So Here is my code. Essentially this code will be used by a domain admin to run on our terminal server. I lists all of the currently logged in users, and check their individual group membership and then counts members. Easy Peasy.
99% of this works as expected but I am not a code guru by far. I'm having problems getting a proper list of names from Line 4 which uses quser. If I switch to using Line 5 as text the code works as expected.
I can't for the life of me get the output from line 4 into a format I can use in the rest of the code.
Import-Module ActiveDirectory
$calgary = 0
$edmonton = 0
$users = (quser) -replace '\s{2,}', ',' | ConvertFrom-Csv | Select-Object USERNAME
$usersold = "Thomas", "Scott", "jeremy"
$groups = 'Domain Admins'
foreach ($user in $users) {
foreach ($group in $groups) {
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty SamAccountName
If ($members -contains $user) {
$calgary = $calgary + 1
Write-Host "$user is a member of $group"
Write-Host "$group has $calgary logged in users"
} Else {
Write-Host "$user is not a member of $group"
}
}
}
$users.GetType() returns an Array of elements of type PSCustomObject, so this is an object with properties, rather than just a list of strings.
When you do ($user in $users) then each $user is an object with the USERNAME property. So you have two options:
Access the USERNAME in the loop
When you need the username inside the loop, use $user.USERNAME
Get a list of strings rather than objects
Replace line 4 with:
$users = $((quser) -replace '\s{2,}', ',' | ConvertFrom-Csv | Select-Object USERNAME).USERNAME
On line 4, try using:
$users = ((quser) -replace '\s{2,}', ',' | ConvertFrom-Csv | Select-Object USERNAME).username
I think a better way to get a list of logged on users is to use Get-CimInstance to gather the sessions, filter for LogonType 3 (remote logon), and then get the users associated with those logon IDs. Then, since it looks like you want to be able to check multiple groups, I would get the members for each group, and just note if each user is a member of each group. At the end I would output a table of all sessions, including which groups each user is a member of, and how many users each group has logged on.
$LoggedOn = gcim Win32_LoggedOnUser
$GroupNames = 'pkiadmins'
$Groups = #{}
$GroupNames | ForEach-Object { $Groups.Add($_,(Get-ADGroupMember -Identity $_ -Recursive | Select -Expand SamAccountName)) }
$Sessions = gcim Win32_LogonSession -PipelineVariable Session|?{$_.LogonType -eq 3}|%{
$SesUser = $LoggedOn|?{$_.Dependent.LogonId -eq $Session.LogonId}
$SessionOut = [PSCustomObject]#{
Domain = $SesUser.Antecedent.Domain
User = $SesUser.Antecedent.Name
}
ForEach($Group in $GroupNames){
Add-Member -InputObject $SessionOut -NotePropertyName $Group -NotePropertyValue ($SessionOut.User -in $Groups[$Group])
}
If($SessionOut.User -notmatch '\$$'){$SessionOut} #skip computer accounts
}
$Sessions|FT -Auto
ForEach($Group in $GroupNames){
"Group '{0}' has {1} logged in user(s)" -f $Group,([array]($Sessions|?{$_.$Group})).Count
}
Related
Hope all is well.
Trying to see if this possible.
Task: I have list of AD group that I need find members of each group. Only get the list active users.
Issue: I wanted to see if I can put the name of the group as Column name and Group Members under each column. Not sure if this possible. So far. I was only able to use Write-Output - Group and add extra line in way to difference each group.
$data = Import-Csv -Path C:\Source\Listofusers.csv
$results = Foreach ($datauser in $data)
{
$getadgroupmember = Get-ADGroupMember -Identity $datauser.ADGroups -Recursive | ? {$_.objectclass -eq "user"}
write-output "`n"
write-output $datauser.ADGroups
write-output "-----------------------------------------------------------------"
foreach ($activeanddisabledusers in $getadgroupmember)
{
Get-ADUser -Identity $activeanddisabledusers -Properties enabled | Where-Object {$_.Enabled -eq 'true'} | Select-Object -ExpandProperty SamAccountName}
}
I am beginner in powershell and trying to create a script.
I have list of users, for them I need to know in which DLs they are added.
The problem I am facing is, it shows the list of DLs only, is there any way I can get DLs under the usernames? or a better way to accomplish this.
Note: we name all our DLs in capital letter thats why I have used "\b[A-Z0-9_]+\b" in where-object.
