My organization has a different OU for each site we have. Within each site is a nested out called OU=USERS.
I want to find all members in every sites nested USERS OU.
Simply using the following command does not work:
Get-ADUser -Filter * -SearchBase "OU=USERS,DC=*****,DC=*****"
Obviously, this does not return anything. I must specify a site:
Get-ADUser -Filter * -SearchBase "OU=USERS,OU=MySite,DC=*****,DC=*****"
Is it possibly to search through every site OU looking for the sub USERS ou?
You could use another cmdlet to get the OU's you are looking for.
$ous = Get-ADOrganizationalUnit -Filter "Name -eq 'Users'"
$ous | ForEach-Object{
Get-ADUser -Filter * -SearchBase $_.DistinguishedName
}
Get-ADOrganizationalUnit will get all the USERS OU's for you then you can run Get-ADUser against each of those.
Related
How would I add filter on this to query only enable users ?
(Get-ADUser -Filter * -SearchBase “ou=Users,dc=qq,dc=com”).count
Just tell it to look at the Enabled property in the -Filter parameter:
(Get-ADUser -Filter "Enabled -eq $true" -SearchBase "ou=Users,dc=qq,dc=com").Count
Note that there is no Enabled attribute in AD itself. But PowerShell exposes an Enabled property that maps to the value in AD (the userAccountControl attribute). The actual LDAP query this gets translated to looks something like this:
(Get-ADUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -SearchBase "ou=Users,dc=qq,dc=com").Count
So PowerShell simplifies it a bit for you.
I have been asked to export the details of all service accounts in our AD domain. Seems straight forward but I have found over the years there has not be a consistent way service accounts have been controlled. We have a Service Accounts OU as well as a Service Account AD security group. Some accounts are in the OU but not the group, some in the group but another random OU, some are in both.
I can query each one individually:
Group
Get-ADGroupMember GROUP.ServiceAccounts
OU
Get-ADUser -SearchBase "OU=Service Accounts,OU=Accounts,DC=Domain,DC=com" -filter *
How can I combine both into one powershell query?
To combine these into one query, which will likely be more inefficient than what you are already doing, you can do the following:
$searchBase = '*OU=Service Accounts,OU=Accounts,DC=Domain,DC=com'
$groupDN = 'CN=Group Name,OU=Groups,DC=Domain,DC=com'
Get-Aduser -Filter * |
Where-Object { $_.DistinguishedName -like $searchBase -or $_.MemberOf -contains $groupDN}
You will need to update $groupDN with the actual distinguished name of your group. If you could find a more efficient way to -Filter on DistinguishedName, you could make this faster with the -Filter parameter.
Alternative Solution:
A more efficient way would be to combine your results into an object array.
$array1 = Get-ADGroupMember $Group
$array2 = Get-ADUser -SearchBase "OU=Service Accounts,OU=Accounts,DC=Domain,DC=com" -filter *
$array1,$array2
I've written two scripts that give me the independent output that I need, but am not sure how to put them together to give me the combined output.
Returns the count of all of the active users in a particular OU
(Get-ADUser -searchbase "OU=OU, DC=domain, DC=com" -filter * |Where {$_.enabled -eq "True"}).count
Returns the OU's underneath the same above OU that have "string" in the description property.
Get-ADOrganizationalUnit -searchbase "OU=OU, DC=domain, DC=com" -filter * -Properties description | where {$_.description -eq "string"}
What I'm trying to accomplish is for the script to give me a count of all of the active users underneath the OU's that have "string" in the description property.
