I need to check the following code against a txt file with computer names, so if the computer name exist in the file, it'll be copied to the shadow group.
$OU="OU=Computers,DC=mylab,DC=local"
$ShadowGroup="CN=SelectPCs,OU=Groups,DC=mylab,DC=local"
Get-ADComputer –SearchBase $OU –SearchScope OneLevel –LDAPFilter "(!memberOf=$ShadowGroup)" | ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $ShadowGroup}
I tried a pipe and 'Where', but couldn't make it work:
$OU="OU=Computers,DC=mylab,DC=local"
$ShadowGroup="CN=SelectPCs,OU=Groups,DC=mylab,DC=local"
$PCList = c:\scripts\computernames.txt
Get-ADComputer –SearchBase $OU –SearchScope OneLevel –LDAPFilter "(!memberOf=$ShadowGroup)" **| Where-Object {$_.Name –Match $PCList}** |ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $ShadowGroup}
I suggest you rewrite your command as follows:
Get-Content c:\scripts\computernames.txt | Get-ADComputer -Property MemberOf |
Where-Object { $_.DistinguishedName -match ('^[^,]+,' + $OU + '$') -and
$_.MemberOf -notcontains $ShadowGroup } |
ForEach-Object {Add-ADPrincipalGroupMembership –Identity $_ –MemberOf $ShadowGroup}
Start with your list of computer names, which Get-ADComputer should be able to identify directly, via the pipeline, implicitly bound to the -Identity parameter.
-Property MemberOf ensures that the non-default property MemberOf is included in each return object.
The Where-Object call then checks whether the computer is in the right OU ($_.DistinguishedName -match ('^[^,]+,' + $OU + '$') - perhaps you don't even need this, given that you've identified the computers by name[1]
) and whether it's not already a member of $ShadowGroup ($_.MemberOf -notcontains $ShadowGroup).
Finally, the Foreach-Object calls adds the matching computers to group $ShadowGroup.
[1] Computers are assumed to have unique names, so using Get-ADComputer with a computer name (which implies parameter -Identity) matches a computer in any OU, so there's generally no need to constrain the matches by OU.
That said, the regex used above is explicitly designed to only match computers located directly in $OU.
If you wanted to match computers in the specified OU and any descendent OU, use $_.DistinguishedName -match (',' + $OU + '$')
It looks like you are trying to match a name with the array of computer names. That would be like asking does 'computer1' contain 'computer1, computer2, computer3' which would be false. But asking if 'computer1, computer2, computer3' contains the string 'computer1' would be true.
In other words, instead of Where-Object {$_.Name -match $PCList} you could do Where-Object {$PCList -match $_.Name}.
Keep in mind though that this would also do partial matches. For example computer1 would match for computer1 and also computer11, computer12, etc.
The better approach would be to loop through the list of computernames in the text file to perform your check and action (as mklement0's answer demonstrates).
Related
i'm tryin to figure out which computers are deactivated. for that i provide the computer names in a csv list. i just want to output the computers which are deactivated. this is what i have. unfortunately i get all deactivated computers. but i only want that names provided in the csv
Import-CSV -Path "C:\pc_names" | Select -expand Name | Get-ADComputer -searchbase 'XXX' -Filter {(Enabled -eq $False)} -Properties Name, OperatingSystem | Export-CSV “C:\Temp\DisabledComps.CSV” -NoTypeInformation
The problem is likely in the Get-ADComputer command, you specify a SearchBase (assumedly an OU), and a filter for all disabled computers - but never actually include the name of the PC that you piped in from the CSV, so it just returns every disabled PC under that search base.
Try something like this instead;
Import-CSV -Path "C:\pc_names" | Select -Expand Name | Get-ADComputer -SearchBase 'XXX' -Filter {(Enabled -eq $False) -and ($_.Name)} -Properties Name, OperatingSystem | Export-CSV "C:\Temp\DisabledComps.CSV" -NoTypeInformation
Note the $_.Name in the filter.
I've probably got that filter syntax wrong - but that should be the cause.
There is no way you can test if the computername is to be found in an array of names using the -Filter parameter..
You need to first collect computer objects within your SearchBase OU and filter the disabled ones only.
