Just getting started with Powershell and I've run into a roadblock. I'm trying to iterate through AD and get a list of all OU's. From there I'm trying to get user account info for each user in each OU. To test I've been able to get the DN for all OU's and output to console but when I try and pass those values to the get-aduser cmdlt it fails.
Here's my code:
import-module activedirectory
$SearchBase = get-adorganizationalunit -filter * -searchbase "ou=users,ou=myUsers,dc=company,dc=local" -Properties CanonicalName | select-object -Property distinguishedName
foreach ($ou in $SearchBase) {
get-aduser -filter * -searchbase $ou -Properties givenName,sn,mail
}
I'm getting the following error message: "The supplied distinguishedName must belong to one of the following partitions..."
I think the issue is that when passing $ou to the get-aduser cmdlt the distinguished name must be enclosed in quotes after -searchbase correct? If so not sure how to go about that. Any help is appreciated.
The issue you are having is you need to expand the property you are selecting. You will notice if you run:
get-adorganizationalunit -filter * -searchbase "ou=users,ou=myUsers,dc=company,dc=local" -Properties CanonicalName | select-object -Property distinguishedName
It will show the parent property:
There are two ways to fix this:
Expand the property in your select statement:
$SearchBase = get-adorganizationalunit -filter * -searchbase "ou=users,ou=myUsers,dc=company,dc=local" -Properties CanonicalName | select-object -ExpandProperty distinguishedName
OR Call the Property in your foreach:
foreach ($ou in $SearchBase) {
get-aduser -filter * -searchbase $ou.distinguishedName -Properties givenName,sn,mail
}
Related
Current powershell script being used is in this format:
Get-ADUser -Filter * -Properties EmailAddress, DisplayName -SearchBase "OU=USERS, OU=Site, OU=$_, DC=domain" -Server ServerName | Select DisplayNAme, EmailAddress
My problem is that the OU users, and site are buried in different folders one level up, and I can't figure out how to make the powershell script look thru all the folders above (OU=$_). Using OU=* doesn't work either (bad syntax error).
The -SearchBase parameter doesn't allow wildcards, if I understand correctly, you're looking for all parents OUs having OU=USERS, OU=Site as child OU, in which case, you can first filter for all OUs with Name Users then filter again for those OUs where their DistinguishedName contains OU=USERS, OU=Site and lastly feed these OUs to Get-ADUser -SearchBase:
(Get-ADOrganizationalUnit -LDAPFilter "(name=users)").DistinguishedName | ForEach-Object {
if($_ -notlike "OU=USERS, OU=Site*") { return }
Get-ADUser -Filter * -Properties EmailAddress, DisplayName -SearchBase $_ -Server ServerName
} | Select DisplayName, EmailAddress
I am trying to run the get-aduser query below and I keep getting the error Get-AdUser Cannot convert to the type system.string. Any idea what might be the problem? TIA
$Base = (Get-ADOrganizationalUnit -Filter {(Name -like "Department")}).DistinguishedName
Get-ADUser -Filter * -SearchBase $Base -Properties Name
I tested this, and I can confirm that if your call to Get-ADOrganizationalUnit returns more than one OU, then the DistinguishedName property will be an array rather than a plain string. So you will need to change your call to Get-ADOrganizationalUnit so that it returns only one.
You can do that by either using the -ResultSetSize parameter to only use the first result:
$Base = (Get-ADOrganizationalUnit -Filter {(Name -like "Department")} -ResultSetSize 1).DistinguishedName
Or change the Filter so that it matches only one OU. I assume you're using -like because you're using a wildcard in your actual code, so you probably just have to be more specific.
Update: If you want users from all the matched OUs, then you can use ForEach-Object:
Get-ADOrganizationalUnit -Filter {(Name -like "Department")} |
ForEach {
Get-ADUser -Filter * -SearchBase $_.DistinguishedName -Properties Name
}
Domain→OU=Client Computers→OU=Location
Each computers has an extensionAttribute1 value.
I need to get each computer's extensionAttribute1 and export to a CSV file.
I ran below code, but was unable to get it right. Tried few variation with no success.
I ran this first (no error here):
$Computers = Get-ADComputer -Filter * -SearchBase "OU=Location,OU=Client Computers,DC=ABC,DC=ABC1" -Properties *
Then I ran this:
foreach ($Computer in $Computers) {
Get-ADComputer $Computer -Filter * -Properties extensionAttribute5 |
Export-Csv C:\computer_users.csv
}
and got the following error:
Get-ADComputer : A positional parameter cannot be found that accepts
argument
I tried with parenthesis, commas, single quotes, double quotes, … just can't figure it out.
Get-ADComputer $Computer -Filter * ...
is the same as
Get-ADComputer -Identity $Computer -Filter * ...
