get-adgroup -filter "SID -like '*-512'" - powershell

I have been wanting to figure out how to use -filter to get what I want. What I am trying to do is find the Domain Admins group by a -like statement of *-512 against the SID property using the following:
get-adgroup -filter "SID -like '*-512'"
It works if I put the actual SID
get-adgroup -filter "SID -eq 'S-1-5-21domain-512'"
I know doing it this way will work
get-adgroup -filter * | ? {$_.SID -like '*-512'}
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

As BenH comments, you cannot partially filter on SIDs in LDAP queries, because of the way SID values are stored in the directory. The SID string you see is an SDDL representation of an underlying byte array.
I assume your motivation for attempting wildcard matching against a well-known RID is that you don't know the domain SID in advance. You can easily obtain that with the Get-ADDomain cmdlet:
$DomainSID = (Get-ADDomain).DomainSID
$DomainAdminsSid = New-Object System.Security.Principal.SecurityIdentifier ([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid,$DomainSID)
Get-ADGroup -Filter {SID -eq $DomainAdminsSid}

Related

Replacing a string with a variable in Get-ADGroup

I'm trying to use PowerShell to search AD for Group Names.
Why don't either of these work, the param or the Read-Host? Both are passing strings, but the results are empty. However, if I replace the variable $ADGroup in the command with an actual Group Name (a string) and run the command Get-ADGroup... results are provided as expected. I tried to replace the double quotes with single quotes and I get the same results, the command works alone but neither Read-Host or param provide information. I can't figure out why the string isn't being passed when it's a variable ($ADGroup). Thanks.
param(
[Parameter(Mandatory=$true)]
[string]$ADGroup
)
# One or the other param or Read-Host
$ADGroup = Read-Host "Enter Group Name"
PS \> Get-ADGroup -Filter {name -like "*$ADGroup*"} -Properties * | Select-Object -Property Name
Get-ADGroup -Filter {name -like '*GroupName*'} -Properties * | Select-Object -Property Name
Name
----
Results
Results
Results
Results
Results
This is one of the reasons why using a script block based filter (-Filter {...}) on the cmdlets of the ActiveDirectory Module is not recommended.
The -Filter on the Parameter section of the Get-* cmdlets from ActiveDirectory Module states the following:
-Filter
Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value.
Query String:
Get-ADGroup -Filter "name -like '*$ADGroup*'"
LDAP Query String:
Get-ADGroup -LDAPFilter "(name=*$ADGroup*)"
Recommended Documentations for efficient Filtering:
about_ActiveDirectory_Filter
Active Directory: LDAP Syntax Filters
Note: Worth mentioning, when querying Active Directory you will want to retrieve only the needed attributes from the AD Objects, specially when querying big Domains / Forests. Using -Properties * is a bad practice and also very inefficient, this will slow down your query as it is retrieving all available attributes of the objects being queried.
maybe it doesn't recognize it as a string or the filter is not correct.
param(
[Parameter(Mandatory=$true)]
[string]$ADGroup
)
#one or the other param or read-host
$ADGroup = Read-Host "enter group name"
$ADGroup = $ADGroup.ToString()
Get-ADGroup -Filter {name -like "*$ADGroup*"} -Properties * | select -Property Name
or this should do it..
$ADGroup = $ADGroup.ToString()
Get-ADGroup -Filter {name -like "*$ADGroup*"} -Properties * | Select-Object -expandProperty Name

Powershell change multiple users AD properties

Still learning Powershell for AD and i have one question that is bothering me. Have to change AD properties for multiple users in AD within specific location, for example we have in same OU people from Berlin and from Washington, and cities are set in each profile, but im wondering if i need to get also properties before changing address for one of those locations like this
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' -Properties StreetAddress, PostalCode | % {Set-ADUser $_ -Replace #{StreetAddress="New street 11";PostalCode="221202XX"}}
or if it would work also without doing -Properties and just pipe filter City results to Set-ADUser
Thank you.
You do not need to specify -Properties unless you want to see them in the output. You also don't need the foreach, simply piping to Set-ADUser is sufficient.
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' |
Set-ADUser $_ -Replace #{StreetAddress="New street 11";PostalCode="221202XX"}
This will update those values just fine. The same is true for filtering. The following command will filter on the postalcode but it will not be included in the output unless you add -Properties postalcode
Get-ADUser -Filter "PostalCode -eq '221202XX'"
Thank you for answer, i have left out -Properties and that seems fine, also tried but this won't work without foreach as i guess Set-ADUser does not know which of those users that are filtered out needs to be updated. So i had to use
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' | % {Set-ADUser $_ -Replace #{StreetAddress="New street 11";PostalCode="221202XX"}}
while if i use without foreach
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' | Set-ADUser $_ -Replace #{StreetAddress="New street 11";PostalCode="221202XX"}
i get error
Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the
argument, and then try running the command again.
but anyway, seems to be OK without -Properties which was my main concern

