How to get AD user that does not have Picture - powershell

I am trying to get a list of AD users who do not have a picture. I am on the QBC.CAN domain and trying to get information from the KOBAL domain. The KOBAL domain looks like this: KOBAL.COM. There is an OU called SALES and a sub-OU called NORTHWEST.
My job is to get a list of users with name, title and email where a picture is not present. thumbnailPhoto is the LDAP display name. I tried a few queries but they don't give me what I need and I keep getting an error.
Get-ADUser -Filter * -Server "ADCP12WSDC54X01.KOBAL.COM" -properties thumbnailPhoto | ? {!$_.thumbnailPhoto} | select Name
This code works but I don't need the entire list. I only need OU=SALES,OU=NORTHWEST. If I change the script to the following I get an error:
Get-ADUser -Filter * -SearchBase "OU=NORTHWEST, OU=SALES ,DC=KOBAL,DC=COM" -properties thumbnailPhoto | ? {!$_.thumbnailPhoto} | select Name
Get-ADUser : The supplied distinguishedName must belong to one of the following
partition(s): 'DC=QBC,DC=CAN , CN=Configuration,DC=QBC,DC=CAN , cN=Schema,CN=Configuration,DC=QBC,DC=CAN , DC=DomainDnsZones,DC=QBC,DC=CAN, DC=ForestDnsZones,DC=QBC,DC=CAN'.

Here's what I would use:
$SearchBase = 'OU=NORTHWEST,OU=SALES,DC=KOBAL,DC=COM';
$LdapServer = 'YourLDAPServerName';
$UsersWithoutPhotos = Get-ADUser -Filter 'thumbnailPhoto -notlike "*"' -SearchBase $SearchBase -SearchScope 'Subtree' -Server $LdapServer | Select-Object 'Name'
The filter here removes the need for piping to a Where-Object. It will return any user in the target OU or below that doesn't have a thumbnailPhoto attribute. You don't need -Properties thumbnailPhoto now since you're not using it for anything anymore, so you won't be returning all that data.
Edit to add:
By default, the only properties returned by Get-ADUser are DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname, UserPrincipalName. If you want access to anything else, you'll need to include the -Properties parameter again with Get-ADUser to tell that command to fetch that data, too. All the Select-Object command does is eliminate fields that you don't want to see.
This should work for you:
$UsersWithoutPhotos = Get-ADUser -Filter 'thumbnailPhoto -notlike "*"' -SearchBase $SearchBase -SearchScope 'Subtree' -Server $LdapServer -Properties 'title', 'displayName';
You can then restrict it to just the fields you want:
$UsersWithoutPhotos = $UsersWithoutPhotos | Select-Object 'Name','title', 'displayName';
Or sort it by a field:
$UsersWithoutPhotos = $UsersWithoutPhotos | Sort-Object 'displayName';
And display it:
$UsersWithoutPhotos | Format-Table -AutoSize;
Or:
$UsersWithoutPhotos | Out-GridView;
Of course, you can do all that on one line, too, and just keep piping.
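An added example, not part of the question or the answer above, that ties the server and the search base together: the target domain's DN is read from the DC that will be queried, so the OU path can never be checked against the wrong partition (the cause of the error in the question), and the report returns the Name, Title and Mail the question asked for. The server and OU names are placeholders taken from the question.

```powershell
# Added example: search a trusted domain for users with no thumbnailPhoto.
# The partition error in the question comes from omitting -Server: the OU path
# is then checked against the local domain (QBC.CAN) instead of KOBAL.COM.
# Names below are placeholders, not real infrastructure.
$TargetServer = 'ADCP12WSDC54X01.KOBAL.COM'   # a DC in the target domain
$OuPath       = 'OU=NORTHWEST,OU=SALES'       # child OU first, then its parent

# Ask that DC for its own domain DN, so the search base always matches the server.
$DomainDn   = (Get-ADDomain -Server $TargetServer).DistinguishedName
$SearchBase = "$OuPath,$DomainDn"

# Fail early, with a clear message, if the OU does not exist in that domain.
try {
    $null = Get-ADOrganizationalUnit -Identity $SearchBase -Server $TargetServer
} catch {
    throw "Search base '$SearchBase' not found on $($TargetServer): $($_.Exception.Message)"
}

# -Filter does the 'no photo' test on the DC; only the extra attributes the
# report needs are requested, not thumbnailPhoto itself.
$UsersWithoutPhotos = Get-ADUser -Server $TargetServer `
    -SearchBase $SearchBase -SearchScope Subtree `
    -Filter 'thumbnailPhoto -notlike "*"' `
    -Properties Title, Mail |
    Select-Object Name, Title, Mail |
    Sort-Object Name

$UsersWithoutPhotos | Format-Table -AutoSize
```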

Related

Upstream filtering a user's AD group membership list by wild-carded string

I have a requirement to combine Get-ADUser and Get-ADGroup (with filtering) to retrieve a list of a user's groups, only where the group name matches a wildcard pattern I specify.
Getting the whole list of a user's groups can be slow over VPN when WFH. So instead of retrieving all the user's group names into an array, then looping through that to find the matching names I need, can I include the group name filtering further upstream in the Get-ADUser call, or the Get-ADGroup call?
My question isn't so much "how is it done?" but "can it be done?", and would it actually be any quicker than pulling all group names into an array and then looping?
Something like:
$SEC_GROUPS = (Get-ADUser $_ -Properties MemberOf).memberof |
Get-ADGroup -filter {Name -like "*SEC*"} -Properties Name,Description |
Select-Object Name,Description |
Sort-Object name
Thank you for any replies so far
I had another bash and thought this worked:
$SEC_GROUPS = (get-aduser $_ -properties Memberof).memberof |
Get-ADGroup -filter 'Name -like "*SEC*"' -Properties Name,Description -ErrorAction SilentlyContinue |
select-object Name,Description |
Sort-Object Name
But it pulls all matching AD groups, not just those the user is a member of.
Update: Using the comment from Santiago below was the trick. Remember, for speed I needed to retrieve only the user's groups matching the group name pattern I specify, as early as possible, with no manual processing of the full groups list.
$SEC_GROUPS = (get-aduser $_ -properties Memberof).memberof -like '*SEC*' |
Get-ADGroup -Properties Name,Description |
select-object Name,Description |
Sort-Object Name
I found that, even when my group names started with SEC, I still needed to include the * on both sides of the match pattern; using SEC* didn't work. I'm guessing this is because the match target starts with CN=SEC_whatever.
You can use an Active Directory filter to search for all groups having your user as a member and a name containing SEC. This is as fast as it gets in my opinion.
$user = (Get-ADUser someUser).DistinguishedName
$groups = Get-ADGroup -LDAPFilter "(&(member=$user)(name=*SEC*))" -Properties Description |
Select-Object Name, Description |
Sort-Object Name
If you want to give it a try, you can also filter the memberOf property of your user, keeping those entries whose CN (common name) contains SEC (I don't think this will be faster or more robust than the previous snippet):
$groups = (Get-ADUser someUser -Properties memberOf).memberOf -match '(?<=^CN=).*SEC.*?(?<!\\),' |
Get-ADGroup -Properties Description |
Select-Object Name, Description |
Sort-Object Name

How to search users in AD using PowerShell while skipping folders

The current PowerShell script being used is in this format:
Get-ADUser -Filter * -Properties EmailAddress, DisplayName -SearchBase "OU=USERS, OU=Site, OU=$_, DC=domain" -Server ServerName | Select DisplayNAme, EmailAddress
My problem is that the OUs USERS and Site are buried in different folders one level up, and I can't figure out how to make the PowerShell script look through all the folders above (OU=$_). Using OU=* doesn't work either (bad syntax error).
The -SearchBase parameter doesn't allow wildcards. If I understand correctly, you're looking for all parent OUs having OU=USERS, OU=Site as child OUs, in which case you can first filter for all OUs with Name Users, then filter again for those OUs whose DistinguishedName contains OU=USERS, OU=Site, and lastly feed these OUs to Get-ADUser -SearchBase:
(Get-ADOrganizationalUnit -LDAPFilter "(name=users)").DistinguishedName | ForEach-Object {
    # AD returns DNs without spaces after the commas, so the pattern must match that form
    if ($_ -notlike "OU=USERS,OU=Site,*") { return }
    Get-ADUser -Filter * -Properties EmailAddress, DisplayName -SearchBase $_ -Server ServerName
} | Select DisplayName, EmailAddress

Get-ADUser unable to sort by LastLogonDate

I'm trying to sort my disabled users by the last date they logged in.
I used the following command:
Get-ADUser -Filter "samaccountname -eq '$user' -and enabled -eq '$False'" -Properties * |
select samaccountname, displayname, emailaddress, LastLogonDate |
Sort-Object -Property LastLogonDate
I'm not sure why, but it doesn't sort the LastLogonDate property. I keep getting an unsorted list of my disabled users.
Continuing from my comment, I think the code you show is the part inside a loop where you iterate users, perhaps based on the input from a CSV file.
Your code only finds one single user and sorts that one object on its LastLogonDate.
The sorting should be done after you have collected all your users, like this:
# capture the resulting objects from a collection of users
$result = foreach ($user in $MyListOfUserSamAccountNames) {
Get-ADUser -Filter "samaccountname -eq '$user' -and enabled -eq '$False'" -Properties displayname, emailaddress, LastLogonDate |
Select-Object samaccountname, displayname, emailaddress, LastLogonDate
}
# here is where you sort the result for output
$result | Sort-Object -Property LastLogonDate
Please bear in mind that the calculated property LastLogonDate (not really an AD attribute at all) is not replicated within the domain, and to get the most accurate value you need to iterate the domain controllers in your domain.
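An added example, not from the answer above, of the last point: each domain controller keeps its own copy of lastLogon, so the most recent logon of a disabled user is the highest value seen across all DCs, and the sort happens once after every user and every DC has been queried. It reuses the $MyListOfUserSamAccountNames variable the answer assumes.

```powershell
# Added example: most recent logon of each disabled user, asking every DC,
# because lastLogon is stored per domain controller and is not replicated.
# $MyListOfUserSamAccountNames is the same list the answer above assumes.
$DCs = (Get-ADDomainController -Filter *).HostName

$result = foreach ($sam in $MyListOfUserSamAccountNames) {
    $latest = 0          # lastLogon is a FILETIME (100ns ticks since 1601); 0 = never
    $user   = $null
    foreach ($dc in $DCs) {
        try {
            $u = Get-ADUser -Server $dc -Filter "samAccountName -eq '$sam' -and Enabled -eq 'False'" `
                    -Properties displayName, emailAddress, lastLogon
        } catch {
            Write-Warning "$($dc): $($_.Exception.Message)"   # unreachable DC, keep going
            continue
        }
        if (-not $u) { continue }          # enabled, or not found on this DC
        $user = $u
        if ($u.lastLogon -and $u.lastLogon -gt $latest) { $latest = $u.lastLogon }
    }
    if ($user) {
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            DisplayName    = $user.displayName
            EmailAddress   = $user.emailAddress
            LastLogon      = if ($latest) { [DateTime]::FromFileTime($latest) } else { $null }
        }
    }
}

# Sort once, after all users and all DCs have been queried; never-logged-on users sort first.
$result | Sort-Object LastLogon | Format-Table -AutoSize
```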

How to get AD properties for a list of windows generic accounts?

I have the PowerShell commands below, with which I can get the properties for all the users in AD.
Import-Module ActiveDirectory
$attributes = 'SamAccountName', 'Name', 'Mail', 'PasswordLastSet', 'Enabled',
'PasswordNeverExpires', 'PasswordExpired'
Get-ADUser -Filter * -Properties $attributes | select $attributes
If I want properties for one specific user, I can use the example below in a command prompt:
net user /domain testuser
But, how can I get the AD properties for given list of users?
So far I have tried the below but couldn't achieve it yet, as it returns only one user (not sure how to loop):
Import-Module ActiveDirectory
cd AD:
$Users = gc "C:\AD\accounts.txt"
Get-ADUser -Filter '*' -Properties DisplayName, Office |
? { $Users -contains $_.SamAccountName } |
select DisplayName, Office |
Export-Csv -Path "C:\AD\output\UserProp_14072016.csv" -NoTypeInformation
I'm looking for password last set, active or inactive, and the owner of that account.
Could you please help?
A technique I use for getting an arbitrary list of AD users is to construct an ORed LDAP filter from the text list:
$Users = gc "C:\AD\accounts.txt"
$User_filter = $Users -replace '^','(SamAccountName=' -replace '$',')'
$Filter = "(|$User_filter)"
Get-ADUser -LDAPFilter $Filter -Properties DisplayName,Office
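An added example, not from either answer, that serves both the (member=...)(name=*SEC*) filter in the group-membership question above and the ORed sAMAccountName filter here: every value spliced into an LDAP filter is escaped per RFC 4515, so a DN or a line from the text file containing *, (, ) or \ cannot change what the filter matches, and the account list is sent in batches rather than as one enormous OR. The batch size, file paths, account name and SEC pattern are assumptions.

```powershell
# Added example: build LDAP filters safely for Get-ADGroup / Get-ADUser.
# Escape the characters RFC 4515 reserves in a filter value. Backslash must be
# replaced first, otherwise the escapes just introduced would be escaped again.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value = $Value -replace '\\', '\5c'
    $Value = $Value -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    return $Value -replace "`0", '\00'
}

# Groups the user belongs to whose name contains the pattern, evaluated on the DC.
# The user's DN is escaped: a DN such as CN=Smith (Sales),OU=... contains parentheses.
function Get-MatchingGroupMembership {
    param([string]$SamAccountName, [string]$NamePattern = 'SEC')
    $dn      = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $safeDn  = ConvertTo-LdapFilterValue $dn
    $safePat = ConvertTo-LdapFilterValue $NamePattern
    Get-ADGroup -LDAPFilter "(&(member=$safeDn)(name=*$safePat*))" -Properties Description |
        Select-Object Name, Description | Sort-Object Name
}

# Look up an arbitrary list of accounts with one ORed filter per batch, so a file
# of thousands of names does not turn into a single enormous filter string.
function Get-ADUsersFromList {
    param([string[]]$Accounts,
          [string[]]$Properties = @('DisplayName', 'Office', 'PasswordLastSet', 'Enabled'),
          [int]$BatchSize = 200)
    $clean = @($Accounts | ForEach-Object { $_.Trim() } | Where-Object { $_ })   # drop blank lines
    for ($i = 0; $i -lt $clean.Count; $i += $BatchSize) {
        $batch  = $clean[$i..([Math]::Min($i + $BatchSize, $clean.Count) - 1)]
        $terms  = $batch | ForEach-Object { "(sAMAccountName=$(ConvertTo-LdapFilterValue $_))" }
        $filter = "(|$($terms -join ''))"          # no separator between the OR terms
        Get-ADUser -LDAPFilter $filter -Properties $Properties |
            Select-Object (@('SamAccountName') + $Properties)
    }
}

# Usage (account name and paths are placeholders):
Get-MatchingGroupMembership -SamAccountName 'someUser' -NamePattern 'SEC'
Get-ADUsersFromList -Accounts (Get-Content 'C:\AD\accounts.txt') |
    Export-Csv -Path 'C:\AD\output\UserProp.csv' -NoTypeInformation
```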
You can try the following:
Import-Module ActiveDirectory
$Users = Get-Content C:\AD\Accounts.txt
Get-ADUser -Filter '*' -Properties DisplayName,Office,PasswordLastSet,LastLogonDate |
? {$Users -contains $_.SamAccountName} |
Select DisplayName,Office,PasswordLastSet,LastLogonDate |
Export-CSV -Path "C:\AD\output\UserProp_14072016.csv" -NoTypeInformation
I'm not aware of a specific "Active" property, but you can add the "LastLogonDate" to the Properties to determine when the account was last logged onto.
Additionally, I'm not sure what you're looking for when you are asking for the "Owner" of the account.
Incidentally, for a list of all of the properties available, you can do the following:
Get-ADUser <username> -Properties *
You may be able to find what you're looking for in the list.
Hope that helps.
Get last logon in descending order
Import-Module ActiveDirectory
Get-ADUser -Filter * -Properties DisplayName, LastLogonDate, SamAccountName, Office, PasswordExpired, PasswordLastSet |
    Select-Object DisplayName, LastLogonDate, Office, SamAccountName, PasswordExpired, PasswordLastSet |
    Sort-Object LastLogonDate -Descending |
    Export-Csv C:\users.csv -NoTypeInformation

List all groups and their descriptions for a specific user in Active Directory using PowerShell

I am trying to get the list of a specific user’s groups and the groups’ descriptions using PowerShell.
import-module activedirectory
$username = Read-Host 'Please enter Username!'
Get-ADPrincipalGroupMembership $username | select name, description
The description field returns blank.
From Get-ADPrincipalGroupMembership manual:
The Get-ADPrincipalGroupMembership cmdlet returns a default set of ADGroup property values. To retrieve additional ADGroup properties pass the ADGroups objects produced by this cmdlet through the pipeline to Get-ADGroup. Specify the additional properties required from the group objects by passing the -Properties parameter to Get-ADGroup.
So, let’s do it!
import-module activedirectory
$username = Read-Host 'Please enter Username!'
Get-ADPrincipalGroupMembership $username | Get-ADGroup -Properties * | select name, description
Also, in this case it should be enough to specify name,description instead of an asterisk (*). If this is a performance issue, replace it. I am leaving it as an asterisk because you might later change your mind about which properties you need.
Here is a simple but effective script to get AD Group info.
Get-ADGroup -filter * -Properties * | Select Name,GroupCategory,Description | Export-Csv D:\Test\SecurityGroups.csv
Just add or remove the attributes you would like to see in the Select area. To see a list of usable attributes you can do something like this:
Get-ADGroup -filter * -Properties * | Where-Object {$_.Name -eq 'DHCP Users' }
Get-ADPrincipalGroupMembership should work but fails if any group has a NAME containing '/' (which is a legal character in names, as far as I understood the MS AD documentation).
This forces a heavy workaround:
$Groups = (Get-ADUser -Identity $TemplateUserName -Server $TemplateUserDomain -Properties MemberOf).MemberOf |
    Get-ADGroup -Server :3268
foreach ($Group in $Groups)
{
    Write-Output $Group.Name
}
Notice I use a domain search for the user's properties and then a search in the global catalog (-Server :3268) for each group. Otherwise you eventually won't get all of the user's groups, or you'll get an error if any group belongs to a different domain than the user.
For a list of groups a user is a member of:
(get-aduser NameOfTheUser -properties *).memberof
For Users
Get-ADUser -Filter {name -eq $username} -Properties * | select name,description
For Groups
Get-ADGroup -Filter {displayname -eq $groupname} -Properties * | select name,description