Following that, you filter out the ones that can be found in the $pcNames array using a Where-Object clause:
$pcNames = (Import-Csv -Path "C:\pc_names.csv").Name
Get-ADComputer -SearchBase 'XXX' -Filter "Enabled -eq 'False'" -Properties OperatingSystem |
Where-Object { $pcNames -contains $_.Name } | # or: Where-Object { $_.Name -in $pcNames }
Export-Csv -Path "C:\Temp\DisabledComps.csv" -NoTypeInformation
Note: Get-ADComputer by default already returns these properties: DistinguishedName, DNSHostName, Enabled, Name, ObjectClass, ObjectGUID, SamAccountName, SID, UserPrincipalName. That means you only have to ask for the extra property OperatingSystem in this case
It's pretty obvious that something like this ignores what's piped in and returns many computers.
'comp001' | get-adcomputer -filter 'Enabled -eq $False'
If you wait until the end, there is an error message:
get-adcomputer : The input object cannot be bound to any parameters for the command either because the command does not take pipeline input or the input and its
properties do not match any of the parameters that take pipeline input.
At line:1 char:13
+ 'comp001' | get-adcomputer -filter 'Enabled -eq $false'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (comp001:String) [Get-ADComputer], ParameterBindingException
+ FullyQualifiedErrorId : InputObjectNotBound,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
You can do get-adcomputer inside a foreach loop and test Name as well:
$list = echo comp001 comp002 comp003
$list | % { get-adcomputer -filter 'Enabled -eq $False -and Name -eq $_' }
Import-Module ActiveDirectory
Get-ADComputer -Filter {enabled -eq $true} -properties *|select Name,
| Out-File -FilePath c:\Powershell.txt
I am trying to export a list to txt file and have it display a list of all the computers on my domain by name and the OU or group it is assigned to. i am able to retrieve the name with this, but would like to ad a OU Colum.
Since the DistinguishedName value contains the OU RDN, we can extract it with a bit of string splitting magic:
Get-ADUser -Filter * |Select Name,#{Name='OU';Expression={$_.DistinguishedName -split '(?<!\\),' |Select -Index 1}}
This will give us only the RDN (ie. OU=Company Users), if you want the full DN of the OU, do:
Get-ADUser -Filter * |Select Name,#{Name='OU';Expression={$_.DistinguishedName -split '(?<!\\),',2 |Select -Skip 1}}
The pattern (?<!\\), will match any , in the DN only if not preceded by \ - this is to avoid splitting on escaped ,'s, like in CN=LastName\, FirstName,OU=Users,...
Honestly, I would derive the OU from the DistinguishedName value. It will be quicker than running additional ActiveDirectory module PowerShell commands. You can then output the OU value using Select-Object's calculated properties. I would also recommend outputting to CSV (using Export-Csv) since that format is easily readable by PowerShell and other file editing tools.
Get-ADComputer -Filter 'Enabled -eq $true' |
Select-Object Name,#{n='OU';e={$_.DistinguishedName -creplace '^.*?,(?=[A-Z]{2}=.*)'}} |
Export-Csv -Path c:\Computers.csv
Note that the CSV export will have a header row and values will be delimited by comma. If you prefer a different delimiter, you can use the -Delimiter parameter or your PowerShell session's default list separator with the -UseCulture switch.
-creplace is a case-sensitive version of -replace operator.
^.*?,(?=[A-Z]{2}=.*) is regex syntax for matching the text to replace. ^ denotes the start of the string. .*?, matches a few characters as possible until a , is matched. But since a CN value can contain , characters, we only want to stop matching when it precedes OU= or DC=. This is why we have positive lookahead (?=[A-Z]{2}=.*). [A-Z]{2} matches exactly two capital letters followed by =.
This what I do, it is a bit slower than the other examples provided but it will prevent any timeout on the Get-ADcomputer cmdlet. I'm also using CanonicalName to have an absolute path of the OU because OUs can have the same name and Canonical is easier to read than Distinguished.
$OUs = Get-ADOrganizationalUnit -Filter * -Properties CanonicalName
$Result = foreach($OU in $OUs)
{
$hash = #{
Filter = 'Enabled -eq $true'
SearchScope = 'OneLevel'
SearchBase = $OU.DistinguishedName
}
foreach($computer in Get-ADComputer #hash)
{
[pscustomobject]#{
ComputerName = $computer.Name
OU = $OU.CanonicalName
}
}
}
I am trying to send a user name (SamAccountName) down the PowerShell Pipeline to find a computer based on the Description property in Active Directory:
The Description property is always "something-UserName"
I know I don't need to send the variable down the pipeline and can simply express it in the filter but I have s specific use case where I need to do this.
