Powershell script to list group membership - powershell

I have written the below script to list all users who are "contractors" (employeetype=contractors) and are not part of a particular group like "domain contractors", but it is not working. Can someone help? :)
$adusers = get-aduser -filter * -searchbase "OU=test,dc=domain,dc=com" -properties employeetype | where {($_.employeetype -like "contractor") -AND ($_.enabled -eq $true)}
foreach ($aduser in $adusers){
    $contractorsDn = (Get-ADGroup 'domaincontractors').DistinguishedName
    Get-ADUser $aduser -LDAPFilter "(!(memberof=$contractorsDn))"
}

$users = get-aduser -filter {(employeetype -like "contractor") -AND (enabled -eq $true)} -searchbase "dc=domain,dc=COM" -properties employeetype
$group = "Domaincontractors"
# Recursive membership, flattened to a list of distinguished names
$members = Get-ADGroupMember -Identity $group -Recursive | Select -ExpandProperty DistinguishedName
ForEach ($user in $users) {
    # Compare DN with DN; $user itself is an ADUser object, not a string
    If ($members -contains $user.DistinguishedName) {
        write-host "$user exists" -ForegroundColor Red
    } Else {
        write-host "$user doesn't exist" -ForegroundColor Green
    }
}

Related

Get-ADuser multiple exclude users

I want to exclude some users inside AD, e.g.
TST292736ca
PRD1212ca
PRD212132121ca
PRD293873
PRD122
TST141444
TST122
cyberhw12
and so on.
My question is: I want to exclude "users starting with TST and ending with ca", "users starting with PRD and ending with ca", and users "starting with cyber".
Script:
get-aduser -filter * -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress |where {$_.Enabled -eq "True"} | where { $_.PasswordNeverExpires -eq $false } | where { $_.passwordexpired -eq $false }
I would do it something like this: fill $ADUsersExcluded with the excluded users and, with foreach and if, fill a new array $filteredUsers with the remaining users.
[array]$ADUsersExcluded = @()
$ADUsersExcluded += Get-ADUser -Filter {SamAccountName -like "TST*ca"}
$ADUsersExcluded += Get-ADUser -Filter {SamAccountName -like "PRD*ca"}
$ADUsersExcluded += Get-ADUser -Filter {SamAccountName -like "cyber*"}
$AllUsers = Get-ADUser -Filter * -Properties Name,PasswordNeverExpires,PasswordExpired,PasswordLastSet,EmailAddress | Where-Object {$_.Enabled -eq "True"} | Where-Object { $_.PasswordNeverExpires -eq $false } | Where-Object { $_.passwordexpired -eq $false }
# Compare by distinguished name rather than by object reference
$excludedDns = $ADUsersExcluded | Select-Object -ExpandProperty DistinguishedName
[array]$filteredUsers = @()
foreach($user in $AllUsers) {
    if($excludedDns -notcontains $user.DistinguishedName){
        $filteredUsers += $user
    }
}
$filteredUsers
First, don't forget to import the AD module. Check the condition values.
[array] $ADExcludedUser = 'User1', 'User2', 'User3'
$AllUsers = Get-ADUser -Filter * -Properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress | Where-Object { ( $_.Enabled -eq "True" ) -and ( $_.PasswordNeverExpires -eq $false ) -and ( $_.name -notin $ADExcludedUser ) }
$AllUsersExceptExcluded = $AllUsers | where-object { $_.name -notin $ADExcludedUser }
write-host -object $AllUsersExceptExcluded
I would use a regex -notmatch for this:
Get-ADUser -Filter "Enabled -eq $true" -Properties PasswordNeverExpires, PasswordExpired, PasswordLastSet, EmailAddress |
Where-Object { $_.PasswordNeverExpires -eq $false -and $_.PasswordExpired -eq $false -and $_.Name -notmatch '^(TST|PRD).*ca$|^cyber' }
If you need case sensitivity, change -notmatch to -cnotmatch.

Powershell - Ad user from OU to Security groups if not members of several groups

I'm writing a script to check whether users from a specific OU are not members of Group 1, Group 2, Group 3 or Group 4.
I have tried this, but some users are getting listed when they are not supposed to be.
get-aduser -filter * -searchbase "$Ou" | where-object {((get-aduser $_.samaccountname -properties memberof).memberof -ne "$grp1") -or ((get-aduser $_.samaccountname -properties memberof).memberof -ne "grp2") -or ((get-aduser $_.samaccountname -properties memberof).memberof -ne "grp3") -or ((get-aduser $_.samaccountname -properties memberof).memberof -ne "grp4")} | Select SamAccountName
Not sure I follow, but it sounds like you're asking for something like this:
$ou = 'OU=crowleytest,DC=contoso,DC=local'
$group1 = 'CN=group1,OU=crowleytest,DC=contoso,DC=local'
$group2 = 'CN=group2,OU=crowleytest,DC=contoso,DC=local'
$group3 = 'CN=group3,OU=crowleytest,DC=contoso,DC=local'
$group4 = 'CN=group4,OU=crowleytest,DC=contoso,DC=local'
$users = Get-ADUser -SearchBase $ou -Filter * -Properties memberof
$results = $users | where {
    $_.memberof -notcontains $group1 -and
    $_.memberof -notcontains $group2 -and
    $_.memberof -notcontains $group3 -and
    $_.memberof -notcontains $group4
}
$results
Note - This filter could also be moved to the left into the -Filter parameter for better performance, but that requires a different syntax. If you're not working with a huge list of users, the example above should suffice.
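An added example (not code from any of the posts on this page) that pushes the group exclusion from this thread, and from the contractors thread at the top of the page, into a server-side LDAP filter: the domain controller does the filtering, and the group DN is escaped so it cannot widen the query. It assumes the RSAT ActiveDirectory module; the group names, OU paths and employeeType value are placeholders.

```powershell
Import-Module ActiveDirectory

function ConvertTo-LdapEscapedValue {
    # RFC 4515 escaping, backslash first, so a value containing \ * ( or ) cannot break or widen the filter
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function New-NotMemberOfFilter {
    # Builds an LDAP filter for enabled user accounts that are in none of the named groups
    param(
        [Parameter(Mandatory)][string[]]$GroupName,
        [string]$EmployeeType,
        [switch]$Recursive
    )
    $clauses = foreach ($g in $GroupName) {
        $dn = ConvertTo-LdapEscapedValue (Get-ADGroup -Identity $g).DistinguishedName
        if ($Recursive) { "(!(memberOf:1.2.840.113556.1.4.1941:=$dn))" }  # nested membership (LDAP_MATCHING_RULE_IN_CHAIN)
        else            { "(!(memberOf=$dn))" }                            # direct membership only
    }
    $enabled = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'         # bit 2 = ACCOUNTDISABLE
    $type = if ($EmployeeType) { "(employeeType=$(ConvertTo-LdapEscapedValue $EmployeeType))" } else { '' }
    "(&(objectCategory=person)(objectClass=user)$enabled$type$(-join $clauses))"
}

# Contractors thread: enabled contractors who are not direct members of the contractors group (placeholder names)
$filter = New-NotMemberOfFilter -GroupName 'domaincontractors' -EmployeeType 'contractor'
Get-ADUser -LDAPFilter $filter -SearchBase 'OU=test,DC=domain,DC=com' -Properties employeeType |
    Select-Object SamAccountName, employeeType

# This thread: users under an OU who are in none of four groups, nested membership included (placeholder names)
$filter = New-NotMemberOfFilter -GroupName 'group1','group2','group3','group4' -Recursive
Get-ADUser -LDAPFilter $filter -SearchBase 'OU=crowleytest,DC=contoso,DC=local' | Select-Object SamAccountName
```

memberOf never lists a user's primary group (usually Domain Users), so a primary-group membership is not detected by either form. The 1.2.840.113556.1.4.1941 rule walks group nesting on the server and can be slow against deeply nested or very large groups.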

Grab Managers from AD

I'm currently getting a list of managers in AD from
Get-ADUser -Filter "DirectReports -like '*'" -Properties *
What's the easiest way to scan this against the entire AD domain to see if they are a manager?
Not working code:
$Users = Get-ADUser -Filter * -Properties *
Foreach ($User in $Users) {
    If (Get-AdUser -Identity $User -Filter "DirectReports -like '*' -eq $True")
    {Write-Host "$User is a Manager"} Else {Write-Host "$User is NOT a Manager"}
}
Thanks
Do you mean this?
Get-ADUser -Filter * -Properties directReports | ForEach-Object {
    # A user is a manager if at least one account lists them in its manager attribute
    $isManager = ($_.directReports | Measure-Object).Count -gt 0
    $_ | Select-Object name,
        @{Name = "Manager"; Expression = {$isManager}}
}

Powershell script to list all users whose manager account is disabled

I have modified the same script for groups instead of users as below, but I am not getting any display.
$adgroups = get-adgroup -searchbase "ou=test,dc=domain,dc=com" -filter * -Properties *
Foreach($adgroup in $adgroups)
{
    if($adgroup.manager -ne $null)
    {
        $manager = Get-ADGroup -filter {Distinguishedname -eq $adgroup.manager}
        if($($manager.enabled) -eq $false)
        {
            write-host "$($adgroup.SamAccountName),$($manager.SamAccountName)" -Path "C:\Users\test\Desktop\log.csv"
        }
    }
}
This should work.
$adusers = get-aduser -searchbase "ou=test,dc=domain,dc=com" -filter * -Properties manager
Foreach($aduser in $adusers)
{
    if($aduser.manager -ne $null)
    {
        # manager holds the manager's distinguished name, which -Identity accepts directly;
        # Enabled is returned by default, so no extra -Properties are needed
        $manager = Get-ADUser -Identity $aduser.manager
        if($manager.enabled -eq $false)
        {
            Add-Content -Value "$($aduser.SamAccountName),$($manager.SamAccountName)" -Path "C:\Users\test\Desktop\log.csv"
        }
    }
}

Organizing Active Directory accounts

I am trying to get a script to work that will organize my Active Directory accounts based on their display name, since all of our accounts have their OU (or a sub-OU) in their name. I am trying to do this with an If statement inside a ForEach loop in PowerShell. Every time I run it, though, it keeps asking me for an identity. Can anyone help me fix this? This is what I have...
Import-Module ActiveDirectory
$OU = "OU=Test, OU=com"
$Test1OU = "OU=Test1, OU=Test, OU=Com"
$Test2OU = "OU=Test2, OU=Test, OU=Com"
$Users = (Get-ADUser -SearchBase $OU -Filter * -Properties samAccountName,DisplayName)
ForEach ($user in $users)
{
    If ($($user.DisplayName -like ("*Supply*" -or "*Supplies*"))
    {Move-ADObject -Identity $($user.samAccountName -TargetPath $Test1OU}
    ElseIf ($($user.DisplayName -like ("*Accounting*" -or "*Accountant*"))
    {Move-AdObject -TargetPath $Test2OU}
}
You are running into a few problems here:
Like Vesper said, you are not passing anything to Move-ADObject, hence the error you are getting.
$DisplayNames is not a string array of names but an object with a DisplayName property. That is what the -ExpandProperty parameter of Select-Object is for, FYI.
You are pulling all the users but only really want to process certain ones. Instead of -Filter *, let's use a more targeted approach.
While it is tempting, you can't nest -like conditions like that. If you take "*Supply*" -or "*Supplies*" and type that, it will evaluate to true, the same as all non-zero-length strings.
For what we plan on doing we will not have to address all those issues. We should use the pipeline to help with this. Depending on how many variations you have, something like a switch statement might be better, which is covered below.
$supplyFilter = 'DisplayName -like "*Supply*" -or DisplayName -like "*Supplies*"'
$accountFilter = 'DisplayName -like "*Accounting*" -or DisplayName -like "*Accountant*"'
Get-ADUser -SearchBase $OU -Filter $supplyFilter -Properties displayName | Move-ADObject -TargetPath $Test1OU
Get-ADUser -SearchBase $OU -Filter $accountFilter -Properties displayName | Move-ADObject -TargetPath $Test2OU
You could get freaky with this and make a custom object in a loop with filter and target pairs so that you don't need to repeat the cmdlet call for each Get-ADUser instance.
$moves = @(
    @{
        Filter = 'DisplayName -like "*Supply*" -or DisplayName -like "*Supplies*"'
        OU = "OU=Test1, OU=Test, OU=Com"
    },
    @{
        Filter = 'DisplayName -like "*Accounting*" -or DisplayName -like "*Accountant*"'
        OU = "OU=Test2, OU=Test, OU=Com"
    }
) | ForEach-Object{New-Object -TypeName PSCustomObject -Property $_}
ForEach($move in $moves){
    Get-ADUser -SearchBase $OU -Filter $move.Filter -Properties displayName | Move-ADObject -TargetPath $move.OU
}
You should be able to scale into this easily by adding new $moves. This would be cleaner with PowerShell v3.0 but I do not know what version you have.
Using a switch
If you want something closer to what you currently have, I would suggest something like this instead:
$Users = Get-ADUser -SearchBase $OU -Filter * -Properties DisplayName
ForEach ($user in $users){
    # switch cases must be script blocks to be evaluated as conditions;
    # break stops the second case from running against an object that was just moved
    switch($user.DisplayName) {
        {$_ -like "*Supply*" -or $_ -like "*Supplies*"}{Move-ADObject -Identity $user -TargetPath $Test1OU; break}
        {$_ -like "*Accounting*" -or $_ -like "*Accountant*"}{Move-ADObject -Identity $user -TargetPath $Test2OU; break}
    }
}
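An added example (not the answer's code) that wraps the same filter/target table in a function with -WhatIf support and a CSV log, so a bulk move can be rehearsed and reviewed before any account is relocated. The OU paths, the filters and the log location are placeholders; the RSAT ActiveDirectory module is assumed.

```powershell
Import-Module ActiveDirectory

function Move-UsersByDisplayName {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][hashtable[]]$Moves,   # each entry: @{ Filter = '<AD filter>'; OU = '<target OU DN>' }
        [string]$LogPath = "$env:TEMP\ad-moves.csv"   # placeholder log location
    )
    foreach ($move in $Moves) {
        # Refuse to run a move whose target OU does not exist (typo in the DN), rather than failing per user
        try { $null = Get-ADOrganizationalUnit -Identity $move.OU }
        catch { Write-Warning "Target OU not found, skipping: $($move.OU)"; continue }

        $users = Get-ADUser -SearchBase $SearchBase -Filter $move.Filter -Properties DisplayName
        foreach ($user in $users) {
            # Skip accounts that already sit directly in the target OU (their DN ends with it)
            if ($user.DistinguishedName -like "*,$($move.OU)") { continue }
            # With -WhatIf this only reports the intended move; without it the move runs and is logged
            if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $($move.OU)")) {
                $user | Move-ADObject -TargetPath $move.OU
                [pscustomobject]@{
                    Time           = Get-Date -Format o
                    SamAccountName = $user.SamAccountName
                    DisplayName    = $user.DisplayName
                    From           = $user.DistinguishedName
                    To             = $move.OU
                } | Export-Csv -Path $LogPath -Append -NoTypeInformation
            }
        }
    }
}

# Placeholder filter/target pairs in the same shape as the answer's $moves table
$moves = @(
    @{ Filter = 'DisplayName -like "*Supply*" -or DisplayName -like "*Supplies*"';       OU = 'OU=Test1,OU=Test,DC=domain,DC=com' }
    @{ Filter = 'DisplayName -like "*Accounting*" -or DisplayName -like "*Accountant*"'; OU = 'OU=Test2,OU=Test,DC=domain,DC=com' }
)

# Rehearse first; drop -WhatIf once the reported moves look right
Move-UsersByDisplayName -SearchBase 'OU=Test,DC=domain,DC=com' -Moves $moves -WhatIf
```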
I'm not able to test currently, but this should do the trick:
Import-Module ActiveDirectory
$OU = "OU=Test, OU=com"
$Test1OU = "OU=Test1, OU=Test, OU=Com"
$Test2OU = "OU=Test2, OU=Test, OU=Com"
$users = (Get-ADUser -SearchBase $OU -Filter * -Properties displayName)
foreach ($user in $users)
{
    if ($user.displayName -like "*Supply*" -OR $user.displayName -like "*Supplies*") {
        Move-ADObject -Identity $user -TargetPath $Test1OU
    }
    elseif ($user.displayName -like "*Accounting*" -OR $user.displayName -like "*Accountant*") {
        Move-AdObject -Identity $user -TargetPath $Test2OU
    }
}
I've added an Identity parameter to Move-ADObject; also I've changed some of the variable names to better reflect their content.