I need to retrieve a list of Distribution groups with their x400 and x500 addresses. I have determined the attributes are proxyaddresses and TextEncodedORAddress. We are running Exchange 2013. When I look at a high level searchbase like "OU=Exchange,OU=company,DC=company,DC=com" and use Get-ADUser it returns the user accounts, however I need Distribution Groups.
Using the following returns the users with the attributes I need, but I need distribution groups, not users.
Get-ADUser -SearchBase "OU=Exchange,OU=company,DC=company,DC=com" `
-Filter * -Properties * | Select * |
FT CN,distinguishedName,proxyaddresses,textEncodedORAddress
I tried Get-Mailbox, Get-DistributionGroup, but I get an error saying it's not a cmdlet. I also tried using the attribute groupType to filter, but it didn't work. I'm not sure if I'm able to use Get-ADObject as I'm not quite sure how I'd use that cmdlet. Any help would be appreciated.
Because there are multiple values in that proxyaddresses, I was receiving Microsoft.ActiveDirectory.Management.ADPropertyValueCollection, therefore I had to use the following.
Get-ADGroup -SearchBase "OU=Exchange,OU=Company,DC=company,DC=com" `
-Filter * -Properties proxyAddresses | Select CN,distinguishedName,textEncodedORAddress,`
#{L=’ProxyAddress_1′; E={$_.proxyaddresses[0]}},
#{L=’ProxyAddress_2′; E={$_.ProxyAddresses[1]}},
#{L=’ProxyAddress_3′; E={$_.proxyaddresses[2]}},
#{L=’ProxyAddress_4′; E={$_.proxyaddresses[3]}},
#{L=’ProxyAddress_5′; E={$_.proxyaddresses[4]}}|
Export-CSV C:\temp\x500_Export.csv
The only thing I can't figure out for the output, is why I see the various proxyaddresses and the distinguishedname, however it won't show CN, or displayname. Those are blank.
get-adgroup -filter "GroupCategory -eq 'Distribution'"
Related
I have a script that is supposed to search for computers in different OUs with the same name in AD.
eg.
Get-ADComputer -filter * -Searchbase "OU=domain,DC=home,DC=com" -properties * |
Where-Object {$_.DistinguishedName -like "*XXX09*"} |
Select name, DistinguishedName
Everything works fine, but it is terribly slow, is there any way to speed it up, or build the script differently ?
Not only can you speed-up this by using a filter, but also, using -Properties * is asking for ALL properties. That is useless and time consuming in this case because you only want to retrieve the Name and DistinguishedName.
Get-ADCumputer by default already returns these properties:
DistinguishedName, DNSHostName, Enabled, Name, ObjectClass, ObjectGUID, SamAccountName, SID, UserPrincipalName.
Try
Get-ADComputer -Filter "DistinguishedName -like '*XXX09*'" | Select-Object Name, DistinguishedName
Use the filter during the search instead of after will reduce the query time quite a bit.
Get-ADComputer -filter 'DistinguishedName -like "*XXX09*"' -Searchbase "OU=domain,DC=home,DC=com" -properties * | select name, DistinguishedName
You might need to tune the query slighty, but i tested it with 'name' instead of 'DistinguishedName' and that works just fine (and quite a bit quicker ;))
I'm an IT intern tasked with performing an audit of users on our domain and I'm having some trouble finding the info I need without all of the extra stuff. Is there a way to pull all of this info in one command? If not, can you recommend commands to pull users, usernames, and login info separately in a manner that I can copy-paste in the format I need?
I previously used get-adgroup -filter * and wrote to a file. Are there some options I can add for this filter? I also used a script to get all users, and all groups and their user permissions on separate occasions.
You could try something like:
Get-ADGroup -Filter "Name -like '*Accounting*'" |
Get-ADGroupMember |
Select-Object name, SamAccountName
Or if you need more fields from the user object, then try something like:
Get-ADGroup -Filter "Name -like '*Accounting*'" |
Get-ADGroupMember |
Get-ADUser -Properties Enabled |
Select-Object Name, SamAccountName, UserPrincipalName, Enabled
You'll probably want to export to a spreadsheet, so use Export-Csv for that.
I am trying to list all users that have the PasswordNeverExpires flag set.
If I use
Get-ADUser
I get a list of all users in my domain, along with a load of default properties.