This is what I have tried:
"bloggsJ" | %{Get-ADComputer -server domain.com -Filter * -Properties Description | ?{$_.Description -eq "something-$_"}} | select Name
This produces nothing even though there is a computer with a description property of "Something-bloggsJ" on that domain.
Any advice please.
Instead of using the -eq operator, I would use -like.
Something like this:
"bloggsJ", "IanB" | ForEach-Object {
$name = $_
Get-ADComputer -Filter * -Properties Description |
Where-Object {$_.Description -like "*-$name"}
} | Select-Object Name
Inside the ForEach-Object loop, the $_ automatic variable is one of the usernames. Inside the Where-Object clause, this $_ variable represents one ADComputer object, so in order to have the username to create the -like string, you need to capture that name before entering the Where-Object clause.
I believe you are missing the underscore for $_ variable:
"ivan" | ForEach-Object -Process { Get-ADComputer -Filter * -properties description | Where-Object -Property description -eq "something-$_"}
this one is working ...
I have a list of names taken from Oracle that Im trying to find the SamAccountName for. The file is a CSV and some names are "last, first" or "last, first middle initial" and some have three or four names like "alpha bravo charlie delta". The names in the list are likely not the same as listed in AD. Trying to figure out how to sort through this to find AD accounts. The code I currently have is not producing any results.
Import-Module ActiveDirectory
Import-Csv "\\server\users\folder\Oracle_HR.csv"
ForEach-Object{
Get-ADUser -Filter { Name -like "'$($_.name)'"} -Properties Name |
Select-Object Name,SamAccountName |
Export-CSV "\\server\users\folder\Oracle_ADs.csv" -NoTypeInformation
}
The answers by Gabriel Luci and Mathias R. Jessen give good advice on "fuzzy" filtering of AD users.[1]
However, your primary problem is that your ForEach-Object call is not receiving pipeline input, because you haven't connected it to output from the Import-Csv call.
Simply join the two commands with |:
Import-Csv "\\server\users\folder\Oracle_HR.csv" | ForEach-Object { # ...
Secondarily, your -Filter argument { Name -like "'$($_.name)'"} mistakenly applies two layers of quoting and is missing wildcard characters, given that -like compares against the entire field, yet you want substring matching.
Since it's better to avoid the use of script blocks ({ ... }) as -Filter arguments, use a string:
"Name -like `"*$($_.name)*`"" # Note the enclosing '*' to match substrings
Note that I've used embedded " quoting (escaped as `") rather than ' quoting, so as not to break the filter with names that contain ', such as O'Malley.
That said, if, as your question suggests, the names in your CSV data aren't direct substrings of the AD users' .Name property values, the above filter will not be enough, and even the ANR (Ambiguous Name Resolution) technique shown in the linked answers may not be enough.
Thirdly, your Export-Csv call is misplaced: because it is inside the ForEach-Object script block, the same output file gets overwritten in every iteration.
Restructure your command as follows:
Import-Csv ... | ForEach-Object { ... } | Export-Csv ...
Optional reading: ForEach-Object behavior when not providing pipeline input:
The associated script block is executed once.
$_, the automatic variable that contains the current input object, is $null.
[1] Note that the search term in the LDAP filter may need escaping ; per this article, the characters * ( ) \ NUL require escaping and must be escaped as \<hh>, where <hh> is the two-digit hex representation of the char's ASCII code (e.g., * must be escaped as \2A):
$escapedName = -join $(foreach ($c in [char[]] $_.name) { if ('*', '\', '(', ')', "`0" -contains $c) { '\' + ([int] $c).ToString('X2') } else { $c } })
Get-ADUser -LDAPFilter "(anr=$escapedName)"
With $_.name containing string "James* (Jimmy) Smith\Smyth`0", $escapedName would evaluate to literal James\2A \28Jimmy\29 Smith\5CSmyth\00
Keep in mind that the property names in PowerShell are not named the same as the attributes in AD. The Name property corresponds to both the name and cn attributes in AD (both attributes are always the same).
