Powershell AD user search by name and OU - powershell

I receive task on studies to create command that will find a specific users in specific OU in Active Directory.
More precise, find all persons that name is A* and are located in OU *es.
After hours of researching I created such commands:
For finding all A* users:
Get-ADUser -filter {name -like "A*"}
For finding all *es OU
Get-ADObject -filter {OU -like "*es"}
And I don't have idea how to connect those outputs.
I was thinking about such resolutions, but they don't work for me.
$var = Get-ADObject -filter {OU -like "*es"} | Select DistinguishedName
Get-ADUser -filter {name -like "A*"} -SearchBase $var
Or
Get-ADUser -filter {name -like "A*" -and OU -like "*es"}
I'm lost, please advice.

You could first use the server filter to get all A*users and then filter the OU on the client using the Where-Object cmdlet:
Get-ADUser -filter {Name -like 'A*'} | Where-Object DistinguishedName -like '*OU=*es*'
If you know all your OU you want to filter, consider using the -SearchBase Parameter. More information here.

Related

Users in ADGroup with direct reports

I want a list of users in ATL Users that have direct reports.
Part 1: Group Membership
I can get the users in a group.
Get-ADGroupMember "ATL Users" | Where objectClass -eq "user"
Part 2: Filter for Direct Reports
I can get a list of users with direct reports, but very slowly (scans entire tree).
Get-ADUser -Filter "DirectReports -like '*'"
Question
How can I get the list of users in ATL Users then -Filter those users by if they have direct reports?
This is readily done with an LDAP filter using memberOf. If this is a one-off query and you know the group's distinguished name (cn=ATL Users,ou=groups,dc=domain,dc=gTLD in this example), you can use:
get-aduser -LDAPFilter "(&(memberOf=cn=ATL Users,ou=groups,dc=domain,dc=gTLD)(directReports=*)(objectClass=user))"
If you will be running this query repeatedly, it would be best to get the group object from a search so directory restructuring won't break your query.
PS> $groupFQDN = (get-adgroup -identity "ATL Users").distinguishedName
PS> $groupFQDN
CN=ATL Users,OU=NewGroupsOU,DC=company,DC=gTLD
PS> get-aduser -LDAPFilter "(&(memberOf=$groupFQDN)(directReports=*)(objectClass=user))"
You can just pipe a foreach into Get-ADUser -filter after Get-ADGroupMember
Example:
Get-ADGroupMember "ATL Users" | Where-Object {$_.ObjectClass -eq "user"} | foreach {Get-ADUser $_.samaccountname -properties Name, DirectReports | Where-Object {$_.DirectReports -like "*"} |Select Name, DirectReports}

How to retrieve only enabled users from the Active Directory

I'm trying to retrieve only enabled users in the AD. When I run this code line it returns the error. I tried using a filter as well to filter only enabled users for the requested info but it returns ALL users from every domain instead of just the single id.
Get-ADUser : A positional parameter cannot be found that accepts argument 'enabled -eq 'true''.
This is my code that is throwing the error.
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter '*' | Get-ADUser Where "enabled -eq 'true'" | Get-ADUser -Properties ('Mail')
This one returns ALL users from every domain
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter "enabled -eq'true'" | Get-ADUser -Properties ('Mail')
Is my syntax wrong on both of them? If I just want to return values from say "Animal shop A" and then "Animal Shop B"
.. or a little bit shorter this way:
Get-ADUser -Filter 'enabled -eq $true' -Properties mail |
Select-Object -Property Name,samaccountname,mail
Besides this I would recommend to use a -SearchBase. That's less stressful for the AD. ;-)
Get-ADUser -Filter * -Properties mail | Where { $_.Enabled -eq $True} | Select Name,samaccountname,mail
That will get all enabled users in your target domain that are enabled and display the name, username, and mail properties
Important to know for both commands:
You must work with an elevated powershell process.
Otherwise the result may not be complete.
get-aduser -filter 'enabled -eq "true"' -ResultSetSize $Null
simply try below commands in powershell as administrator permission.
As a guide, the first part will filter users, second part filtered enabled users and last part will give you export of results.
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like “false”} | Export-Csv -Path C:\eport.csv -Encoding ascii -NoTypeInformation
hope to be useful for you.