If I use
Get-ADUser -Filter * -Properties Name | Format-Table -Property Name -AutoSize
I also get a list of all usernames in my domain, as a table.
When I use
Get-ADUser -Filter * -Properties Name,PasswordNeverExpires | Format-Table -Property Name,PasswordNeverExpire
I get a table that contains a full list of usernames, but ONLY the following accounts have either True or False in the PasswordNeverExpires column
Guest
krbtgt
Administrator
SBSMonAcct
Network Administrator
<MyDomainAdminAccount>
SPSearch
<AnAdministratorAccountForOneOfOurSoftwareVendors>
<AnAccountThatWasCopiedFromTheDomainAdministratorAccount>
<AnotherAccountCopiedFromTheDomainAdministratorAccount>
All the other items/usernames in the table have empty/blank/non-existent values.
I have also tried
Get-ADUser -LDAPFilter "(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
but that only returns
<MyDomainAdminAccount>
SPSearch
Why is the PasswordNeverExpires flag not being picked up for all users? Thanks.
PasswordNeverExpires is calculated from the userAccountControl attribute.
Probably the fastest way to search for users that have that flag set is as follows:
Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=65536)" -Properties PasswordNeverExpires
See the documentation for more information on searching using a bitwise filter. 65536 (0x10000) corresponds to the ADS_UF_DONT_EXPIRE_PASSWD bit position, so this LDAP search filter searches only for accounts that have that flag set.
Hmm, your third line pulls the property "PasswordNeverExpires" but Selects "PasswordNeverExpire". If this was just a typo in your question this disregard. If not then there is your answer. :-)
As a process to disable users, I have a CSV where users are identified by employeeID and not username. I need to loop through and compare the CSV to AD users, and any AD user not in the CSV needs to be disabled. This is what I have so far, but it's not working. I'll admit I'm still fairly new to powershell scripting, so any help would be much appreciated.
Import-Module ActiveDirectory
Import-Csv -Path c:\ADTerm.csv | foreach {Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Identity $_.employeeID} | Where {$_ -ne $null} | Disable-ADAccount -Identity $_.employeeID
I cant really fit this all in a comment without it looking horrible so lets start with this.
You are combining -Filter and -Identity which most likely wont net the results you are looking for. Use Identity to get one specific user or filter to get one to many. Looking at TechNet for Get-AdUser you will see Identity only matches values to:
DistinguishedName
objectGUID
objectSid
sAMAccountName
In that regard I see you have a column for EmployeeID. I'm guessing that those are not SamAccountName which is one of the values that -Identity supports. I feel that you could do with the following changes.
$IDs = Import-Csv -Path c:\ADTerm.csv | Select-object -ExpandProperty EmployeeID
Get-ADUser -filter * -SearchBase "ou=Test,ou=Logins,dc=domain,dc=com" -Properties EmployeeID |
Where-Object{$_.EmployeeID -and ($IDs -notcontains $_.EmployeeID)} | Disable-ADAccount
Update the get-aduser to get all users in that OU. Get-Aduser does not return the EmployeeID by default so we use -Properties to specify it. Filter all those users that have employeeID but not one in the list. Disable-ADAccount will take the output of Get-AdUser nicely so there is not need to specify the account again.
Depending you might be storing this value as EmployeeNumber in AD. This is also dependent on your having a csv file with a column for EmployeeNumber
I am very new to Powershell and am having an issue when using the Get-ADUser and GetADComputer cmdlets.
I am trying to use the Get-ADComputer and Get-ADUser to retrieve the memberOf from Active-Directory of all the users and computers. It only appears to be retrieving information from users and computers that are in 2 or more groups. Any users/computers that are only in 1 group display nothing.
For example: If UserA is in group Administrators I get no output when I use MemberOf. But if User2 is in both Administrators and Domains Administrators I get some output. However it will only output one of those groups.
Get-ADGroup does the same thing.
Is this normal? I can't imagine it is.
Here is my code:
Get-ADUser -Filter * -Properties * | Select-Object -Property Name,MemberOf | Sort-Object -Property Name
Thanks
Your trouble comes from the fact that the primary group is not part of the memberOf attribute.
So try this :
Get-ADUser -Filter * -Properties * | Select-Object -Property Name,MemberOf,PrimaryGroup | Sort-Object -Property Name
You'll find a deeper explanation in this answer.