I think this is the easiest way to achieve your goal
$OUs = Get-ADOrganizationalUnit -searchbase "OU=OU, DC=domain, DC=com" -filter * -Properties description | where {$_.description -eq "string"}
ForEach ($OU in $OUs) {
$count = (Get-ADUser -searchbase $OU -filter * | Where {$_.enabled -eq "True"}).count
Write-Host "OU $OU has $count users"
}
the result will be
OU OU=foo,DC=domain,DC=com has 6 users
OU OU=Computers,OU=foo,DC=domain,DC=com has 0 users
OU OU=Users,OU=foo,DC=domain,DC=com has 6 users
OU OU=Groups,OU=foo,DC=domain,DC=com has 0 users
Sergio Tanaka's helpful answer works well; let me complement it with a performance improvement:
You can greatly speed up your command by filtering at the source, by passing the filter criterion as a -Filter argument instead of retrieving all objects first and then filtering them with a separate Where-Object call:
Get-ADOrganizationalUnit -SearchBase 'OU=OU, DC=domain, DC=com' `
-Filter 'Description -eq "string"' -Properties description | #`
ForEach-Object {
$count = (Get-ADUser -SearchBase $_ -Filter 'Enabled -eq $true').Count
}
Note that the -Filter-string syntax of the AD cmdlets resembles PowerShell code, but it differs in many important ways - see Get-Help about_ActiveDirectory_Filter
The general advantages of using -Filter:
On a general note, the same performance improvement can be had with cmdlets for other PowerShell data providers, such as the one for the filesystem (e.g., Get-ChildItem), if they support a -Filter parameter:
A -Filter string is applied at the data source, which means that PowerShell only receives the result of the filtering.
Since providers are are implemented in compiled code (and they have access to lower-level internals), this generally makes for much better performance; additionally, in remoting scenarios performance improves by simply having to transfer less data over the network.
Note that -Filter parameters are always strings with provider-specific syntax, so you must consult the relevant provider/cmdlet documentation.
I'm searching a way in PowerShell to list all OU with Users in it.
I tried something with Get-ADUser or Get-ADOrganizationalUnit but it doesn't really work.
One approach would be to get all of the OU's and check to see if they contain any users via -SearchBase. Filter them out with a Where-Object clause
Get-ADOrganizationalUnit -Filter * |
Where-Object {(Get-ADUser -SearchBase $_.DistinguishedName -Filter *).Count -gt 0} |
Select-Object -ExpandProperty DistinguishedName
Simply pull the OU from each user object. Then find unique values.
Get-ADUser -Filter * |
ForEach-Object {$_.DistinguishedName -replace '(^.*?)(OU=.*)','$2'} |
Sort-Object -Unique
Note: this makes the assumption that you are not storing user objects in Containers rather than OUs
I need to retrieve a list of Distribution groups with their x400 and x500 addresses. I have determined the attributes are proxyaddresses and TextEncodedORAddress. We are running Exchange 2013. When I look at a high level searchbase like "OU=Exchange,OU=company,DC=company,DC=com" and use Get-ADUser it returns the user accounts, however I need Distribution Groups.
Using the following returns the users with the attributes I need, but I need distribution groups, not users.
Get-ADUser -SearchBase "OU=Exchange,OU=company,DC=company,DC=com" `
-Filter * -Properties * | Select * |
FT CN,distinguishedName,proxyaddresses,textEncodedORAddress
I tried Get-Mailbox, Get-DistributionGroup, but I get an error saying it's not a cmdlet. I also tried using the attribute groupType to filter, but it didn't work. I'm not sure if I'm able to use Get-ADObject as I'm not quite sure how I'd use that cmdlet. Any help would be appreciated.
Because there are multiple values in that proxyaddresses, I was receiving Microsoft.ActiveDirectory.Management.ADPropertyValueCollection, therefore I had to use the following.
Get-ADGroup -SearchBase "OU=Exchange,OU=Company,DC=company,DC=com" `
-Filter * -Properties proxyAddresses | Select CN,distinguishedName,textEncodedORAddress,`
#{L=’ProxyAddress_1′; E={$_.proxyaddresses[0]}},
#{L=’ProxyAddress_2′; E={$_.ProxyAddresses[1]}},
#{L=’ProxyAddress_3′; E={$_.proxyaddresses[2]}},
#{L=’ProxyAddress_4′; E={$_.proxyaddresses[3]}},
#{L=’ProxyAddress_5′; E={$_.proxyaddresses[4]}}|
Export-CSV C:\temp\x500_Export.csv
The only thing I can't figure out for the output, is why I see the various proxyaddresses and the distinguishedname, however it won't show CN, or displayname. Those are blank.
get-adgroup -filter "GroupCategory -eq 'Distribution'"