List all users that have mailboxes but are not in a group called Metalogix*. I need a PowerShell script that will check whether specific user is a part of certain group or not and if the user is part of any of those groups.
I already have working script:
Import-Module ActiveDirectory
$Users = Get-Mailbox -ResultSize "unlimited"
$Group = "Metalogix*"
foreach ($user in $Users) {
$Check = Get-ADPrincipalGroupMembership -Identity $User.sAMAccountName |
? { $_.Name -like $Group }
if ($Check -eq $null) {
Write-Output "$User.sAMAccountName is NOT part of this group"
} else {
$Results = Get-Mailbox -Identity $User.sAMAccountName |
select Name, sAMAccountName, PrimarySmtpAddress, Database |
Export-csv "c:\results1.csv" -NTI -Append
}
}
But script doesn't list groups recursively, e.g tester4-6 are members of 'Test Group 2', which is a member of 'Test Group 1'. The rest are direct. Just I can see direct membership, not recursive membership.
2nd question : I want to get all users with samaccountname that begins with "STR" prefix.
Test Group 1
tester1
tester2
-> Test Group 2
tester4
tester6
I'd probably use a recursive function. Something like this:
function Test-GroupMembership {
Param(
[Parameter(Mandatory=$true)]
[string]$Identity,
[Parameter(Mandatory=$true)]
[string]$Name
)
$groups = Get-ADPrincipalGroupMembership -Identity $Identity
if ($groups | Where-Object { $_.Name -like $Name }) {
return $true
} elseif ($groups -ne $null) {
foreach ($g in $groups) {
if (Test-GroupMembership -Identity $g -Name $Name) {
return $true
}
}
}
return $false
}
Get-ADPrincipalGroupMembership isn't recursive, but Get-ADGroupMember is.
$Users = Get-Mailbox -ResultSize "unlimited"
$Group = 'Metalogix*'
$GroupMembers = Get-ADGroupMember -Identity $Group | Get-ADGroupMember -Recursive | Select-Object -ExpandProperty samAccountName
foreach ($User in $Users) {
if ($User -in $GroupMembers) {
Write-Output "User $User is in group $Group."
}
else {
Write-Output "User $User is not in group $Group."
}
}
This is also more efficient because you're only fetching group membership once.
I'm away from my servers, so treat the above as pseudocode.
Related
In our organization we have job title groups for multiple reasons and I'm trying to find which users have no group assigned. The groups and users are stored in the same OU in AD. There are groups for the departments containing "department" in the title, so I'm excluding those, as they are nesting all the job title groups for a department, and there are no users, which are direct members. This is what I came up with so far, but sometimes I receive duplicate results like the function is running several times against the same entry and I don't understand why.
cls
$SearchBase = "OU DN"
$ErrorActionPreference = "Continue"
$Groups = Get-ADGroup -SearchBase $SearchBase -Filter 'Name -notlike "*department*"' | Select -ExpandProperty Name
$Users = Get-ADUser -SearchBase $SearchBase -Filter * | Select -ExpandProperty Name | sort
$TotalItems = $Users.Count
$CurrentItem = 0
$PercentComplete = 0
function Get-JTGroups($User) {
foreach ($Group in $Groups) {
$int = 0
Try {
$Members = Get-ADGroupMember -Identity "$Group" -Recursive | Select -ExpandProperty Name -ErrorAction Stop
}
Catch {
Write-Host $_.Exception.Message
}
if ($Members -contains $User) {
$int = 1
Write-Host "$User has JT group"
}
}
if ($int = 0) {
Write-Host "$User has no JT group"
}
}
foreach ($User in $Users) {
Write-Progress -Activity "Checking JT Groups members, hold on." -Status "$PercentComplete% Complete:" -PercentComplete $PercentComplete
Get-JTGroups $User
$CurrentItem++
$PercentComplete = [int](($CurrentItem / $TotalItems) * 100)
}
Is there a way to avoid duplicated entries and can this code be optimized?