Trying to change displayname in AD LDS with Powershell

I have an online learning management system with most of its data in sql server but its page structure and contents in an AD LDS instance. I have a few classes which have already been set up with 50 pages called "Unused Portfolio 01" through "Unused Portfolio 50". These are their displaynames. Their CNs are "Portfolio 01" through "Portfolio 50".
I need to change the displaynames to each have a different student's name, in the format "Last, First". I am trying to use Active Directory Module for Windows Powershell. Right now I am on a test server trying to make this work for just a few pages. I can't manage to change more than one displayname at a time.
I can get a list of the objects for these pages:
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US'
I get the distinguishedname, name, objectclass, and objectguid for all three expected objects and no unexpected objects. Great.
I can change any one object's displayname at a time:
set-adobject -Server localhost:389 -identity "CN=Portfolio 01,CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US" -displayname "testing"
The specified object has its displayname changed to "testing". Awesome.
I'm trying to use this to change all of the displaynames for these three objects to "testing" at once, and obviously I have something wrong because it is not working:
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US' | foreach-object 'set-adobject -Server localhost:389 -identity $_ -displayname "testing"'
The ultimate goal is that I will have a csv file (which I will have gotten from an sql query from the sql server) containing a "number" column 01 to 50, a "lastname" column, and a "firstname" column, and I will change each page's display name to match ", " for each student, but I'm not at that point yet.
Thanks for any help you can offer.
Foreach-Object uses a script block and not a string, so use:
something | Foreach-Object {Do something with $_}
This might be due to the fact that $_ contains an object and not its DN. $_.DistinguishedName. Also what ojk says
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US' | foreach-object {set-adobject -Server localhost:389 -identity $_.DistinguishedName -displayname "testing"}

get all computer accounts and remove-ADPrincipalGroupMembership

I'm trying to remove all the principal group memberships starting with the name of all computer accounts in one specific ou.
I've tried browsing to the OU with the AD provider, typing gci and getting a list of all the computers in the ou to find their ADPrincipalGroupMembership which works. Also, using get-adcomputer -searchbase <ou> -filter * works too. But I can't then remove every group that each machine is a member of.
When I then try to expand on that with remove-ADPrincipalGroupMembership, my input for the groups to remove are system.string and remove-ADPrincipalGroupMembership won't accept that. I have something like this so far/
Get-ADComputer -SearchBase 'OU=blahblah' -Filter * |
Remove-ADPrincipalGroupMembership -MemberOf (Get-ADGroup -Filter 'name -like "17"')
I've read help and examples but I can't find how to do this. I don't want to give up and just use the gui :)
thank you
You can try this...I am not able to test it to confirm it works, but I think it should.
$Comps = Get-ADComputer -SearchBase 'OU=blahblah' -Filter * -Prop MemberOf
Foreach ($Comp in $Comps)
{
$Groups = $Comp.MemberOf | ? {$_ -like "CN=17*"}
if ($Groups)
{
Remove-ADPrincipalGroupMembership -Identity $Comp -MemberOf $Groups -Whatif #-Confirm $False
}
}
Assuming it works with the -whatif statement, by default I believe that command will prompt you if you're sure about each removal which could be a pain so you could uncomment -confirm $false to try and avoid that.
Also it is assuming the distinguished name of each group is going to be something along the lines of
CN=17groupA,OU=Computer Groups,OU=Computer,DC=TEST,DC=NET

Make all users within the domain a member of a security group

Using either Powershell or VBS, how can I make all of the users within my domain who have an email address a member of a specific security group?
import ActiveDirectory
$Group = Get-ADGroup -filter {Name -eq "GroupName"}
Get-ADUser -filter {EmailAddress -like "*"} | % {Add-ADGroupMember $Group $_}