I have a task where we have a .csv file containing users. The contents of the CSV should be compared against an AD security group. Any user that is NOT in the CSV needs to be removed from the AD group.
In the past I have added/removed users from groups that ARE listed in the CSV file, but have no idea how to remove them if they are not in the CSV.
Will I have to use one script to dump the members of the group to a file, compare this file against the CSV which would then create a file of the users in the group but not in the CSV, and then use that as my source to remove the users?
Create a list from the relevant user attribute in the CSV (e.g. the distinguished name). Get the group members that are not present in this list using a Where-Object filter with the -notcontains operator. Then remove those members from the group.
Example:
$validUsers = Import-Csv 'C:\path\to\your.csv' | Select-Object -Expand dn
$invalidUsers = Get-ADGroupMember 'groupname' |
Where-Object { $validUsers -notcontains $_.distinguishedName }
Remove-ADGroupMember 'groupname' $invalidUsers -WhatIf
Remove the -WhatIf switch to actually remove the group members instead of doing a dry-run.
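A more defensive version of the same reconciliation, added here as an example rather than the answerer's code. It assumes the same placeholder CSV path, 'dn' column and group name as above, and adds the guards a practitioner would want before letting a script remove members: refuse to run on an empty CSV (otherwise every member would be removed), touch only user objects, and log what is about to change.

```powershell
Import-Module ActiveDirectory

$csvPath   = 'C:\path\to\your.csv'   # assumed: CSV with a 'dn' column holding distinguished names
$groupName = 'groupname'             # assumed group name

# Guard: a missing, empty or mis-delimited CSV must never be read as "nobody is allowed
# to stay", because the filter below would then mark every member for removal.
$validUsers = @(Import-Csv -Path $csvPath |
    Select-Object -ExpandProperty dn |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
if ($validUsers.Count -eq 0) {
    throw "No distinguished names read from '$csvPath'; refusing to reconcile '$groupName'."
}

# Only user objects are reconciled; nested groups and computer accounts are left alone.
$currentUsers = @(Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'user' })

# Members not listed in the CSV are removal candidates (-notcontains is case-insensitive,
# which suits DNs). CSV rows that are not members are only reported, never added.
$toRemove = @($currentUsers | Where-Object { $validUsers -notcontains $_.distinguishedName })
$missing  = @($validUsers   | Where-Object { $currentUsers.distinguishedName -notcontains $_ })

Write-Host ("{0} member(s) to remove, {1} CSV entries not currently in the group" -f
    $toRemove.Count, $missing.Count)

if ($toRemove.Count -gt 0) {
    # Keep a record of the planned change before the group is modified.
    $logPath = Join-Path $env:TEMP ("removed-from-{0}-{1:yyyyMMdd-HHmm}.txt" -f $groupName, (Get-Date))
    $toRemove | Select-Object -ExpandProperty distinguishedName | Out-File -FilePath $logPath

    # Dry run first; drop -WhatIf once the log above looks right.
    Remove-ADGroupMember -Identity $groupName -Members $toRemove -Confirm:$false -WhatIf
}
```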
I am trying to get a table of permissions out of some groups that I have in AD. I'm pretty new to PowerShell and I'm not sure what I want is even possible.
So far I've been able to select the groups that I want by using
Get-ADUser -Identity groupname
And I can see the info pulled up in the response from PowerShell, but from there I've hit a huge dead-end with piping the result into anything that would let me see the permissions for that group.
I'm assuming you want the permissions to the group itself (for example, who is allowed to modify the group).
You can use Get-Acl (ACL stands for Access-Control List), which is used for getting permissions from files as well. To direct it to AD, you use the AD: drive, along with the distinguished name of the AD object. For example:
(Get-Acl "AD:CN=SomeGroup,OU=Groups,DC=example,DC=com").Access
If you don't know the distinguished name, you can get that from your call to Get-ADGroup (I assume you meant to use Get-ADGroup, not Get-ADUser like you put in your question).
$group = Get-ADGroup groupname
(Get-Acl "AD:$($group.distinguishedName)").Access
More reading here: Understanding Get-ACL and AD Drive Output
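Since the question is about who may change the group, this added example (not from the answer above) narrows the Get-Acl output to the allow entries that can alter the group or its membership. It assumes the group name 'groupname'; the GUID used is the schemaIDGUID of the 'member' attribute, and an all-zeros ObjectType means the ACE applies to every property.

```powershell
Import-Module ActiveDirectory

$group = Get-ADGroup -Identity 'groupname'          # assumed group name
$acl   = Get-Acl -Path "AD:$($group.DistinguishedName)"

# schemaIDGUID of the 'member' attribute: an ACE with this ObjectType is scoped to membership.
$memberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$allProperties       = [guid]::Empty               # 00000000-... = ACE covers all properties

Write-Host "Owner: $($acl.Owner)"                  # the owner can always rewrite the DACL

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (
            # rights that give control of the object as a whole
            ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') -or
            # WriteProperty either on all properties or specifically on 'member'
            (($_.ActiveDirectoryRights -match 'WriteProperty') -and
             ($_.ObjectType -eq $allProperties -or $_.ObjectType -eq $memberAttributeGuid))
        )
    } |
    Select-Object IdentityReference,
                  ActiveDirectoryRights,
                  @{ Name = 'Scope'; Expression = {
                        if ($_.ObjectType -eq $memberAttributeGuid) { 'member attribute' }
                        elseif ($_.ObjectType -eq $allProperties)   { 'all properties' }
                        else                                        { $_.ObjectType } } },
                  IsInherited |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Inherited entries come from the parent OU or the domain; a non-inherited entry for an unexpected principal is the one worth asking about.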
I've been working on an identity management project involving Active Directory and hit a case I can't figure out the PowerShell for. Essentially we are looking at the employeeID attribute; we want to find all users that have the same value in that attribute across the whole domain. Users shouldn't have the same employeeID, so if there are two or more with the same employeeID, they need to be cleaned up.
I know PowerShell could do this for me, but I'm not sure what commands I would need. I've been looking at Get-ADUser but nothing is jumping out at me to even get started. I essentially just want a report of all users that have the same employeeID as another user so that they can be cleaned up.
You could:
Enumerate all accounts with an employeeID value
Compare and group them based on the value using Group-Object
# Fetch all user accounts with an employeeID
$employeeAccounts = Get-ADUser -Filter 'employeeID -like "*"' -Properties employeeID
# Group them by value of employeeID attribute, keep any group with more than 1 account
$accountsByEmployeeID = $employeeAccounts |Group-Object employeeID |Where-Object Count -gt 1
foreach($ID in $accountsByEmployeeID){
# $accounts will contain a list of accounts with the same employeeID
# you could send an email, file a ticket, or disable one or more of the accounts here
$accounts = $ID.Group
}
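Turning the loop above into the report the question asks for, as an added example that is not part of the answer. It normalises the ID before grouping (a trailing space or a case difference would otherwise hide a duplicate) and writes one row per account, with the fields that usually decide which account to keep; the output path under $env:TEMP is an assumption.

```powershell
Import-Module ActiveDirectory

# Every user with an employeeID, plus the attributes that help decide which duplicate to keep.
$employeeAccounts = Get-ADUser -Filter 'employeeID -like "*"' `
                               -Properties employeeID, whenCreated, LastLogonDate

# Normalise before grouping: ' 1234' and '1234' (or 'ab12' and 'AB12') are the same ID
# to a human, but Group-Object would treat them as different keys.
$duplicates = $employeeAccounts |
    Group-Object { $_.employeeID.Trim().ToUpperInvariant() } |
    Where-Object Count -gt 1

# One row per account, tagged with its duplicate set, so the CSV is filterable in a spreadsheet.
$report = foreach ($set in $duplicates) {
    foreach ($acct in $set.Group) {
        [pscustomobject]@{
            EmployeeID        = $set.Name
            DuplicateCount    = $set.Count
            SamAccountName    = $acct.SamAccountName
            Enabled           = $acct.Enabled
            WhenCreated       = $acct.whenCreated
            LastLogonDate     = $acct.LastLogonDate
            DistinguishedName = $acct.DistinguishedName
        }
    }
}

$reportPath = Join-Path $env:TEMP 'duplicate-employeeIDs.csv'   # assumed output location
$report | Sort-Object EmployeeID, WhenCreated |
    Export-Csv -Path $reportPath -NoTypeInformation

Write-Host ("{0} duplicate employeeID value(s) across {1} account(s) written to {2}" -f
    @($duplicates).Count, @($report).Count, $reportPath)
```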
I'm trying to retrieve a list of all AD users matching a filter, pipe that into Get-ADPrincipalGroupMembership and then export the result to an easy-to-read CSV.
*NB: I can't use MemberOf as it returns blank for every single AD user, and most successful scripts I've found are using MemberOf.
Here's what I've tried, which gives me a list of groups but no association as to who goes where. Tried to Export-Csv as well, but it complains of an empty pipe?
import-module activedirectory
foreach ($user in (Get-AdUser -Filter {(Name -Like "*(s)") } | select samaccountName)) {
Get-ADPrincipalGroupMembership $user.samaccountName | select samaccountname,name
}
This will include the user's sAMAccountName in the group results:
Import-Module ActiveDirectory
ForEach ($user in (Get-AdUser -Filter {(Name -Like "*(s)") } | select sAMAccountName)) {
Get-ADPrincipalGroupMembership $user.sAMAccountName | select @{Expression={$user.sAMAccountName};Label="User"},sAMAccountName,name
}
That weird notation is for creating a custom table. You can read more about it here: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ee692794(v=technet.10)
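The question also mentions Export-Csv complaining about an empty pipe; that happens because a foreach statement cannot be piped into another command. This added example (not from the answer above) collects the rows into a variable first and exports them; the filter is the one from the question and the output path is an assumption.

```powershell
Import-Module ActiveDirectory

# A 'foreach' statement produces no pipeline output of its own, so
# 'foreach (...) { ... } | Export-Csv' fails. Assigning its output to a variable
# (or using ForEach-Object instead) gives Export-Csv something to write.
$rows = foreach ($user in (Get-ADUser -Filter { Name -like "*(s)" })) {
    # Get-ADPrincipalGroupMembership also returns the primary group (usually Domain Users)
    # and groups from other domains in the forest, which memberOf would not show.
    foreach ($group in (Get-ADPrincipalGroupMembership -Identity $user.SamAccountName)) {
        [pscustomobject]@{
            User          = $user.SamAccountName
            UserDN        = $user.DistinguishedName
            Group         = $group.SamAccountName
            GroupScope    = $group.GroupScope        # DomainLocal, Global or Universal
            GroupCategory = $group.GroupCategory     # Security or Distribution
            GroupDN       = $group.DistinguishedName
        }
    }
}

$outPath = Join-Path $env:TEMP 'user-group-membership.csv'   # assumed output location
$rows | Sort-Object User, Group |
    Export-Csv -Path $outPath -NoTypeInformation

Write-Host ("{0} user/group row(s) written to {1}" -f @($rows).Count, $outPath)
```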
Not seeing anything in memberOf may be normal. If you check in Users and Computers, do you see a value in memberOf?
The memberOf attribute will only show groups with a Universal scope in the same AD forest, Global groups on the same domain, or Domain Local groups on the same domain of the server you're reading from (which may not be the same domain as the user). So it has its limitations.
Users can also be "a member" of a group by the primaryGroupId attribute, which stores the RID (the last section of the SID) of the user's primary group. This is usually only used for the Domain Users group.
Get-ADPrincipalGroupMembership takes care of all of that for you. It will include the primary group and search every domain in your forest for Global and Domain Local groups that have the user as a member.
I use a simple Get-ADGroup on the top level of our network's Active Directory and I get back the error "get-adgroup : cannot find an object with identity 'GroupName' under: Domain".
I have tried to query the group using "Find" in Active Directory Users and Computers and it is only able to be found if set to search for Organizational Units, however if I try a Get-ADOrganizationalUnit with the name of the OU nothing will populate.
Most of the time, the group name you see from your front-end is not actually what the group name is in Active Directory.
I suggest you install Active Directory Users and Computers.
Query the group based on the current group name you think it is.
Open the properties and see what the actual group name is.
The fact that Get-AdGroup returned that error means you have the wrong group name.
For Get-ADGroup you have to use the object's GUID or the DistinguishedName. What I typically do with this is something like this:
Get-DistributionGroup -identity "GroupName" | select -Expand DistinguishedName | Get-ADGroup
I need to get all group members which are in a specific OU (usersNewYork); the location of the group is in another OU (ProxyGroups).
To copy the users from the group I would use this script:
Add-ADGroupMember destinationgroup -Members (Get-ADGroupMember sourceGroup)
How is it possible to only copy the members from the specific OU to the destination group?
You need to filter your results to only include the group members that you want. There are several ways to do that, but you could try something like this:
Add-ADGroupMember destinationgroup -Members (Get-ADGroupMember sourceGroup | Where-Object distinguishedName -like "*,OU=usersNewYork,DC=company,DC=com")