Trouble retrieving Active Directory computer description - powershell

When I run:
$computer = Get-ADComputer -SearchBase 'OU="Windows 7 Machines",OU="Devices",dc=blah,dc=Local' -Filter 'name -like "computerName"' -Properties Description
I'm able to get the AD description using
$computer.Description
My question is: how do I get the computer description without using the -Properties Description argument?
$computer = Get-ADComputer -SearchBase 'OU="Windows 7 Machines",OU="Devices",dc=blah,dc=Local' -Filter 'name -like "computerName"'
How do I get the description from the $computer variable here?

With Get-ADComputer or some other LDAP query tools? You don't.
Specifying -Properties Description is what tells the Get-ADComputer cmdlet to request the description field from the LDAP server. If you don't specifically request it, the LDAP server does not send it in the response back to the cmdlet. You must specify any fields you want beyond the defaults, and description is not a default field.
I mean sure, ok, you could say -Properties *, and that technically answers your question, but then you're asking for every property (this is bad; it takes much longer).

Related

Powershell deleting user in ADSI from outside LDAP domain

Our application allows the customer to authenticate to their own domain via Ldap but we keep a cached copy of those logons and accounts in "myserver" ADSI. Due to limitations with another part of our application I have a need to delete several thousand of those cached accounts from myserver ADSI.
Keep in mind that this is NOT FOR MY DOMAIN but for the customer's domain. And no, I'm not trying to delete accounts in THEIR domain, just our cached copies in ADSI.
The following line of code does NOT throw an error but it also does NOT delete the acct (neither does piping it to "remove-aduser").
Get-ADObject -Server "myserver:3890" -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory" -filter {name -eq "testuser"} | remove-adobject
Side note: I can query this tree of the default naming context just fine
Get-ADObject -Server "myserver:3890" -filter 'objectclass -like "*"' -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory"
or I can use -ldapfilter switch to get pertinent info about a specific account.
It's a weird situation since I'm NOT dealing with accounts in my own domain. Many other variations on this theme throw errors referencing my own domain, partitions, etc. I've worked through all of those I think. The above examples SHOULD work in my opinion.
Final note: I CAN delete the user in the ADSIEDIT gui but as mentioned, they have given me a list of thousands of accts that need removing. There's gotta be a way?!
I figured it out (I’m feeding it a list of $users)
Get-ADObject -Server "myserver:3890" -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentdirectoryDirectory" -Filter * | Where-Object {$_.name -eq "$user"} | Remove-ADObject -confirm:$false

Powershell - How to get the GUID from a security group to assign acl

I might be missing something, but I am trying to get the GUID from a security group to assign some delegated permissions.
I have some basic code, see below:
$guidmap = get-adgroup -Filter "name -like 'MyOU'" -Properties * | select objectguid
Write-host "Here is what you need: " $guidmap
Not sure why I can't seem to resolve the GUID on this.
The thing to remember is that Powershell is very much an object-based language. One of your best debugging tools will be the Get-Member cmdlet. In this case, it turns out that the output from Select-Object is still an object of type ADGroup (specifically, Selected.Microsoft.ActiveDirectory.Management.ADGroup), when what you want is apparently either a System.GUID or a System.String.
If you want a System.GUID, try
$GUIDMap = (Get-ADGroup -Filter "Name -like 'MyOU'" -Properties ObjectGUID).ObjectGUID
or if you want a System.String, use
$GUIDMap = (Get-ADGroup -Filter "Name -like 'MyOU'" -Properties ObjectGUID).ObjectGUID.GUID
(Incidentally, if you're retrieving the information for a single specific group, you don't need to use the -Filter parameter and expression; you can use -Identity instead - Get-ADGroup -Identity MyOU -Properties ObjectGUID...)

Powershell - Unable to pass variable to commandlet

When I'm holding a variable and passing it to a commandlet I am getting inconsistent results. Maybe I am just plain using variables in powershell incorrectly? If there were a way to see exactly the line of code my Visual Studio Code was sending at runtime that would be helpful.
My code returns a $null object when executing those first two filters. I've confirmed that $username actually does contain the string "userLoginName" but it doesn't seem to pass to the Get-ADUser commandlet correctly.
PS C:\> $username = "userLoginName"
PS C:\> Get-ADUser -Filter {SAMAccountName -eq "$($username)"}
PS C:\> Get-ADUser -Filter {SAMAccountName -eq "$username"}
PS C:\> Get-ADUser -Filter {SAMAccountName -eq "userLoginName"}
Why is it that only the third -filter command runs successfully? The first two return $null, not a UserNotFound kind of exception or anything. What am I doing wrong here? Do I just have no concept of how to use variables in powershell (yes)? Sorry for being a noob, but thank you for your time.
See this post. The AD calls' -Filter parameter doesn't like taking in string variables as part of a ScriptBlock for some reason (you can read the post for more info). But passing -Filter as a String should work.
Get-ADUser -Filter "SAMAccountName -eq '$username'"
Alternatively, if you're just wanting to look up an AD user with the SAMAccountName, you can just do Get-ADUser -Identity $username. That's probably easier. The benefit (or sometimes the consequence) of using the -Filter parameter is that, like you discovered, it won't throw an exception if a user is not found. If you use the -Identity parameter, it WILL throw an exception if a user is not found.
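An added example, not part of the original answer: once a variable is interpolated into a filter string, its characters are parsed as filter syntax, so a value containing `*` or parentheses changes what is matched. The sketch below uses -LDAPFilter with RFC 4515 escaping instead; the function names and sample values are constructed for illustration.

```powershell
# Added example; function names and sample inputs are constructed, not from the post.

function ConvertTo-LdapFilterLiteral {
    # Escape the characters RFC 4515 reserves inside an LDAP filter value.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # Backslash goes first so the escapes added afterwards are not escaped again.
    $out = $Value.Replace('\', '\5c')
    $out = $out.Replace('*', '\2a')
    $out = $out.Replace('(', '\28')
    $out = $out.Replace(')', '\29')
    $out = $out.Replace([string][char]0, '\00')
    return $out
}

function Find-ADUserBySamAccountName {
    # Requires the ActiveDirectory module. Returns $null when nothing matches
    # (the -Filter behaviour) instead of throwing as -Identity does.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $literal = ConvertTo-LdapFilterLiteral -Value $SamAccountName
    $found = @(Get-ADUser -LDAPFilter "(sAMAccountName=$literal)")
    if ($found.Count -gt 1) {
        throw ('{0} accounts matched; refusing to guess.' -f $found.Count)
    }
    if ($found.Count -eq 1) { return $found[0] }
    return $null
}

# Runs without a directory: shows what each constructed value becomes in the filter.
foreach ($value in 'userLoginName', 'a*', 'svc(app)', 'dom\user') {
    '{0,-14} -> (sAMAccountName={1})' -f $value, (ConvertTo-LdapFilterLiteral -Value $value)
}
```

Callers of Find-ADUserBySamAccountName test the result for $null rather than wrapping the call in try/catch.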

How to retrieve only enabled users from the Active Directory

I'm trying to retrieve only enabled users in the AD. When I run this code line it returns the error. I tried using a filter as well to filter only enabled users for the requested info but it returns ALL users from every domain instead of just the single id.
Get-ADUser : A positional parameter cannot be found that accepts argument 'enabled -eq 'true''.
This is my code that is throwing the error.
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter '*' | Get-ADUser Where "enabled -eq 'true'" | Get-ADUser -Properties ('Mail')
This one returns ALL users from every domain
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter "enabled -eq'true'" | Get-ADUser -Properties ('Mail')
Is my syntax wrong on both of them? If I just want to return values from say "Animal shop A" and then "Animal Shop B"
.. or a little bit shorter this way:
Get-ADUser -Filter 'enabled -eq $true' -Properties mail |
Select-Object -Property Name,samaccountname,mail
Besides this I would recommend using a -SearchBase. That's less stressful for the AD. ;-)
Get-ADUser -Filter * -Properties mail | Where { $_.Enabled -eq $True} | Select Name,samaccountname,mail
That will get all enabled users in your target domain that are enabled and display the name, username, and mail properties.
Important to know for both commands:
You must work with an elevated powershell process.
Otherwise the result may not be complete.
get-aduser -filter 'enabled -eq "true"' -ResultSetSize $Null
Simply try the command below in PowerShell with administrator permissions.
As a guide, the first part retrieves the users, the second part filters for enabled users, and the last part exports the results.
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -eq $true} | Export-Csv -Path C:\eport.csv -Encoding ascii -NoTypeInformation
Hope this is useful for you.
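An added example, not taken from any of the answers above: to limit the result to the members of the groups named in the question, keep the group membership as the pipeline input and apply the enabled check after each member has been looked up. The function name is constructed for illustration; the group names are the ones from the question.

```powershell
# Added example; the function name is constructed, group names are from the question.
function Get-EnabledGroupUser {
    param(
        [Parameter(Mandatory)][string[]]$GroupName,
        [switch]$Recursive   # also follow nested groups
    )
    foreach ($name in $GroupName) {
        # Each member is piped to Get-ADUser as its identity; the enabled
        # check runs on the returned user objects afterwards.
        Get-ADGroupMember -Identity $name -Recursive:$Recursive |
            Where-Object { $_.objectClass -eq 'user' } |   # skip computers and groups
            Get-ADUser -Properties mail |                  # one lookup per member
            Where-Object { $_.Enabled } |
            Select-Object @{ Name = 'Group'; Expression = { $name } },
                          Name, SamAccountName, mail
    }
}

Get-EnabledGroupUser -GroupName 'Animal Shop A', 'Animal Shop B' |
    Sort-Object Group, Name |
    Format-Table -AutoSize
```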

Trying to change displayname in AD LDS with Powershell

I have an online learning management system with most of its data in sql server but its page structure and contents in an AD LDS instance. I have a few classes which have already been set up with 50 pages called "Unused Portfolio 01" through "Unused Portfolio 50". These are their displaynames. Their CNs are "Portfolio 01" through "Portfolio 50".
I need to change the displaynames to each have a different student's name, in the format "Last, First". I am trying to use Active Directory Module for Windows Powershell. Right now I am on a test server trying to make this work for just a few pages. I can't manage to change more than one displayname at a time.
I can get a list of the objects for these pages:
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US'
I get the distinguishedname, name, objectclass, and objectguid for all three expected objects and no unexpected objects. Great.
I can change any one object's displayname at a time:
set-adobject -Server localhost:389 -identity "CN=Portfolio 01,CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US" -displayname "testing"
The specified object has its displayname changed to "testing". Awesome.
I'm trying to use this to change all of the displaynames for these three objects to "testing" at once, and obviously I have something wrong because it is not working:
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US' | foreach-object 'set-adobject -Server localhost:389 -identity $_ -displayname "testing"'
The ultimate goal is that I will have a csv file (which I will have gotten from an sql query from the sql server) containing a "number" column 01 to 50, a "lastname" column, and a "firstname" column, and I will change each page's display name to match "<lastname>, <firstname>" for each student, but I'm not at that point yet.
Thanks for any help you can offer.
Foreach-Object uses a script block and not a string, so use:
something | Foreach-Object {Do something with $_}
This might be due to the fact that $_ contains an object and not its DN: $_.DistinguishedName. Also what ojk says.
Get-ADObject -Server localhost:389 -filter 'displayname -like "*Portfolio*" -and cn -like "Portfolio*"' -searchbase 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US' | foreach-object {set-adobject -Server localhost:389 -identity $_.DistinguishedName -displayname "testing"}
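A sketch of the CSV step the question describes as its ultimate goal, added here and not part of the original thread. The column names, server, search base and the "Unused Portfolio" prefix follow the question; the sample rows are constructed, and -WhatIf keeps the run a dry run.

```powershell
# Added example. Sample rows are constructed; in practice use Import-Csv on the exported file.
$rows = @'
number,lastname,firstname
01,Nguyen,Alex
02,Okafor,Sam
'@ | ConvertFrom-Csv

$server = 'localhost:389'
$base   = 'CN=DMIN2013-LMS 101-02,CN=LMS 101,CN=LMS,CN=Academics,CN=Portal,O=Jenzabar,C=US'

foreach ($row in $rows) {
    $dn      = 'CN=Portfolio {0},{1}' -f $row.number, $base
    $display = '{0}, {1}' -f $row.lastname, $row.firstname
    try {
        $page = Get-ADObject -Server $server -Identity $dn -Properties displayName -ErrorAction Stop
        if ($page.displayName -notlike 'Unused Portfolio*') {
            # Do not overwrite a page that has already been assigned.
            Write-Warning ('Skipping {0}: displayName is already "{1}"' -f $dn, $page.displayName)
            continue
        }
        # Pass the DN, as in the answer above. Remove -WhatIf to apply the change.
        Set-ADObject -Server $server -Identity $page.DistinguishedName -DisplayName $display -WhatIf
    }
    catch {
        Write-Warning ('Failed for {0}: {1}' -f $dn, $_.Exception.Message)
    }
}
```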