Combining PowerShell Commands

I've written two scripts that give me the independent output that I need, but am not sure how to put them together to give me the combined output.
Returns the count of all of the active users in a particular OU
(Get-ADUser -searchbase "OU=OU, DC=domain, DC=com" -filter * |Where {$_.enabled -eq "True"}).count
Returns the OU's underneath the same above OU that have "string" in the description property.
Get-ADOrganizationalUnit -searchbase "OU=OU, DC=domain, DC=com" -filter * -Properties description | where {$_.description -eq "string"}
What I'm trying to accomplish is for the script to give me a count of all of the active users underneath the OU's that have "string" in the description property.
I think this is the easiest way to achieve your goal
$OUs = Get-ADOrganizationalUnit -searchbase "OU=OU, DC=domain, DC=com" -filter * -Properties description | where {$_.description -eq "string"}
ForEach ($OU in $OUs) {
$count = (Get-ADUser -searchbase $OU -filter * | Where {$_.enabled -eq "True"}).count
Write-Host "OU $OU has $count users"
}
the result will be
OU OU=foo,DC=domain,DC=com has 6 users
OU OU=Computers,OU=foo,DC=domain,DC=com has 0 users
OU OU=Users,OU=foo,DC=domain,DC=com has 6 users
OU OU=Groups,OU=foo,DC=domain,DC=com has 0 users
Sergio Tanaka's helpful answer works well; let me complement it with a performance improvement:
You can greatly speed up your command by filtering at the source, by passing the filter criterion as a -Filter argument instead of retrieving all objects first and then filtering them with a separate Where-Object call:
Get-ADOrganizationalUnit -SearchBase 'OU=OU, DC=domain, DC=com' `
-Filter 'Description -eq "string"' -Properties description | #`
ForEach-Object {
$count = (Get-ADUser -SearchBase $_ -Filter 'Enabled -eq $true').Count
}
Note that the -Filter-string syntax of the AD cmdlets resembles PowerShell code, but it differs in many important ways - see Get-Help about_ActiveDirectory_Filter
The general advantages of using -Filter:
On a general note, the same performance improvement can be had with cmdlets for other PowerShell data providers, such as the one for the filesystem (e.g., Get-ChildItem), if they support a -Filter parameter:
A -Filter string is applied at the data source, which means that PowerShell only receives the result of the filtering.
Since providers are are implemented in compiled code (and they have access to lower-level internals), this generally makes for much better performance; additionally, in remoting scenarios performance improves by simply having to transfer less data over the network.
Note that -Filter parameters are always strings with provider-specific syntax, so you must consult the relevant provider/cmdlet documentation.

List all OU with Users

I'm searching a way in PowerShell to list all OU with Users in it.
I tried something with Get-ADUser or Get-ADOrganizationalUnit but it doesn't really work.
One approach would be to get all of the OU's and check to see if they contain any users via -SearchBase. Filter them out with a Where-Object clause
Get-ADOrganizationalUnit -Filter * |
Where-Object {(Get-ADUser -SearchBase $_.DistinguishedName -Filter *).Count -gt 0} |
Select-Object -ExpandProperty DistinguishedName
Simply pull the OU from each user object. Then find unique values.
Get-ADUser -Filter * |
ForEach-Object {$_.DistinguishedName -replace '(^.*?)(OU=.*)','$2'} |
Sort-Object -Unique
Note: this makes the assumption that you are not storing user objects in Containers rather than OUs

How can I compare CSV to AD users and disable users not in CSV?

As a process to disable users, I have a CSV where users are identified by employeeID and not username. I need to loop through and compare the CSV to AD users, and any AD user not in the CSV needs to be disabled. This is what I have so far, but it's not working. I'll admit I'm still fairly new to powershell scripting, so any help would be much appreciated.
Import-Module ActiveDirectory
Import-Csv -Path c:\ADTerm.csv | foreach {Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Identity $_.employeeID} | Where {$_ -ne $null} | Disable-ADAccount -Identity $_.employeeID
I cant really fit this all in a comment without it looking horrible so lets start with this.
You are combining -Filter and -Identity which most likely wont net the results you are looking for. Use Identity to get one specific user or filter to get one to many. Looking at TechNet for Get-AdUser you will see Identity only matches values to:
DistinguishedName
objectGUID
objectSid
sAMAccountName
In that regard I see you have a column for EmployeeID. I'm guessing that those are not SamAccountName which is one of the values that -Identity supports. I feel that you could do with the following changes.
$IDs = Import-Csv -Path c:\ADTerm.csv | Select-object -ExpandProperty EmployeeID
Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Properties EmployeeID |
Where-Object{$_.EmployeeID -and ($IDs -notcontains $_.EmployeeID)} | Disable-ADAccount
Update the get-aduser to get all users in that OU. Get-Aduser does not return the EmployeeID by default so we use -Properties to specify it. Filter all those users that have employeeID but not one in the list. Disable-ADAccount will take the output of Get-AdUser nicely so there is not need to specify the account again.
Depending you might be storing this value as EmployeeNumber in AD. This is also dependent on your having a csv file with a column for EmployeeNumber