Thanks in advance
I believe this task would be easier, faster and more efficient by leveraging the filtering capabilities of Active Directory. Your current code as is will be tremendously slow because you're getting the recursive membership of all the groups in $groups for each user in $users. Instead you can ask AD to find all users who are not a recursive member of any of the groups in $groups.
$filter = '(&'
Get-ADGroup -SearchBase $SearchBase -Filter 'Name -notlike "*department*"' | ForEach-Object {
$filter += '(!memberOf:1.2.840.113556.1.4.1941:={0})' -f $_.DistinguishedName
}
$filter += ')'
$allUsersNotRecursiveMemberofGroups = Get-ADUser -LDAPFilter $filter
For details on LDAP Filter see Active Directory: LDAP Syntax Filters.
I'm looking to export users with their groups in Active Directory through powershell, but I can't seem to get the pipe to work for some reason the powershell script I'm using right now is
`
$groups = get-adgroup -filter *
foreach ($group in $groups) {
$naam = $group.name
$members = Get-ADGroupMember -identity $group
write-host “Group: $naam”
write-host “————————————-”
foreach ($member in $members) {
$memnaam = $member.samaccountname
write-host “$naammem”
}`
I just can't seem to figure this out any recommendations?
`
$groups = get-adgroup -filter *
foreach ($group in $groups) {
$naam = $group.name
$members = Get-ADGroupMember -identity $group
write-host “Group: $naam”
write-host “————————————-”
foreach ($member in $members) {
$memnaam = $member.samaccountname
write-host “$naammem”
} | Export-CSV c:\FileName.csv`
Check for typos in variable names (you have one) and that you've closed all parentheses and braces. Even better, don't use variables where not needed:
$groups = get-adgroup -Filter *
# If you save your search as an object you won't need to re-run it multiple times to use the data
Write-Host "Processing groups"
$SearchResult = $Groups | ForEach-Object {
$GroupName = $_.Name
# Some simple error trapping
Try {
# Writing to host for informational only
Write-Host "$GroupName..." -NoNewline
$Members = (Get-ADGroupMember -Identity $_ -ErrorAction Stop).SamAccountName
}
Catch {
$Members = $_
}
# Output results as an object
[pscustomobject]#{
Group = $GroupName
Members = $Members
}
Write-Host "Done"
}
Write-Host "Processing complete"
# If you want to display it in console
$SearchResult | Format-List
# Or a GridView
$SearchResult | Out-GridView
The below PowerShell script iterates through the groups listed in the test.csv file.
It pulls samAccountName and distinguishedName from each user in the various groups. However, when I try to pull groupName the output is "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection". Not sure how to fix this-
$groups = Get-Content test.csv
$domains = (Get-ADForest).Domains
foreach ($group in $groups)
{
foreach ($domain in $domains)
{
if (Get-ADGroup $group -Server $domain)
{
Get-ADGroupMember $group -Server $domain | select groupName, samAccountName, distinguishedName | Export-Csv c:\temp\file.csv -notypeinformation -append
}
}
}
I have tried the below, but it just outputs an empty column instead:
$groups = Get-Content test.csv
$domains = (Get-ADForest).Domains
foreach ($group in $groups)
{
foreach ($domain in $domains)
{
if (Get-ADGroup $group -Server $domain)
{
Get-ADGroupMember $group -Server $domain | select samAccountName, distinguishedName |
Get-ADUser #{name = ‘MemberOf’;’expression={$_.MemberOf -join “;”}} |
Export-Csv c:\temp\file.csv -notypeinformation
}
}
}
Try this, I added some optimization to your code :)
Note, try {...} catch {...} is more or less needed here because both cmdlets Get-ADGroup and Get-ADGroupMember will throw if the object is not found.
