I have a PowerShell script, which fills the Usrid custom attribute with EMP$ID value. $ID is a continuous number, which is normally stored in a text file and continuously written after setting the ID and set it one up. First I get with Get-ADUser all users without a ID, then will set the ID into Usrid attribute.
My problem is: I want to check if the ID or value exists.
If ID exists → $ID++
else → set ID from File and write it to file again
The if part in the script looks like this:
# I'm calling the content or the last ID
$lastid = Get-Content "C:\startid.txt"
# Convert the content into a decimal string
$Usrid = [System.Decimal]::Parse($lastid)
# Find out all userProxyFull Object without an ID
Get-ADObject -Filter {(objectClass -eq "userProxyFull") -and (-not(Userid -like "*"))} -Searchbase "DC=MY,DC=SEARCHBASE" -Searchscope subtree -Server myIP |
ForEach-Object {
# Then the problem part here, see description above
if ({Usrid -eq "EMP$ID"}) {
$ID++
Set-ADObject $_ -Partition "DC=my,DC=partition" -Add #{Usrid="EMP$ID"}
} else {
Set-ADObject $_ -Partition "DC=my,DC=partition" -Add #{Usrid="EMP$ID"}
}
}
But the script doesn't check. Or how can I check the highest ID and set the highest ID into Usrid attribute?
Assuming that Usrid needs to be unique you need to compare your input value against the already existing attribute values.
$existing = #{}
Get-ADUser -LDAPFilter '(UserId=*)' -Property Usrid | ForEach-Object {
$existing[$_.Usrid] = $true
}
while ($existing.ContainsKey("EMP$ID") {
$ID++
}
At this point you have a $ID where none of the existing accounts has a Usrid attribute with the value EMP$ID. Then you can go ahead and assign the attribute on all account objects where it doesn't have a value yet while incrementing $ID after each assignment:
Get-ADObject ... | ForEach {
Set-ADObject $_ -Partition "DC=my,DC=partition" -Add #{Usrid="EMP$ID"}
$ID++
}
Note, however, that the above is assuming that there are no gaps in your numbering (i.e. you don't have a situation where you have attribute values ..., EMP25, EMP26, EMP28, ...). If that assumption doesn't apply you're better off determining the next available ID by getting the highest already assigned ID and incrementing that value by 1:
$ID = Get-ADUser -LDAPFilter '(Userid=*)' -Property Usrid |
ForEach-Object { [int]($_.Usrid -replace '^EMP') } |
Sort-Object |
Select-Object -Last 1
$ID++
Related
I'm trying to get the password expiration date in active directory using powershell for users with hyphenated names (IE firstname.last-name) and on the hyphenated names it gives an invalid cmdlet error. How do I query the hyphenated names?
The current command I have is
net user $username /DOMAIN | find "Password expires"
Maybe use the ActiveDirectory module instead of the net commands:
$MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
Get-ADUser -Filter { Name -like "*-*" } -Properties 'PasswordLastSet', 'DisplayName' |
Select-Object Name,DisplayName,
#{ Name = 'PasswordExpires'; Expression = { $_.PasswordLastSet.AddDays( $MaxPwdAge ) } }
If needed You can change the filter to look at DisplayName instead -Filter { DisplayName -like "*-*" }
You may need to adjust the properties you're retrieving depending on what you want to include in the output. This is just an example but it works, and can be used to plot a path forward. It does seem like you have to calculate the expiration date. But I can work on that and see if there's a better way.
If you want to Query for a specific user:
Get-ADUser Name-Name -Properties 'PasswordLastSet',DisplayName |
Select-Object Name,DisplayName,
#{ Name = 'PasswordExpires'; Expression = { $_.PasswordLastSet.AddDays( $MaxPwdAge ) } }
This assumes the Hyphenated name is a samAccountName. If you need to search by DisplayName you'll have to resort back to filter, even if you are looking for only the one user.
Get-ADUser -Filter { DisplayName -eq "Name-Name" } -Properties 'PasswordLastSet',DisplayName |
Select-Object Name,DisplayName,
#{ Name = 'PasswordExpires'; Expression = { $_.PasswordLastSet.AddDays( $MaxPwdAge ) } }
Note: That you have to change the "Name-Name". Also in the last example I changed to using the -eq operator instead of -like. Obviously this assumes you know exactly what you're looking for. Though you can use -Like with DisplayName or even the surName attribute if you like.
I using the following POWER SHELL script, to extract ( to csv ) managers name , from a "Manager" user attribute.
#This script, , Exports the Manager name of the employee`s in the TXT file.
# users.txt file - contains a simply list of user names ( samaccount-names )
Get-Content D:\powershell\permmisions\Users.txt | Foreach-Object {
Get-ADUser -Identity $_ -Properties Manager | Select-Object name, Manager | Export-Csv D:\Powershell\ADuserinformation\Export-Managers-of-specific-users.csv
-Append
}
The challenge i am facing, is when is on the exported CSV file,
the list "SKIPS" blank value-fields,In case there is no manager set for the user.
