How to select only valid users via Powershell. - powershell

I need to create a CSV file containing all my users from AD. I'll be creating G Suite addresses for each user from this domain. Google needs only their name, surname, email address and password. I will compose the mail like this: [first letter of the name and surname]@mydomain.com. The only problem I have is with PowerShell. I'm trying to use the Select-ADuser cmdlet to get this job done. This is my basic query:
Get-AdUser -Server $server -filter {(ObjectClass -eq "user") -and (enabled -eq $true)}
It returns the users I want but with things I don't need like "HealthMailbox". My domain follows the AGDLP rules so it shouldn't be that hard to retrieve the users. The only question is how I can specify the OU I want to retrieve my users from?

The only question is how I can specify the OU I want to retrieve my users from?
Use the SearchBase parameter:
Get-ADUser -SearchBase 'OU=ActualUsers,DC=domain,DC=tld' -Filter {(ObjectClass -eq "user") -and (enabled -eq $true)} -Server $server
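Putting the SearchBase together with the rest of what the question asks for, as an added example that is not part of the original answer: enabled users under one OU, Exchange health mailboxes excluded, with the address composed as first letter of the given name plus surname. The server name, OU path and mail domain are placeholders; the password column is left for the provisioning step.

```powershell
Import-Module ActiveDirectory

$server     = 'dc01.domain.tld'                   # placeholder
$searchBase = 'OU=ActualUsers,DC=domain,DC=tld'   # placeholder OU, as in the answer
$mailDomain = 'mydomain.com'                      # placeholder, as in the question

# Drop accents so "Émile Zola" becomes "ezola" rather than losing its first letter.
function Remove-Diacritics([string]$s) {
    $chars = $s.Normalize([Text.NormalizationForm]::FormD).ToCharArray() |
        Where-Object { [Globalization.CharUnicodeInfo]::GetUnicodeCategory($_) -ne 'NonSpacingMark' }
    -join $chars
}

# LDAP filter: enabled user objects (userAccountControl bit 2 clear) that have both
# a given name and a surname; Exchange system mailboxes (HealthMailbox*) are excluded.
$ldap = '(&(objectCategory=person)(objectClass=user)' +
        '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
        '(givenName=*)(sn=*)(!(sAMAccountName=HealthMailbox*)))'

$users = Get-ADUser -Server $server -SearchBase $searchBase -LDAPFilter $ldap -Properties GivenName, Surname

$seen = @{}   # composed addresses seen so far, to flag collisions such as two "J. Smith"
$rows = foreach ($u in $users) {
    $local = Remove-Diacritics ($u.GivenName.Substring(0, 1) + $u.Surname)
    $local = $local.ToLowerInvariant() -replace '[^a-z0-9]', ''
    $email = "$local@$mailDomain"
    $collision = $seen.ContainsKey($email)
    $seen[$email] = $true
    [pscustomobject]@{
        'First Name'     = $u.GivenName
        'Last Name'      = $u.Surname
        'Email Address'  = $email
        'sAMAccountName' = $u.SamAccountName
        'Collision'      = $collision
    }
}

$rows | Export-Csv -Path .\gsuite-users.csv -NoTypeInformation -Encoding UTF8
# Review these before uploading; Google will reject duplicate addresses.
$rows | Where-Object Collision | Format-Table 'Email Address', sAMAccountName
```

The LDAP filter does the enabled/name checks on the domain controller, so only the rows you actually want come back over the wire.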

Related

Remove user from all AD Group Except domain users

Get-Aduser -identity $User -Properties Memberof -filter {Memberof Name -Notlike "Domain Users" | ForEach-Object { $_.Memberof | Remove-ADGroupMember -Members $User -Confirm:$false}}
Hey Yall,
I'm trying to remove folks from their AD groups except for the Domain Users group in AD (our company is holding on to AD accounts, idk why, but they want to remove their general accesses).
When I use the above code to remove them it says: "Get-ADUser : Parameter set cannot be resolved using the specified named parameters."
I'm not sure what a better way to do this is.
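A working version of the de-provisioning step described above, as an added example that is not code from the original post. $User is assumed to be a sAMAccountName; MemberOf has to be requested explicitly, and the user's primary group (normally Domain Users) is never listed in MemberOf and cannot be removed with Remove-ADGroupMember in any case.

```powershell
Import-Module ActiveDirectory
$User = 'jdoe'   # placeholder sAMAccountName

# MemberOf is not a default property of Get-ADUser, so ask for it. The primary group
# is stored in primaryGroupID, not in MemberOf, so Domain Users normally never shows
# up here; $keep only matters if it was added as an ordinary membership.
$adUser = Get-ADUser -Identity $User -Properties MemberOf, PrimaryGroup
$keep   = @('Domain Users')

$toRemove = foreach ($dn in $adUser.MemberOf) {
    $g = Get-ADGroup -Identity $dn
    if ($keep -notcontains $g.Name) { $g }
}

Write-Output ("Primary group (kept): {0}" -f $adUser.PrimaryGroup)
Write-Output ("Removing {0} membership(s) for {1}" -f @($toRemove).Count, $User)

foreach ($g in $toRemove) {
    # -WhatIf prints what would happen; drop it once the list above looks right.
    Remove-ADGroupMember -Identity $g -Members $adUser -Confirm:$false -WhatIf
}
```

Capture the output of the first run: the list of groups the account held is the record you will want later if any access has to be restored.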

Powershell Query to show all accounts in an AD group or in an OU

I have been asked to export the details of all service accounts in our AD domain. Seems straightforward, but I have found over the years there has not been a consistent way service accounts have been controlled. We have a Service Accounts OU as well as a Service Account AD security group. Some accounts are in the OU but not the group, some in the group but another random OU, some are in both.
I can query each one individually:
Group
Get-ADGroupMember GROUP.ServiceAccounts
OU
Get-ADUser -SearchBase "OU=Service Accounts,OU=Accounts,DC=Domain,DC=com" -filter *
How can I combine both into one powershell query?
To combine these into one query, which will likely be less efficient than what you are already doing, you can do the following:
$searchBase = '*OU=Service Accounts,OU=Accounts,DC=Domain,DC=com'
$groupDN = 'CN=Group Name,OU=Groups,DC=Domain,DC=com'
# MemberOf is not returned by default, so it has to be requested or the -contains test never matches
Get-ADUser -Filter * -Properties MemberOf |
Where-Object { $_.DistinguishedName -like $searchBase -or $_.MemberOf -contains $groupDN }
You will need to update $groupDN with the actual distinguished name of your group. If you could find a more efficient way to -Filter on DistinguishedName, you could make this faster with the -Filter parameter.
Alternative Solution:
A more efficient way would be to combine your results into an object array.
$array1 = Get-ADGroupMember $Group
$array2 = Get-ADUser -SearchBase "OU=Service Accounts,OU=Accounts,DC=Domain,DC=com" -filter *
# @() wrapping keeps this working when either query returns a single object
@($array1) + @($array2)
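The two arrays above hold different object types (ADPrincipal from the group, ADUser from the OU) and an account in both places appears twice. The following is an added example, not the original answer's code, that resolves group members to ADUser objects, deduplicates on DistinguishedName and records where each account was found, which is usually the point of a service-account inventory. The group and OU names are those from the question.

```powershell
Import-Module ActiveDirectory
$groupName = 'GROUP.ServiceAccounts'                              # from the question
$ouDN      = 'OU=Service Accounts,OU=Accounts,DC=Domain,DC=com'    # from the question

# Group members can be users, computers or nested groups; keep users only and
# resolve each to a full ADUser so both sources yield the same object type.
$fromGroup = Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties Description, LastLogonDate }

$fromOU = Get-ADUser -SearchBase $ouDN -Filter * -Properties Description, LastLogonDate

# Merge on DistinguishedName, remembering which source(s) produced each account.
$byDN = @{}
foreach ($u in $fromGroup) { $byDN[$u.DistinguishedName] = @{ User = $u; Sources = @('Group') } }
foreach ($u in $fromOU) {
    if ($byDN.ContainsKey($u.DistinguishedName)) { $byDN[$u.DistinguishedName].Sources += 'OU' }
    else { $byDN[$u.DistinguishedName] = @{ User = $u; Sources = @('OU') } }
}

$report = foreach ($entry in $byDN.Values) {
    [pscustomobject]@{
        SamAccountName    = $entry.User.SamAccountName
        Enabled           = $entry.User.Enabled
        LastLogonDate     = $entry.User.LastLogonDate
        Description       = $entry.User.Description
        FoundIn           = $entry.Sources -join '+'   # Group, OU or Group+OU
        DistinguishedName = $entry.User.DistinguishedName
    }
}
$report | Sort-Object FoundIn, SamAccountName | Export-Csv .\service-accounts.csv -NoTypeInformation
```

The FoundIn column makes the inconsistency the question describes visible: rows marked only "OU" or only "Group" are the accounts to reconcile.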

Variable and value of variable returning different results when used in same statement

I've come across an issue I can't explain. When I use a variable in the below statement, I get incorrect data as my result. If instead I use the value the variable represents, then I get the expected data. The workaround is easy, but I'm curious as to what the problem is. I'd expect the string and the value the string represents to provide the same results.
I'm using Get-CsOnlineUser and filtering by StreetAddress. I assigned the address of Super Secret Address to a variable $location. When I use the variable name it returns the wrong results. When I use the value of the variable it returns the correct results.
This code gives the wrong results:
#Returns a table of SFB Users filtered by location and whether or not they have enterprise voice
#Variables
$location = 'Super Secret Address'
#Get all enterprise voice users at specified address
Get-CsOnlineUser -Filter {StreetAddress -eq $location -and VoicePolicy -eq "BusinessVoice"} |ft DisplayName, Alias, Office, Phone, VoicePolicy, LineURI
#Get non-enterprise voice- users at specified address
Get-CsOnlineUser -Filter {StreetAddress -eq $location -and VoicePolicy -eq "HybridVoice"} |ft DisplayName, Alias, Office, Phone, VoicePolicy, LineURI
This gives the right results:
#Get all enterprise voice users at specified address
Get-CsOnlineUser -Filter {StreetAddress -eq 'Super Secret Address' -and VoicePolicy -eq "BusinessVoice"} |ft DisplayName, Alias, Office, Phone, VoicePolicy, LineURI
#Get non-enterprise voice- users at specified address
Get-CsOnlineUser -Filter {StreetAddress -eq 'Super Secret Address' -and VoicePolicy -eq "HybridVoice"} |ft DisplayName, Alias, Office, Phone, VoicePolicy, LineURI
Edit: Apologies. I should have clarified. The wrong results were showing a different subset of users that did not work at that StreetAddress. Interestingly, it seems like those users were contractors. Aside from that, I'm not seeing a pattern here.
In addition to the wrong subset of users, I saw this warning repeat itself within the results:
WARNING: "OriginalRegistrarPool" with identity "123456789" assigned to "sip:user@company.com" has been removed from configuration store.
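An added example, not code from the original post, of building the same two queries with a string filter. The assumption behind it: Get-CsOnlineUser is an implicitly remoted cmdlet, so a script-block -Filter is sent to the service as text and $location is never expanded locally; an unresolved name then compares like an empty StreetAddress, which would explain why users without an address (the contractors) came back. A double-quoted string expands the variable before anything is sent.

```powershell
$location = 'Super Secret Address'

# Double any single quote so an address with an apostrophe cannot break the filter text.
$escaped = $location -replace "'", "''"

$columns = 'DisplayName', 'Alias', 'Office', 'Phone', 'VoicePolicy', 'LineURI'

# Same two reports as the question: enterprise voice first, then hybrid voice.
foreach ($policy in 'BusinessVoice', 'HybridVoice') {
    $filter = "StreetAddress -eq '$escaped' -and VoicePolicy -eq '$policy'"
    Write-Verbose "Filter sent to the service: $filter"
    Get-CsOnlineUser -Filter $filter | Format-Table $columns
}
```

Run with -Verbose (or just echo $filter) once to confirm the literal address is present in the text that leaves your session.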

Powershell Get-ADUser split filter

Is it possible to modify an AD property within a filter?
The use I want it for is to be able to check if there already is a user with a certain name in a specific OU.
Something like this:
$ou="HQOffice"
Get-ADUser -Properties Displayname -Filter {Displayname -eq "Major Minor" -and (DistinguishedName).split(',')[2].split('=')[1] -eq $ou}
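An added example, not from the original post, of the same existence check done without string methods in the filter: the AD -Filter is translated to an LDAP query on the domain controller, so it cannot call .split() on DistinguishedName. Resolving the OU by name and scoping the search with -SearchBase/-SearchScope gives the same answer; the function name is hypothetical.

```powershell
Import-Module ActiveDirectory

function Test-ADUserInOU {
    param([string]$DisplayName, [string]$OUName)

    # Resolve the OU by its name; fail loudly if it is missing or ambiguous,
    # because a silent $null here would turn the search into a whole-domain one.
    $ou = @(Get-ADOrganizationalUnit -Filter "Name -eq '$OUName'")
    if ($ou.Count -ne 1) {
        throw "Expected exactly one OU named '$OUName', found $($ou.Count)"
    }

    # Double embedded single quotes (O'Brien) so the filter string stays valid.
    $name = $DisplayName -replace "'", "''"

    # OneLevel = direct children of the OU only; use Subtree to include nested OUs.
    $match = Get-ADUser -SearchBase $ou[0].DistinguishedName -SearchScope OneLevel `
                        -Filter "DisplayName -eq '$name'" -Properties DisplayName
    return [bool]$match
}

Test-ADUserInOU -DisplayName 'Major Minor' -OUName 'HQOffice'
```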

How can I compare CSV to AD users and disable users not in CSV?

As a process to disable users, I have a CSV where users are identified by employeeID and not username. I need to loop through and compare the CSV to AD users, and any AD user not in the CSV needs to be disabled. This is what I have so far, but it's not working. I'll admit I'm still fairly new to PowerShell scripting, so any help would be much appreciated.
Import-Module ActiveDirectory
Import-Csv -Path c:\ADTerm.csv | foreach {Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Identity $_.employeeID} | Where {$_ -ne $null} | Disable-ADAccount -Identity $_.employeeID
I can't really fit this all in a comment without it looking horrible, so let's start with this.
You are combining -Filter and -Identity, which most likely won't net the results you are looking for. Use -Identity to get one specific user, or -Filter to get one to many. Looking at TechNet for Get-ADUser you will see -Identity only matches values to:
DistinguishedName
objectGUID
objectSid
sAMAccountName
In that regard I see you have a column for EmployeeID. I'm guessing that those are not SamAccountName which is one of the values that -Identity supports. I feel that you could do with the following changes.
$IDs = Import-Csv -Path c:\ADTerm.csv | Select-object -ExpandProperty EmployeeID
Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Properties EmployeeID |
Where-Object{$_.EmployeeID -and ($IDs -notcontains $_.EmployeeID)} | Disable-ADAccount
Update the Get-ADUser to get all users in that OU. Get-ADUser does not return the EmployeeID by default, so we use -Properties to specify it. Filter all those users that have an EmployeeID but not one in the list. Disable-ADAccount will take the output of Get-ADUser nicely, so there is no need to specify the account again.
Depending on your setup, you might be storing this value as EmployeeNumber in AD. This is also dependent on your having a CSV file with a column for EmployeeNumber.
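The same compare-and-disable with the guards a termination job needs, as an added example that is not the original answer's code. The important failure mode: if the CSV is empty or its column is misnamed, $IDs is empty and the one-liner above disables every user in the OU. The attribute name is a variable so the EmployeeNumber variant mentioned above is a one-line change.

```powershell
Import-Module ActiveDirectory
$csvPath    = 'c:\ADTerm.csv'
$searchBase = 'ou=Test,ou=Logins,dc=domain,dc=com'
$column     = 'EmployeeID'   # or 'EmployeeNumber', whichever attribute you actually populate

$rows = @(Import-Csv -Path $csvPath)
if ($rows.Count -eq 0 -or $rows[0].PSObject.Properties.Name -notcontains $column) {
    throw "CSV '$csvPath' is empty or has no '$column' column; refusing to disable anyone."
}
$idSet = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
foreach ($r in $rows) { if ($r.$column) { [void]$idSet.Add($r.$column.Trim()) } }

# Only enabled accounts that carry the attribute are candidates; accounts with no
# value are skipped rather than disabled, exactly as in the answer above.
$enabled    = @(Get-ADUser -Filter {Enabled -eq $true} -SearchBase $searchBase -Properties $column)
$candidates = @($enabled | Where-Object { $_.$column -and -not $idSet.Contains($_.$column.Trim()) })

# Sanity limit: a truncated or wrong CSV shows up as an implausibly large batch.
if ($enabled.Count -gt 0 -and ($candidates.Count / $enabled.Count) -gt 0.5) {
    throw "Would disable $($candidates.Count) of $($enabled.Count) enabled users; check the CSV first."
}

foreach ($u in $candidates) {
    Disable-ADAccount -Identity $u -WhatIf   # drop -WhatIf once the preview is right
    "{0} disabled {1} ({2}={3})" -f (Get-Date -Format s), $u.SamAccountName, $column, $u.$column
}
```

Redirect the timestamped lines to a file: a disable job that leaves no record of who it touched is painful to audit when someone asks why their account stopped working.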