$ErrorActionPreference = 'Stop'
$groups = Get-Content test.csv
$domains = (Get-ADForest).Domains
$result = foreach ($group in $groups)
{
foreach ($domain in $domains)
{
try
{
$adGroup = Get-ADGroup $group -Server $domain
$members = (Get-ADGroupMember $adGroup -Server $domain).where({
# Here, I assume your looking only for user objects
# since you're next cmdlet is Get-ADUser
$_.ObjectClass -eq 'user'
})
foreach($user in $members)
{
# !!! $adUser = Get-ADUser $user >> This is not needed,
# Get-ADGroupMember already brings you the samAccountName of
# each object
# Here you can cast the result, I assume
# you want your CSV to have the Name of the Group and
# the samAccountName and distinguishedName of each user
[pscustomobject]#{
GroupName = $adGroup.Name
samAccountName = $user.samAccountName
distinguishedName = $user.distinguishedName
}
}
}
catch
{
Write-Warning $_
}
}
}
$result | Export-Csv c:\temp\file.csv -NoTypeInformation
If you change your select statement to:
select-object #{n='groupName';expression={$group}}, samAccountName, distinguishedName
It should output the $group input of Get-ADGroupMember for that column.
I'm using Exchange 2010 and Powershell.
I'm looking to export all 'nested' distribution groups that a exchange contact is a part of.
For example, if a contact is a memberOf two DG, A and B. And group A is also a memberOf Group C. I'd like a list the show all three groups.
Group C
----|-----------|
Group A Group B
|
Contact
Here is my very noob attempt at this. I guess it needs to be done recursively?
$contact = get-contact email#domain.com.au
$members = Get-ADObject -Identity $contact.Guid -Properties 'MemberOf'
foreach ($group in $members.MemberOf) {
foreach ($_ in $group.memberof ){
get-distributiongroup $_
}
}
Must be able to do this for a 'contact', not a user.
Thanks in advance!
You don't really need Exchange to get distribution groups.
Here's my example to retrieve names of groups assuming your contact is AD user with mail property filled:
function Get-GroupsRec
{
[CmdletBinding()]
param(
[Parameter(ValueFromPipeline=$true)]
$Identity
)
BEGIN {}
PROCESS{
if($Identity -eq $null){return}
Write-Output $Identity | select -ExpandProperty samaccountname
$Identity | Get-ADPrincipalGroupMembership | ?{$_.GroupCategory -eq "Distribution"} | Get-GroupsRec}
END{}
}
Get-ADUser -Filter {mail -eq 'email#domain.com.au'} | Get-ADPrincipalGroupMembership | ?{$_.GroupCategory -eq "Distribution"} | Get-GroupsRec
But as long as you can retrieve AD user, this solution is valid.
UPDATE:
Version basing on Get-ADObject only. (Same structure, only different selectors. Left ObjectClass in filter for readability):
function Get-GroupsRec
{
[CmdletBinding()]
param(
[Parameter(ValueFromPipeline=$true)]
$Identity
)
BEGIN {}
PROCESS{
if($Identity -eq $null){return}
Write-Output $Identity | select -ExpandProperty Name
$Identity | select -ExpandProperty MemberOf | Get-ADObject -Properties GroupType,MemberOf |?{$_.GroupType -gt 0 -and $_.ObjectClass -eq 'group'} | Get-GroupsRec }
END{}
}
Get-ADObject -Filter {mail -eq 'email#domain.com.au'} -Properties MemberOf | select -ExpandProperty MemberOf | Get-ADObject -Properties GroupType,MemberOf |?{$_.GroupType -gt 0 -and $_.ObjectClass -eq 'group'} | Get-GroupsRec
If you want restrict group type to a specific type, you may modify GroupType in code to any value with -band operator. The enumerator values are available at: https://msdn.microsoft.com/en-us/library/aa772263(v=vs.85).aspx
You are on the right track. You indeed need recursion for this. I quickly put something together which should recusively resvolves membership. Hope this helps!
