Search AD with PowerShell without using AD module (RSAT) - powershell

The ActiveDirectory module comes with Remote Server Administration Tools (RSAT). I would like to avoid installing RSAT on client PCs. Is there a way to retrieve the members of an AD group without using the Active Directory module?

You could use [ADSI] to do an LDAP lookup:
$Group = [ADSI]"LDAP://CN=DistinguishedNameofGroup,DC=Example,DC=com"
$Group.Member
Alternatively you could use the DirectoryServices.DirectorySearcher class:
$Search = New-Object DirectoryServices.DirectorySearcher("(&(objectCategory=group)(name=ExampleGroupName))")
$Results = $Search.FindAll()
$Results.Properties["Member"]
# As a one-liner
([System.DirectoryServices.DirectorySearcher]"(&(objectCategory=group)(name=ExampleGroupName))").FindAll().Properties["Member"]
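An added example (not from the answers above) that takes the DirectorySearcher approach a step further: it reads the member attribute in ranges, because AD returns at most MaxValRange values (1500 by default) of a multi-valued attribute per query, so the plain `Properties["Member"]` lookup silently truncates large groups. It also escapes the group name before putting it in the LDAP filter. The base DN and group name are placeholders.

```powershell
# Added example, not from the original answers. Enumerates all direct members of a
# group with System.DirectoryServices only (no RSAT), using LDAP range retrieval so
# groups larger than the server's MaxValRange (1500 by default) are read completely.
function Get-GroupMembersNoRsat {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$SearchRoot = "LDAP://DC=example,DC=com"   # placeholder base DN
    )
    # Escape RFC 4515 filter metacharacters so a crafted name cannot alter the filter
    $escaped = $GroupName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$SearchRoot
    $searcher.Filter     = "(&(objectCategory=group)(sAMAccountName=$escaped))"

    $members = New-Object System.Collections.Generic.List[string]
    $start   = 0
    do {
        $searcher.PropertiesToLoad.Clear()
        [void]$searcher.PropertiesToLoad.Add("member;range=$start-*")
        $result = $searcher.FindOne()
        if (-not $result) { throw "Group '$GroupName' not found under $SearchRoot" }

        # The server names the attribute after the range it actually returned, e.g.
        # 'member;range=0-1499' (more to come) or 'member;range=1500-*' (final chunk).
        $returned = $result.Properties.PropertyNames | Where-Object { $_ -like 'member;range=*' }
        if (-not $returned) { break }                        # empty group
        foreach ($dn in $result.Properties[$returned]) { $members.Add($dn) }
        $start = $members.Count
    } until ($returned.EndsWith('-*'))

    # Resolve each DN to an account name and class; '/' must be escaped in an ADsPath.
    foreach ($dn in $members) {
        $obj = [ADSI]("LDAP://" + ($dn -replace '/', '\/'))
        [pscustomobject]@{
            SamAccountName    = [string]$obj.sAMAccountName
            ObjectClass       = [string]($obj.objectClass | Select-Object -Last 1)
            DistinguishedName = $dn
        }
    }
}

# Nested groups show up with ObjectClass 'group'; recurse on those if you need effective membership.
Get-GroupMembersNoRsat -GroupName 'ExampleGroupName' | Format-Table -AutoSize
```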

I had a similar problem recently. I knew that the .Net Framework has everything for this! So I made a small ADNAM PowerShell module, maybe it will be useful to someone.

Related

PowerShell - ActiveDirectory Module

I need the ability to have users run a script that requires the ActiveDirectory module. I copied over the following:
"C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory", "Microsoft.ActiveDirectory.Management.resources.dll", "Microsoft.ActiveDirectory.Management.dll".
The script runs two Get-ADUser commands, one without the -Server parameter and the other with it. The issue is that the former is working but the latter is not.
Is there another module that I need to copy over?
I don't like the idea of installing administrative tools for non-admins. Even if you could get away with copying files and not doing the full-blown RSAT installation. Not the least of reasons is you are dramatically increasing the attack surface for malicious actors. The better solution is (Just Enough Administration) JEA, or a philosophically similar approach.
JEA / Constrained endpoints can get complicated, but a summary of what you can do looks something like this:
New-PSSessionConfigurationFile -Path 'C:\PSSessionConfigs\DemoPSEndpointConfig.pssc' -ModulesToImport ActiveDirectory -VisibleCmdlets "Get-ADUser"
Register-PSSessionConfiguration -Path 'C:\PSSessionConfigs\DemoPSEndpointConfig.pssc' -ShowSecurityDescriptorUI -Name DemoPSEndPoint
Run these commands on a system that has the ActiveDirectory module (likely the whole RSAT component) installed; it doesn't need to be a Domain Controller. It will create a new PowerShell remoting endpoint configuration that exposes only the commands you wish. The Register-PSSessionConfiguration command will display a security dialog where you can specify which users you want to allow to connect; you want to grant them Read & Execute permission. Once that's done, you can get the results with an Invoke-Command like this:
Invoke-Command -ComputerName <ServerName> -ConfigurationName DemoPSEndPoint -ScriptBlock { Get-ADUser <UserName> }
You can add the -Server parameter in the command without issue. You can expand the cmdlets you are allowing in the New-PSSessionConfigurationFile command.
Again this is very much a summary of a more complex topic but should be enough to get what you want.
Personally, I don't use configuration files as much as I use startup scripts. I think the latter is more flexible. You can get some information about that here. If you really want to dig into this there are references at the end of the article including a link to the PowerShell JEA documentation. There's also a link to some of the MVP articles I used to develop my own endpoints.
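An added example, not from the answer above, of the role-capability form of the same idea: the endpoint exposes Get-ADUser with only an allowlisted set of parameters, runs as a virtual account so the connecting user never holds AD rights directly, and records transcripts. The module path, the AD group allowed to connect and the DC names are placeholders.

```powershell
# Added example, not from the original answer. Builds a JEA endpoint that exposes
# Get-ADUser with a constrained parameter set. Paths, the AD group that may connect
# and the DC names are placeholders; run on a host that has the ActiveDirectory module.
$moduleRoot = 'C:\Program Files\WindowsPowerShell\Modules\ADReadOnlyJEA'   # placeholder, must sit in $env:PSModulePath
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -Path $rcDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'ADReadOnlyJEA.psd1')   # role capabilities must live inside a module

# Role capability: which commands, and which of their parameters, the caller can use.
# Constraining -Properties and -Server keeps the endpoint from becoming a general AD dumper.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'ADUserReader.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleCmdlets @{
        Name       = 'Get-ADUser'
        Parameters = @{ Name = 'Identity' },
                     @{ Name = 'Properties'; ValidateSet = 'Enabled', 'LockedOut', 'PasswordLastSet', 'mail' },
                     @{ Name = 'Server';     ValidateSet = 'dc01.example.com', 'dc02.example.com' }   # placeholders
    }

# Session configuration: RestrictedRemoteServer (no language mode, minimal built-ins),
# a virtual account instead of the caller's own token, transcripts, and group-to-role mapping.
$pssc = Join-Path $moduleRoot 'ADReadOnly.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JEATranscripts' `
    -RoleDefinitions @{ 'EXAMPLE\Helpdesk-Tier1' = @{ RoleCapabilities = 'ADUserReader' } }   # placeholder group

if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration file: $pssc" }
Register-PSSessionConfiguration -Name 'ADReadOnly' -Path $pssc -Force

# A member of EXAMPLE\Helpdesk-Tier1 can now run only what the role allows, e.g.:
#   Invoke-Command -ComputerName jeahost -ConfigurationName ADReadOnly `
#       -ScriptBlock { Get-ADUser jdoe -Properties Enabled, LockedOut -Server dc01.example.com }
```

Any parameter or value outside the allowlist is rejected by the endpoint, and every session lands in the transcript directory for review.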
The ActiveDirectory module is dependent on the RSAT (Remote Server Administration Tools). These are available to install/activate through PowerShell: https://mikefrobbins.com/2018/10/03/use-powershell-to-install-the-remote-server-administration-tools-rsat-on-windows-10-version-1809/
With this installed you automatically also get the ActiveDirectory module installed.

I'm trying to remove a user from a local group through AD (PowerShell)

I'm trying to develop a script that removes a domain user from the local Administrators group (I can use Computer Management from AD, but it's a graphical interface; I need to do it with commands). For now I'm using Invoke-Command to remotely connect to machines and remove their users from the local admins group.
I'm using this command: Invoke-Command -ComputerName $line2.split(";")[0] -ScriptBlock { net localgroup "administrators" $using:notadmin /DELETE } -Credential $Cred
The problem here is that if a machine is not online, I need to wait until it is online. I'm searching for how to remove users from a local group (Administrators, for example) through AD.
Is there a command to do that?
I see two approaches:
If you would like to use Group Policy, you may check for: Restricted groups.
https://www.petri.com/manage-local-active-directory-groups-using-group-policy-restricted-groups
Another option would be to incorporate Test-Connection in your script, validating whether the computer is online. If it is, execute the script; if it is not, store it in another list of offline machines.
Then later run the script against the offline machine list ... and so on until all the computers have been covered.
P.S. And yes, as suggested in the comments, consider using Remove-LocalGroupMember, if your PowerShell version supports it.
Again, it depends on the case.
Hope it helps!
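An added example (not from the answer above) of the approach just described: each target is probed with Test-Connection, online machines have the account removed with Remove-LocalGroupMember (PowerShell 5.1+ on the target), and unreachable or failing hosts are written to a list for the next run. Input lines follow the question's `computer;user` format and are constructed here; the list path is a placeholder.

```powershell
# Added example, not from the original answer. Implements the "handle online hosts now,
# queue offline ones for later" loop. Assumes PowerShell 5.1+ on the targets (for
# Remove-LocalGroupMember) and the computer;user line format from the question.
$targets = @(
    'pc-finance-01;EXAMPLE\jdoe',    # constructed sample input
    'pc-finance-02;EXAMPLE\asmith'
)
$offlineList = 'C:\Temp\offline-retry.txt'   # placeholder path; feed it back in as $targets next run
$Cred        = Get-Credential                 # account that is an administrator on the targets

$offline = New-Object System.Collections.Generic.List[string]
foreach ($line in $targets) {
    $computer, $user = $line.Split(';')
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        $offline.Add($line)                   # queue instead of waiting for it to come back
        continue
    }
    try {
        $remaining = Invoke-Command -ComputerName $computer -Credential $Cred -ErrorAction Stop -ScriptBlock {
            param($member)
            # -ErrorAction Stop so "not a member" or "access denied" comes back as a terminating error
            Remove-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction Stop
            # Return the remaining membership so the change can be verified centrally
            (Get-LocalGroupMember -Group 'Administrators').Name
        } -ArgumentList $user
        Write-Output "$computer : removed $user; remaining admins: $($remaining -join ', ')"
    } catch {
        Write-Warning "$computer : $($_.Exception.Message)"
        $offline.Add($line)                   # failed hosts go on the retry list as well
    }
}
# Hosts to retry later; rerun with this file's contents as $targets
$offline | Set-Content -Path $offlineList
```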
$RemoteComputer = "yourComputer"
$Computer = [ADSI]("WinNT://$RemoteComputer,computer")
$Group = $Computer.PSBase.Children.Find("Administrators")
ForEach ($User in (Get-Content "c:\users\administrator.domain\desktop\localadmin.txt")) {
    $Group.Remove("WinNT://$User")
}
I tried this code and it really helped me, thanks for the help.

Citrix Get-Brokerapplication from specific server

On XenApp 6.x servers, there was a cmdlet like this:
GET-XAApplication -ServerName servername
I used to open a PSSession on the adminserver, then got all servers with GET-XAServer and then I simply did the Application command in a foreach loop, where the ServerName parameter was the servername from XAServer. Now I want to do the same on Version 7, but I can't figure out how it works.
I installed all new cmdlets for the newer Version. I found out I can get the Applications with GET-Brokerapplication - but I can't pass a parameter to tell the command from which server I want to grab them, so I can only grab them from my admin server.
Maybe someone can help me? I've already looked at the documentation (https://docs.citrix.com/de-de/xenapp-and-xendesktop/7-6/cds-sdk-wrapper-rho/xad-commands/citrix-broker-admin-v2-wrapper-xd76/get-brokerapplication-xd76.html) but I can't find a parameter that allows me to do what I want. Maybe I'm looking at the wrong cmdlet?
I would be really happy if someone has some advice for me.
In XenApp 6.x there were Worker Groups and you should have been publishing applications for Worker Groups instead of individual servers. Then you can enumerate Worker Groups and Applications:
$wgs = Get-XAWorkerGroup
foreach ($group in $wgs) {
    $apps = Get-XAApplication -WorkerGroupName $group
}
In XenApp 7.x WorkerGroups are replaced by Delivery Groups and you can enumerate them and associated applications:
$groups = Get-BrokerDesktopGroup
foreach ($group in $groups) {
    $apps = Get-BrokerApplication -AssociatedDesktopGroupUid $group.UID
}

Having trouble binding to Active Directory with specified credentials

As part of my current role, I frequently find myself having to work with objects in one of my organisation's resource forests. At the moment in order to do that, I use an RDP session connected to a server within that forest, and authenticate to it with a specific "Admin" account in that forest.
I'm starting to find this tedious, and so I've been trying to come up with a nice profile.ps1 which will get me a DirectoryEntry for the resource forest that I can work on with PowerShell (v2.0) on my local workstation instead, and save me the tedium of constantly re-establishing RDP sessions.
So I've got some code in my profile.ps1 which looks like this:
$resforest = "LDAP://DC=ldap,DC=path,DC=details"
$creds = Get-Credential -credential "RESOURCE_FOREST\my_admin_account"
$username = $creds.username
$password = $creds.GetNetworkCredential().password
$directoryentry = New-Object System.DirectoryServices.DirectoryEntry($resforest,$username,$password)
All of this proceeds fine, however, when I come to actually use the entry thus:
$search = New-Object DirectoryServices.DirectorySearcher($directoryentry)
$search.filter = "(&(anr=something_to_look_for))"
$search.findall()
I get a logon failure.
Now, I know the credentials are fine, I can map drives with them from my workstation to machines in the resource forest - and that works fine - so what am I ballsing up here?
PS - Please don't ask me to do anything with Quest's AD cmdlets - they're not allowed here.
Turns out the issue was with the serverless binding I was attempting to do.
If I modify the LDAP path to "LDAP://ldap.path.details/DC=ldap,DC=path,DC=details" then everything works.
Thanks to everyone who at least looked at the question ;)
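An added example, not from the question or its resolution: the same server-qualified bind, with the DirectoryEntry AuthenticationTypes set so the LDAP session is signed and sealed, ServerBind so ADSI never falls back to serverless binding, and an early RefreshCache so a logon failure surfaces at bind time instead of inside the first FindAll(). The server name and DN are placeholders.

```powershell
# Added example, not from the original post. Binds to a named server in the resource
# forest with signing/sealing and ServerBind, and fails fast on bad credentials.
# Host and DN components are placeholders.
$server = 'dc01.ldap.path.details'                 # placeholder DC in the resource forest
$baseDn = 'DC=ldap,DC=path,DC=details'
$creds  = Get-Credential -Credential 'RESOURCE_FOREST\my_admin_account'

# Secure     = Kerberos/NTLM bind instead of a simple bind (no cleartext password on the wire)
# Signing    = integrity protection, Sealing = encryption of the LDAP traffic
# ServerBind = use exactly this server; no serverless lookup (the failure mode hit above)
# Sealing/Signing need Kerberos; if only NTLM works across the forest boundary, drop them
# and use SecureSocketsLayer (LDAPS) instead.
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Signing -bor
            [System.DirectoryServices.AuthenticationTypes]::Sealing -bor
            [System.DirectoryServices.AuthenticationTypes]::ServerBind

$entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
    "LDAP://$server/$baseDn",
    $creds.UserName,
    $creds.GetNetworkCredential().Password,
    $authType)

# RefreshCache performs the actual bind, so a logon failure is reported here with a
# clear message rather than deep inside a later search.
try {
    $entry.RefreshCache([string[]]@('distinguishedName'))
} catch {
    throw "Bind to $server as $($creds.UserName) failed: $($_.Exception.GetBaseException().Message)"
}

$search = New-Object System.DirectoryServices.DirectorySearcher($entry)
$search.Filter   = '(&(anr=something_to_look_for))'
$search.PageSize = 500        # paged results, so large result sets are not cut off at the server limit
$search.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
```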

Create local user with PowerShell (Windows Vista)

I've installed PowerShell recently and one of the first things I started looking for was how to create a new user. After looking for some time I still haven't found this.
I have a little experience in bash on linux and find it very effective. Creating users there is trivial.
Is there an easy\built-in way to create a local user with PowerShell?
Thank you.
You can use the localhost's ADSI:
function create-account ([string]$accountName = "testuser") {
    $hostname = hostname
    $comp = [adsi] "WinNT://$hostname"
    $user = $comp.Create("User", $accountName)
    $user.SetPassword("Password1")
    $user.SetInfo()
}
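An added example, not from the answer above, using the same WinNT ADSI provider but without the hard-coded password: the password is prompted as a SecureString, the account is flagged to change it at first logon, a duplicate name is rejected up front, and the account is placed in Users only. The account name is a placeholder.

```powershell
# Added example, not from the original answer. Creates a local account through the WinNT
# ADSI provider with a prompted password, forced change at first logon, and membership in
# Users only. The account name passed at the bottom is a placeholder.
function New-LocalUserAdsi {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][System.Security.SecureString]$Password,
        [string]$Description = 'Created via ADSI'
    )
    $computerPath = "WinNT://$env:COMPUTERNAME"
    if ([ADSI]::Exists("$computerPath/$AccountName,user")) {
        throw "Local account '$AccountName' already exists"
    }

    $computer = [ADSI]$computerPath
    $user = $computer.Create('User', $AccountName)
    # Decrypt the SecureString only for the single call that needs plaintext
    $plain = (New-Object System.Management.Automation.PSCredential($AccountName, $Password)).GetNetworkCredential().Password
    $user.SetPassword($plain)
    $user.SetInfo()                          # the object must exist before other attributes can be set
    $plain = $null

    $user.Put('Description', $Description)
    $user.Put('PasswordExpired', 1)           # user must change the password at next logon
    $user.SetInfo()

    # Membership: Users only. Local admin rights are a separate, deliberate decision.
    $usersGroup = [ADSI]"$computerPath/Users,group"
    $usersGroup.Add($user.psbase.Path)
    return $user.psbase.Path
}

$pw = Read-Host -Prompt 'Initial password' -AsSecureString
New-LocalUserAdsi -AccountName 'svc-backup-test' -Password $pw    # placeholder account name
```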
You can also use
net user /add
This command isn't limited to PowerShell.