My code:
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description | where {$_.Description -Notlike "Services User"} | select Name
I tried the code above and it still displays both accounts. So I have users with 2 accounts. One account being a regular account and one being a services account. I only want to display the regular account.
Your code looks fine, and works for me (with changed account variable). That means you should check the account and the "Services User". Break down the pipeline step-by-step to verify things work.
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description
This should output the two accounts, along with their description as headers. According to your errors, this part is working well so you probably don't even need to check it.
However, it still may be good to do to check that the "Description" property looks fine:
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description | select Description
If those match what you have written, then add the next element to the pipeline:
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description | where {$_.Description -Notlike "Services User"}
For this part, it is more important to see what it outputs. From what you are saying, this will output both accounts, but this is not what you want. The most likely case is that "Services User" is not exactly the description of your other account. Compare it to the output of the snippet above this one.
I hope this helps, it's just classic debugging. You could also use something like the DistinguishedName property to compare the two accounts, it might be more reliable than the description (which is not a mandatory property).
Maybe you should use another switch. Instead of using -notlike, you should use -ne or -eq:
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description | where {$_.Description -ne "Services User"} | select Name
Or:
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description | where {$_.Description -eq "regular account"} | select Name
Of course, when you use the above switches you must check the string in the description. It must be equal to the string in the where condition.
Interesting... It works when I add "*service*"
Thanks for summing up the issue guys.
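Why the original pattern kept both accounts and "*service*" did not, as an added example that is not part of the original thread. It uses constructed objects in place of Get-ADUser output so it runs without a domain; the helper name, SamAccountName values and descriptions are assumptions.

```powershell
# Constructed sample objects standing in for Get-ADUser output (no AD needed).
$accounts = @(
    [pscustomobject]@{ Name = 'James Kent'; SamAccountName = 'jkent';     Description = 'Regular account' }
    [pscustomobject]@{ Name = 'James Kent'; SamAccountName = 'svc-jkent'; Description = 'Services User - backup jobs' }
    [pscustomobject]@{ Name = 'James Kent'; SamAccountName = 'jkent2';    Description = $null }
)

function Test-DescriptionFilter {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [Parameter(Mandatory)][string]$Pattern
    )
    # Same test as the where {} block in the question, with the pattern as a parameter.
    $Users |
        Where-Object { $_.Description -notlike $Pattern } |
        Select-Object -ExpandProperty SamAccountName
}

# Without wildcards -notlike is an exact (case-insensitive) comparison, like -ne,
# so a description that merely contains "Services User" is not excluded.
Test-DescriptionFilter -Users $accounts -Pattern 'Services User'

# With wildcards on both sides the service account is dropped.
Test-DescriptionFilter -Users $accounts -Pattern '*service*'

# In both calls the account with no description passes the filter, because an
# empty value never matches the pattern. A service account whose description
# was left blank would therefore be reported as a regular account.
```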
Still learning PowerShell for AD and I have one question that is bothering me. I have to change AD properties for multiple users in AD within a specific location. For example, we have people from Berlin and from Washington in the same OU, and cities are set in each profile, but I'm wondering if I also need to get the properties before changing the address for one of those locations, like this
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' -Properties StreetAddress, PostalCode | % {Set-ADUser $_ -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}}
or if it would work also without doing -Properties and just pipe filter City results to Set-ADUser
Thank you.
You do not need to specify -Properties unless you want to see them in the output. You also don't need the foreach, simply piping to Set-ADUser is sufficient.
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' |
Set-ADUser -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}
This will update those values just fine. The same is true for filtering. The following command will filter on the postalcode but it will not be included in the output unless you add -Properties postalcode
Get-ADUser -Filter "PostalCode -eq '221202XX'"
Thank you for the answer. I have left out -Properties and that seems fine. I also tried, but this won't work without foreach, as I guess Set-ADUser does not know which of those users that are filtered out needs to be updated. So I had to use
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' | % {Set-ADUser $_ -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}}
while if I use it without foreach
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' | Set-ADUser $_ -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}
I get this error
Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the
argument, and then try running the command again.
But anyway, it seems to be OK without -Properties, which was my main concern.
I am new to PowerShell and I am trying to get a list of Active Directory items that start with the same naming convention. For example, I have a number of groups beginning with "ABC_Group1", "ABC_Group2", "ABC_Group3".
I know that:
get-adgroup "ABC_Group1"
will list that specific group
get-adgroup -filter * | sort name | select Name
will list all the groups, but I don't know how to filter to find just the specific groups that start with "ABC_"
I then want to list its members.
You can use Wildcard search with Where condition. In the newer PS version, the where clause can be used as Filter
Import-Module ActiveDirectory
Get-ADGroup -Filter {Name -like 'ABC_*'} -Properties * | select -property SamAccountName,Name,Description,DistinguishedName,CanonicalName,GroupCategory,GroupScope,whenCreated
Since the OP asked to get the members of the group as well, here is the piece of code which will help you:
Get-ADGroup -Filter {Name -like 'ABC_*'} -SearchBase "DC=YourDC" | Get-ADGroupMember -Partition "DC=YourDC"
OR
Get-ADGroup 'Group Name' -Properties Member | Select-Object -ExpandProperty Member
OR use Dot notation:
(Get-ADGroup 'Group Name' -Properties Member).Member
Hope this helps.
I've done some research and played around with the code and it turns out,
Get-ADGroup -Filter "name -like '*ABC_*'" | sort name
lists all the groups that have "ABC_"
However, this also means it will list directories such as "Group_ABC_". However, I only want to list directories that START with "ABC_"
Well, wouldn't it be enough to just remove the "*" in front of the ABC?
So '*ABC_*' would turn into 'ABC_*' and therefore be
Get-ADGroup -Filter "name -like 'ABC_*'" | sort name
I highly recommend you to read yourself into Regular Expressions. You won't need it for this task, but it can make your life so much easier regarding pattern matching in strings and similar cases.
I would like to extract a username from AD using Get-ADUser. The issue I'm having is when using sAMAccountName as a filter, I get multiple results if the value is found in multiple entries. To illustrate, if my samaccountname is 'a123b', and my coworker's is 'c1234d', I get both our names when I run this:
get-aduser -ldapFilter "(samaccountname=*123*)"| select Name
I would like to return only my information based on '123' and not '1234'
I've already tried the following as well to no avail:
get-aduser -Filter "samaccountname -like '*123*'" | select Name
You can narrow it down with a regular expression:
$filter = "[a-zA-Z]123[a-zA-Z]"
Get-ADUser -Filter "samaccountname -like '*123*'" | where { $_.samaccountname -match $filter} | select name
$filter is a simple regex pattern looking for 123 surrounded by letters (uppercase or lowercase)
-match is the operator that allows a regex comparison
When using a partial SamAccountName in a Filter or LDAPFilter, it is more than likely to get multiple results.
To test and return a specific user account, you need the filter to be more specific if possible (depends on what policies your environment uses for accountnames), like
Get-ADUser -Filter "SamAccountName -like 'a123*'" | Select-Object Name
or use an extra Where-Object clause to narrow down the results by some other user property like the firstname for instance:
Get-ADUser -Filter "SamAccountName -like '*123*'" | Where-Object { $_.GivenName -eq 'John' } | Select-Object Name
Mind you, the above examples can still return multiple user objects..
If you have it, the absolute sure way of retrieving a single user object is by using the DistinguishedName of that user and getting the object by using the -Identity parameter. See Get-ADUser
P.S.:
When using the -like operator or an LDAPFilter, use wildcard characters on the parts of the name that can vary.
Since you can't use regex in the LDAP query, you could use a query like this to tell it to find user accounts that contain 123 but not with a fourth digit:
(&(objectClass=user)(samaccountname=*123*)(!samaccountname=*1231*)(!samaccountname=*1232*)(!samaccountname=*1233*)(!samaccountname=*1234*)(!samaccountname=*1235*)(!samaccountname=*1236*)(!samaccountname=*1237*)(!samaccountname=*1238*)(!samaccountname=*1239*)(!samaccountname=*1230*))
It's ugly, but it works.
Note that, if you have a filter that starts with a wildcard, the index for that attribute cannot be used, so it will have to look at every account to find a match. I added a filter for objectClass, since that is indexed and it will ensure it only looks at user objects.
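The two approaches from the answers above (a server-side LDAP filter and a client-side regex), generalized here so that an extra digit on either side of the run is excluded; this is an added example, not code from the original posts. The function names and the sample account names are assumptions, and the generated filter uses the RFC 4515 `(!(...))` form of negation.

```powershell
function New-ExactDigitRunLdapFilter {
    param(
        # Digits only: nothing that needs LDAP filter escaping can get in.
        [Parameter(Mandatory)][ValidatePattern('^\d+$')][string]$Digits
    )
    # One negated clause per possible extra digit, after and before the run.
    $clauses = foreach ($d in 0..9) {
        "(!(sAMAccountName=*$Digits$d*))"
        "(!(sAMAccountName=*$d$Digits*))"
    }
    # objectClass is indexed; the leading-wildcard clauses are not.
    "(&(objectClass=user)(sAMAccountName=*$Digits*)$(-join $clauses))"
}

function Select-ExactDigitRun {
    param(
        [Parameter(Mandatory)][string[]]$Names,
        [Parameter(Mandatory)][ValidatePattern('^\d+$')][string]$Digits
    )
    # Lookarounds: the run must not be preceded or followed by another digit.
    # Unlike [a-zA-Z]123[a-zA-Z], this also accepts names that start or end with the run.
    $pattern = '(?<!\d)' + $Digits + '(?!\d)'
    $Names | Where-Object { $_ -match $pattern }
}

# Constructed sample names; in practice these would be the SamAccountName
# values returned by Get-ADUser -Filter "samaccountname -like '*123*'".
$sample = 'a123b', 'c1234d', 'x0123y', '123z', 'q123'

Select-ExactDigitRun -Names $sample -Digits '123'

# Filter string that can be passed to Get-ADUser -LDAPFilter.
New-ExactDigitRunLdapFilter -Digits '123'
```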
Is it possible to modify a ADProperty within a filter?
The use I want it for is to be able to check if there already is a user with a certain name in a specific OU.
Something like this:
$ou="HQOffice"
Get-ADUser -Properties Displayname -Filter {Displayname -eq "Major Minor" -and (DistinguishedName).split(',')[2].split('=')[1] -eq $ou}
I want to use the Get-ADUser cmdlet to determine whose accounts are disabled.
The "Description" attribute in any user's account is not showing up.
Is it only the attributes that you get when you do Get-ADUser [username], as listed here:
DistinguishedName
Enabled
GivenName
Name
ObjectClass
ObjectGUID
SamAccountName
SID
Surname
UserPrincipalName
We list the employeeID number in the description of the user account and that's helpful when we have duplicate names and need to figure out who's who. The command I'm using is:
Get-ADUser -SearchBase "OU=ou,OU=ou,OU=ou,DC=dc,DC=dc,DC=dc" -Filter {Enabled -eq $false} | FT SamAccountName,Name,Description
and the results for one person would look like this:
SamAccountName Name Description
------------------------- -------- ---------------
john.doe John Doe
Just a blank spot, not even <> like if you listed something that doesn't exist.
That tells me the PowerShell command acknowledges the attribute exists, it just won't grab it from the AD account's info.
Sounds like it is not one of the default properties that get-aduser displays. Hence in order to get this information you have to explicitly tell it to display the description property. Hence:
Get-ADUser -Properties description -SearchBase "OU=ou,OU=ou,OU=ou,DC=dc,DC=dc,DC=dc" -Filter {Enabled -eq $false} | FT SamAccountName,Name,Description