$users = import-csv C:\Test\users.csv | ForEach-Object {$_.users = $_.users.Trim(); $_} | Select-Object -ExpandProperty users
foreach ( $user in $users)
{get-ADPrincipalGroupMembership $user | select name |
Where-Object { $_.name -cmatch "\b[A-Z0-9_]+\b"} | Export-CSV "C:\test\output_file.csv" -NoTypeInformation -Append
}
Now I get the following outcome:
Group1
Group2
Group3
Group2
Group3
Group4
My ideal out put would be something along the lines of:
User MemberOf
---- --------
Bob Group1, Group2, Group3....
Jim Group2, Group3, Group4....
Thanks alot.
Assuming you're looking for Distribution Lists, you can tell if a group is a Security Group or a Distribution List by looking at the GroupCategory property of an ADGroup object.
Instead of looking at the user's memberOf attribute and finding out which ones are Distribution you can search for ADGroups that are GroupCategory -eq 'Distribution' where each user is a member:
$users = (Import-CSV C:\Test\users.csv | ForEach-Object {
$_.users.Trim()
}).users
$result = foreach ($user in $users)
{
$userDN = (Get-ADUser $user).DistinguishedName
$groups = Get-ADGroup -Filter "member -eq '$userDN' -and groupCategory -eq 'Distribution'"
[pscustomobject]#{
User = $user
MemberOf = $groups.Name -join ', '
}
}
$result | Export-CSV "C:\test\output_file.csv" -NoTypeInformation
If you want to use the code you already have, with this minor update you should be getting the result you are looking for:
$users = (Import-CSV C:\Test\users.csv | ForEach-Object {
$_.users.Trim()
}).users
$result = foreach ($user in $users)
{
$membership = Get-ADPrincipalGroupMembership $user |
Where-Object {
$_.name -cmatch "\b[A-Z0-9_]+\b"
}
[pscustomobject]#{
User = $user
MemberOf = $membership.Name -join ', '
}
}
$result | Export-CSV "C:\test\output_file.csv" -NoTypeInformation
I have the below working script that checks if a large list of users in a CSV file are a member of an AD group and writes the results to results.csv.
Not sure how to convert the script so I can change $group = "InfraLite" to $group = DC .\List_Of_AD_Groups.CSV.
So the script doesn't just return matches for one AD group but so it returns matches for the 80 AD groups contained in the List_of_AD_groups.csv also. Writing a YES/NO for each AD group in a new column in the CSV (or if that's not possible creating a seperate .csv file for each group with results would do also.
I could do this manually by changing the value of $group and export file name, and re-running the script 80 times but must be a quick was with PS to do this?
e.g. results.csv:
NAME AD_GROUP1 AD_GROUP2 AD_GROUP80 etc etc.
user1 yes no yes
user2 no no yes
user3 no yes no
echo "UserName`InfraLite" >> results.csv
$users = GC .\user_list.csv
$group = "InfraLite"
$members = Get-ADGroupMember -Identity $group -Recursive |
Select -ExpandProperty SAMAccountName
foreach ($user in $users) {
if ($members -contains $user) {
echo "$user $group`tYes" >> results.csv
} else {
echo "$user`tNo" >> results.csv
}
}
I played with this for a while, and I think I found a way to get you exactly what you were after.
I think Ansgar was on the right path, but I couldn't quite get it to do what you were after. He mentioned that he didn't access to an AD environment at the time of writing.
Here is what I came up with:
$UserArray = Get-Content 'C:\Temp\Users.txt'
$GroupArray = Get-Content 'C:\Temp\Groups.txt'
$OutputFile = 'C:\Temp\Something.csv'
# Setting up a hashtable for later use
$UserHash = New-Object -TypeName System.Collections.Hashtable
# Outer loop to add users and membership to UserHash
$UserArray | ForEach-Object{
$UserInfo = Get-ADUser $_ -Properties MemberOf
# Strips the LPAP syntax to just the SAMAccountName of the group
$Memberships = $UserInfo.MemberOf | ForEach-Object{
($_.Split(',')[0]).replace('CN=','')
}
#Adding the User=Membership pair to the Hash
$UserHash.Add($_,$Memberships)
}
# Outer loop to create an object per user
$Results = $UserArray | ForEach-Object{
# First create a simple object
$User = New-Object -TypeName PSCustomObject -Property #{
Name = $_
}
# Dynamically add members to the object, based on the $GroupArray
$GroupArray | ForEach-Object {
#Checking $UserHash to see if group shows up in user's membership list
$UserIsMember = $UserHash.($User.Name) -contains $_
#Adding property to object, and value
$User | Add-Member -MemberType NoteProperty -Name $_ -Value $UserIsMember
}
#Returning the object to the variable
Return $User
}
#Convert the objects to a CSV, then output them
$Results | ConvertTo-CSV -NoTypeInformation | Out-File $OutputFile
Hopefully that all makes sense. I commented as much of it as I could. It would be very simple to convert to using ADSI if you didn't have RSAT installed on whatever machine you're running this on. If you need that let me know, and I'll make some quick modifications.