And a ROWS is not created , where MANAGER is missing.
What i would like to do , is the script to enter a charcter ( ~ ) for example, where, value is blank.
That way , a row will be created for the blank MANAGER value, on the CSV file
Please help ,
Thanks all in advance.
Note: At least the Name property should exist on all AD users retrieved, so you would get a row even for users where Manager is empty, but with an empty Manager column. If you do need to deal with possibly not all users named in Users.txt actually existing, see Theo's helpful answer.
The simplest approach is to use a calculated property:
Get-ADUser -Identity $_ -Properties Manager |
Select-Object Name, #{ Name='Manager';
Expression={ if ($_.Manager) { $_.Manager } else { '~' } } }
Note:
It is common to abbreviate the key names of the hashtable that defines the calculated property to n and e.
The if statement takes advantage of the fact that an empty string (or $null) evaluates to $false in a Boolean context; for an overview of PowerShell's implicit to-Boolean conversion, see the bottom section of this answer.
In PowerShell [Core] 7.0 or above, you could additionally take advantage of the ternary operator (<condition> ? <valueIfTrue> : <valueIfFalse>) to further shorten the command:
# PSv7+
Get-ADUser -Identity $_ -Properties Manager |
Select-Object Name, #{ n='Manager'; e={ $_.Manager ? $_.Manager : '~' } }
Note: If $_.Manager were to return $null rather than the empty string ('') if no manager is assigned, you could use ??, the PSv7+ null-coalescing operator instead: $_.Manager ?? '~'
Not concise at all, but this allows you to insert more properties of interest in your report, and does some error-checking if the user listed in your input file does not exist:
$report = foreach ($account in (Get-Content D:\powershell\permmisions\Users.txt)) {
$user = Get-ADUser -Filter "SamAccountName -eq '$account'" -Properties Manager -ErrorAction SilentlyContinue
if ($user) {
if (!$user.Manager) { $mgr = '~' }
else {
# the Manager property is the DistinghuishedName for the manager.
# if you want that in your report, just do
$mgr = $user.Manager
# if you want the Name for instance of that manager in your report,
# comment out the above line and do this instead:
# $mgr = (Get-ADUser -Identity $user.Manager).Name
}
# now output an object
[PsCustomObject]#{
UserName = $user.Name
Manager = $mgr
}
}
else {
Write-Warning "User '$account' does not exist"
}
}
# output on screen
$report | Format-Table -AutoSize
# output to CSV file
$report | Export-Csv -Path 'D:\Powershell\ADuserinformation\Export-Managers-of-specific-users.csv' -NoTypeInformation
I'm trying to remove characters from an expression, without the option to define another integer.
This is the expression I currently have:
Get-ADUser -Identity $PSItem -Properties mail, manager, l, title |
Select-Object -Property Name, SamAccountName, Mail, l, title, #{
Name = "ManagerGID"
Expression = { (Get-Aduser -identity $psitem.manager).samaccountname }
},
#{
Name = "ManagerName"
Expression = { (Get-Aduser -identity $psitem.manager).name }
},
#{
Name = "PicURL"
Expression = {
(ConvertFrom-Json -InputObject (Invoke-WebRequest ('http://picasaweb.google.com/data/entry/api/user/' + $psitem.mail + '?alt=json')) |
Select-Object -ExpandProperty entry |
Select-Object -ExpandProperty 'gphoto$thumbnail')
}
}
For the PicURL option, the results from google for the gphoto$thumbnail will be something similar to this:
#{$t=https://lh3.googleusercontent.com***********.jpg}
I would like to remove the #{$t= and the } in the start and end of the property. Unfortunately, couldn't find a proper way to do that without having to take out this expression from the pipeline, which is not very effective for the rest of the code.
If you're curious, this is for automatic org chart creation from AD, with google profile pics included.
The implication of seeing output #{$t=https://lh3.googleusercontent.com***********.jpg} is that your input object's gphoto$thumbnail property value is a custom object with a single property literally named $t, whose value is the URL of interest.[1]
Therefore, you can simply append another Select-Object call to extract the $t property's value:
... | Select-Object -ExpandProperty '$t'
Note the need to single-quote ('...') property name $t, so that it isn't mistaken for a variable reference, the same way that property name gphoto$thumbnail required single-quoting.
Alternatively, in v3+, consolidate the then-three Select-Object -ExpandProperty calls into a single ForEach-Object call:
... | ForEach-Object { $_.entry.'gphoto$thumbnail'.'$tp' }
[1] This hashtable-like representation is what PowerShell uses to stringify [pscustomobject] instances.
This question already has answers here:
Export hashtable to CSV with the key as the column heading
(2 answers)
Closed 4 years ago.
