I'm trying to run a script that gets a user's info from AD. After the employee ID is provided, the script gets all the user's groups and prints them as a list. After that it gets more attributes such as SamAccountName, LockedOut etc. Then it checks if the user is a member of an "eTips" group.
My problem is that for some reason the output of the script is not shown in the order in which the script is written.
This is the code:
$EmpID = Read-Host "Enter Employee ID"
$ShowMemberOf = Read-Host "Want to see all the groups he members of (takes time...)? (y/n)"
if ($ShowMemberOf -eq "y" -or $ShowMemberOf -eq "yes") {
    $User = get-aduser -Filter {EmployeeID -like $EmpID} | Select-Object -ExpandProperty SamAccountName
    Write-Host "Group list:"
    Get-ADPrincipalGroupMembership $User | select name
    Write-Host "The rest of the user's info:"
    get-aduser -Filter {EmployeeID -like $EmpID} -Properties * | Select-Object SamAccountName, PasswordExpired,
        PasswordLastSet, OfficePhone, LockedOut, Enabled, CN
    $MemberOfEtips = get-aduser -Filter {EmployeeID -like $EmpID} -Properties MemberOf | Select-Object -ExpandProperty MemberOf | Select-String -Pattern "etips"
    if ($?) {
        write-host "Member of an eTips group"
    }
    else {
        write-host "NOT member of eTips group"
    }
}
else {
    Write-Host "The rest of the user's info:"
    get-aduser -Filter {EmployeeID -like $EmpID} -Properties * | Select-Object SamAccountName, PasswordExpired,
        PasswordLastSet, OfficePhone, LockedOut, Enabled, CN
    $MemberOfEtips = get-aduser -Filter {EmployeeID -like $EmpID} -Properties MemberOf | Select-Object -ExpandProperty MemberOf | Select-String -Pattern "etips"
    if ($?) {
        "Member of an eTips group"
    }
    else {
        "NOT member of eTips group"
    }
}
This is the output:
Enter Employee ID: 4449871
Want to see all the groups he members of (takes time...)? (y/n): y
Group list:
The rest of the user's info:
name
----
Domain Users
SMS_USERS
dg_computingl
ManagerUsers
eTips
Member of an eTips group
As you can see, the script continues to run even though the "Get-ADPrincipalGroupMembership" cmdlet wasn't complete yet. So the result is I'm getting the group list under 'The rest of the user's info:' instead of under 'Group list:'.
The second weird thing is that, because of that, it doesn't even run this part:
get-aduser -Filter {EmployeeID -like $EmpID} -Properties * | Select-Object SamAccountName, PasswordExpired,
PasswordLastSet, OfficePhone, LockedOut, Enabled, CN
It just skips to the part where it checks if the user is part of the eTips group.
Please explain what I'm doing wrong here.
Remove Write-Host everywhere you used it; the other commands you use behave like Write-Output, which is why the order looks weird. Just put the strings you want to output on a line of their own, to have the same behavior and appropriate display.
The second Get-ADUser command does run, but I guess it simply does not produce any output; you should check it separately.
I'd rather run the if against $MemberOfEtips than $?, but that may only be a pattern unknown to me.
By default, a majority of PowerShell cmdlets are synchronous (there are specific exceptions, like jobs).
Related
$UserInfo = Get-ADUser -Filter { mail -eq $email } -properties mail, title, manager, SamAccountName, distinguishedName | Select-Object SamAccountName, distinguishedName, title, manager
$UserSam = $UserInfo.SamAccountName
$ADGroups = Get-ADPrincipalGroupMembership -Identity $UserSam | Select-Object distinguishedName, name | Where-Object { ($_.distinguishedName -ne 'CN=Domain Users,CN=Users,DC=Corp,DC=Domain,DC=com') -and ($_.distinguishedName -ne 'CN=Google-Users,OU=Security Groups,OU=Groups,DC=Domain,DC=com') }
I visually confirm the user has AD groups besides the two and the samaccountname is right. There is no error except that $ADGroups is empty. The odd thing is sometimes it works and sometimes not.
Thoughts?
Turns out the domain is not syncing correctly. The command I am running is correct as far as I can tell.
Just can't for the life of me figure this out. What I am trying to do is get a list of all the groups that a user is a member of. Then I would like to pass those along and grab the specific groups that I am looking for.
Below is what I have so far:
(Get-ADUser $user -Properties MemberOf ).MemberOf | Where-Object {$_.Name -contains 'Part of Group Name'}
This returns nothing. I have a feeling that I am not referencing the right property in my Where-Object but I am having a hard time finding what that is. I know the results of (Get-ADUser $user -Properties MemberOf ).MemberOf are:
CN=App - dyn_readuser_prod_WeblogicApps_NS,OU=Groups,OU=USCC,DC=int,DC=usc,DC=local
CN=App - dyn_readuser_prod_osb_NS,OU=Groups,OU=USCC,DC=int,DC=usc,DC=local
CN=App - dyn_readuser_prod_openshift_NS,OU=Groups,OU=USCC,DC=int,DC=usc,DC=local
CN=App - dyn_readuser_nonprod_WeblogicApps_NS,OU=Groups,OU=USCC,DC=int,DC=usc,DC=local
CN=App - dyn_readuser_nonprod_osb_NS,OU=Groups,OU=USCC,DC=int,DC=usc,DC=local
CN=App - dyn_readuser_nonprod_openshift_NS,OU=Groups,OU=USCC,DC=int,DC=usc,DC=local
I just can't figure out how to reference "CN".
Try it this way:
(Get-ADUser $user -Properties memberOf).memberOf |
Where-Object { $_ -like 'CN=*Part of Group Name*,*' }
The (...).memberOf syntax in PowerShell v3 and later is functionally equivalent to piping to Select-Object -ExpandProperty memberOf, so you could also write it this way:
Get-ADUser $user -Properties memberOf |
Select-Object -ExpandProperty memberOf |
Where-Object { $_ -like 'CN=*part of group name*,*' }
(The second variation would be required in PowerShell v2 which doesn't support the (...).memberOf "syntactic sugar.")
There's a cmdlet that works well for grabbing the group membership of a user. Try the following:
Get-ADPrincipalGroupMembership -Identity $user | Select -ExpandProperty Name | Select-String -Pattern 'Part of Group Name'
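Added example, not code from any of the posts: it covers both the `if ($?)` membership check in the first question and the CN matching discussed here, showing why the check should test the captured result and compare the group's CN exactly rather than by substring. The DNs are constructed sample data, `Get-GroupCn` and `Test-MemberOfGroup` are hypothetical helper names, and escapes are assumed to be in the `\,` form.

```powershell
# Constructed memberOf values (sample data, not from a real directory).
$memberOf = @(
    'CN=Domain Users,CN=Users,DC=example,DC=com'
    'CN=eTips-Denied,OU=Groups,DC=example,DC=com'
    'CN=Ops\, eTips,OU=Groups,DC=example,DC=com'    # CN with an escaped comma
)

function Get-GroupCn {
    # Hypothetical helper: return the leading CN value of a distinguished name.
    # The value runs to the first comma that is not part of a "\x" escape pair.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    if ($DistinguishedName -match '^CN=((?:\\.|[^,\\])+)(?:,|$)') {
        # Undo "\," style escaping (assumption: no hex-pair escapes such as \2C).
        return ($Matches[1] -replace '\\(.)', '$1')
    }
    return $null
}

function Test-MemberOfGroup {
    # Hypothetical helper: true only if some entry's CN equals $GroupName
    # (-eq on strings is case-insensitive).
    param([string[]]$MemberOf, [Parameter(Mandatory)][string]$GroupName)
    foreach ($dn in $MemberOf) {
        if ((Get-GroupCn -DistinguishedName $dn) -eq $GroupName) { return $true }
    }
    return $false
}

# The question's pattern: Select-String matches nothing, yet $? stays True,
# because "no match" is not an error. Test the captured result instead.
$hit = $memberOf | Select-String -Pattern 'Payroll'
$statusAfterNoMatch = $?
"`$? after a search with no match : $statusAfterNoMatch"
"[bool] of the captured result   : $([bool]$hit)"

# Substring matching also reports membership for similarly named groups.
"substring '*etips*' matches     : $([bool]($memberOf -like '*etips*'))"
"exact CN 'eTips'                : $(Test-MemberOfGroup $memberOf 'eTips')"
"exact CN 'Ops, eTips'           : $(Test-MemberOfGroup $memberOf 'Ops, eTips')"
```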
I have a list of displaynames and I need to get their AD information.
Get-Content "C:\displaynames.txt" |
foreach {
$givenname,$surname = $_ -split ' '
if (Get-ADUser -Filter "surname -eq '$surname' -and givenname -eq '$givenname'"){
Get-ADUser -Filter { displayName -match $_} -Properties EmailAddress, Manager | Select Givenname, Surname, SamAccountName, EmailAddress, Manager}
else {Get-ADUser -Filter { displayName -like "AD Test"} -Properties EmailAddress, Manager | Select Givenname, Surname, SamAccountName, EmailAddress, Manager}
} | Export-Csv -Path C:\result.csv
This works fine, but only if users have no middle names ex. John Moore
If the user has a middle name, it doesn't pick it up.
How can I change the script so it picks up users with middle names ex. John Roger Moore?
As Mathias R. Jessen already commented, you can use the -Filter on property DisplayName directly.
The Filter should be a string, not a scriptblock.
Using -Filter also has the advantage that you can suppress exceptions being thrown, so I would build in a step to confirm that we indeed did find a user with that displayname:
Get-Content "C:\displaynames.txt" | ForEach-Object {
    $user = Get-ADUSer -Filter "DisplayName -eq '$_'" -Properties DisplayName, EmailAddress, Manager -ErrorAction SilentlyContinue
    if ($user) {
        # output the wanted properties as **object**
        $user | Select-Object Givenname, Surname, SamAccountName, EmailAddress, Manager
    }
    else {
        # nobody in this domain with a displayname like that..
        Write-Warning "User '$_' could not be found.."
    }
} | Export-Csv -Path 'C:\result.csv' -NoTypeInformation
Note that the Manager property is in the form of the manager's DistinguishedName. If you want to get other properties for the manager, like his/her name, you will have to use Get-ADUser -Identity $user.Manager to get the wanted property there too.
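Added example, not part of the answer above: display names read from a file can contain characters that have meaning inside a filter, so this sketch swaps `-Filter` for the `-LDAPFilter` parameter and escapes each value per RFC 4515 before building the query. `ConvertTo-LdapFilterValue` and `New-DisplayNameFilter` are hypothetical helper names and the sample names are constructed.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP search filter (RFC 4515):
    # backslash first, then * ( ) and NUL, each as a backslash plus two hex digits.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    $Value = $Value.Replace('\', '\5c')
    $Value = $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    return $Value.Replace([string][char]0, '\00')
}

function New-DisplayNameFilter {
    # Build an exact-match filter on displayName, restricted to user objects.
    param([Parameter(Mandatory)][string]$DisplayName)
    $escaped = ConvertTo-LdapFilterValue -Value $DisplayName.Trim()
    return "(&(objectCategory=person)(objectClass=user)(displayName=$escaped))"
}

# Constructed lines standing in for the contents of C:\displaynames.txt.
$names = @(
    'John Roger Moore'          # middle name: matched as one whole display name
    "Mary O'Neil"               # apostrophe: LDAP filters have no quote delimiters
    'Ann Lee (Contractor)'      # parentheses must be escaped to stay literal
)

foreach ($name in $names) {
    $filter = New-DisplayNameFilter -DisplayName $name
    '{0,-22} -> {1}' -f $name, $filter
    # Against a real domain (requires the ActiveDirectory module):
    # Get-ADUser -LDAPFilter $filter -Properties DisplayName, EmailAddress, Manager
}
```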
The basic question here is how to account for middle names.
PowerShell 5 has some AI-powered cmdlets.
Here, I will quote an example from the documentation.
Example 2: Simplify format of a string
$composers = @("Johann Sebastian Bach", "Wolfgang Amadeus Mozart", "Frederic Francois Chopin", "Johannes Brahms")
$composers | Convert-String -Example "first middle last=last, first"
Bach, Johann
Mozart, Wolfgang
Chopin, Frederic
Brahms, Johannes
The first command creates an array that contains first, middle and last names. Note that the last entry has no middle name.
The second command formats the names according to the example. It puts the last name first in the output, followed by the first name. All middle names removed; entry without middle name is handled correctly.
Convert-String (Microsoft.PowerShell.Utility) - PowerShell | Microsoft Docs
I've been looking online for ways of doing this and I'm at a loss here. I'm looking for a way to look up a particular user within a particular group in AD through powershell. Here's what I've tried.
(Get-ADUser userName -Properties MemberOf).MemberOf
I get a bunch of groups
(Get-ADGroupMember "groupname").name
I get a bunch of usernames
I tried this command but it's taking forever to get results.
(Get-ADGroupMember 'groupname' | Get-ADUser -Property DisplayName | Where-Object { $_.Name -eq 'username'})
Is there a way where I can get a command that is both fast and efficient? I'm also looking for their email address and surname and last name.
Thanks in advance
As commented, it is best not to use the Name property; if you have it, use the SamAccountName or DistinguishedName of the user you seek, to rule out ambiguous names.
$user = Get-ADGroupMember -Identity 'GroupName' |
Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq 'userSamAccountName' } |
Get-ADUser -Properties DisplayName, EmailAddress, GivenName, Surname # add more properties if you need them
# display the user object on screen
$user
Or do this way:
$user = $null
$member = Get-ADGroupMember -Identity 'TheGroupName' |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq 'TheuserSamAccountName' }
if ($member) {
    # add more properties if you need them
    $user = Get-ADUser -Identity $member.DistinguishedName -Properties DisplayName, EmailAddress, GivenName, Surname
}
else {
    Write-Host "User 'TheuserSamAccountName' is not a member of group 'TheGroupName'"
}
# display the user object on screen
$user
The resulting $user object will also contain these properties:
DistinguishedName, Enabled, Name, ObjectClass, ObjectGUID, SamAccountName, SID, UserPrincipalName
If you don't need all of these properties simply filter them out using
$user | Select-Object DisplayName, EmailAddress, GivenName, Surname
I'm trying to find all users that belong to the group "Windows".
I want to display their id, last name, first name.
Desired output format:
Windows Users,1234567,John,Doe
Windows Administators,7654321,Jane,Doe
This one-liner does more or less what I want, but I need to modify the parameter identity every time from "Windows Users" to "Windows PowerUsers" to "Windows Administrators" etc.
Example:
Get-ADGroupMember -identity "Windows Users" -Recursive | Get-ADUser | select SamAccountName, Surname, GivenName
So I attempted to put it all together, but it's giving me errors.
$ADGroups = Get-ADGroup -Filter {name -like "Windows*"}
foreach ($ADGroup in $ADGroups) {
Get-ADGroup -filter {Name -eq $ADGroup.Name} | Get-ADGroupMember -identity
$ADGroup.Name -Recursive | Get-ADUser | select SamAccountName, Surname, GivenName
}
Any ideas will be greatly appreciated. I can't figure out how to capture all users that belong to the group Windows* such as "Windows Users" to "Windows PowerUsers" to "Windows Administrators" etc.
Note: I looked into this, but it's not quite what I'm looking for: Powershell script to display all Users in a Group AD
Thank you.
Your example is a good start.
Try this one. It should do the job:
Get-ADGroup -Filter {name -like "Windows*"} | foreach {
    $currentGroup = $_.Name
    $_ | Get-ADGroupMember | foreach {
        $_ | Get-ADUser | select @{name="Group"; expression={ $currentGroup }}, SamAccountName, Surname, GivenName
    }
}
I don't have my access to AD at the moment, but I would give this a try:
get-aduser -filter {memberof -like "Windows*"} -property samaccountname,surname,givenname,memberof | select samaccountname,surname,givenname
OR you could try this inside your original foreach loop...
get-adgroup -filter {name -eq $adgroup.name} | select -expand members | get-aduser $_ | select samaccountname,surname,givenname
I can't remember what "members" produces. I believe it is samaccountname; if not, you could add an ldap filter to get-aduser -filter {whatever -eq $_}