<#
Run the Script On Active Directory to remove disabled users from All Groups and Set description what user was member of group if you have all the disable users in an OU.
Just add -SearchBase "OU=disabled,DC=domain,DC=com" after -filter 'enabled -eq $false'
#>
import-module activedirectory
$users=get-aduser -filter 'enabled -eq $false' -SearchBase "OU=Lockdown,DC=home,DC=ac,DC=uk" -Properties samaccountname,memberof |select samaccountname, #{n=’MemberOf’; e= { ( $_.memberof | % { (Get-ADObject $_).Name }) -join “,” }}
#set description
Foreach ($user in $users)
{ Set-ADUser $user.samaccountname -Replace #{info="Was a member of :- $($user.memberof)"}
# Export the list to csv
$Groups = (Get-ADPrincipalGroupMembership -Identity $user.SamAccountName | Select-Object -ExpandProperty name) -join ','
get-aduser $user.SamAccountName -properties memberof,samaccountname,givenname,surname | select samaccountname, #{name="Groups";expression={$Groups}} | export-csv "C:\Users\Administrator\Desktop\grpsss.csv" -Delimiter ";"
# Remove From all the Groups
Get-ADGroup -Filter {name -notlike "*domain users*"} | Remove-ADGroupMember -Members $user.samaccountname -Confirm:$False
}
$total = ($users).count
Write-Host "$total accounts have been processed..." -ForegroundColor Green
This script Removes all the groups from Disabled Users (From Disabled OU), It adds the names of those groups to Information Field along with an export of csv with the same information.
Porblem is that the csv is only populated with one user's groupmembership when there are many users in Disabled OU. question is, how do i export all the user and their group membership in a csv format. so i have a list of all the users that have been processed.
I always thought that export-csv will export eveything that powershell processes?
Thanks for your help in advance.
Your script attempts to export a csv for each user:
Foreach ($user in $users) {
...
get-aduser $user.SamAccountName -properties memberof,samaccountname,givenname,surname |
select samaccountname, #{name="Groups";expression={$Groups}} |
export-csv "C:\Users\Administrator\Desktop\grpsss.csv" -Delimiter ";"
...
}
However, this will mean that only the last user run in this foreach block will have its data written out to a .csv file.
This is because Export-Csv will overwrite the contents of an existing .csv file by default. So every user in your foreach block will overwrite the user before it.
To fix this, add the parameter switch -Append to the end of your Export-Csv command. This will add on each users data to the end of the file rather than overwrite it e.g.
Foreach ($user in $users) {
...
get-aduser $user.SamAccountName -properties memberof,samaccountname,givenname,surname |
select samaccountname, #{name="Groups";expression={$Groups}} |
export-csv "C:\Users\Administrator\Desktop\grpsss.csv" -Delimiter ";" -Append
...
}
Related
Was wondering if you could help me with script.
This script would search a specific OU (let's say Disabled Users OU) and display all the AD groups
all users are part of, the output to a CSV file showing Usernames and AD group names.
I have got a command that will display all AD groups of a user but I have to keep changing the username:
Get-ADPrincipalGroupMembership username_withoutdomain | select name
I have a script that requires the username entered and will display the AD group membership.
do {
write-host -NoNewline "Type username: "
$user = read-host
if ($user -eq "") { break }
(get-aduser $user -Properties memberof).memberof |
get-adgroup |
select -exp name
} while ($true)
I also know it is possible to do this via command prompt:
net userusername
Thanks for all assistance.
You can query all users under an OU by using the -SearchBase parameter, from there you can enumerate each user and then enumerate each group the user is a memberOf to generate your report:
$base = 'OU=disabledUsers,DC=domain,DC=com'
Get-ADUser -Filter * -SearchBase $base -Properties memberOf |
ForEach-Object {
foreach($group in $_.memberOf) {
[pscustomobject]#{
User = $_.Name
SamAccountName = $_.SamAccountName
MemberOf = $group -replace '^CN=|(?<!\\),.+'
}
}
} | Export-Csv path\to\report.csv -NoTypeInformation
As Santiago already stated you can query your OU with the -SearchBase.