Function Get-Groups {
Param(
[string]$Identity
)
$members = Get-ADObject -Identity $Identity -Properties "MemberOf"
$members.MemberOf | % {
if($(Get-ADObject $_ -Properties "GroupType").grouptype -gt 0) {
Write-Host $_
}
Get-Nestedmember $_ "->"
}
}
Function Get-Nestedmember {
Param(
[String]$Identity,
[string]$Depth
)
$members = (Get-ADobject -Identity $Identity -Properties "MemberOf").memberof
$count = $members | measure
if($count -ne 0) {
$members | % {
if($(Get-ADObject $_ -Properties "GroupType").grouptype -gt 0) {
Write-host "$Depth $_"
}
Get-Nestedmember $_ "-$Depth"
}
}
}
Get-Groups -Identity '<Your Identity goes here>'
It gets a MemberOf relationships and does that again for the resulting set. If MemberOf returns 0 that means there are no more MemberOf relationships so we stop.
I've created a form to create new AD Accounts. Part of the script determines which groups the new user will be added to based on their role (Doctor, Nurse, Admin or Other) which is captured in the following code in the form of a drop down pick box:
Write-Host "Based on this information" $FFN "has been added to the following Active Directory Groups:"
Write-Host
$ADGroup01 = Get-ADGroup "_XA_App_XenApp" |select -expandproperty name -first 1
Write-Host $ADGroup01
$ADGroup02 = Get-ADGroup "Web Proxy Users" |select -expandproperty name -first 1
Write-Host $ADGroup02
if($RadioButton1.Checked -eq $true)
{
$ADGroup03 = Get-ADGroup "allrot" |select -expandproperty name -first 1
Write-Host $ADGroup03
}
Else
{
$ADGroup03 = Get-ADGroup "alltpo" |select -expandproperty name -first 1
Write-Host $ADGroup03
}
if ($Role -eq "Doctor" -Or $Role -eq "Nurse")
{
$ADGroup04 = Get-ADGroup "PACS Web Access" |select -expandproperty name -first 1
Write-Host $ADGroup04
}
if ($Role -eq "Doctor")
{
$ADGroup05 = Get-ADGroup "CH-MFD" |select -expandproperty name -first 1
Write-Host $ADGroup05
$ADGroup06 = Get-ADGroup "ED-MFP" |select -expandproperty name -first 1
Write-Host $ADGroup06
$ADGroup07 = Get-ADGroup "SU-MFD" |select -expandproperty name -first 1
Write-Host $ADGroup07
}
Write-Host
Further on in the script this piece of code is called during the actual account creation process:
Add-ADPrincipalGroupMembership -Identity $UN -memberof $ADGroup01, $ADGroup02, $ADGroup03, $ADGroup04, $ADGroup05, $ADGroup06, $ADGroup07
The issue I'm facing is that if the user selects Nurse, Admin or Other I get the following error:
"Add-ADPrincipalGroupMembership : Cannot validate argument on parameter 'MemberO
f'. The argument is null, empty, or an element of the argument collection conta
ins a null value. Supply a collection that does not contain any null values and
then try the command again."
I know this is because there are no values being captured in the last $ADGroup[x] and short of creating a bunch of if statements to check if each $ADGroup contains data I'm wondering if there is a more elegant solution.
As always, thank you for taking the time review and happy to provide more information if required.
UPDATE - As per #Martin's advice I've implemented the following code into my script
$UN = "zooz"
$Role = "Nurse"
$Department = "Surgical"
If ($Role -eq "Doctor" -and $Department -eq "Surgical")
{
$ADGroups = #(
"PACS Web Access"
"CH-MFD"
"ED-MFP"
"SU-MFD"
)
}
If ($Role -eq "Nurse" -and $Department -eq "Surgical")
{
$ADGroups = #(
"_XA_App_XenApp"
"Web Proxy Users"
"allrot"
)
}
for ($i=0; $i -lt $ADGroups.length; $i++) {
Add-ADPrincipalGroupMembership -Identity $UN -memberof $adgroups[$i]
}
Make an object $adgroups and add your desired groups to it.
$adgroups = #()
At the end use a foreach Loop:
$adgroups | Add-ADPrincipalGroupMembership -Identity $UN or (weather or not the cmdlet likes pipelined Input)
$adgroups | % { Add-ADPrincipalGroupMembership -Identity $UN -memberof $_ }