I'm trying to list all ad group memberships of specific users. The input would be a string of logins split with a comma 'login1,login2'.
So I go over each user and list their memberships with the username as title. Somehow it only shows the first entry. Also it shows the user groups in one row and I don't know how to change that.
Code below:
$users = $logon -split ','
$q = #()
foreach ($user in $users) {
$usernm = Get-ADUser -Filter 'samAccountName -like $user' | select Name
$useraccess = Get-ADPrincipalGroupMembership $user | Select-Object Name
$userobj = New-Object PSObject
$userobj | Add-Member Noteproperty $usernm.Name $useraccess.Name
$q += $userobj
}
Expected output would be something like:
fullnameuser1 fullnameuser2 list of users goes on...
------------- ------------- ------------------------
adgroup1 adgroup3 ...
adgroup2 adgroup4
... ...
In principle this would also mean that if i typed $q.'fullnameuser1' output would be:
fullnameuser1
-------------
adgroup1
adgroup2
...
Whenever the code is ran, it will only ever add the first user's access, also returning all groups on one row. So somehow I need to go over all the group memberships and add a row for each one.
First and foremost, PowerShell does not expand variables in single-quoted strings. Because of that Get-ADUser will never find a match unless you have a user with the literal account name $user. Also, using the -like operator without wildcards produces the same results as the -eq operator. If you're looking for an exact match use the latter. You probably also need to add nested quotes.
Get-ADUser -Filter "samAccountName -eq '${user}'"
Correction: Get-ADUser seems to resolve variables in filter strings by itself. I verified and the statement
Get-ADUser -Filter 'samAccountName -eq $user'
does indeed return the user object for $user despite the string being in single quotes.
If you want a fuzzy match it's better to use ambiguous name resolution.
Get-ADUser -LDAPFilter "(anr=${user})"
You may also want to avoid appending to an array in a loop, and adding members to custom objects after creation. Both are slow operations. Collect the loop output in a variable, and specify the object properties directly upon object creation.
$q = foreach ($user in $users) {
...
New-Object -Type PSObject -Property {
$usernm.Name = $useraccess.Name
}
}
Lastly, I'd consider using the user's name as the property name bad design. That would be okay if you were building a hashtable (which is mapping unique keys to values), but for custom objects the property names should be identical for all objects of the same variety.
New-Object -Type PSObject -Property {
Name = $usernm.Name
Group = $useraccess.Name
}
Basily query all the users and store it in $users, example:
Get-ADUser -Filter * -SearchBase "dc=domain,dc=local"
And then you can export the results as csv or a table.
To Export as CSV :
Get-ADPrincipalGroupMembership <Username> | select name, groupcategory, groupscope | export-CSV C:\data\ADUserGroups.csv`
To Format the result as Table in the console itslef :
Get-ADPrincipalGroupMembership <Username> | select name, groupcategory, groupscope | Format-Table
I'm trying to use PowerShell to search the AD attribute otherTelephone, and if the value is null then add the next number in the sequence.
For instance, if I add a new user called John, I'd like PowerShell to check AD and see that the last otherTelephone number used was 999 so it'll auto add 1000 for John.
So far I've managed to export a list of users in AD along with their respective otherTelephone numbers:
Get-ADUser -Filter * -Properties otherTelephone |
select name, #{L='otherTelephone'; E={$_.otherTelephone[0]}}, |
Export-Csv c:\aduser.csv -NoTypeInformation
but I'm not sure how to proceed from there.
As #Paul suggested in the comments to your question: read the phone numbers from AD, get the highest number, and increment it.
$nextPhoneNumber = Get-ADUser -Filter * -Properties otherTelephone |
? { $_.otherTelephone } |
select -Expand otherTelephone |
% { [int]$_ } | sort -Desc | select -First 1
$nextPhoneNumber++
Explanation:
? { $_.otherTelephone }: Ensure that only objects with a non-empty attribute are processed.
select -Expand otherTelephone: Expand the attribute so that you get a stream of phone numbers. This also takes care of multiple numbers assigned to a user (the attribute is multi-valued).
% { [int]$_ }: Convert each telephone number from a string to an integer, so they can be sorted numerically.
sort -Desc: Sort the list in descending order (first number is highest).
select -First 1: Select the first number from the list and discard the rest.
$nextPhoneNumber++: increment the number by 1.
If you need to do this for all existing users that don't already have the otherTelephone attribute populated, you could do something like this:
$users = Get-ADUser -Filter * -Properties otherTelephone
$nextPhoneNumber = $users | ? { $_.otherTelephone } |
select -Expand otherTelephone |
% { [int]$_ } | sort -Desc | select -First 1
$users | ? { -not $_.otherTelephone } | % {
$nextPhoneNumber++
Set-ADUser -Identity $_.DistinguishedName -Replace #{
'otherTelephone' = $nextPhoneNumber
}
}