How to display "Description" attribute in any user's account? - powershell

I want to use the Get-ADUser cmdlet to determine whose accounts are disabled.
The "Description" attribute in any user's account is not showing up.
Is it only the attributes that you get when you do Get-ADUser [username], as listed here:
DistinguishedName
Enabled
GivenName
Name
ObjectClass
ObjectGUID
SamAccountName
SID
Surname
UserPrincipalName
We list the employeeID number in the description of the user account and that's helpful when we have duplicate names and need to figure out who's who. The command I'm using is:
Get-ADUser -SearchBase "OU=ou,OU=ou,OU=ou,DC=dc,DC=dc,DC=dc" -Filter {Enabled -eq $false} | FT SamAccountName,Name,Description
and the results for one person would look like this:
SamAccountName Name     Description
-------------- ----     -----------
john.doe       John Doe
Just a blank spot, not even <> like if you listed something that doesn't exist.
That tells me the PowerShell command acknowledges the attribute exists, just won't grab it from the AD account's info.

Sounds like it is not one of the default properties that Get-ADUser displays. Hence, in order to get this information, you have to explicitly tell it to display the description property. Hence:
Get-ADUser -Properties description -SearchBase "OU=ou,OU=ou,OU=ou,DC=dc,DC=dc,DC=dc" -Filter {Enabled -eq $false} | FT SamAccountName,Name,Description
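As an added example (not code from the original post), this builds on the answer for the asker's actual goal: list disabled accounts with their Description, then surface the duplicate display names that the Description (employeeID) is meant to disambiguate, and the accounts where that convention was not followed. The OU path is the question's placeholder.

```powershell
# Added example; assumes the employeeID is kept in the Description attribute,
# as the question states, and reuses the question's placeholder search base.
Import-Module ActiveDirectory

$searchBase = "OU=ou,OU=ou,OU=ou,DC=dc,DC=dc,DC=dc"

# Description is not in the default property set, so it must be requested.
$disabled = Get-ADUser -SearchBase $searchBase -Filter { Enabled -eq $false } `
    -Properties Description

# Disabled accounts with no Description at all: these cannot be told apart by
# employeeID and need a manual look.
$missingDescription = $disabled |
    Where-Object { [string]::IsNullOrWhiteSpace($_.Description) }

# Display names that occur more than once among the disabled accounts; the
# Description column is what distinguishes them.
$duplicates = $disabled |
    Group-Object -Property Name |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group } |
    Select-Object SamAccountName, Name, Description

$duplicates | Format-Table -AutoSize
"{0} disabled accounts have no Description set" -f @($missingDescription).Count
$missingDescription | Select-Object SamAccountName, Name | Format-Table -AutoSize
```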

Related

How to extract all users information from Active Directory

I need to bulk "download" every user we have on Active directory.
I need the email address, location etc.
I have been looking into the PowerShell command "Get-ADuser -Filter", however I need some help getting this to work.
See the documentation for Get-ADUser which has several examples as well.
If you want to retrieve every user, you can use an asterisk * with the Filter parameter. Otherwise, you can filter using a specific property.
You can specify which properties to return using the Properties parameter. By default, the cmdlet will only return a default set of properties, which are listed below:
DistinguishedName
Enabled
GivenName
Name
ObjectClass
ObjectGUID
SamAccountName
SID
Surname
UserPrincipalName
Example: Get every user with default property set
Get-ADUser -Filter *
Example: Get every enabled user with default property set
Get-ADUser -Filter 'enabled -eq $true'
Example: Get every user with specific properties
Get-ADUser -Filter * -Properties emailAddress,office,city
Example: Get every user with every property
Get-ADUser -Filter * -Properties *
Example: Get every user with every property and export as a CSV
Get-ADUser -Filter * -Properties * | Export-CSV -Path "C:\Temp\ADUsers.csv" -NoTypeInformation
Additional Info
Active Directory: Get-ADUser Default and Extended Properties

Get-ADUser -Properties not returning PasswordNeverExpires for all users

I am trying to list all users that have the PasswordNeverExpires flag set.
If I use
Get-ADUser
I get a list of all users in my domain, along with a load of default properties.
If I use
Get-ADUser -Filter * -Properties Name | Format-Table -Property Name -AutoSize
I also get a list of all usernames in my domain, as a table.
When I use
Get-ADUser -Filter * -Properties Name,PasswordNeverExpires | Format-Table -Property Name,PasswordNeverExpire
I get a table that contains a full list of usernames, but ONLY the following accounts have either True or False in the PasswordNeverExpires column
Guest
krbtgt
Administrator
SBSMonAcct
Network Administrator
<MyDomainAdminAccount>
SPSearch
<AnAdministratorAccountForOneOfOurSoftwareVendors>
<AnAccountThatWasCopiedFromTheDomainAdministratorAccount>
<AnotherAccountCopiedFromTheDomainAdministratorAccount>
All the other items/usernames in the table have empty/blank/non-existent values.
I have also tried
Get-ADUser -LDAPFilter "(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
but that only returns
<MyDomainAdminAccount>
SPSearch
Why is the PasswordNeverExpires flag not being picked up for all users? Thanks.
PasswordNeverExpires is calculated from the userAccountControl attribute.
Probably the fastest way to search for users that have that flag set is as follows:
Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=65536)" -Properties PasswordNeverExpires
See the documentation for more information on searching using a bitwise filter. 65536 (0x10000) corresponds to the ADS_UF_DONT_EXPIRE_PASSWD bit position, so this LDAP search filter searches only for accounts that have that flag set.
Hmm, your third line pulls the property "PasswordNeverExpires" but selects "PasswordNeverExpire". If this was just a typo in your question, then disregard this. If not, then there is your answer. :-)
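As an added example (not code from the original answer), this combines the bitwise LDAP filter from the answer with the "not disabled" test from the question, and turns the result into a review list: for each enabled account whose password never expires, how old that password is and when the account last logged on. The export path is an assumption.

```powershell
# Added example. userAccountControl bits used below:
#   2     = ACCOUNTDISABLE
#   65536 = DONT_EXPIRE_PASSWD (ADS_UF_DONT_EXPIRE_PASSWD)
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
Import-Module ActiveDirectory

$ldap = "(&(objectCategory=person)(objectClass=user)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
        "(userAccountControl:1.2.840.113556.1.4.803:=65536))"

# PasswordNeverExpires, PasswordLastSet and LastLogonDate are not in the
# default property set, so they are requested explicitly.
$report = Get-ADUser -LDAPFilter $ldap `
        -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet, LastLogonDate,
        @{ Name       = 'PasswordAgeDays'
           Expression = {
               if ($_.PasswordLastSet) {
                   (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days
               }
           } } |
    Sort-Object PasswordAgeDays -Descending

$report | Format-Table -AutoSize
# Assumed export location; the folder must exist.
$report | Export-Csv -Path "C:\Temp\PasswordNeverExpires.csv" -NoTypeInformation
```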

Set UPN of AD users from result of Get-AdUser

I have some users in AD that have the UPN address set like User#this.org. I want to change those users so their UPN looks like User#that.com.
I have written a PS line to find me such users:
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(userPrincipalName=*#this.org))" -SearchBase "OU=this,DC=that" | Select SamAccountName
But how do I update those users? I know about the Set-ADUser command, but I can't figure out how to feed the result of Get-ADUser into it.
Just pipe it to Set-ADUser:
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(userPrincipalName=*#this.org))" -SearchBase "OU=this,DC=that" | % {Set-ADUser $_ -UserPrincipalName "that"}
Just a heads up, use -WhatIf during testing before you crash your whole AD.
Explanation:
% - Alias for foreach
$_ - Equals each object of the foreach (each User found in the Get-ADuser)
-UserPrincipalName "that" - Set the UPN of the given User to that
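As an added example (not code from the original answer), this carries the answer's pipeline through to the UPN the question asks for: only the suffix is replaced, the user part is kept, and -WhatIf previews each change before anything is written. The suffixes and search base are the question's placeholders.

```powershell
# Added example; "#this.org", "#that.com" and the search base are placeholders
# taken from the question.
Import-Module ActiveDirectory

$oldSuffix  = "#this.org"
$newSuffix  = "#that.com"
$searchBase = "OU=this,DC=that"

$ldap = "(&(objectCategory=person)(objectClass=user)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
        "(userPrincipalName=*$oldSuffix))"

# Anchor the pattern to the end of the string so only a trailing suffix changes;
# [regex]::Escape protects the '.' in the suffix from being treated as a wildcard.
$pattern = [regex]::Escape($oldSuffix) + '$'

Get-ADUser -LDAPFilter $ldap -SearchBase $searchBase -Properties UserPrincipalName |
    ForEach-Object {
        $newUpn = $_.UserPrincipalName -replace $pattern, $newSuffix
        if ($newUpn -eq $_.UserPrincipalName) { return }   # nothing to change

        Write-Host ("{0}: {1} -> {2}" -f $_.SamAccountName, $_.UserPrincipalName, $newUpn)
        # -WhatIf only reports what would happen; remove it once the preview looks right.
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf
    }
```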

PowerShell - find name based on description

My code:
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description | where {$_.Description -Notlike "Services User"} | select Name
I tried the code above and it still displays both accounts. So I have users with 2 accounts: one being a regular account and one being a services account. I only want to display the regular account.
Your code looks fine, and works for me (with changed account variable). That means you should check the account and the "Services User". Break down the pipeline step-by-step to verify things work.
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description
This should output the two accounts, along with their description as headers. According to your errors, this part is working well so you probably don't even need to check it.
However, it still may be good to do to check that the "Description" property looks fine:
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description | select Description
If those match what you have written, then add the next element to the pipeline:
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description | where {$_.Description -Notlike "Services User"}
For this part, it is more important to see what it outputs. From what you are saying, this will output both accounts, but this is not what you want. The most likely case is that "Services User" is not exactly the description of your other account. Compare it to the output of the snippet above this one.
I hope this helps, it's just classic debugging. You could also use something like the DistinguishedName property to compare the two accounts, it might be more reliable than the description (which is not a mandatory property).
Maybe you should use another switch. Instead of using -notlike, you should use -ne or -eq:
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description | where {$_.Description -ne "Services User"} | select Name
Or:
Get-ADUser -Filter {Name -eq "James Kent"} -Properties Description | where {$_.Description -eq "regular account"} | select Name
Of course, when you use the above switches you must check the string in the description. It must be equal to the string in the where condition.
Interesting... It works when I add "*service*"
Thanks for summing up the issue guys.
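As an added example (not code from the thread), this runs offline on two constructed objects shaped like the two "James Kent" accounts and shows why the original -notlike "Services User" keeps both accounts while the wildcard form from the last comment does not, along with the DistinguishedName-style alternative the answer mentions.

```powershell
# Added example; the two accounts below are constructed, not real AD objects.
$accounts = @(
    [pscustomobject]@{ Name = 'James Kent'; SamAccountName = 'jkent'
                       Description = 'Regular user - Finance'
                       DistinguishedName = 'CN=James Kent,OU=Staff,DC=example,DC=local' }
    [pscustomobject]@{ Name = 'James Kent'; SamAccountName = 'svc-jkent'
                       Description = 'Services User Account'
                       DistinguishedName = 'CN=James Kent,OU=ServiceAccounts,DC=example,DC=local' }
)

function Select-RegularAccounts {
    param([object[]]$Users, [string]$Pattern)
    # -like / -notlike are wildcard matches against the whole string (case-insensitive).
    # Without '*', the pattern only matches a Description that is exactly that text,
    # so 'Services User' does not exclude 'Services User Account'.
    $Users | Where-Object { $_.Description -notlike $Pattern } | Select-Object SamAccountName
}

"Pattern 'Services User' (no wildcard): keeps both accounts"
Select-RegularAccounts -Users $accounts -Pattern 'Services User'

"Pattern '*Services*': excludes the service account"
Select-RegularAccounts -Users $accounts -Pattern '*Services*'

# -ne is an exact (case-insensitive) comparison and has the same pitfall.
"Using -ne 'Services User': keeps both accounts"
$accounts | Where-Object { $_.Description -ne 'Services User' } | Select-Object SamAccountName

# Description is optional free text; the account's location (DistinguishedName)
# is a more reliable discriminator when the OU layout separates service accounts.
"Using DistinguishedName:"
$accounts | Where-Object { $_.DistinguishedName -notlike '*,OU=ServiceAccounts,*' } |
    Select-Object SamAccountName
```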

How can I compare CSV to AD users and disable users not in CSV?

As a process to disable users, I have a CSV where users are identified by employeeID and not username. I need to loop through and compare the CSV to AD users, and any AD user not in the CSV needs to be disabled. This is what I have so far, but it's not working. I'll admit I'm still fairly new to PowerShell scripting, so any help would be much appreciated.
Import-Module ActiveDirectory
Import-Csv -Path c:\ADTerm.csv | foreach {Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Identity $_.employeeID} | Where {$_ -ne $null} | Disable-ADAccount -Identity $_.employeeID
I can't really fit this all in a comment without it looking horrible, so let's start with this.
You are combining -Filter and -Identity, which most likely won't net the results you are looking for. Use Identity to get one specific user or Filter to get one to many. Looking at TechNet for Get-ADUser you will see Identity only matches values to:
DistinguishedName
objectGUID
objectSid
sAMAccountName
In that regard, I see you have a column for EmployeeID. I'm guessing that those are not SamAccountNames, which is one of the values that -Identity supports. I feel that you could do with the following changes.
$IDs = Import-Csv -Path c:\ADTerm.csv | Select-object -ExpandProperty EmployeeID
Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Properties EmployeeID |
Where-Object{$_.EmployeeID -and ($IDs -notcontains $_.EmployeeID)} | Disable-ADAccount
Update the Get-ADUser to get all users in that OU. Get-ADUser does not return the EmployeeID by default, so we use -Properties to specify it. Filter all those users that have an employeeID but not one in the list. Disable-ADAccount will take the output of Get-ADUser nicely, so there is no need to specify the account again.
Depending on your environment, you might be storing this value as EmployeeNumber in AD. This is also dependent on your having a CSV file with a column for EmployeeNumber.
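As an added example (not code from the original answer), this keeps the answer's approach but adds the guards a bulk disable run needs: it refuses to run if the CSV yields no IDs (which would otherwise disable every account in the OU), records which accounts were selected, and previews with -WhatIf. The attribute name is a variable so EmployeeNumber can be substituted; paths and the OU are the question's placeholders.

```powershell
# Added example; paths and the OU are placeholders from the question.
Import-Module ActiveDirectory

$csvPath     = "c:\ADTerm.csv"
$searchBase  = "ou=Test,ou=Logins,dc=domain,dc=com"
$logPath     = "c:\ADTerm-selected.csv"     # assumed log location
$idAttribute = "EmployeeID"                 # use "EmployeeNumber" if that is where the ID lives

# IDs that must stay enabled; blanks and surrounding whitespace are dropped so a
# sloppy CSV does not silently fail to match.
$keepIDs = Import-Csv -Path $csvPath |
    Select-Object -ExpandProperty $idAttribute |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ }

# An empty file or a mis-named column would otherwise select every account.
if (@($keepIDs).Count -eq 0) {
    throw "No $idAttribute values read from $csvPath; refusing to disable anything."
}

# Only enabled accounts that carry an ID; accounts with no ID are left alone,
# as in the answer, because the CSV cannot say anything about them.
$targets = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $searchBase `
        -Properties $idAttribute |
    Where-Object { $_.$idAttribute -and ($keepIDs -notcontains $_.$idAttribute.Trim()) }

# Keep a record of what was selected before acting on it.
$targets | Select-Object SamAccountName, Name, $idAttribute, DistinguishedName |
    Export-Csv -Path $logPath -NoTypeInformation

"{0} accounts selected for disabling (see {1})" -f @($targets).Count, $logPath

# -WhatIf previews the change; remove it for the real run once the log looks right.
$targets | Disable-ADAccount -WhatIf
```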