Powershell Get-ADUser split filter - powershell

Is it possible to modify an AD property within a filter?
The use I want it for is to be able to check if there already is a user with a certain name in a specific OU.
Something like this:
$ou="HQOffice"
Get-ADUser -Properties Displayname -Filter {Displayname -eq "Major Minor" -and (DistinguishedName).split(',')[2].split('=')[1] -eq $ou}

Related

Powershell change multiple users AD properties

Still learning PowerShell for AD and I have one question that is bothering me. I have to change AD properties for multiple users in AD within a specific location. For example, we have in the same OU people from Berlin and from Washington, and cities are set in each profile, but I'm wondering if I need to also get the properties before changing the address for one of those locations, like this
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' -Properties StreetAddress, PostalCode | % {Set-ADUser $_ -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}}
or if it would also work without -Properties, just piping the filtered City results to Set-ADUser.
Thank you.
You do not need to specify -Properties unless you want to see them in the output. You also don't need the foreach, simply piping to Set-ADUser is sufficient.
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' |
Set-ADUser -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}
This will update those values just fine. The same is true for filtering. The following command will filter on the postalcode but it will not be included in the output unless you add -Properties postalcode
Get-ADUser -Filter "PostalCode -eq '221202XX'"
Thank you for the answer. I have left out -Properties and that seems fine. I also tried, but this won't work without foreach, as I guess Set-ADUser does not know which of those filtered users needs to be updated. So I had to use
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' | % {Set-ADUser $_ -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}}
while if I use it without foreach
Get-ADUser -filter 'City -like "Berlin"' -SearchBase 'OU=Users,OU=Staff,DC=Contoso,DC=com' | Set-ADUser $_ -Replace @{StreetAddress="New street 11";PostalCode="221202XX"}
I get the error
Set-ADUser : Cannot validate argument on parameter 'Identity'. The argument is null. Provide a valid value for the
argument, and then try running the command again.
But anyway, it seems to be OK without -Properties, which was my main concern.
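Worked example added here (not from the thread) of the pipeline the answer describes, with a preview run and a post-change check; the OU, city and attribute values are the placeholders from the question.

```powershell
# Added example: update StreetAddress/PostalCode for users in one OU whose City is Berlin
# by piping Get-ADUser straight into Set-ADUser. OU and values are placeholders.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,OU=Staff,DC=Contoso,DC=com'
$newValues  = @{ StreetAddress = 'New street 11'; PostalCode = '221202XX' }

# -Properties is only needed so the old values can be logged before the change;
# Set-ADUser itself does not need them to be present on the piped object.
$targets = Get-ADUser -Filter 'City -eq "Berlin"' -SearchBase $searchBase `
                      -Properties City, StreetAddress, PostalCode

"Matched $(@($targets).Count) user(s) in $searchBase"
$targets | Select-Object SamAccountName, City, StreetAddress, PostalCode

# Set-ADUser binds the piped ADUser object to -Identity by itself. Do not write "$_"
# here: outside a script block $_ is empty, which produces the "argument is null"
# error on -Identity seen in the thread. -WhatIf previews the change; remove it
# once the preview shows the expected accounts.
$targets | Set-ADUser -Replace $newValues -WhatIf

# Verify afterwards: these attributes only appear in the output when requested.
$targets | Get-ADUser -Properties StreetAddress, PostalCode |
    Select-Object SamAccountName, StreetAddress, PostalCode
```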

get-adgroup -filter "SID -like '*-512'"

I have been wanting to figure out how to use -filter to get what I want. What I am trying to do is find the Domain Admins group by a -like statement of *-512 against the SID property using the following:
get-adgroup -filter "SID -like '*-512'"
It works if I put the actual SID
get-adgroup -filter "SID -eq 'S-1-5-21domain-512'"
I know doing it this way will work
get-adgroup -filter * | ? {$_.SID -like '*-512'}
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
As BenH comments, you cannot partially filter on SIDs in LDAP queries, because of the way SID values are stored in the directory. The SID string you see is an SDDL representation of an underlying byte array.
I assume your motivation for attempting wildcard matching against a well-known RID is that you don't know the domain SID in advance. You can easily obtain that with the Get-ADDomain cmdlet:
$DomainSID = (Get-ADDomain).DomainSID
$DomainAdminsSid = New-Object System.Security.Principal.SecurityIdentifier ([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid,$DomainSID)
Get-ADGroup -Filter {SID -eq $DomainAdminsSid}
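Added example (not part of the answer) that generalises the same idea to several well-known privileged groups and lists their member counts, which is the usual reason for wanting the Domain Admins group by RID in the first place; Enterprise Admins and Schema Admins exist only in the forest root domain, so the script warns rather than fails when a group is absent.

```powershell
# Added example: build the SIDs of well-known privileged groups from the domain SID
# and enumerate their members. RIDs in comments are from Microsoft's well-known SID list.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID

$wellKnown = [ordered]@{
    'Domain Admins'     = [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid     # -512
    'Enterprise Admins' = [System.Security.Principal.WellKnownSidType]::AccountEnterpriseAdminsSid # -519 (forest root only)
    'Schema Admins'     = [System.Security.Principal.WellKnownSidType]::AccountSchemaAdminsSid     # -518 (forest root only)
}

foreach ($name in $wellKnown.Keys) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $wellKnown[$name], $domainSid

    # Exact -eq works because the filter value is a complete SID, not a wildcard pattern.
    $group = Get-ADGroup -Filter { SID -eq $sid }
    if (-not $group) { Write-Warning "$name ($sid) not found in this domain"; continue }

    # -Recursive expands nested groups, so indirect members are counted as well.
    $members = Get-ADGroupMember -Identity $group -Recursive
    '{0,-18} {1,-50} members: {2}' -f $name, $group.DistinguishedName, @($members).Count
}
```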

How to select only valid users via Powershell.

I need to create a CSV file containing all my users from AD. I'll be creating GSuite addresses for each user from this domain. Google needs only their name, surname, email address and password. I will compose the mail like this: [first letter of the name and surname]@mydomain.com. The only problem I have is with PowerShell. I'm trying to use the Select-ADuser cmdlet to get this job done. This is my basic query:
Get-AdUser -Server $server -filter {(ObjectClass -eq "user") -and (enabled -eq $true)}
It returns the users I want but with things I don't need like "HealthMailbox". My domain follows the AGDLP rules so it shouldn't be that hard to retrieve the users. The only question is how can I specify the OU I want to retrieve my users from?
The only question is how can I specify the OU I want to retrieve my users from?
Use the SearchBase parameter:
Get-ADUser -SearchBase 'OU=ActualUsers,DC=domain,DC=tld' -Filter {(ObjectClass -eq "user") -and (enabled -eq $true)} -Server $server

How can I compare CSV to AD users and disable users not in CSV?

As a process to disable users, I have a CSV where users are identified by employeeID and not username. I need to loop through and compare the CSV to AD users, and any AD user not in the CSV needs to be disabled. This is what I have so far, but it's not working. I'll admit I'm still fairly new to PowerShell scripting, so any help would be much appreciated.
Import-Module ActiveDirectory
Import-Csv -Path c:\ADTerm.csv | foreach {Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Identity $_.employeeID} | Where {$_ -ne $null} | Disable-ADAccount -Identity $_.employeeID
I can't really fit this all in a comment without it looking horrible, so let's start with this.
You are combining -Filter and -Identity, which most likely won't net the results you are looking for. Use -Identity to get one specific user, or -Filter to get one to many. Looking at TechNet for Get-ADUser you will see -Identity only matches values to:
DistinguishedName
objectGUID
objectSid
sAMAccountName
In that regard I see you have a column for EmployeeID. I'm guessing that those are not SamAccountName which is one of the values that -Identity supports. I feel that you could do with the following changes.
$IDs = Import-Csv -Path c:\ADTerm.csv | Select-object -ExpandProperty EmployeeID
Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Properties EmployeeID |
Where-Object{$_.EmployeeID -and ($IDs -notcontains $_.EmployeeID)} | Disable-ADAccount
Update the Get-ADUser to get all users in that OU. Get-ADUser does not return the EmployeeID by default, so we use -Properties to specify it. Filter all those users that have an EmployeeID but not one in the list. Disable-ADAccount will take the output of Get-ADUser nicely, so there is no need to specify the account again.
Depending on your setup, you might be storing this value as EmployeeNumber in AD. This is also dependent on your having a CSV file with a column for EmployeeNumber.
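Added example (not the answerer's code) of the same CSV-versus-OU comparison with the guards I would want before a script that disables accounts: an empty or malformed CSV must not turn into "disable everyone", and the run is previewed and recorded. Paths, OU and the EmployeeID column name are the thread's placeholders.

```powershell
# Added example: disable enabled accounts in an OU whose EmployeeID is not in the CSV,
# with guards against the failure modes that make this kind of script dangerous.
Import-Module ActiveDirectory

$csvPath    = 'C:\ADTerm.csv'            # placeholder from the question
$searchBase = 'OU=Test,OU=Logins,DC=domain,DC=com'
$auditPath  = 'C:\ADTerm-disabled.csv'   # placeholder: record of what was disabled

# Guard 1: an empty, missing or wrongly-named column must abort, not disable everyone.
$ids = Import-Csv -Path $csvPath | Select-Object -ExpandProperty EmployeeID |
       Where-Object { $_ } | ForEach-Object { $_.Trim() }
if (-not $ids) { throw "No EmployeeID values read from $csvPath; refusing to continue." }

# HashSet gives case-insensitive O(1) lookups instead of -notcontains over a large array.
$keep = [System.Collections.Generic.HashSet[string]]::new([string[]]$ids, [StringComparer]::OrdinalIgnoreCase)

# Guard 2: only enabled accounts that actually carry an EmployeeID are candidates;
# accounts without one are reported instead of being silently disabled or ignored.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties EmployeeID
$noId  = $users | Where-Object { -not $_.EmployeeID }
$stale = $users | Where-Object { $_.EmployeeID -and -not $keep.Contains($_.EmployeeID) }

"Enabled: $(@($users).Count)  without EmployeeID: $(@($noId).Count)  to disable: $(@($stale).Count)"

# Guard 3: a sanity threshold; a truncated HR export should not take out most of the OU.
if (@($users).Count -gt 0 -and (@($stale).Count / @($users).Count) -gt 0.25) {
    throw 'More than 25% of the OU would be disabled; check the CSV before running.'
}

# Disable-ADAccount takes the ADUser object from the pipeline; keep an audit record and
# preview with -WhatIf, then drop -WhatIf for the real run.
$stale | Select-Object SamAccountName, EmployeeID | Export-Csv -Path $auditPath -NoTypeInformation
$stale | Disable-ADAccount -WhatIf
```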

How to get all the users with Admincount=1 that are not in built-in privileged groups?

I'm trying to get all members that have the Admincount=1 attribute, and are not part of any of the built-in privileged groups. I'm just not sure how to do the part with the built-in privileged groups.
Here is what I've tried:
Connect-QADService -Service *****.org | Out-Null
$Domains = "*****.org","*****.org","*****.org","*****.org","*****.org"
foreach ($Domain in $Domains) {
    $Users = Get-QADUser -SizeLimit 0 -SearchRoot "$Domain/" -LDAPFilter "(admincount=1)" |
        Where-Object { ($_.AccountIsDisabled -eq $False) -and ($_.AllMemberOf -ne "*,CN=Builtin,*") }
}
I don't have the Quest cmdlets, but it should be easy to assume that AllMemberOf is an array. A couple of points about using -eq or -ne in this case: they don't use wildcards, and you are comparing a string to an array. The point being that this is not the way you would make that comparison. Using the ActiveDirectory cmdlets, if that is an option for you, you could do this.
Get-ADuser -LDAPFilter "(admincount=1)" -Properties memberof | Where-Object{(($_.Memberof -join "") -notmatch "cn=builtin") -and $_.Enabled}
Since it looks like you are excluding users if they are in a builtin group we just join all the groups into one big string and test for a match.
Also I would heed Mjolinor's advice. It has never steered me wrong yet.
I noticed that AllMemberOf is supposed to be good for getting membership from other domains since Memberof does not have this information. I can't test this but updating your code would give you something like this:
$Users = Get-QADUser -SizeLimit 0 -SearchRoot "$Domain/" -LDAPFilter "(admincount=1)" |
    Where-Object { (-not $_.AccountIsDisabled) -and (($_.AllMemberOf -join "") -notmatch "CN=Builtin") }
If you just change them all to 0, within an hour the AdminSDHolder process will change all of them that are a member of a protected group back to 1.
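Added example (not from the answers) that finds adminCount=1 users who are no longer members of any protected group by expanding the protected groups' membership recursively; it uses the ActiveDirectory module rather than the Quest cmdlets, and identifies protected groups by the adminCount=1 stamp AdminSDHolder itself leaves on them, which also catches Domain Admins under CN=Users rather than only the Builtin container.

```powershell
# Added example: enabled users with adminCount=1 that are not (directly or via nesting)
# members of any AdminSDHolder-protected group, i.e. stale adminCount stamps.
Import-Module ActiveDirectory

# Every group AdminSDHolder protects carries adminCount=1 on the group object; expand
# their membership recursively so nested admins are covered too.
$protectedGroups  = Get-ADGroup -LDAPFilter '(adminCount=1)'
$protectedMembers = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [void]$protectedMembers.Add($_.DistinguishedName) }
}

# Candidates: adminCount=1 users that are not disabled (userAccountControl bit 2),
# done in LDAP so disabled accounts such as krbtgt never leave the DC.
$flagged = Get-ADUser -LDAPFilter '(&(adminCount=1)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
                      -Properties adminCount, memberOf

$orphans = $flagged | Where-Object { -not $protectedMembers.Contains($_.DistinguishedName) }

'Protected groups: {0}  flagged users: {1}  stale adminCount=1: {2}' -f `
    @($protectedGroups).Count, @($flagged).Count, @($orphans).Count

# As the comment above notes, AdminSDHolder re-stamps accounts that are still protected
# but never clears the flag on ones that no longer are; these are the ones to review.
$orphans | Select-Object SamAccountName, DistinguishedName
```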