There is also DisplayName (displayName in AD), GivenName (givenName), and Surname (sn). You could try matching against the DisplayName:
Get-ADUser -Filter "DisplayName -eq '$($_.name)'"
If none of those properties match your data exactly, you will have some trouble. No one thing you do will probably work for every account. Hopefully this is just a one-time job and you can work through them in pieces (try one thing, take out the ones that work, and try something different on the rest).
One thing you can try is using AD's Ambiguous Name Resolution (ANR), which will match a search string against several different attributes and even match a first and last name against givenName and sn. That might work with some in your list. You would use it like this:
Get-ADUser -LDAPFilter "(anr=$($_.name))"
If none of that works, you'll have to split the names (for example, by spaces: $_.name.Split(" ")) and try to match pieces of it to different attributes. You'll have to look at your data and see what works.
One approach is to use the Ambiguous Name Resolution feature in Active Directory.
It'll do fuzzy matching against multiple attributes, like the displayName, Name and mail attributes (among others), so it's pretty good for this exact kind of scenario where you don't necessarily know the order or the names or the full name up front:
Get-ADUser -LDAPFilter "(&(anr=$($_.name)))"
I recommend using LDAPFilter and Ambiguous Name Resolution (anr) with Get-ADUser. The algorithm looks up several name fields in different orders to find matches:
Get-ADUser -LDAPFilter "(anr=John Doe)"
Or modifying your code:
Get-ADUser -LDAPFilter "(anr=$($_.name))"
You could try something like the following:
Import-Module ActiveDirectory
$allUsers = Get-Content "\\server\users\folder\Oracle_HR.csv"
$users = #()
ForEach($obj in $allUsers){
$user = Get-ADUser -Filter { GivenName -like $obj} -Properties Name, samAccountName
if(!$user){
$user = Get-ADUser -Filter { SurName -like $obj} -Properties Name, samAccountName
}
if(!$user){
$user = Get-ADUser -Filter { Name -like $obj} -Properties Name, samAccountName
}
if(!$user){
Write-Host "User $obj could not be found" -ForegroundColor Red
}else{
$users += $user
}
}
$users | Select-Object Name,SamAccountName | Export-CSV "\\server\users\folder\Oracle_ADs.csv" -NoTypeInformation
You might need to split the values also like:
Import-Module ActiveDirectory
$allUsers = Get-Content "\\server\users\folder\Oracle_HR.csv"
$users = #()
ForEach($obj in $allUsers){
$objSplit = $obj.Split(",")
foreach($split in $objSplit){
$user = Get-ADUser -Filter { GivenName -like $split} -Properties Name, samAccountName
if(!$user){
$user = Get-ADUser -Filter { SurName -like $split} -Properties Name, samAccountName
}
if(!$user){
$user = Get-ADUser -Filter { Name -like $split} -Properties Name, samAccountName
}
if(!$user){
Write-Host "User $split could not be found" -ForegroundColor Red
}else{
if($users.samAccountName -notcontains $user.SamAccountName){
$users += $user
}
}
}
}
$users | Select-Object Name,SamAccountName | Export-CSV "\\server\users\folder\Oracle_ADs.csv" -NoTypeInformation
I need to move a few hundred AD distro groups to a new OU. I was given their email address only, and wanted to make a script to move them based on samaccountname. I am wondering why the below does not return anything, if I do the groups one-off filtering for email address it works, but foreach returns nothing.
The "groups.txt" listed below is just a list of email addresses.
gc groups.txt | % {
Get-ADGroup -Filter {mail -eq "$_"}| Select-Object -ExpandProperty SamAccountName
}
Remove the quotes you have around $_.
gc groups.txt | % {
Get-ADGroup -Filter {mail -eq $_}| Select-Object -ExpandProperty SamAccountName
}
In your posted filter script block the variable is quoted. Since it is a script block, PowerShell doesn't do any processing first and the ActiveDirectory module expects a variable not surrounded in quotes. That would look for Mail that is literally "$_" and not the email address value of the variable.
Take the "" off of $_
gc groups.txt | %{ Get-ADGroup -Filter {mail -eq "$_"} | select -expandproperty samaccountname}