I've also tossed a slightly modified version of this in a Gist for later reference.
The trivial solution to your problem would be to wrap your existing code in another loop and create an output file for each group:
$groups = Get-Content 'C:\groups.txt'
foreach ($group in $groups) {
$members = Get-ADGroupMember ...
...
}
A more elegant approach would be to create a group mapping template, clone it for each user, and fill the copy with the user's group memberships. Something like this should work:
$template = #{}
Get-Content 'C:\groups.txt' | ForEach-Object {
$template[$_] = $false
}
$groups = #{}
Get-ADGroup -Filter * | ForEach-Object {
$groups[$_.DistinguishedName] = $_.Name
}
Get-ADUser -Filter * -Properties MemberOf | ForEach-Object {
$groupmap = $template.Clone()
$_.MemberOf |
ForEach-Object { $groups[$_] } |
Where-Object { $groupmap.ContainsKey($_) } |
ForEach-Object { $groupmap[$_] = $true }
New-Object -Type PSObject -Property $groupmap
} | Export-Csv 'C:\user_group_mapping.csv' -NoType
I am trying to copy from one ad group to another. However I am having trouble with piping the data and feeding the add-group command with array items please help
Write-Host "You have selected the following group: $SourceGroup"
$SourceGroup = Read-Host
Write-Host "Enter the name of the new group you want the membership of $SourceGroup copied to"
$DestinationGroup = Read-Host
$P1 = Get-ADGroup $SourceGroup -Property member | Select member | Format-Table -HideTableHeaders
$P2 = Foreach ($Member in $P1) { Get-ADUser $Member -Property SamAccountName | Select SamAccountName }
Foreach ($Member in $P1) { Add-ADGroupMember -Identity $DestinationGroup -Member $Member }
You break it by using Format-Table. Formatting is for display, you should not format anything you expect to work with in the shell. By all means format it at the end once you're done.
Anyway, you should be able to simplify it.
Get-ADGroup $SourceGroup | Get-ADGroupMember | ForEach-Object {
Add-ADGroupMember $DestinationGroup -Member $_.DistinguishedName
}
Chris
I have a function that helps me grab over 20k users in our AllUsers group (gets ObjectClass,Name,SamAccountname,DistinguishedName). I'm trying to list anyone who has CBA-* groups, but the loop seems to repeat the output a couple of times per user (after the 1st one), when I only want one iteration (many CBA-* possibilities). Here's what I have. Also, I get errors "Get-ADPrincipalGroupMembership : The server was unable to process the request due to an internal error." Any ideas why that would happen? I'm not sure I can see why my code repeats maybe twice, but then seems to move on to the next user just fine?
ForEach ($User in $Users) {
Get-ADPrincipalGroupMembership -Identity $User.SamAccountName |
Select Name |
Where-Object {$_.Name -like 'CBA-*'} |
ForEach-Object { $User_MemberOf += #($_.Name) }
ForEach ($Group in $User_MemberOf) {
New-Object PSObject -Property #{
SID = $User.SamAccountName
Name = $User.name
Group = $Group
} | Export-Csv -Path $logs -NoTypeInformation -Append
}
}
For each loop iteration, you continue to assign values to $User_MemberOf with the addition operator (+=) meaning that for each new user it gets "sanded" more and more with the previous users' memberships.
Two ways to avoid:
Initialize $User_MemberOf as an empty array at the start of each loop iteration:
foreach($User in $Users){
$User_MemberOf = #()
Get-ADPrincipalGroupMembership -Identity $User.SamAccountName |Select -Expand Name |Where-Object {
$_ -like 'CBA-*'
} |ForEach-Object {
$User_MemberOf += $_
}
foreach($Group in $User_MemberOf){
# export to CSV
}
}
Assign output directly from pipeline:
foreach($User in $Users){
$User_MemberOf = Get-ADPrincipalGroupMembership -Identity $User.SamAccountName |Select -Expand Name |Where-Object {
$_ -like 'CBA-*'
} |ForEach-Object {
$User_MemberOf += $_
}
foreach($Group in $User_MemberOf){
# export to CSV
}
}