Export all users NOT in AAD security group with PowerShell? - powershell

I need to export all users who are not a member of a certain security group to a CSV file, using PowerShell.
Pretty straightforward, I know, but I can only find methods of exporting users who do meet certain criteria, not methods of exporting users who don't. I found one method that works but only with Active Directory.
I'm currently using this to pull all users:
Get-MSOLUser -all | Where-Object { $_.isLicensed -eq "True"} | Select-Object UserPrincipalName | Export-Csv C:\365\users.csv
And am aiming to get something like this:
Get-MSOLUser -all | Where-Object { $_.isLicensed -eq "True", isNotMemberofGroup ""} | Select-Object UserPrincipalName | Export-Csv C:\365\users.csv
I am unsure how to add an additional condition that only pulls members that are not in a certain security group, using the following logic - dump upn to csv if user is licensed, and if user is not member of group xxx.
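One way to get the result asked for above, shown as an added example that is not part of the original post: collect the group's member ObjectIds once, then keep licensed users whose ObjectId is not in that set. `Select-UserNotInGroup`, the sample users and `GROUP_NAME_PLACEHOLDER` are assumptions made for illustration.

```powershell
# Added example. Select-UserNotInGroup is a hypothetical helper name.
function Select-UserNotInGroup {
    [CmdletBinding()]
    param(
        # User objects exposing ObjectId, IsLicensed and UserPrincipalName.
        [Parameter(Mandatory)] [object[]] $User,
        # ObjectIds of the group's members; an empty group is a valid input.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $MemberObjectId
    )
    # Hash set for constant-time lookups; GUID text is compared case-insensitively.
    $members = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($id in $MemberObjectId) { [void]$members.Add($id) }

    # Keep licensed users whose ObjectId is absent from the member set.
    $User | Where-Object {
        $_.IsLicensed -eq $true -and -not $members.Contains([string]$_.ObjectId)
    }
}

# Constructed sample data so the filter can be checked without a tenant.
$sampleUsers = @(
    [pscustomobject]@{ ObjectId = '11111111-1111-1111-1111-111111111111'; UserPrincipalName = 'alice@example.com'; IsLicensed = $true }
    [pscustomobject]@{ ObjectId = '22222222-2222-2222-2222-222222222222'; UserPrincipalName = 'bob@example.com';   IsLicensed = $true }
    [pscustomobject]@{ ObjectId = '33333333-3333-3333-3333-333333333333'; UserPrincipalName = 'carol@example.com'; IsLicensed = $false }
)
$sampleMembers = @('11111111-1111-1111-1111-111111111111')   # alice is in the group

Select-UserNotInGroup -User $sampleUsers -MemberObjectId $sampleMembers |
    Select-Object -ExpandProperty UserPrincipalName

# Against a tenant, with the MSOnline cmdlets used in the question.
# 'GROUP_NAME_PLACEHOLDER' is a placeholder; -SearchString can match several
# groups, so stop unless exactly one comes back.
# $group = @(Get-MsolGroup -SearchString 'GROUP_NAME_PLACEHOLDER')
# if ($group.Count -ne 1) { throw "Expected one group, found $($group.Count)" }
# $ids = @(Get-MsolGroupMember -GroupObjectId $group[0].ObjectId -All |
#          ForEach-Object { [string]$_.ObjectId })
# Select-UserNotInGroup -User (Get-MsolUser -All) -MemberObjectId $ids |
#     Select-Object UserPrincipalName |
#     Export-Csv C:\365\users.csv -NoTypeInformation
```

Get-MsolGroupMember lists the group's direct members, so a user who belongs only through a nested group would still appear in the export.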

Related

List out enabled users who are members of certain security groups

I'm trying to get a list of all enabled users in a particular security group. Seems simple but I cannot manage to get the correct output.
Thanks
If you are using Active Directory:
Get-ADGroupMember "PUT_HERE_ADGROUP_NAME" -Recursive | Get-ADUser | Where-Object {$_.Enabled -eq $True} | Select-Object -ExpandProperty Name
If you want to see local users, use Get-LocalGroupMember and Get-LocalUser with the same filter.

Export Distribution Group Members, include forwardingsmtpaddress

Is there a way I can export Distribution group members but also get the forwardingsmtpaddress included?
Right now I'm using two exports and having to set up VLOOKUP in order to get forwarding addresses.
Here is the command I'm using to export the members I want.
Get-DistributionGroupMember -Identity "groupname@domain.com" | Sort -Property EmailAddress | Export-Csv -Path C:\admin\groupname.csv
Here's the command I use to export the forwarding addresses:
get-mailbox | select UserPrincipalName,ForwardingAddress,ForwardingSmtpAddress,DeliverToMailboxAndForward | Export-Csv -Path C:\admin\Forwardingemails.csv
The "get-distributiongroupmember" command pulls in a ton of info but nothing on my members' forwarding addresses.

Is there a way to tell if automapping is enabled for mailbox permissions in Office 365 via Powershell?

I tried the PowerShell command below to extract a report for all Shared Mailboxes to our tenant. It was successful but it didn't provide the information I need. I would like to know as well if the automapping is set as "True" or "False" for each member of a Shared Mailbox. TIA!
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | Get-MailboxPermission | Select-Object Identity,User,AccessRights,IsInherited | Where-Object {($_.user -like '*@*')} | Export-Csv C:\Users\xxxxx\Downloads\xxxxx.csv -NoTypeInformation
Based on this sentence:
There is a way for on-prem and for hybrid. Are you in a hybrid setup? If automapping is NOT being utilized by a user, the user who has access to the mailbox does not appear in the msExchDelegateListLink attribute on the shared mailbox AD user object. If automapping IS being utilized by a user, you'll see the user DN within the attribute. For on-prem, it's just this one attribute. There is a second attribute for hybrid called msExchDelegateListBL.
I found this:
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize:Unlimited | % {get-aduser -identity $_.distinguishedname -properties msExchDelegateListLink, msExchDelegateListBL}
What do you think? Does this command really work?

PowerShell to Get Disabled AD Users Still Licensed in O365

I'm trying to run a report, to get all the users who are disabled in AD, but still have a license assigned in Office 365.
I've found a couple of scripts on various sites, and they work if just run within the PowerShell console, but the moment I try to export to a CSV, it loses the license assignment information.
The script I'm currently using is:
Get-MsolUser -All | where {$_.isLicensed -eq $true -and $_.BlockCredential -eq $true} | select userprincipalname,islicensed,Licenses,UsageLocation
This works, and shows the below
UserPrincipalName     IsLicensed Licenses                 UsageLocation
-----------------     ---------- --------                 -------------
joe.bloggs@domain.com True       {tennent:ENTERPRISEPACK} US
However, the moment I add:
| Export-Csv -Path C:\LicenseReport.csv
The report changes to:
UserPrincipalName     IsLicensed Licenses                                                                       UsageLocation
joe.bloggs@domain.com TRUE       System.Collections.Generic.List`1[Microsoft.Online.Administration.UserLicense] US
I've tried a number of other select properties for the license, such as
$_.licenses.accountskuid
@{n="Licenses Type";e={$_.Licenses.AccountSKUid}}
$($license.AccountSKUid)
But none work. How do I get the report to export with the License details?
This is the command I use & it works:
Get-MsolUser -All | ?{$_.isLicensed -eq "TRUE"} | Select DisplayName, SignInName, @{n="LicensesType";e={$_.Licenses.AccountSKUid}} | Export-Csv -Path C:\output.csv -NoTypeInformation
Be aware though, the MSOnline module is no longer developed. You should consider moving to the AzureAD PowerShell module.
Here is the syntax for that:
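# $license is assumed to already hold the SKU object to match (for example, one entry from Get-AzureADSubscribedSku)
Get-AzureADUser -All $true | ?{($_.AssignedLicenses | ?{$_.SkuId -eq $license.SkuId})} | SELECT DisplayName, UserPrincipalName, @{l="License";e={$license.SkuPartNumber}}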
Try this:
Get-MsolUser -All | where {$_.isLicensed -eq $true -and $_.BlockCredential -eq $true} |
select userprincipalname,islicensed,@{N="Licenses";E={$_.Licenses.AccountSkuId}},UsageLocation
That covers the case where you have only one license. If you have more, you need to join them with commas so the value is a string compatible with the CSV export, for example:
Change this:
@{N="Licenses";E={$_.Licenses.AccountSkuId}}
To this:
@{N="Licenses";E={$_.Licenses.AccountSkuId -join ','}}

powershell script Ad script group

I have the below PS script to import user details from a domain/forest from a domain local group. Everything is working, but I need to include two more details, user mail ID and user domain, in the Excel. How can I do this?
Get-ADGroupMember "test" | Select-Object samaccountname, name, distinguishedname | Export-CSV -path "c:\test.csv" -notypeinformation
Some properties are not included in the default property set of a user object. In that case you need to query the user with the additional (or all) properties, e.g.:
Get-ADGroupMember "test" `
| Get-ADUser -Properties * `
| select samaccountname, name, distinguishedname, mail `
| Export-CSV "C:\test.csv" -NoTypeInformation
AFAIK the (DNS) domain name is not an AD attribute, but you could derive it from the distinguished name:
(Get-ADUser "name").distinguishedName -replace '^.*?,dc=' -replace ',dc=', '.'
so you could add another property in the select statement like this:
@{n="domain";e={$_.distinguishedName -replace '^.*?,dc=' -replace ',dc=', '.'}}
As for the referral error: the group seems to be containing members from another domain. AFAIK all of the following requirements must be met to be able to run AD PowerShell cmdlets against other domains in the same forest:
The Active Directory Web Services must be running on at least one of the DCs of the remote domain, and the port must be accessible from the local domain.
Your account must have admin privileges on the remote DCs (e.g. by being a member of the Enterprise Admins group).