And because the user and the group membership can not be queried with one command you have to create a table as Santiago points with [pscustomobject]#{...}
When I was running a daily report on users and their group membership I was running the script:
function Get-ADUserGroups{
#$Domain = 'Domain_name'
$users= Get-AdUser -Filter * -Properties SamAccountName, DisplayName, Description -ResultPageSize 500 |
select SamAccountName, DisplayName, Description
$users|
ForEach-Object{
$p=[ordered]#{
UserName=$_.SamAccountName
FullName=$_.DisplayName
User_Description=$_.Description
GroupName=$null
Group_Description=$null
}
Get-ADPrincipalGroupMembership $_.SamAccountName |
ForEach-Object{
$p.GroupName=$_.Name
Get-ADGroup $_ -Properties description |
ForEach-Object{
New-Object PsObject -Property $p
}
}
}
}
Get-ADUserGroups | Export-Csv -Path "Your_Path\Groups.csv" -Delimiter "|" -Encoding UTF8 -NoTypeInformation
I am able to export the disabled users, but then from that .csv I want to check if they have active accounts in AD, containing their samaccount name + -adm or -tst. The script runs but the second export is blank.
$users = import-csv C:\Users\....csv
$OU = 'OU=Disabled users ...'
Get-ADUser -Property Enabled -filter * -SearchBase $OU | Where {$_.Enabled -like "False"} | Select #{Name="samaccountname";Expression={$_.SamAccountName}} | Export-Csv C:\Users\... -notypeinformation -encoding UTF8
$data = foreach($line in $users){
$user = $line.samaccountname
Get-ADUser -Filter {(samaccountname -like $user) -and (samaccountname -like "*-adm") -and (samaccountname -like "*-tst")} -Properties Enabled | Where {$_.Enabled -like "True"} | select #{Name="SAPID";Expression={$_.samaccountname}}
} $data | export-csv C:\Users\... -notypeinformation -encoding UTF8
If I understand correctly, you're looking to find all those Enabled Accounts ending in -adm OR -tst AND containing the SamAccountName of ANY disabled user found in $OU.
If my assumption is correct, one way to approach the problem is to first query all the Disabled users in $OU and have them in memory (Note that there is no need to export them to CSV and then import them back again - see inline comments).
Once we have the list of Disabled users, we can loop over them to construct an LDAP Filter which will be used to query all users at once, and lastly export to CSV if any user was found.
$users = Import-Csv C:\Users\....csv
$OU = 'OU=Disabled users ...'
# Hold disabled Users under `$OU` in memory, no reason to import the data from CSV
$disabledUsers = Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)" -SearchBase $OU |
Select-Object SamAccountName
# Export Disabled Users
$disabledUsers | Export-Csv C:\Users\... -NoTypeInformation -Encoding utf8
# Construct an LDAP Filter to query al users at once
$filters = foreach($user in $disabledUsers) {
'(samAccountName=*{0}*-adm)(samAccountName=*{0}*-tst)' -f $user.SamAccountName
}
$ldapFilter = "(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(|$(-join $filters)))"
# Query the users
$enabledUsers = Get-ADUser -LDAPFilter $ldapFilter
# Check if any user could be found
if(-not $enabledUsers) {
'No Enabled -adm or -tst Account Could be found...'
}
else {
$enabledUsers | Select-Object #{ N = "SAPID"; E = { $_.SamAccountName} } |
Export-Csv C:\Users\... -NoTypeInformation -Encoding utf8
}
This is an example of how the filter would look like, having user0 and user1 as example SamAccountName:
(&
(!userAccountControl:1.2.840.113556.1.4.803:=2)
(|
(samAccountName=*user0*-adm)
(samAccountName=*user0*-tst)
(samAccountName=*user1*-adm)
(samAccountName=*user1*-tst)
)
)
I had a list of 50 users with the Active Directory extensionAttribute12 sent to me, I was told that extensionAttribute13 was mixed up. So far, as I go through and check in AD, I don't see this to be so.
