Trouble with capturing a group of users - powershell

I am trying to get a subset of users. I want to capture a list of group members, but only those who have a canonical name that starts with "contoso.com". Here is the code snippet; hopefully someone can help me.
Get-ADGroupMember -Identity $GroupName | where{$_.ObjectClass -eq "User"} | Get-ADUser -Properties CanonicalName | Select CanonicalName | where{$_.CanonicalName -Like "contonso.com"}

Get-ADGroupMember -Identity $group | where{$_.ObjectClass -eq "User"} | Get-ADUser -Properties CanonicalName | where{$_.CanonicalName -match "contoso.com"} | select Canonicalname,name

You need to add a wildcard so that the remaining characters in the CanonicalName will match something in the -like criteria:
...where{$_.CanonicalName -Like "contoso.com*"}
                      # add a wildcard here ^
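The question asks for names that start with "contoso.com", and the two suggestions above differ on that point: `-match` is an unanchored regex, while `-like` with a trailing `*` accepts any longer domain that shares the prefix. The following is an added example, not code from the original posts; the sample canonical names are constructed and `Select-ByDomain` is a hypothetical helper.

```powershell
# Constructed sample values (not from a real directory).
$canonicalNames = @(
    'contoso.com/Staff/Jane Doe'
    'contoso.com.partner.example/Staff/Sam Roe'
    'fabrikam.com/Vendors/contoso-com/Max Poe'
)

# Hypothetical helper: keep only names whose domain part is exactly $Domain.
function Select-ByDomain {
    param(
        [Parameter(Mandatory)][string[]]$CanonicalName,
        [Parameter(Mandatory)][string]$Domain
    )
    # CanonicalName has the form "<domain>/<container path>/<name>", so anchor
    # at the start, escape the dots, and require the "/" that ends the domain.
    $pattern = '^' + [regex]::Escape($Domain) + '/'
    @($CanonicalName -match $pattern)
}

$results = [ordered]@{
    # Regex, unanchored: "." matches any character, and the match may occur anywhere.
    "-match 'contoso.com'"  = @($canonicalNames -match 'contoso.com')
    # Wildcard prefix: also accepts contoso.com.partner.example.
    "-like 'contoso.com*'"  = @($canonicalNames -like 'contoso.com*')
    # Wildcard prefix including the "/" separator: exact domain only.
    "-like 'contoso.com/*'" = @($canonicalNames -like 'contoso.com/*')
    # Anchored, escaped regex: exact domain only.
    'Select-ByDomain'       = Select-ByDomain -CanonicalName $canonicalNames -Domain 'contoso.com'
}

foreach ($test in $results.Keys) {
    '{0,-22} -> {1}' -f $test, ($results[$test] -join ' | ')
}
```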

Related

Upstream filtering a users AD users group membership list by wild-carded string

I have a requirement to combine Get-ADUser and Get-ADGroup (with filtering) to retrieve a list of a user's groups, only where the group name matches a wildcard pattern I specify.
Getting the whole list of a user's groups can be slow over VPN when WFH. So instead of retrieving all the user's group names into an array, then looping through that to find the matching names I need, can I include the group name filtering further upstream in the Get-ADUser call, or the Get-ADGroup call?
My question isn't so much "how is it done?" but "can it be done?", and would it actually be any quicker than pulling all group names into an array then looping.
Something like:
$SEC_GROUPS = (Get-ADUser $_ -Properties MemberOf).memberof |
Get-ADGroup -filter {Name -like "*SEC*"} -Properties Name,Description |
Select-Object Name,Description |
Sort-Object name
Thank you for any replies so far
I had another bash and thought this worked:
$SEC_GROUPS = (get-aduser $_ -properties Memberof).memberof |
Get-ADGroup -filter 'Name -like "*SEC*"' -Properties Name,Description -ErrorAction SilentlyContinue |
select-object Name,Description |
Sort-Object Name
But it pulls all matching AD groups, not just those the user is a member of.
Update: Using the comment from Santiago below was the trick. Remember, for speed I needed to retrieve only the user groups matching the group name pattern I specify, as early as possible, with no manual processing of the full groups list.
$SEC_GROUPS = (get-aduser $_ -properties Memberof).memberof -like '*SEC*' |
Get-ADGroup -Properties Name,Description |
select-object Name,Description |
Sort-Object Name
I found that, even when my group names started with SEC, I still needed to include the * on both sides of the match pattern; using SEC* didn't work. I'm guessing this is because the match target starts with CN=SEC_whatever.
You can use the Active Directory Filter to search for all groups having your user as member and having a name containing SEC. This is as fast as it gets in my opinion.
$user = (Get-ADUser someUser).DistinguishedName
$groups = Get-ADGroup -LDAPFilter "(&(member=$user)(name=*SEC*))" -Properties Description |
Select-Object Name, Description |
Sort-Object Name
If you want to give it a try, you can also filter the memberOf property of your user, including those having a CN (common name) containing SEC (I don't think this will be faster or more robust than the previous snippet):
$groups = (Get-ADUser someUser -Properties memberOf).memberOf -match '(?<=^CN=).*SEC.*?(?<!\\),' |
Get-ADGroup -Properties Description |
Select-Object Name, Description |
Sort-Object Name
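The `-LDAPFilter` snippet above places a distinguished name directly into the filter string; a DN or name fragment that contains `\`, `*`, `(` or `)` has to be escaped per RFC 4515 first, otherwise the filter is malformed or matches something other than intended. The following is an added example, not part of the original answers; `ConvertTo-LdapFilterValue`, `New-MemberGroupFilter` and the sample DN are hypothetical and constructed for illustration.

```powershell
# Hypothetical helper: escape a value for use inside an LDAP search filter.
# RFC 4515 requires \ * ( ) and NUL to be written as a backslash plus two hex digits.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\{0:x2}' -f [int]$m.Value[0]
    })
}

# Hypothetical helper: build the "groups this user is a member of whose name
# contains a fragment" filter from the answer above, with both values escaped.
function New-MemberGroupFilter {
    param(
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][string]$NameFragment
    )
    $dn   = ConvertTo-LdapFilterValue -Value $UserDn
    $name = ConvertTo-LdapFilterValue -Value $NameFragment
    # The surrounding * are added after escaping, so they stay real wildcards.
    "(&(member=$dn)(name=*$name*))"
}

# Constructed sample DN: the escaped comma and the parentheses are legal in a
# DN but are not legal as-is inside a filter value.
$sampleDn = 'CN=Doe\, John (Ops),OU=Staff,DC=contoso,DC=com'

# Unescaped interpolation, as in the snippet above: stray parentheses and backslash.
"(&(member=$sampleDn)(name=*SEC*))"

# Escaped: the DN and the fragment are treated as literal text.
$filter = New-MemberGroupFilter -UserDn $sampleDn -NameFragment 'SEC'
$filter

# A fragment that itself contains filter metacharacters is neutralised too.
New-MemberGroupFilter -UserDn $sampleDn -NameFragment 'SEC)(name=*'

# With the ActiveDirectory module available, the result is used as before:
# Get-ADGroup -LDAPFilter $filter -Properties Description |
#     Select-Object Name, Description | Sort-Object Name
```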

powershell get-aduser query with two or more name variables

I'm trying to get a PowerShell query with two displaynames in it. It works fine with one displayname.
Get-ADUser -Filter "displayName -like '**'" -SearchBase "OU= ,OU= ,OU= AG,DC= ,DC=" -Properties * | select-object mail | sort-object
How can I insert more displayname variables into the code?
You can use OR in the filter:
Get-ADUser -Filter "DisplayName -like '*user1*' -or DisplayName -like '*user2*'" -SearchBase "OU= ,OU= ,OU= AG,DC= ,DC=" -Properties Mail |
Select-Object -ExpandProperty Mail | Sort-Object
Using LDAP Filter you can do like this (using | as OR)
Get-ADUser -LDAPFilter "(|(cn=*user1*)(cn=*user2*))" -SearchBase "OU= ,OU= ,OU= AG,DC= ,DC=" -Properties Mail |
Select-Object -ExpandProperty Mail | Sort-Object

powershell script to query all users that belong to a certain group name and its variants

I'm trying to find all users that belong to the group "Windows".
I want to display their id, last name, first name.
desired output format:
Windows Users,1234567,John,Doe
Windows Administators,7654321,Jane,Doe
This one-liner does more or less what I want, but I need to modify the identity parameter every time from "Windows Users" to "Windows PowerUsers" to "Windows Administrators" etc.
example:
Get-ADGroupMember -identity "Windows Users" -Recursive | Get-ADUser | select SamAccountName, Surname, GivenName
So I attempted to put it all together, but it's giving me errors.
$ADGroups = Get-ADGroup -Filter {name -like "Windows*"}
foreach ($ADGroup in $ADGroups) {
Get-ADGroup -filter {Name -eq $ADGroup.Name} | Get-ADGroupMember -identity
$ADGroup.Name -Recursive | Get-ADUser | select SamAccountName, Surname, GivenName
}
Any ideas will be greatly appreciated. I can't figure out how to capture all users that belong to the group Windows* such as "Windows Users" to "Windows PowerUsers" to "Windows Administrators" etc.
Note: I looked into this, but it's not quite what I'm looking for: "Powershell script to display all Users in a Group AD".
Thank you.
Your example is a good start.
Try this one. It should do the job:
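Get-ADGroup -Filter {name -like "Windows*"} | foreach {
    # Remember the group name so it can be emitted next to each member
    $currentGroup = $_.Name
    $_ | Get-ADGroupMember | foreach {
        # Calculated property (@{...}) adds the group name as the first column
        $_ | Get-ADUser | select @{name="Group"; expression={ $currentGroup }}, SamAccountName, Surname, GivenName
    }
}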
I don't have access to AD at the moment, but I would give this a try:
get-aduser -filter {memberof -like "Windows*"} -property samaccountname,surname,givenname,memberof | select samaccountname,surname,givenname
OR you could try this inside your original foreach loop...
get-adgroup -filter {name -eq $adgroup.name} | select -expand members | get-aduser $_ | select samaccountname,surname,givenname
I can't remember what "members" produces, I believe it is samaccountname if not you could add an ldap filter to get-aduser -filter {whatever -eq $_}

Matching ProxyAddresses to Surname and Firstname

I'm trying to pull some information from AD but having difficulty. I'm trying to get a list of users that have the PRIMARY smtp address from the ProxyAddresses attribute (an array) in a specific format (SMTP:firstname.lastname*) only. I only want the ones that match "SMTP" (case sensitive) and of those only those that have the email address in the format of firstname.lastname.
Get-ADUser -SearchBase "DC=corp,DC=companyx,DC=com" -Filter * -Properties ProxyAddresses,sn,givenname,displayname,mail |
Where-Object {$_.ProxyAddresses -clike "SMTP:{$_.givenname+$_.sn}*"} # | Select-Object proxyaddresses,displayName,givenName,sn
Try this:
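# -cmatch keeps the SMTP: prefix case-sensitive; (?i) relaxes case for the name part only, and one anchored pattern ties both checks to the same address
Get-ADUser -SearchBase "DC=corp,DC=companyx,DC=com" -Filter * -Properties ProxyAddresses,sn,givenname,displayname,mail |
Where-Object { $_.ProxyAddresses -cmatch "^SMTP:(?i)$([regex]::Escape($_.givenname))\.$([regex]::Escape($_.sn))" }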

How to show all value that have a null entry in a specific column

I am wanting to bring forward a CSV file containing all users' Name, SamAccountName and Description; however, we have noticed that there are several people who do not have descriptions. What I am looking for is how to edit my existing code (I know there's a simple way to do it, I just can't remember it) so that it filters my output so it only shows users who have no description.
Get-ADUser -Filter * -Properties Name,SamAccountName,Description -SearchBase "DC=REMOVED,DC=com" |
? { $_.Enabled -notlike "FALSE" } |
Select Name,SamAccountName,Description |
Export-Csv "C:\scripts\NoDescriptionUsers.csv"
You need to add another condition in your Where-Object scriptblock since you can't filter empty values with an LDAP-Query AFAIK. One suggestion:
Get-ADUser -Filter * -Properties Name,SamAccountName,Description -SearchBase "DC=REMOVED,DC=com" |
? { $_.Enabled -notlike "FALSE" -and [string]::IsNullOrWhiteSpace($_.Description) } |
Select Name,SamAccountName,Description |
Export-Csv "C:\scripts\NoDescriptionUsers.csv"
Personally I would also move the enabled-check into a filter in Get-ADUser to speed things up. Now the DC will only send you enabled users instead of all users. Try:
Get-ADUser -Filter { Enabled -eq $true } -Properties Name,SamAccountName,Description -SearchBase "DC=REMOVED,DC=com" |
? { [string]::IsNullOrWhiteSpace($_.Description) } |
Select Name,SamAccountName,Description |
Export-Csv "C:\scripts\NoDescriptionUsers.csv"