If you take a look at the documentation you'll see that the parameters -Identity and -Filter are mutually exclusive. Besides, you don't need the loop and the second Get-ADComputer call anyway. Simply select the properties you want from your first Get-ADComputer call and pipe the result to Export-Csv:
$ou = 'OU=Location,OU=Client Computers,DC=ABC,DC=ABC1'
Get-ADComputer -Filter * -SearchBase $ou -Properties extensionAttribute1 |
Select-Object Name, extensionAttribute1, ... |
Export-Csv 'C:\computer_users.csv' -NoType
I am trying to get a list of AD user who does not have picture. I am on QBC.CAN domain and trying to get information from KOBAL domain. The KOBAL domain looks like this KOBAL.COM. There is OU called SALES AND sub OU called NORTHWEST.
My job is the get a list of users with name, title, email, where Picture is not present. thumbnailPhoto is the ldap-display name. I tried few queries but it doesn't give me what I need and keep getting error.
Get-ADUser -Filter * -Server "ADCP12WSDC54X01.KOBAL.COM" -properties thumbnailPhoto | ? {!$_.thumbnailPhoto} | select Name
This code works but I don't need the entire list. I only need OU=SALES,OU=NORTHWEST. If I change the script to following I get an error
Get-ADUser -Filter * -SearchBase "OU=NORTHWEST, OU=SALES ,DC=KOBAL,DC=COM" -properties thumbnailPhoto | ? {!$_.thumbnailPhoto} | select Name
Get-ADUser : The supplied distinguishedName must belong to one of the following
partition(s): 'DC=QBC,DC=CAN , CN=Configuration,DC=QBC,DC=CAN , cN=Schema,CN=Configuration,DC=QBC,DC=CAN , DC=DomainDnsZones,DC=QBC,DC=CAN, DC=ForestDnsZones,DC=QBC,DC=CAN'.
Here's what I would use:
$SearchBase = 'OU=NORTHWEST,OU=SALES,DC=KOBAL,DC=COM';
$LdapServer = 'YourLDAPServerName';
$UsersWithoutPhotos = Get-ADUser -Filter 'thumbnailPhoto -notlike "*"' -SearchBase $SearchBase -SearchScope 'Subtree' -Server $LdapServer | Select-Object 'Name'
The filter here removes the need for piping to a Where-Object. It will return any user in the target OU or below that doesn't have a thumbnailPhoto attribute. You don't need -Properties thumbnailPhoto now since you're not using it for anything anymore, so you won't be returning all that data.
Edit to add:
By default, the only properties returned by Get-ADUser are DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname, UserPrincipalName. If you want access to anything else, you'll need to include the -Properties parameter again with Get-ADUser to tell that command to fetch that data, too. All the Select-Object command does is eliminate fields that you don't want to see.
This should work for you:
$UsersWithoutPhotos = Get-ADUser -Filter 'thumbnailPhoto -notlike "*"' -SearchBase $SearchBase -SearchScope 'Subtree' -Server $LdapServer -Properties 'title', 'displayName';
You can then restrict it to just the fields you want:
$UsersWithoutPhotos = $UsersWithoutPhotos | Select-Object 'Name','title', 'displayName';
Or sort it by a field:
$UsersWithoutPhotos = $UsersWithoutPhotos | Sort-Object 'displayName';
And display it:
$UsersWithoutPhotos | Format-Table -AutoSize;
Or:
$UsersWithoutPhotos | Out-GridView;
Of course, you can do all that on one line, too, and just keep piping.
I would like to compare two organizational units users.
I can get my user list with this command:
OU_NUMBER_1:
Get-ADUser -filter * -SearchBase "OU=OU_NUMBER_1,OU=OU-SNE_SharePoint,DC=vf,DC=local" | Select sAMAccountName
OU_NUMBER_2:
Get-ADUser -filter * -SearchBase "OU=OU_NUMBER_2,OU=OU-SNE_SharePoint,DC=vf,DC=local" | Select sAMAccountName
I would like to get homonymous from these lists. Do I have to put my users in some lists and compare them ? Or anyone get a better idea ?
To summary, I would like to get a list with homonymous of my OU's.
/Update
Try
$UserGroup1 = Get-ADUser -filter * -SearchBase "OU=OU_NUMBER_1,OU=OU-SNE_SharePoint,DC=vf,DC=local" | select sAMAccountName
$UserGroup2 = Get-ADUser -filter * -SearchBase "OU=OU_NUMBER_2,OU=OU-SNE_SharePoint,DC=vf,DC=local" | Select sAMAccountName
$UserInBothOU = Compare-Object $UserGroup1 $UserGroup2 -IncludeEqual
Be aware that the Array $UserInBothOU contains PowerShell Objects.
When you want the sAMAccountName, then you must do something like that:
foreach($User in $UserInBothOU)
{
Write-host $User.sAMAccountName
}
Because sAMAccountName is only an attribute.
$OLDGroup = Get-ADUser -filter * -SearchBase "OU=InactiveObjects,DC=gov,DC=au" -server "gov.au" | select sAMAccountName
$NEWGroup = Get-ADUser -filter * -SearchBase "OU=StandardUsers,OU=Users,DC=nsw,DC=gov,DC=au" -server "nsw.gov.au" | Select sAMAccountName
compare-object $OLDGroup $NEWGroup -Property 'SamAccountName' -IncludeEqual