I would like to use PowerShell to check the list he gave me and export to my own list without going one by one.
I have this and when I runs it seems to export all users, but in my list, I only have 1 user. Later, I would like to run on the list of 50. I don't understand why I get all of the users.
Import-Module ActiveDirectory
$UserList=Import-Csv C:\Users\RHyman\Documents\ExListTest.csv
FOREACH ($Person in $UserList)
{
Import-Csv C:\Users\rhyman\Documents\ExListTest.csv | ForEach {
Get-ADUser -Filter * -Properties UserPrincipalName, extensionAttribute12, emailAddress, SAMAccountName | `
Select UserPrincipalName, extensionAttribute12, extensionAttribute13 | `
Export-CSV c:\allinfo.csv -NoTypeInformation
}
}
I've done some editing, this is what I have now:
Import-Module ActiveDirectory
$UserList=Import-Csv C:\Users\RHyman\Documents\ExListTest.csv
FOREACH ($Person in $UserList)
{
Get-ADUser -Identity "$UserList" -Properties UserPrincipalName, extensionAttribute12, emailAddress, SAMAccountName |
Select UserPrincipalName, extensionAttribute12, extensionAttribute13 |
Export-CSV C:\Users\RHyman\Documents\allinfo.csv -NoTypeInformation
}
What I'm most concerned with is that the Get-Aduser has error:
Cannot find an object with identity: '#{UserPrincipalName=first.last#x.x.gov
It sees the name on the list but I may have to go to the csv file and change the way the list displays the names.
Revised script: Only thing now exported csv is empty
Import-Module ActiveDirectory
$UserList=Import-Csv C:\Users\RHyman\Documents\ExListTest.csv
FOREACH ($Person in $UserList)
{
Get-ADUser -Filter {(mail -eq "$UserList")} -Properties
UserPrincipalName, extensionAttribute12, emailAddress, SAMAccountName |
Select UserPrincipalName, extensionAttribute12, extensionAttribute13 |
Export-CSV C:\Users\RHyman\Documents\allinfo.csv -NoTypeInformation
}
Finally got what I was looking for and it does what I wanted
This is what I needed and used Get-Content
Get-ADUser -Filter {mail -like $_}
Thanks for all the help!
You are passing entire csv [Get-ADUser -Identity "$UserList"] into Identity use below instead.
$UserList=Import-Csv C:\Users\RHyman\Documents\ExListTest.csv
FOREACH ($Person in $UserList)
{
Get-ADUser -Identity $UserList.UserPrincipalName
I want to replace AD attribute "userPrincipalName" value according to CSV file header value
here is what csv file(group.csv) contains
sAMAccountName
--------------
test.user1
test.user2
below the script
$data = Import-Csv -Path .\group.csv -Header 'sAMAccountName'
foreach($user in $data){
Get-ADUser -Filter {sAMAccountName -eq "$($user.sAMAccountName)"} | Set-ADUser -Replace #{userPrincipalName="$($user.sAMAccountName)#RES.GROUP"}
}
here I want to replace AD attribute "userPrincipalName" with the value of sAMAccountName from csv file, something like sAMAccountName#RES.GROUP
this script does not work, can anyone please correct it?
Ok, since your comment shows the CSV file indeed does not have a header, I would suggest changing the code to:
$data = Import-Csv -Path .\group.csv -Header 'sAMAccountName'
foreach($user in $data) {
$adUser = Get-ADUser -Filter "SamAccountName -eq '$($user.sAMAccountName)'" -ErrorAction SilentlyContinue
if ($adUser) {
$newUPN = '{0}#res.group' -f $user.sAMAccountName
$adUser | Set-ADUser -UserPrincipalName $newUPN
}
else {
Write-Warning "No user with SamAccountName '$($user.sAMAccountName)' could be found.."
