Is there a way to do the above? I've managed to follow the below link successfully but we're looking to set different limits based on the user's role.
The aforementioned link
Where is says :
Additional filters can be applied to the Get-Mailbox cmdlet or to the Get-User cmdlet to control the users for whom the change is applied. The following is an example in which three cmdlets are used to filter the command to the sales department of an organization:
Get-User | where {$_.Department -eq "Sales"} | Get-Mailbox | Set-Mailbox -ProhibitSendQuota < Value > -ProhibitSendReceiveQuota < Value > -IssueWarningQuota < Value >
Kinda got me confused as to where it's pulling the "Sales" group from?
Probably being a muppet here but any help appreciated.
You could do this, using the Active Directory PowerShell module:
Get-ADUser -Filter * -Properties Department | Where-Object { $_.Department -eq "Sales" } | [...]
But that's just pulling everybody and looking at the Department field from Active Directory. That's the example the article gives, but it doesn't answer your question about assigning quotas based on groups.
I suspect what you'll want based on your problem is this:
Get-ADGroupMember -Identity $GroupName | Get-ADUser | Get-MailBox | Set-ProhibitSendQuota [...]
I don't know if you need Get-ADUser there or if the output of Get-ADGroupMember can be piped directly to Get-MailBox. I no longer administer Exchange, so I don't have access to those cmdlets anymore. $GroupName can be the group's name, distinguished name, or even the SID, IIRC.
Related
I would like to write a script that searches for users and if those users are not members of both Group A and B then they get added to Group B. I have found a lot of conditionals for adding a member to one group if it does not exist in another, but not two groups.
You can just join two condition using -and operator:
get-aduser -filter * -searchbase "dc=domain,dc=local" | where-object {((get-aduser $_.samaccountname -properties memberof).memberof -ne "A") -and ((get-aduser $_.samaccountname -properties memberof).memberof -ne "A")} | ForEach {add-adgroupmember -identity "B" -member $_.samaccountname}
You've identified your use case/goals.
This a common task.
What you are asking, os covered in the PowerShell help files and the examples for the cmdlets:
Get-ADGroupMember (activedirectory) | Microsoft Docs,
Add-ADGroupMember - learn.microsoft.com,
... this is a simple if/then and you can see plenty of examples of this use case online. Search for it on the web and Youtube, 'Powershell AD group management'
Your question is really a duplicate of these stackoverflow Q&A's
Check if a group exists in AD using PowerShell
Check if the user is a member of a list of AD groups
I need to do an AD export with the info below:
- all enable users NOT present in a specific group
- email address
- account name
and export everything into a csv file
Can u help me please?
Thanks!!!!
You could do something like the following:
$group = 'my group name'
$GroupMembers = Get-ADGroupMember $group -Recursive
Get-ADUser -Filter "Enabled -eq '$true'" -Properties Mail |
Where-Object { $_.SamAccountName -notin $GroupMembers.SamAccountName } |
Select-Object SamAccountName,Mail |
Export-Csv Output.csv -NoType
Get-ADGroupMember with the -Recursive switch will recursively retrieve AD objects that are a member of $group.
Get-ADUser utilizes a filter to only query enabled users. Notice that you must add the Mail property because email address attributes are not in the default display. You can tweak this filter to make the query faster. If you are willing to add a little complexity and do performance testing, it may be faster to build separate Get-ADUser -Filter ... queries than relying on Where-Object. Performance will depend on your AD size and how many members are in the target group.
I'm an IT intern tasked with performing an audit of users on our domain and I'm having some trouble finding the info I need without all of the extra stuff. Is there a way to pull all of this info in one command? If not, can you recommend commands to pull users, usernames, and login info separately in a manner that I can copy-paste in the format I need?
I previously used get-adgroup -filter * and wrote to a file. Are there some options I can add for this filter? I also used a script to get all users, and all groups and their user permissions on separate occasions.
You could try something like:
Get-ADGroup -Filter "Name -like '*Accounting*'" |
Get-ADGroupMember |
Select-Object name, SamAccountName
Or if you need more fields from the user object, then try something like:
Get-ADGroup -Filter "Name -like '*Accounting*'" |
Get-ADGroupMember |
Get-ADUser -Properties Enabled |
Select-Object Name, SamAccountName, UserPrincipalName, Enabled
You'll probably want to export to a spreadsheet, so use Export-Csv for that.
I'm writing a script which is supposed to show me security groups by matching an input e.g. 'marketing'.
Afterwards I want to add a user to this security group. Since the exchange-powershell can search for user via -anr it's much easier to find the right person.
Here is the part of my script:
$grparray = get-adgroup -filter * | where { $_.name -match "marketing" -and $_.GroupCategory -eq 'Security' }
$potentarray = get-mailbox -anr Julia | select SamAccoutName
$grparray[1] | add-adgroupmember -members $potentarray[1]
But I get the error:
CannotConvertArgumentNoMessage,Microsoft.AcitveDirectory.Management.Commands.AddAdGroupMember
Seems like the ad-modules can't handle the Exchange input.
Does anyone know how I can solve this issue, or got another idea how to?
Ambiguous Name Resolution is available with Get-ADUser, this is preferable over Get-Mailbox as it returns an AD Object which can be used as an input for Add-ADGroupmember.
Try $potentarray = Get-ADUser -LDAPFilter "(anr=Julia)" instead of Get-Mailbox.
I'm trying to write a script to find disabled users that is member of one or more groups in a specific OU in AD. It will then remove all the groups for all the disabled users. I found this script which removes all groups from users in a csv file, but as i'm looking to run this as a scheduled task I prefer not to process users that already had their groups removed without having to move them to a different OU.
Import-Csv $csvFile | ForEach-Object {
# Disable the account
Disable-ADAccount -Identity $_.samAccountName
# Retrieve the user object and MemberOf property
$user = Get-ADUser -Identity $_.samAccountName -Properties MemberOf
# Remove all group memberships (will leave Domain Users as this is NOT in the MemberOf property returned by Get-ADUser)
foreach ($group in ($user | Select-Object -ExpandProperty MemberOf))
{
Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
}
}
Any idea on how to filter out the users with more then one group?
I'm using this script to export disabled users that has not logged on for 60 days:
Get-QADUser -searchRoot $OuDomain -searchScope OneLevel -InactiveFor 61 -NotLoggedOnFor 61 -disabled -sizelimit 0
Thx
You seem to have filter by ou part down which is good. You have some thoughts in the beginning of you post but the only actual question is how to filter out the users with more then one group. Not sure if that is a typo or not but I read that as checking the count of groups a user has. A more realistic interpretation of that is filter users that could have at least one of a list of groups. I'm going to cover both.
The Count
I'm sure this is not what you want but just want to cover the base. The following would also work in a Where-Object clause
If((get-aduser $user -Properties MemberOf).MemberOf.Count -gt 0){Process...}
Multiple Groups
I'm sure this was your intention. Locate users that could contain one of serveral groups. This is best handled with regex.
$groupsFilter = "citrix_GateKeeper","barracuda_spam_alerts"
$groupsFilter = "($($groupsFilter -join '|'))"
# $groupsFilter in this example is: (citrix_GateKeeper|barracuda_spam_alerts)
If(((Get-ADUser $user -Properties MemberOf).MemberOf) -match $groupsFilter){Process....}
Create a regex match string based on a string array of multiple groups. If $user is a member of either of those groups then true would be returned.
If nothing here is of any use to you then I would suggest making your question clearer. Hopefully this helps.