I would like a PowerShell script to find the domain of a user.
I tried with Get-ADUser <user> -Properties *
It shows the domain (CN=Domain Users,CN=Users,DC=nam,DC=nsroot,DC=net). But I want it to display only the domain because I have a huge list of users.
Maybe this?
Get-ADUser <user> -Properties * |
Select *,@{l='Domain';e={ $_.canonicalname.split('/')[0] } }
Well... there is the userprincipalname property, but a lot of times it is blank. You could do something like this:
(get-aduser -filter *).SamAccountName | % {$_.Insert(0,'test\')}
Just change 'test\' to your domain name
Pick what properties you want and modify this:
$Domain = Get-ADDomain | select -expandproperty NetBIOSName
Get-ADUser <USERID OR -Filter *> -Properties DisplayName | select samAccountName, DisplayName, @{n="Domain";e={$Domain}} | Export-Csv Users1.csv -NoTypeInformation
Just in case someone else is looking for this in the future...
I'm trying to use a list of usernames to perform a simple get-aduser command. It works fine for a single user, but I can't input a file to perform this for a list.
This command works fine for a single user:
get-aduser -identity myusername -properties passwordlastset, passwordneverexpires |
sort name | ft Name, passwordlastset, Passwordneverexpires | out-file c:\PS\Output.txt
This works fine, but rather than use -filter * for all AD or identity pointing to a file, I am completely lost. I have tried doing a get-content and link to a file but I'm just getting into a pickle.
If I have a text file with a list of usernames in, how do I run the above command against that single text file list, rather than all of AD?
As a side query, is there a way that I can perform the above command, but for a specific OU?
If you have a list that isn't an object, either import it to an object or iterate over the values
Try something like:
$Userlist = Get-Content -path 'c:\temp\test.txt'
$Results = $Userlist | ForEach-Object {
Get-aduser -identity $_ -properties passwordlastset, passwordneverexpires
}
$Results | sort name | ft Name, passwordlastset, Passwordneverexpires | out-file c:\PS\Output.txt
This will work as long as you supply valid SamAccountNames in your list
I would do it this way. You can pipe in identity byvalue. You can import the csv later and get objects back.
get-content userlist.txt |
Get-aduser -properties passwordlastset, passwordneverexpires |
sort name |
select Name, passwordlastset, Passwordneverexpires |
export-csv users.csv
# searchbase example
get-aduser -filter 'name -like "j*"' -SearchBase 'OU=People,DC=stackoverflow,DC=com'
I have the below PowerShell commands, with which I can get the properties for all the users in the AD.
Import-Module ActiveDirectory
$attributes = 'SamAccountName', 'Name', 'Mail', 'PasswordLastSet', 'Enabled',
'PasswordNeverExpires', 'PasswordExpired'
Get-ADUser -Filter * -Properties $attributes | select $attributes
If I want properties for one specific user, I can use the below example in a command prompt:
net user /domain testuser
But how can I get the AD properties for a given list of users?
So far I have tried the below but couldn't achieve it yet, as it returns only for one user (not sure how to loop):
Import-Module ActiveDirectory
cd AD:
$Users = gc "C:\AD\accounts.txt"
Get-ADUser -Filter '*' -Properties DisplayName, Office |
? { $Users -contains $_.SamAccountName } |
select DisplayName, Office |
Export-Csv -Path "C:\AD\output\UserProp_14072016.csv" -NoTypeInformation
I'm looking for password last set, active or inactive, owner of that account.
Could you please help?
A technique I use for getting an arbitrary list of AD users is to construct an ORed LDAP filter from the text list:
$Users = gc "C:\AD\accounts.txt"
$User_filter = $Users -replace '^','(SamAccountName=' -replace '$',')'
$Filter = "(|$User_filter)"
Get-ADUser -LDAPFilter $Filter -Properties DisplayName,Office
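An added example (not part of the original answer) that extends the ORed LDAP filter above: each name is escaped per RFC 4515 so that `*`, `(`, `)` or `\` in the input file cannot change the filter's meaning, the list is queried in batches, and names that match no account are reported. The function names, the batch size of 200 and the default property list are assumptions; the input path is the one from the question.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: escape the characters RFC 4515 reserves in filter values
# (\ * ( ) and NUL) as \xx hex pairs so input is always treated as literal text.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) '\{0:x2}' -f [int][char]$m.Value
    }
    [regex]::Replace($Value, '[\\*()\x00]', $evaluator)
}

# Hypothetical wrapper: look up a list of SamAccountNames with ORed LDAP filters.
function Get-ADUserFromList {
    param(
        [string[]]$SamAccountName,
        [string[]]$Properties = @('DisplayName', 'Office'),
        [int]$BatchSize = 200      # assumption: keeps each filter reasonably short
    )
    # Trim, drop blank lines and de-duplicate (case-insensitively) first.
    $names = @($SamAccountName | ForEach-Object { $_.Trim() } |
        Where-Object { $_ } | Sort-Object -Unique)
    $found = @()
    for ($i = 0; $i -lt $names.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $names.Count) - 1
        $terms = $names[$i..$last] | ForEach-Object {
            '(sAMAccountName={0})' -f (ConvertTo-LdapFilterValue $_)
        }
        $filter = '(|{0})' -f ($terms -join '')
        $found += Get-ADUser -LDAPFilter $filter -Properties $Properties
    }
    # Report names that matched no account instead of dropping them silently.
    $missing = @($names | Where-Object { $found.SamAccountName -notcontains $_ })
    [pscustomobject]@{ Users = $found; NotFound = $missing }
}

$result = Get-ADUserFromList -SamAccountName (Get-Content 'C:\AD\accounts.txt')
$result.Users | Select-Object SamAccountName, DisplayName, Office
$result.NotFound
```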
You can try the following:
Import-Module ActiveDirectory
$Users = Get-Content C:\AD\Accounts.txt
Get-ADUser -Filter '*' -Properties DisplayName,Office,PasswordLastSet,LastLogonDate |
? {$Users -contains $_.SamAccountName} |
Select DisplayName,Office,PasswordLastSet,LastLogonDate |
Export-CSV -Path "C:\AD\output\UserProp_14072016.csv" -NoTypeInformation
I'm not aware of a specific "Active" property, but you can add the "LastLogonDate" to the Properties to determine when the account was last logged onto.
Additionally, I'm not sure what you're looking for when you are asking for the "Owner" of the account.
Incidentally, for a list of all of the properties available, you can do the following:
Get-ADUser <username> -Properties *
You may be able to find what you're looking for in the list.
Hope that helps.
Get last logon in descending order
Import-Module ActiveDirectory
Get-ADUser -filter * -properties Displayname, LastLogonDate, SamAccountName, office, PasswordLastSet, PasswordExpired | select-object Displayname, LastLogonDate,office, SamAccountName, PasswordExpired, PasswordLastSet | Sort LastLogonDate -Descending | Export-csv c:\users.csv -NoTypeInformation
I'm attempting to move AD users to different ou's based on a CSV file of employee numbers. I've searched around and I have found a suggestion and tried this code:
Import-Module ActiveDirectory
$TargetOU = "OU=Math,OU=Students,DC=domain,DC=net"
$IDs = Import-CSV "c:\testids.csv" | Select -ExpandProperty employeeID
Get-ADUser -filter * -Properties employeeID | Where { $IDs -contains $_.employeeID } |
Move-ADObject -TargetPath $TargetOU
My csv file looks like this
employeeID
11111
22222
33333
It runs with no errors. But the users never move. I'm running Server 2012R2.
Any suggestions? Am I on the wrong track or completely off in left field?
Try this
Import-Module ActiveDirectory
$TargetOU = "OU=Math,OU=Students,DC=domain,DC=net"
$IDs = Import-CSV "c:\testids.csv" | Select employeeID
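# Expand the ID into the filter string; property access such as $_.employeeID is not evaluated inside a -Filter script block
$IDs | % { Get-ADUser -Filter "employeeID -eq '$($_.employeeID)'" -Property employeeID |
Move-ADObject -TargetPath $TargetOU }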
Sorry, I pushed 'Enter' too quickly. This has your CSV saved as the $IDs object before you start. I think your pipes were a little out of order. Let me know if this works, and if it doesn't I'll try again.
Ok, I'm on the bandwagon of I want to be sure you're finding the correct users first. Theory being that Move-ADObject is not getting any input.
First I would do this to check the CSV file contents.
Get-Content "c:\testids.csv" | Select -Skip 1 | ForEach-Object{"'$_'"}
Then assuming that is working what is the result of this command?
$IDs | ForEach-Object{Get-ADUser -Filter "employeeID -eq '$_'" -Property employeeID}
Update from Comments
I wonder now if you are looking at the wrong AD Attribute. Maybe it should be EmployeeNumber.
$IDs | ForEach-Object{Get-ADUser -Filter "employeeNumber -eq '$_'" -Property employeeNumber}
Give that a try and see if that is what you need?
Also should try and verify that you have no white-space or special characters in the actual employeeid
"'$(Get-Aduser accountthathasid -properties employeeid | select -expand employeeid)'"
I'm willing to bet that the whole issue you're running into is that Get-ADUser is returning no user objects.
<Previous answer removed>
Edit: Ok, I give up, this makes no sense. I now can not find my own user by looking for it by EmployeeID. I think there may be some issues searching by employeeID because this returns nothing:
$me = get-aduser $env:USERNAME -Properties EmployeeID
Get-ADUser -filter "EmployeeID -eq '$($me.EmployeeID)'" -Properties EmployeeID
I verified that $me does in fact contain my ADUser object info, including my EmployeeID. I then tried:
Get-ADUser -filter "UserPrincipalName -eq '$($me.UserPrincipalName)'"
This did work, so I am sure that my format works. At this point, I withdraw and wish you luck.
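An added example (not from any of the answers above) of the check-before-move approach discussed in this thread: each ID from the CSV is validated, looked up on its own, and only IDs that resolve to exactly one account are moved, with -WhatIf showing the intended moves first. The digits-only pattern, the `$Attribute` variable and the report columns are assumptions; the CSV path and target OU are the ones from the question.

```powershell
Import-Module ActiveDirectory

$TargetOU  = 'OU=Math,OU=Students,DC=domain,DC=net'
$Attribute = 'employeeID'      # switch to 'employeeNumber' if that is where the IDs are stored
$IDs = Import-Csv 'c:\testids.csv' |
    ForEach-Object { "$($_.employeeID)".Trim() } | Where-Object { $_ }

$report = foreach ($id in $IDs) {
    # Assumption: IDs are digits only, as in the sample CSV. Rejecting anything
    # else keeps stray whitespace and special characters out of the LDAP filter.
    if ($id -notmatch '^[0-9]+$') {
        [pscustomobject]@{ EmployeeID = $id; Status = 'InvalidFormat'; DistinguishedName = $null }
        continue
    }
    $hits = @(Get-ADUser -LDAPFilter "($Attribute=$id)" -Properties $Attribute)
    $status = switch ($hits.Count) {
        0       { 'NotFound' }
        1       { 'Unique' }
        default { 'Ambiguous' }
    }
    [pscustomobject]@{
        EmployeeID        = $id
        Status            = $status
        DistinguishedName = ($hits.DistinguishedName -join '; ')
    }
}

# Review this first: every ID should be 'Unique' before anything is moved.
$report | Format-Table -AutoSize

# Dry run: -WhatIf prints each intended move without changing the directory.
# Remove -WhatIf only after the report looks right.
$report | Where-Object Status -eq 'Unique' | ForEach-Object {
    Move-ADObject -Identity $_.DistinguishedName -TargetPath $TargetOU -WhatIf
}
```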
I am trying to get a list of AD users who do not have a picture. I am on the QBC.CAN domain and trying to get information from the KOBAL domain. The KOBAL domain looks like this: KOBAL.COM. There is an OU called SALES and a sub-OU called NORTHWEST.
My job is to get a list of users with name, title, email, where the picture is not present. thumbnailPhoto is the LDAP display name. I tried a few queries, but they don't give me what I need and I keep getting an error.
Get-ADUser -Filter * -Server "ADCP12WSDC54X01.KOBAL.COM" -properties thumbnailPhoto | ? {!$_.thumbnailPhoto} | select Name
This code works, but I don't need the entire list. I only need OU=SALES,OU=NORTHWEST. If I change the script to the following, I get an error:
Get-ADUser -Filter * -SearchBase "OU=NORTHWEST, OU=SALES ,DC=KOBAL,DC=COM" -properties thumbnailPhoto | ? {!$_.thumbnailPhoto} | select Name
Get-ADUser : The supplied distinguishedName must belong to one of the following
partition(s): 'DC=QBC,DC=CAN , CN=Configuration,DC=QBC,DC=CAN , cN=Schema,CN=Configuration,DC=QBC,DC=CAN , DC=DomainDnsZones,DC=QBC,DC=CAN, DC=ForestDnsZones,DC=QBC,DC=CAN'.
Here's what I would use:
$SearchBase = 'OU=NORTHWEST,OU=SALES,DC=KOBAL,DC=COM';
$LdapServer = 'YourLDAPServerName';
$UsersWithoutPhotos = Get-ADUser -Filter 'thumbnailPhoto -notlike "*"' -SearchBase $SearchBase -SearchScope 'Subtree' -Server $LdapServer | Select-Object 'Name'
The filter here removes the need for piping to a Where-Object. It will return any user in the target OU or below that doesn't have a thumbnailPhoto attribute. You don't need -Properties thumbnailPhoto now since you're not using it for anything anymore, so you won't be returning all that data.
Edit to add:
By default, the only properties returned by Get-ADUser are DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname, UserPrincipalName. If you want access to anything else, you'll need to include the -Properties parameter again with Get-ADUser to tell that command to fetch that data, too. All the Select-Object command does is eliminate fields that you don't want to see.
This should work for you:
$UsersWithoutPhotos = Get-ADUser -Filter 'thumbnailPhoto -notlike "*"' -SearchBase $SearchBase -SearchScope 'Subtree' -Server $LdapServer -Properties 'title', 'displayName';
You can then restrict it to just the fields you want:
$UsersWithoutPhotos = $UsersWithoutPhotos | Select-Object 'Name','title', 'displayName';
Or sort it by a field:
$UsersWithoutPhotos = $UsersWithoutPhotos | Sort-Object 'displayName';
And display it:
$UsersWithoutPhotos | Format-Table -AutoSize;
Or:
$UsersWithoutPhotos | Out-GridView;
Of course, you can do all that on one line, too, and just keep piping.
I am trying to get the list of a specific user’s groups and the groups’ descriptions using PowerShell.
import-module activedirectory
$username = Read-Host 'Please enter Username!'
Get-ADPrincipalGroupMembership $username | select name, description
The description field returns blank.
From Get-ADPrincipalGroupMembership manual:
The Get-ADPrincipalGroupMembership cmdlet returns a default set of ADGroup property values. To retrieve additional ADGroup properties pass the ADGroups objects produced by this cmdlet through the pipeline to Get-ADGroup. Specify the additional properties required from the group objects by passing the -Properties parameter to Get-ADGroup.
So, let’s do it!
import-module activedirectory
$username = Read-Host 'Please enter Username!'
Get-ADPrincipalGroupMembership $username | Get-ADGroup -Properties * | select name, description
Also, in this case it should be enough to specify name,description instead of asterisk (*). If this is a performance issue, replace it. I am leaving it at asterisk because you might later change your mind about which properties you need.
Here is a simple but effective script to get AD Group info.
Get-ADGroup -filter * -Properties * | Select Name,GroupCategory,Description | Export-Csv D:\Test\SecurityGroups.csv
Just add or remove the attributes you would like to see in the Select area. To see a list of usable attributes you can do something like this:
Get-ADGroup -filter * -Properties * | Where-Object {$_.Name -eq 'DHCP Users' }
Get-ADPrincipalGroupMembership should work but fails if any group has a NAME containing '/' (which is a legal character in names as far as I understood the MS AD documentation).
This forces a heavy workaround:
$Groups = (Get-ADUser -identity $TemplateUserName -server $TemplateUserDomain -Properties MemberOf|select memberof).MemberOf|Get-ADGroup -Server :3268
foreach ($Group in $Groups)
{
Write-Output $Group.Name
}
Notice I use a domain search for the user's properties and then a search in global catalog
(-server :3268) for each group. Else you eventually won't get all of the user's groups or you'll get an error if any group belongs to a different domain than the user.
For a list of groups a user is member of:
(get-aduser NameOfTheUser -properties *).memberof
For Users
Get-ADUser -Filter {name -eq $username} -Properties * | select name,description
For Groups
Get-ADGroup -Filter {displayname -eq $groupname} -Properties * | select name,description