which will add the user to multiple groups in a single operation:
$Groups = Get-ADUser -Filter {name -eq "TempICT"} -Properties memberof |
Select-Object -ExpandProperty memberof
Add-ADPrincipalGroupMembership -Identity $sAMAccountname -MemberOf $Groups
The following line of code does work, I guess the problem was with the filter not being able to process the dot notation.
Get-ADUser "Temp$departmentsn" -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members $gebruiker
It's not 100% how I wanted it since I now search for the netbiosname instead of the name property but it works. Because of the 20 character limitation for netbiosnames I had to make a substring to make it work for all my departments.

Domain Admin Cleanup with Foreach-Object

I'm in the process of cleaning up my inherited Domain Admins group and remove service accounts that are no longer needed. I'm trying to pull the group membership of the Domain Admins group and feed it into a Get-ADUser, with little success.
$name = Get-ADGroupMember "domain admins" | select -ExpandProperty Name
Foreach-Object {
Get-ADUser -Filter { Name -Like "$name"} -Properties * | FT Name, LastLogonDate
}
If I run the Get-ADGroupMember by itself it works. If I run the Get-ADUser with a name from the list (instead of the $name variable) it works. But when I attempt to tie them together it does not work.
I am glad you were able to make it work but I would like to offer some advice. First don't use -Properties * when all you really needed was LastLogonDate. You are pulling more data than you need to. Also you don't even need the ForEach loop since Get-Aduser will accept the pipeline input very nicely.
Get-ADGroupMember "domain admins" | Get-ADUser -Properties LastLogonDate |
Select Name,LastLogonDate
or if you really want console output, as opposed to standard output
Get-ADGroupMember "domain admins" | Get-ADUser -Properties LastLogonDate |
Format-Table Name,LastLogonDate -AutoSize
Thanks @EBGreen, your comment pointed me in the right direction. I am able to get what I need with the following:
Get-ADGroupMember "domain admins" | select -ExpandProperty SamAccountName | % {
$name=$_
Get-ADUser $_ -Properties *
} | FT Name, LastLogonDate -AutoSize
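
Added example, not part of any post above: a review listing for the Domain Admins cleanup described in this question, returning objects rather than formatted text so the result can be sorted, filtered or exported. The function name Get-PrivilegedGroupReview and the 90-day staleness threshold are assumptions made for this sketch.

```powershell
# Added example. Get-PrivilegedGroupReview and the 90-day default are assumptions.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReview {
    [CmdletBinding()]
    param(
        [string] $GroupName = 'Domain Admins',
        [int]    $StaleDays = 90
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # -Recursive flattens nested groups; keep user objects only.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet, ServicePrincipalName, Description |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Enabled         = $_.Enabled
                # LastLogonDate comes from lastLogonTimestamp, which replicates
                # with a lag of up to about two weeks: treat it as approximate.
                LastLogonDate   = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet
                # A registered SPN suggests the account runs a service.
                HasSPN          = @($_.ServicePrincipalName).Count -gt 0
                # Never logged on, or last logon older than the cutoff.
                Stale           = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)
                Description     = $_.Description
            }
        } |
        Sort-Object LastLogonDate   # accounts that never logged on sort first
}

# Review candidates: disabled, stale, or service-style accounts still in the group
Get-PrivilegedGroupReview |
    Where-Object { -not $_.Enabled -or $_.Stale -or $_.HasSPN } |
    Format-Table -AutoSize
```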