}
}
This way, any mistakes in the file will not make the code quit when a user with that samaccountname cannot be found. Instead, in that case you will see a warning about it and the code will continue with the rest of the data.
It might be worth mentioning that you can use parameter -Server on both the Get-ADUser and Set-ADUser cmdlets to make sure you use the same domain server (DC) to set the new UPN. Otherwise, you can set it on one DC, but are looking at another which doesn't show the change immediately because the servers need time to synchronize..
Now that we have cleared up the question about the CSV and to answer your comment:
If you want to do this as a two-script solution, here's how you can do that
step 1: get all users in the search OU that have a UserPrincipalName ending in '*#test.group'
$searchBase = "OU=Teams,OU=Prod,DC=RES,DC=TEST,DC=GROUP"
Get-ADUser -SearchBase $searchBase -Filter "UserPrincipalName -like '*#test.group'" |
# select ony the SamAccountName and write to CSV with column header
Select-Object SamAccountName | Export-Csv -Path .\group.csv -NoTypeInformation
step 2: read the csv created above and
$searchBase = "OU=Teams,OU=Prod,DC=RES,DC=TEST,DC=GROUP"
$data = Import-Csv -Path .\group.csv
$result = foreach($user in $data) {
$adUser = Get-ADUser -SearchBase $searchBase -Filter "SamAccountName -eq '$($user.sAMAccountName)'" -ErrorAction SilentlyContinue
# if we have a user object AND its UserPrincipalName is not as desired go ahead and change that
if ($adUser) {
if ($adUser.UserPrincipalName -notlike '*#res.test.group') {
$newUPN = '{0}#res.test.group' -f $user.sAMAccountName
$adUser | Set-ADUser -UserPrincipalName $newUPN
# output this user object to be collected in variable $result
$adUser
}
else {
Write-Host "User $($user.sAMAccountName) already has UPN '$($adUser.UserPrincipalName)'"
}
}
else {
Write-Warning "User with SamAccountName '$($user.sAMAccountName)' not found.."
}
}
# now that we have changed some users, create a second csv with all users that were actually changed
if (#($result).Count) {
$result | Select-Object SamAccountName | Export-Csv -Path .\Updatedgroup.csv -NoTypeInformation
}
else {
Write-Host 'No users needed updating'
}
It seems a waste writing only the users SamAccountName property to the csv files.. Especially since Get-ADUser by default already returns these properties: DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname, UserPrincipalName
I need to search through all users in AD, find their attribute "mail" and in this attribute replace #hell.com to #heaven.com
I'm stuck at exporting and importing to csv...
Import-Module ActiveDirectory
get-aduser -Filter {samaccountname -like "gmaleev"} -properties * | Select-Object SamAccountName,mail | export-csv -NoTypeInformation d:\1.csv
$impfile = "d:\1.csv"
Import-CSV $impFile
foreach ($user in $users)
{
$sam = $user.samaccountname
$email = $user.mail
write-host "User $sam has mail $mail"
}
It doesn't work, why?
The current issue is that you are running a cmdlet to import the data but not saving it. Your ForEach cmdlet is not processing any data so you should have blank output except that of Import-CSV which should be outputing to console.
Also it seems redundant to export the data to import it again. I will presume that you have a reason for exporting it.
Import-Module ActiveDirectory
$impfile = "d:\1.csv"
$results = Get-AdUser -Filter {samaccountname -like "gmaleev"} -properties * | Select-Object SamAccountName,mail
$results | export-csv -NoTypeInformation d:\1.csv
$results | foreach ($user in $users){
$sam = $user.samaccountname
$email = $user.mail
write-host "User $sam has mail $mail"
}
This should address what you are showing. It will get the same data and save it to the variable $results. Export that data and then piping it to the ForEach to process
Your title suggets that you want to change user attributes. To do that you would need to use Set-Aduser. Depending on what your environment is this might not be the best way to manipulate email attributes.